VLAN on pfsense woes [Solved]
After lot of recommendation I ended up installing pfsense at my home. I have not deployed it yet, but am tinkering with it to get a proper setup. I have gone through some documentation and videos for setting up VLANs, but for some reason can't get it to work. Test network is double NATEd and is something like:
current router(192.168.0.1) -> pfsense(192.168.1.1) -> Cisco 3560e(No routing) -> Workstation
I think double NAT should not have any implication on current testing, please let me know if that is not the case. I have setup vlan setup on switch and can ping it from workstation(static ip). However, I can't ping vlan interface on pfsense(igb2) from switch; of course I can't neither get ip or network on workstation.
I have attached various screenshots that might clarify my settings on pfsense and switch. I have also attached my future network diagram. For now, I am just trying to get vlan 10(homelab) working.
Please let me know if there is any more info I can provide. Thanks :)
Why are you tagging the port to the interface to the PC, gi6? This port would be untagged, the port to pfsense since you have vlan 10 setup on pfsense would be tagged.
The only reason you would tag that port is if you setup that PC to understand the tag.. Which you normally never do on such a device.
@johnpoz Thanks for quick reply. Gi0/6 is interface in access mode. It is inherently an untagged port, no?
BTW, I solved the issue of the switch not being able to ping pfsense. I had to make Gi0/5(interface connected to pfsense) as trunk even though it had only one vlan. I think reason is because trunk ports are the only ones that can tag the traffic.
I can now ping switch and pfsense from pc. I can even get an ip from DHCP(yay).
I still dont have internet on PC, and I cant ping PC from neither switch or pfsense. I checked ARP entries and both of them, which indeed have mac populated for the said PC.
I was wondering if I need to configure gateway on switch/pfsense for the vlans that has been added.
What switch is this? Why is showing native vlan tagged on gi6? Which shows as vlan 1..
what are you rules on your vlan.. Out of the box lan gets any any… But any new interfaces you create would not have any rules.. So yeah you have to create them.. See quite often mistake of only allow tcp, so no dns, etc. Ie internet not work ;)
Also if you messed with the automatic nat - again see this quite a bit, then adding new interface would not automatic add outbound nat like it should, etc. You do not add gateway to lan interfaces on pfsense. And why would your switch need gateway? Your not running it as layer 3 (routing)... So unless you want to hit its admin interface from a different network it wouldn't need a gateway.
This is Cisco C3560E. By default all the "Access" ports have trunking VLAN set but it is not active since the port in not in "Trunking" mode. So for an interface in access mode if a vlan is assigned, then it sends untagged traffic for that vlan. All inbound tagged packets are dropped. Please checkout https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/sw/configuration/guide/cli/CLIConfigurationGuide/AccessTrunk.pdf doc and https://learningnetwork.cisco.com/thread/54957 discussion if you are curious.
I have attached the vlan rules in op, in short for now I have VLAN wide open to pass all traffic. All the posts in these forums point out that I should check rules first, so I was sure to have them configured. :D
NAT config did the trick. Thanks for pointing it out. I forgot that I had changed NAT from automatic to advanced manual during OpenVPN setup. Setting up rules for my VLAN(10) gave me internet.
I am new to fancy switches/router, although I know some theory about networks I am still discovering how all that stuff translates for this equipment.
Thanks for help. Onto setting up the other VLANS, you may see me again ;)
I am very familiar with cisco ;) Just have never used a static access mode?. As to how they come out of the box - that never lasts more than bootup ;) I am well aware they come default in trunk mode though..
Why would you link to a nexus line switch if your using a 3560? They are very different!!! I mean really different… Also 3560E - did you pick it up on ebay or something they have been end of sale for years. And If not mistaken went EOL last month I think...
For future reference it is almost always better to use hybrid mode on your outbound nat vs manual.. Best of both worlds that way - you can create your own specific sorts of nats while still letting pfsense create auto nats for you when you add an interface. Or even create a route to a downstream network, etc.
Why would you link to a nexus line switch if your using a 3560?
Gah, didn't realize. Access port config seems similar https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750e_3560e/software/release/12-2_55_se/configuration/guide/3750escg/swvlan.html
I did pick it up from ebay recently for good price ;D. From what I read you cant beat it for price/capability.
Why is that most of the tutorials dont about talk good configs. I changed the NAT mode to hybrid and realized that pfsense would have made an automatic rule for this vlan, yet no popular tutorial talked about it. Thanks for pointing it out.
Lastly, since you mentioned you are familiar with Cisco stuff; I was wondering if you would have any idea why I would get speed difference between direct connection to pfsense vs through switch.
Direct connection can give me around 600-950Mbps for gigabit internet connection, but through switch it can't exceed 250Mbps. I confirmed all the interfaces have negotiated Gigabit link, yet I see this strange performance issue. I ran iPerf on pfsense and PC(via switch in middle) and I can see 850Mbps throughput. This is really weird. Have you come across something like this before? I couldn't find anything useful in searches.
Your switch is causing slow traffic? Yeah never seen such a thing other than duplex mismatch or lower speed.. You sure your not limiting traffic on the switch? That is something you could do.. But then say iperf between pfsense and client through the switch gives you 850?
Did you do that iperf test udp or tcp?
I have been working with cisco switches and routers for years and years and years… Never seen such a thing.. What is the config you have on the ports? Just post show run interface.. Then again we don't use EOL hardware that got off ebay ;) But if your saying you are seeing full speed between the devices across the switch, but not to the internet that makes zero sense.