Need help to configure VLAN in HA environment



  • Hello,

    I tried to configure VLAN on an HA environment without success and I need help to do this.

    Here is the actual environment and what I want:

    I have two pfSense in HA mode. I have an existing interface on each FW with a CARP IP:

    Master, LAN interface, IP: 192.168.9.2
    Backup, LAN interface, IP: 192.168.9.3
    CARP IP: 192.168.9.1

    I have created two VLANs (in Interfaces -> VLANs):
    VLAN 10 and VLAN 20

    VLAN: I want to assign the existing IP of the LAN interface: 192.168.9.0/24

    • What should I do next for the existing LAN interface? Disable the LAN interface? Keep it enabled but set to any IP? This parent interface will host the VLANs.

    In my attempt, I enabled my VLAN interface and set it with a 192.168.9.X IP. I changed the interface on the CARP VIP from LAN to VLAN10.

    My layer 2 switch is configured like this, but I'm not sure of the configuration (see picture).
    Ports 3 and 4 are PC clients for this example.

    Can you help me make the VLAN work, and guide me through the process please?
    Thank you in advance.


  • Netgate Administrator

    You can't have the same subnet on more than one interface. So you can't use 192.168.9.0/24 on both LAN and VLAN10.

    If you want to move that subnet to VLAN10, I suggest you make sure you have another way of accessing the pfSense webgui, via the WAN perhaps.

    Which of the ports on your switch is connected to pfSense? It should be a port that is tagged on both VLANs, but that currently looks like 1 and 2, which seems unlikely. Unless maybe you are using them as a LAGG.

    Steve



  • Hi,

    Thanks for your help.

    You can't have the same subnet on more than one interface. So you can't use 192.168.9.0/24 on both LAN and VLAN10.

    That is interesting. So I can keep the LAN interface with the actual configuration (192.168.9.X) and just create one extra VLAN (with a different subnet, of course)?
    The idea in my first post was to migrate the LAN interface to VLAN10, but if it is possible to keep the actual interface running and create VLAN20 for another subnet, that is what I want. So can you confirm it is possible without problems?

    Which of the ports on your switch is connected to pfSense?

    The pfSenses are connected on ports 1 and 2 of the switch.
    Port 3 is a device on the LAN.
    Port 4 is a device on the extra subnet (VLAN20).

    Can you help me with the configuration of the VLAN on the switch please? It is abstract for me.


  • Netgate Administrator

    Sorry for the delay.

    Yes you can do that. Keep LAN as the untagged parent interface on the original subnet. Add a VLAN onto that interface in a new subnet.

    We usually recommend avoiding using tagged and untagged traffic on a single interface, because you can end up with unexpected traffic if your switch is not configured correctly or has some firmware bug (which we have seen). However, it's fine as long as you're aware of it, and much easier to configure.

    If you are only adding one further VLAN, then you need to remove the other line from the switch config.

    You also need to remove the VLAN untagged port (3 or 4, whichever one you keep) from the default VLAN untagged list to prevent untagged LAN traffic leaving that port.

    Depending on your switch, you may also need to set the PVID on the VLAN untagged port to the correct VLAN tag.

    Steve
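
    As an added example (not posted by anyone in this thread), here is a small Python check that encodes Steve's switch rules for the "keep LAN untagged on the parent, add VLAN 20 tagged" layout, run over a constructed before/after port table. Port numbers and the VLAN 20 tag follow the thread; the default VLAN id 1 and the table format are assumptions.

```python
"""Constructed check of a layer-2 switch VLAN port table against the advice in
this thread: LAN stays untagged on the parent interface, VLAN 20 is added
tagged, and the VLAN 20 client port leaves the default VLAN's untagged list.
Port numbers follow the thread (1, 2 = pfSense, 3 = LAN client, 4 = VLAN 20)."""
from dataclasses import dataclass, field

DEFAULT_VLAN = 1   # assumed id of the untagged LAN, 192.168.9.0/24 on the parent interface
NEW_VLAN = 20      # the extra VLAN carried tagged on top of the LAN parent


@dataclass
class Port:
    number: int
    untagged: set = field(default_factory=set)  # VLANs this port sends untagged
    tagged: set = field(default_factory=set)    # VLANs sent with an 802.1Q tag
    pvid: int = DEFAULT_VLAN                    # VLAN given to untagged ingress frames


def check_switch(ports, uplinks, vlan20_clients):
    """Return a list of problems; an empty list means the table matches the advice."""
    problems = []
    for p in ports:
        n = p.number
        if len(p.untagged) > 1:
            problems.append(f"port {n}: untagged in several VLANs {sorted(p.untagged)}")
        if p.untagged & p.tagged:
            problems.append(f"port {n}: same VLAN both tagged and untagged")
        if p.untagged and p.pvid not in p.untagged:
            problems.append(f"port {n}: PVID {p.pvid} differs from untagged VLAN")
        if n in uplinks:
            # Towards pfSense: untagged LAN plus tagged VLAN 20 (the mixed mode Steve allows)
            if DEFAULT_VLAN not in p.untagged or NEW_VLAN not in p.tagged:
                problems.append(f"port {n}: uplink must be untagged {DEFAULT_VLAN} and tagged {NEW_VLAN}")
        elif n in vlan20_clients:
            if DEFAULT_VLAN in p.untagged:
                problems.append(f"port {n}: still in default VLAN untagged list, LAN traffic would leak")
            if p.untagged != {NEW_VLAN} or p.tagged:
                problems.append(f"port {n}: client port should be untagged {NEW_VLAN} only")
    return problems


# Constructed 'before' table: port 4 simply added to VLAN 20 untagged and left in VLAN 1.
BROKEN = [Port(1, {1}, {20}), Port(2, {1}, {20}), Port(3, {1}), Port(4, {1, 20}, set(), 1)]
# Corrected table following the thread: port 4 removed from VLAN 1, PVID set to 20.
FIXED = [Port(1, {1}, {20}), Port(2, {1}, {20}), Port(3, {1}), Port(4, {20}, set(), 20)]

if __name__ == "__main__":
    for name, table in (("before", BROKEN), ("after", FIXED)):
        print(name, check_switch(table, uplinks={1, 2}, vlan20_clients={4}) or "OK")
```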



  • Thank you!
    I'll try to set this up.