Simple VLAN help.. not sure if my pfSense or switch is misconfigured
-
I'm having troubles getting VLANs setup and being a newbie to VLANs I thought I understood it all, but apparently I do not. Quick background. I have an SG-2220 which has a single LAN port. I want two LANs to separate traffic inside my home for security purposes. I had thought the process was create the VLANs in pfSense, use the LAN port as a trunk to a single port on my layer 3 switch assigned as a trunk port, assign my VLAN IDs as tagged traffic for that trunk port, and assign all other ports on the switch as untagged for either of my two VLAN IDs. But that isn't working so either I don't know my gear, or I don't understand the general premise of VLANs. Before I blabber about the details, did I misstep anywhere above?
I appreciate all of your time and will do my best to be respectful of it. Thanks in advance!
-
Create the VLANs in pfSense and assign pfSense interfaces to the VLAN interfaces.
You'll probably want to post your Interfaces > Assignments screen. -
I think I did that. Here's my assignments screen.
 -
I can ping the VLAN interface from a host connected to the untagged ports assigned for that VLAN ID with the same PVID. But I cannot ping the gateway of the router itself. What I don't know is if my problem is in pfSense, my switch, or both. I think I understand how this works, but.. it isn't working so I don't understand something. I see routes were automatically created in the switch and at first glance they appear to be right. So I'm wondering if there is something about incoming tagged traffic into pfSense I'm missing. Or I just don't get this switch.
-
OK so LAN will be untagged, GREEN will be tagged 10, and RED will be tagged 11 on igb1.
You might want to take a step back and contemplate that a layer 3 switch is really a router.
(A layer 3 switch VLAN without a VIF is just a layer 2 switch…)
What, exactly, are you trying to do?
-
I knew it. I'm in the wrong forum. :)
Simpleton home stuff. I want two LANs to separate crap I'm hosting on the Internet from everything else. Right now I'm using two routers: pfSense in front which forms my Red LAN (untrusted in my head) and another behind it that forms a green LAN for trusted devices. This isn't necessary with pfSense so I'm trying to get rid of the LAN behind the LAN. Why I have the L3 switch is old ideas in my head I abandoned long ago. I want to test this out before buying a small 5 port L2 switch that supports VLAN tagging. Then get rid of this L3 switch because I won't need it anymore and it is insanely noisy.
I dropped the VIF for both VLANs and it still isn't working. I statically set an IP on a host machine with a /16 netmask and ping the Interface IP and the LAN IP of pfSense and I'm not getting anything. Is this still a switch config issue or am I missing something in pfSense? I haven't done anything for DNS yet but I'm hoping I don't have to.
-
LAN will be untagged, GREEN will be tagged 10, and RED will be tagged 11 on igb1.
You need to make your switch do that.
Then put your devices on untagged switch ports on the desired VLANs.
-
Thanks for the help. I ended up buying the simpler L2 switch and I was able to get things setup and working… sorta. I have it all working except I can ping between VLANs which isn't what I want. Where did I go wrong? Is this in pfSense, the switch, or could I have made the error in either one?
-
Firewall rules on the VLAN interfaces. Block the traffic you do not want to flow.
-
Thanks again. At first I thought I had things working well but it turns out Windows was "helping" so I have to use strictly Linux machines for testing purposes. Are there good guides you know of for the firewalls? I keep reading things and trying them but it isn't working. I'll keep poking around. So far I can't block anything with a block rule.
-
I believe I have sorted out my initial request for this thread since I seem to have the VLANs working with my new switch. I bought a Netgear GS108Ev3 and it serves my needs perfectly. My other switch, an HP 24 port L3 switch, drove me insane. I never could get any of the L3 features to work on it and according to the forums no one can because it's impossibly complex. I couldn't even get basic VLAN tagging to work and I did exactly the same setup on it as I did on the cheap little Netgear I just bought. Now I can do everything I need to in pfSense. On to reading more pfSense docs…
Thanks again for the help. Appreciate it. I'm sure you'll see my firewall posts soon enough. :)
-
For anyone looking for similar assistance. I found this article to be extremely helpful.
https://www.highlnk.com/2014/06/configuring-vlans-on-pfsense/
