Setting Up a Lab Environment.



  • Hi All.

    Setting up a lab environment to teach myself pfSense and networking.

    The pfSense book advises not using the 'default VLAN', especially for management access.

    SO!

    I have 3 networks in mind for my lab.

    10.0.0.0 /24 - Management and Servers. (VLAN tag 64)
    10.0.1.0 /24 - Corporate - For Desktops and Full time staff (VLAN 100)
    10.0.7.0 /24 - Guest - internet access only. (VLAN 700)

    I have set up a trunk port on my switch with all the VLANs on it. I have assigned an interface on my switch to each of those VLANs.

    What is the best way to set up pfSense so that the LAN interface and web configurator are at 10.0.0.1/24, so that the interface on my switch that is on VLAN 64 can talk to it? Should I set up the VLANs first while installing pfSense, or do it via the web configurator later?

    Thanks in Advance
    Mitch.



  • Hello @Mitch_Sullo,

    AFAIR you can use the default VLAN. But you should not mix untagged and tagged VLANs on one physical pfSense interface.

    Please explain your physical connection. You wrote you configured one trunk port with all VLANs and one interface for each VLAN?
    How many physical interfaces on your pfSense machine do you want to use?

    You can use either the GUI or the web client to set up the pfSense network. I think it's easier to use the web GUI.
    Just set up the VLANs and assign them to a physical interface. Configure IP addresses and connect to the switch. Configure firewall rules to allow management over the 10.0.0.1 IP and connect with this web GUI. After this, delete the old "LAN" interface.



  • Hi Bepo.

    I have 4 physical interfaces available.



  • @bepo said in Setting Up a Lab Environment.:

    But you should not mix untagged and tagged vlans on one physical pfSense interface.

    That's the way trunk ports normally work. Why do you think they shouldn't be mixed? In fact, if you have regular computers and VoIP phones on the same wire, it's the way it's normally done.



    @jknott first: Don't say it's the way a trunk works. A trunk on Cisco is something different than on HP switches. And I am not referring to switches, where you can configure and mix whatever you want.
    On pfSense you should not mix untagged and tagged on a physical interface.

    @jimp said: "That said we always recommend either tagging everything or never tagging on an interface. The best practice is to NOT mix tagged and untagged traffic on the same physical interface"
    Source: https://redmine.pfsense.org/issues/7553



  • @jknott said in Setting Up a Lab Environment.:

    @bepo said in Setting Up a Lab Environment.:

    But you should not mix untagged and tagged vlans on one physical pfSense interface.

    That's the way trunk ports normally work. Why do you think they shouldn't be mixed? In fact, if you have regular computers and VoIP phones on the same wire, it's the way it's normally done.

    Like @bepo said, you will have issues. A few years ago I was doing this and I was having issues with my captive portal, where my LAN subnet wasn't working because I had CP enabled on one of the subnets and the LAN was not tagged.

    Probably not a good idea in any environment, because you could have a native LAN mismatch, especially if you have a multi-vendor environment.



  • @bepo said in Setting Up a Lab Environment.:

    On pfSense you should not mix untagged an tagged on a physical in

    Thanks all for the feedback!

    As mentioned, I have 4 interfaces (I would eventually like to have CARP / HA Sync set up, another battle for another day :D).

    My current implementation steps are:

    1. Set up vlan69 on my switch (Juniper EX2300).
    2. Add port 0 on my switch to vlan69.
    3. Set up a trunk port and add vlan69 to it.
    4. Fire up pfSense.
    5. During setup (CLI), create vlan69 and make that the LAN interface on pfSense (ix0.69).
    6. Then jump on to the GUI and start setting up WAN and the proper configuration.

    So not using or involving the default VLAN from my switch at all.

    Any risks or land mines with setting this up like this? Am I getting this drastically wrong?
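The two rules this thread settles on (keep management off the default/untagged VLAN, and never mix tagged and untagged traffic on one physical pfSense interface) are easy to check before touching a switch or firewall. The following script is an added example written for this page, not code from any of the posters or from the pfSense project; the segment list is constructed from the three networks in the opening post, and the `Segment`/`check_plan` names are my own. It also derives the FreeBSD-style VLAN interface name (`ix0.64`) and the gateway address pfSense would get on each segment, so the output can be compared against what the installer shows.

```python
"""Sanity checks for a pfSense VLAN lab plan (added example, not from the thread)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Segment:
    name: str
    subnet: str          # e.g. "10.0.0.0/24"
    parent: str          # physical pfSense NIC the segment rides on, e.g. "ix0"
    vlan: Optional[int]  # 802.1Q tag; None means untagged (native) on the parent

    def ifname(self) -> str:
        # pfSense (FreeBSD) names a tagged VLAN interface <parent>.<tag>, e.g. ix0.64
        return self.parent if self.vlan is None else f"{self.parent}.{self.vlan}"


def check_plan(segments, management="Management"):
    """Return a list of problems; an empty list means the plan passes every check."""
    problems = []
    seen = []  # (name, ip_network) of segments already validated
    for seg in segments:
        try:
            net = ipaddress.ip_network(seg.subnet, strict=True)
        except ValueError as exc:
            problems.append(f"{seg.name}: bad subnet {seg.subnet!r} ({exc})")
            continue
        # Two segments that share address space cannot be routed between cleanly
        for other_name, other in seen:
            if net.overlaps(other):
                problems.append(f"{seg.name}: {net} overlaps {other_name} {other}")
        seen.append((seg.name, net))
        if seg.vlan is not None and not 1 <= seg.vlan <= 4094:
            problems.append(f"{seg.name}: VLAN id {seg.vlan} outside 1-4094")
        # Rule from the pfSense book quoted in the thread: management never on the default VLAN
        if seg.name == management and seg.vlan in (None, 1):
            problems.append(f"{seg.name}: management must not be on the untagged/default VLAN")
    # Rule quoted from @jimp: a physical interface carries either all tagged or all untagged
    by_parent = {}
    for seg in segments:
        by_parent.setdefault(seg.parent, set()).add(seg.vlan is None)
    for parent, modes in sorted(by_parent.items()):
        if modes == {True, False}:
            problems.append(f"{parent}: mixes tagged and untagged traffic on one physical interface")
    return problems


def gateway_for(seg) -> str:
    """First host of the subnet with its prefix, matching the 10.0.0.1/24 convention in the post."""
    net = ipaddress.ip_network(seg.subnet, strict=True)
    return f"{next(net.hosts())}/{net.prefixlen}"


# Constructed from the three networks listed in the opening post, all tagged on one NIC
LAB_PLAN = [
    Segment("Management", "10.0.0.0/24", "ix0", 64),
    Segment("Corporate", "10.0.1.0/24", "ix0", 100),
    Segment("Guest", "10.0.7.0/24", "ix0", 700),
]

if __name__ == "__main__":
    for seg in LAB_PLAN:
        print(f"{seg.name:11} {seg.ifname():8} {gateway_for(seg)}")
    for line in check_plan(LAB_PLAN) or ["plan OK"]:
        print(line)
```

Adding an untagged "LAN" segment on `ix0` to the list (the old default LAN the second reply says to delete) makes `check_plan` report the tagged/untagged mix, which is exactly the situation the captive-portal anecdote above describes.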



  • @mitch_sullo Sounds correct :-)

