multiple networks on the same lan in pfsense by virtual windows server 2016



  • I have a Windows Server 2016 machine and set up pfSense as a Hyper-V VM on Windows Server 2016. It is working with WAN on DHCP and LAN 10.30.2.253.
    I wanted to add more subnets: 10.30.3.253 / 10.30.4.253 / 10.30.5.253.
    I wanted to know whether this works with only one physical LAN, or whether I need a physical LAN for each subnet. I have already created several OPT interfaces; I can reach the server through them, but they don't browse within the same IP range... I already created rules for the subnet but it didn't browse. So my doubt is whether this works or not with only one physical LAN. Thank you.



  • Hi Antonio,

    I've used google translate to translate your post. By the way if you want more responses you should post in English.

    To answer your question, yes you can do what you asked. You need to use VLANs. VLANs will allow you to have multiple subnets running on the same wire and physical NIC. But there are some requirements in order to have it work.

    Requirements:

    • Manageable switch that supports VLANs. In order for VLANs to work you'll need to tell your switch what VLANs each port is allowed to talk to. Ex: port 13 on the switch is allowed to "talk" with VLAN 758 and 759.

    That's the only requirement.

    Here's the basic setup:

    1. Write down on a paper which VLAN is corresponding to each one of your subnets. You can use whatever number for your VLAN between 1 and 4094 (VLAN 0 and VLAN 4095 are reserved and should not be used). There's no rule and you can have your VLAN 1 named VLAN 788 it doesn't matter. Just make sure you write down on a paper all the information before you start configuring anything or you'll get lost. 2 or 3 VLANs are easy to remember but in a virtualized environment you can end up with 10s of VLANs or even more. Use VLANs in a logical way, use common sense, use VLANs when you need to have a different subnet for security reasons. Don't create VLANs that have no use.

    2. Carefully read the manual of your manageable switch, some switches do not accept more than 8 VLANs by default but can have this value modified to leave you enough room for the VLANs you create.

    3. Log on to the manageable switch. Go to the VLAN configuration menu. This changes from vendor to vendor so I suggest you familiarize yourself with your switch management interface by reading the manual. Create your VLANs. Once again use common sense, don't create VLANs just for jolly, you'll find yourself in hell later on when you'll need to pass traffic for each subnet/VLAN you created.

    4. On the physical RJ45 port where you want to plug your PfSense firewall set it to accept ALL the VLANs you created (ex: vlan 758, 759, 760). Your firewall must have an IP for each VLAN in order to act as a gateway, even if you don't intend to send traffic through the firewall.

    5. Now go back to PfSense -> Interfaces -> Assignments and then just below "Interface Assignments" you'll have other sub-menus: "Interface Assignments", "Interface Groups", etc..., "VLANs". Click VLANs. Click the "ADD" button, you should see something like this:

    Parent Interface: this is the physical (can be a virtual NIC as well of course) NIC that will be used. The very one you already configured your switch for at point 4.
    VLAN Tag: choose your number as you see fit between 1 and 4094
    VLAN Priority: VLAN Priority is used for double tagging and Quality of Service. Leave it to zero. !!! This is mainly used by ISP and I'm not the one that can give you the right technical explanation, my knowledge is limited as well and maybe someone on this forum will give you examples when you can modify this setting !!!
    Description: This is very important. This "description" will be used later during the configuration and if you leave it empty you'll get lost. Create an "Excel" sheet with the following columns:

    VLAN ID | Description | Network ID | Subnet mask | First assignable IP (usually the default gateway of your network aka your PfSense IP) | Last assignable IP (the last IP you can assign to a device) | Broadcast address | Hostname | Physical NIC (so that you can easily identify the right network card)

    You will need to identify which VLAN you assign to the OPT interface you will create now. Examples of good descriptions: "Customers WIFI network", "ESXi Datastore network", "VM traffic network", etc... Just make sure you'll understand what this network is used for in 1 year when you'll need to modify something.

    6. Once you have created all your VLANs and given them a good description, save the settings. Then go to the "Interface Assignments". This is where you will create your OPT interfaces and assign them to the VLANs you created and linked with a physical NIC in the previous steps. By default you should have at least the "WAN" and "LAN" interfaces assigned to a physical NIC (physical can also be virtual if your PfSense is virtualized). At the bottom you will have the "Add" button and on the left the available VLANs you have created in the steps above. This will create an "OPT" interface "linked" with the VLANs you selected and therefore the physical NIC assigned to this VLAN.

    7. Congratulations, you created your first interface linked to a VLAN. Click on the "Interfaces" menu at the top, you should now see the "OPT" interface you created. Click it so that you can change its settings. Configure as follows:

    Enable: check box

    Description: You can use the same description as for your VLANs. This is the description of the PfSense interface and not the VLAN description, but for obvious reasons they should be named the same. WARNING, this name will be used in the firewall tabs as well so don't go crazy mode and use extremely long names. As soon as you save the changes you'll see in the "Interfaces" menu that your "OPT" interface is now named as your description.

    IPv4 Configuration Type: Choose "Static IPv4". This tells your PfSense how to get the IP address you will assign to your PfSense on this specific VLAN. It will be the default gateway for your computers within this subnet. Honestly I always use "Static" and assign the first usable IP address within the subnet. This doesn't mean you won't be able to use the DHCP server for your computers on this VLAN.

    IPv4 Address: This is the IP you will assign to the PfSense interface. It must reside within the subnet you assigned to the VLANs you created earlier.
    Reserved Networks: un-check "Block private networks and loopback addresses" unless you're configuring your VLAN with IPs that are routable on the Internet. You can leave the "Block bogon networks" checked.

    You can now click the "SAVE" button.

    !!! I strongly recommend you create only 1 VLAN at a time, then create the Interface and assign the VLAN you just created to it and change its settings as in point 7. If you create all the OPT interfaces you might get lost while trying to identify which interface is doing what.

    8. At this point, you have configured your manageable switch so that the port you plug your Pfsense on is configured to accept all the VLANs you want to use. You also configured the first VLAN and interface on your PfSense.

    Now you need to repeat the process in PfSense for each VLAN you want. Create the next VLAN, create the next "OPT" interface and link it with the VLAN you created. Assign a static IP for each new "OPT" interface for each one of your subnets.

    9. You now have multiple "OPT" interfaces, each with an IP within a different subnet, each with a different name and linked with a different VLAN. You can now go to the "Firewall" menu then "Rules". You should have all your "OPT" interfaces. Add the default "Allow" OPT LAN to ANY rule so that you can run tests without the firewall blocking anything.

    Once you have configured your PfSense you can configure the switch for each computer/device. Plug a computer on the switch port you want. Go in your switch management interface and assign a VLAN for this port. This will allow the computer you plug on this port to communicate with machines configured on the same VLAN as long as you put an IP that is in the corresponding subnet. Always refer to your Excel sheet to avoid misconfiguration or you'll waste a lot of time.

    You can then test your configuration with ping. You should be able to ping the default gateway within the same subnet/VLAN and Internet hosts.

    Last step is to configure the DHCP server on your PfSense box for each "OPT" interface so that each VLAN device gets an IP. You can alternatively use the DHCP Relay and link it with your DHCP server (like a Windows Domain Controller). I highly recommend using DHCP Relay and having a single DHCP server within your network where you can configure all the settings. Not using a centralized DHCP can create chaos within your network if you forget that this subnet is already assigned somewhere else within your organization.

    I hope it helps, if you have any troubles don't hesitate,

    Cheers

    Headhunter
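The planning sheet the answer asks for (VLAN ID, network ID, mask, first/last assignable IP, broadcast, gateway, NIC) can be generated and sanity-checked before touching the switch or pfSense. This is an added example, not code from the forum post or from pfSense; the VLAN tags 758-760 follow the answer, the subnets and the .253 gateway addresses follow the question, and `hn0` is an assumed Hyper-V NIC name.

```python
# Added example: build and validate the VLAN planning sheet before configuring anything.
import ipaddress
from dataclasses import dataclass


@dataclass
class VlanPlan:
    vlan_id: int
    description: str
    cidr: str          # subnet for this VLAN, e.g. "10.30.3.0/24"
    parent_nic: str    # pfSense parent interface the VLAN rides on (assumed name)
    gateway: str = ""  # pfSense IP on this VLAN; empty means "first usable IP"


def plan_row(p: VlanPlan) -> dict:
    """Compute the planning-sheet columns for one VLAN and reject invalid entries."""
    if not 1 <= p.vlan_id <= 4094:  # 0 and 4095 are reserved tags
        raise ValueError(f"VLAN {p.vlan_id} is outside the usable range 1-4094")
    net = ipaddress.ip_network(p.cidr, strict=True)  # strict: host bits must be zero
    hosts = list(net.hosts())
    first, last = hosts[0], hosts[-1]
    gw = ipaddress.ip_address(p.gateway) if p.gateway else first
    if gw not in net or gw in (net.network_address, net.broadcast_address):
        raise ValueError(f"gateway {gw} is not a usable host address in {net}")
    return {
        "VLAN ID": p.vlan_id, "Description": p.description,
        "Network ID": str(net.network_address), "Subnet mask": str(net.netmask),
        "First assignable IP": str(first), "Last assignable IP": str(last),
        "Broadcast": str(net.broadcast_address), "Gateway (pfSense)": str(gw),
        "Physical NIC": p.parent_nic,
    }


def build_sheet(plans: list) -> list:
    """Validate the whole plan: unique tags and no overlapping subnets."""
    rows = [plan_row(p) for p in plans]
    tags = [p.vlan_id for p in plans]
    if len(set(tags)) != len(tags):
        raise ValueError("duplicate VLAN tag in plan")
    nets = [ipaddress.ip_network(p.cidr) for p in plans]
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):  # the "already assigned somewhere else" case
                raise ValueError(f"subnets {a} and {b} overlap")
    return rows


# Constructed sample: tags from the answer, subnets and .253 gateways from the question.
SAMPLE = [
    VlanPlan(758, "VM traffic 10.30.3", "10.30.3.0/24", "hn0", "10.30.3.253"),
    VlanPlan(759, "VM traffic 10.30.4", "10.30.4.0/24", "hn0", "10.30.4.253"),
    VlanPlan(760, "VM traffic 10.30.5", "10.30.5.0/24", "hn0", "10.30.5.253"),
]

if __name__ == "__main__":
    for row in build_sheet(SAMPLE):
        print(" | ".join(f"{k}: {v}" for k, v in row.items()))
```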
