VLAN with multiple routers
-
Have a SG-1100 and wanted to try segmenting my network using VLAN tagging. Attached to the LAN port of the SG-1100 is a D-LINK DGS-1100-05 managed switch. Looking at the diagram below, does it make sense? Mainly referring to the use of VLANs. For arguments sake lets say I want to keep VLAN_20 and VLAN_50 from talking to each other, but also allow VLAN_20 devices to talk to VLAN_10.
-
Would I setup VLAN tagging on the DGS-1100 switch and still provide each router in each vlan with it's own subnet OR put them all on the same subnet?
-
Do I also need to setup VLAN tagging in pfSense (because it technically is the router for VLAN_10...right?)?
-
-
Looking at the diagram below, does it make sense?
Yes.
For arguments sake lets say I want to keep VLAN_20 and VLAN_50 from talking to each other, but also allow VLAN_20 devices to talk to VLAN_10.
Access to each VLAN is controlled by firewall rules.
- Would I setup VLAN tagging on the DGS-1100 switch and still provide each router in each VLAN with its own subnet OR put them all on the same subnet?
- Do I also need to setup VLAN tagging in pfSense (because it technically is the router for VLAN_10...right?)?
Since you have a need to firewall your VLANs, you would create your VLANs (10, 20, 40, 50) on PFsense making sure the parent interface is LAN. Then assign each VLAN interface an IP. You then create matching VLANs on the DGS-1100-05 and tag VLAN's 10, 20, 40 and 50 on the interface connected to PFsense.
That's it. All downstream switches from SW_MAIN can be managed or unmanaged depending on your needs, but your switches will all be implemented at layer 2 and PFsense will be the router for the entire network.
-
Ok, so I set up all my VLANs on both pfSense and the D-Link, but it doesn't seem to be working right.
Right now I am just trying to get pfSense to actually see VLAN20 traffic. It seems like all traffic is still being placed on VLAN1 (I think) on the D-Link. My D-Link configuration is:
I have tried various other combinations and this one show seems to be the only one that lets me access my router, d-link switch, pfSense, and the Internet.
Maybe my understanding is wrong, but I thought if I ran a cable from eth2 on the d-link to the WAN port on my TP-Link Archer C5 router (with the setup shown) it would tag all that traffic as VLAN20 traffic.To my knowledge, the TP-Link seems to be VLAN-Unaware. The way I understand it, if the device is VLAN-unaware then I would put eth2 (the port it is plugged into) as "Untagged" with the understanding that "Untagged" mean traffic has not yet been tagged. Yet putting eth2 into "Untagged" gives me router and switch access, but no pfsense or Internet.
Now, pfSense is showing nothing in the Firewall logs. I have a Allow All rule setup for VLAN20 and have it set to log
At this point I don't know if my issues is the router, switch, pfSense, or just my basic misunderstanding...
-
Ok, now we need more specifics. Which port is connected to PFsense? (eth1, eth2, eth3, eth4 or eth5?).
-
The pfSense LAN port is connected to eth1 on the D-Link switch (the SW_MAIN
switch in my drawing). -
Ok. I followed this thread (https://forum.netgate.com/topic/139859/sg-1100-running-real-vlans/35) and it looks like for the SG-1100 there is a VLAN tab under Switches that need the VLAN defined as well. I defined my VLANs there and then saw that my clients on VLAN50 were getting DHCP offers in the correct subnet, but were not ACK.
On that same thread I saw a example of a switch VLAN setup that I was able to somewhat mimic on my D-Link and finally got a client on VLAN50 access to both the internet and pfSense. Now, since VLAN50 is one I am experimenting with right now I would also like for devices on that VLAN to be able to access my D-Link switch.
They can access pfSense (10.0.0.1) but not D-Link switch (10.0.0.2). The Firewall shows were they passed going from 10.0.50.100 (device) to 10.0.0.2 so I don't think it is a FW issue. Here is my current 98% working D-Link config. Any thoughts?
-
Unfortunately, I work on the Cisco side and not familiar with D-Link's interface, but what you want to see is eth1 in the "Tagged VLAN Ports" column for each VLAN. That will allow each VLAN to traverse the link on eth1 to PFsense.
Next, you'll need to assign a VLAN to your access ports for each segment of the network. For example:
You currently have VLAN 50 configured on eth3, but for this example, let's assume the following:
eth1 = uplink to PFsense
eth2 = downlink to SW_SRV
eth3 = downlink to WiFi_Router (10.0.20.1/24)
eth4 = downlink to SW_CAM
eth5 = downlink to WiFi_Router (10.0.50.1/24)You would then assign an untagged VLAN to each port:
eth2 = PVID 10
eth3 = PVID 20
eth4 = PVID 40
eth5 = PVID 50At this point, your downlink switches can be unmanaged or managed to suit your needs.
As far as management on the D-Link, do you have the default gateway set? If not, you will only be able to access the D-Link on VLAN 1.
-
First off, thank you for you help. Been going nuts trying to figure all this out, but i think I finally got it working (all systems are getting IPs in the correct subnet for their VLAN from pfSense). Now to see if I have a basic understanding:
Untagged: So by listing eth2 as untagged in VLAN 10
-
Untaggedd traffic going IN eth2 is added to VLAN 10 (this is because PVID on eth2 is set to 10)
-
Traffic going OUT eth2 has tags stripped because eth2 is untagged (we are saying that the device connected to eth2 does not expect tags)
Tagged: This is the one that confuses me. Basically when traffic enters on eth1, the switch checks for what VLANs eth1 is a "tagged" member of. If the traffic has a VLAN ID that matches a VLAN eth1 is tagged in, the traffic is allowed to pass. If the traffic has no tag or has a tag with a VLAN ID that doesn't match a VLAN eth1 is a tagged member of, then the traffic is dropped. Any traffic exiting eth1 keeps its pre-existing tag or is tagged with the PVID if no tag exists.
So my device can send untagged traffic to eth2, have it tagged as VLAN 10, and then sent out eth1 to pfSense. In order to get any traffic back from pfSense tagged as VLAN 10, I must have eth1 as a "tagged" member of VLAN 10.
This all sound correct?
-