pfSense and D-Link DGS-3100 VLAN setup issues



  • Hi All,

    I'm having a bit of trouble setting up my home network with pfSense and VLANs at the moment and would like some guidance on what I might be missing or doing wrong with my setup.

    My current setup is as follows, its a flat network with no traffic separation:
    pFsense Visualized with 2 NICs.

    pfSense IP - 192.168.100.1

    em0 - WAN (DHCP)
    em1 - LAN (DHCP - 192.168.100.XXX)

    Layer 2 switch - D-Link DGS-3100-24P

    This setup is working well with no issues. However, I want to separate some of the traffic on my network using VLANs. Below is what I want to achieve:

    VLAN 150 - General (DHCP - 192.168.150.XXX)
    VLAN 200 - Security (DHCP - 192.168.200.XXX)
    VLAN 250 - Management (DHCP - 192.168.250.XXX)

    Below is what I have done so far to try and get this to work:
    1. Create VLAN interfaces on pFsense with em1 as the parent interface.
    pFsense - Interfaces.jpg

    2. Enable all interface in pFsense with associated DHCP settings.
    3. Setup pass all rules in firewall for starting purposes and testing.
    4. Configure D-Link 3100 to identify VLAN Trunk ports (Port 1 and Port 5 - WAP)
    D_LINK - Trunck Port Settings.jpg

    **5.**Setup VLAN tagging in D-Link 3100. Note: I have only shown VLAN 200 setting below as I wanted to test prior to doing all of them.
    D_LINK - VLAN_Settings_1.jpg
    D_LINK - VLAN_Settings_2.jpg

    The issue:

    • When I connect a device to Port 21-24, They do not seem to get a IP address from VLAN 200 subnet. They get a IP from the non VLAN DHCP (192.168.100.XXX).

    Question:

    • What am I missing, do I need to turn off the DHCP on the original LAN interface?
    • I'm a bit confused with the d-link VLAN assignment, maybe I'm not configuring the switch correctly.

    I can ping VLAN 200 interface from my main PC (192.168.100.12), however I cant ping anything else connected to the assigned ports due to missing IP.

    Any guidance, assistance will be much appreciated. I've read through quite a few guides and seems like I'm doing things right, however I have feeling I have missed something with the switch config or pfSense config.


  • LAYER 8 Netgate

    Not sure what that switch does in that case but you have ports 1:21-1:24 listed there in default VLAN 1 (included in 1:1-1:24) and VLAN 200.



  • The D-link doesn't allow me to remove those from the default VLAN unfortunately. The only options available are "Untag" and "Tag".D_LINK - VLAN_Settings_3.jpg


  • LAYER 8 Netgate

    OK, well, you have to figure out how to get the switch to send traffic on VLAN 200 tagged with VID 200 on the port connected to pfSense and it will work as expected.



  • Did a bit more digging and found out that the the DSG-3100 has a firmware update. Which allows removal of ports from the default VLAN.

    Did the update and I have managed to remove port 21-24 from the default VLAN. However, the issue is still there..
    Do I need to modify Port 1 and Port 5 (Trunk ports) on the default VLAN to tagged? I loose connectivity to pfSense when I do this.

    D_LINK - VLAN_Settings_4.jpg


  • LAYER 8 Netgate

    Tagging the default VLAN is nonsensical.

    The way you have pfSense configured, on the switch port connected to pfSense em1:

    The LAN_MAIN VLAN should be untagged and the PVID
    VLANs 150, 200, and 250 should be tagged.

    If you do that it will work.


Log in to reply