Needs some advice for VLAN/DMZ

jireland

I have spent many hours trying to get my network setup with VLANS for PFsense. I will include my setup here in case anybody is able to offer me some advice, but to be honest I've kind of had enough of it and looking at cheating. Basically my DSL router is in my house, I have a server in my garage with Proxmox installed and it has a PFsense container. House and garage are connected by 1 cable. I have devices on either end that also need LAN access. (My attached diagram should explain)

I have got so far that i could ping the other servers on Proxmox, but not my PFsense gateway. and PFsense could not get to my Router.

So i was wondering, is it acceptable to use the DMZ setting on my router to "push" the Internet connection to PFsense? Keeping the WAN interface and Router on a different subnet to the rest of the network? Then I could do away with all of the VLAN'ing completely. The frustration in me really wants to crack the vlans but I'm just getting no where.

I would really appreciate any help you can spare me.

johnpoz

I didn't get past tl-sg108, what version of hardware and what version of firmware? Those things do not do vlans correclty - you can not remove vlan 1..

So if your having issues with setting up vlans - that most likely is the problem!

Also not sure how you think running 2 untagged network to your proxmox is going to work.. 1 of those 99, or 10 would need to be tagged at min.

Then you need handle the tagged vlan on pfsenes, or in your proxmox.. You can not send more than 1 untagged vlan over the same physical wire.

Or you would need to break out your 99 and 10 vlans if you want to send both untagged via another interface on proxmox box and 2 ports on your switch.

jireland

@johnpoz said in Needs some advice for VLAN/DMZ:

Also not sure how you think running 2 untagged network to your proxmox is going to work

Thanks very much for replying to my post.....

Yeah, I couldn't figure out if the interfaces in PFsense were working like a dumb client where you need untagged - or if it needed the tags.... I am pretty sure I tried both (I spent 3 hours trying all sorts of combinations). I was finding that with the connections tagged, I would lose connection to the other servers on the Proxmox server. Sitting here telling you that made me realise why, the PFsense server requires the connections to be tagged, but the other guest servers on my Proxmox won't be able to process them, they need untagged. So maybe if I add the VLAN tag 10 to my guest servers network cards it should work.

I'll give that a try tonight.

with regard to my TP-Link version, I cannot tell from here because it uses an awful configuration utility. When I get home from work I will take a look and update. Its reasonably new though so shouldn't be too far behind...

johnpoz

So if recall v3 or v4 of the hardware should be ok.. But v3 would require a firmware upgrade if not current. Not sure about the v4 hardware or past.. You should easy be able to tell if you can remove vlan 1 from ports.

Last I checked v2 of the hardware didn't get the firmware update to be able to remove vlan 1.. So no matte what you were doing with vlans on the thing - it was no better than just running a bunch of l3 over single l2..

You can for sure do what your wanting to do, just need to make sure your switches are doing vlans correctly and you correctly set up tagging and untagged in the proper locations. Not sure on proxmox - but for example in esxi unless you setup 4095 tag on the vswitches inside VM host, it will strip tags, etc.

jireland

Thanks for the info on the switch, i will make sure i update it tonight.

After some further thought, I am going to put another physical network card in the Proxmox Server, connect it to port 3 in my Zyxel switch, and mark that port 'Untagged LAN' traffic. I can use that NIC for my hosted servers that do not support VLAN tagging. The other card I can dedicate to just my PFsense server which needs the ports tagged.

johnpoz

Your virtual pfsense doesn't actually need them tagged.. You can for sure have interfaces as untagged in pfsense 1 connected to wan and other to lan with 2 virtual interfaces in pfsense.

But if your only going to give your pfsense 1 virtual nic - then yeah one of the networks would have to be tagged.

If your going to run 2 interfaces into your host - just bridge 1 to 99, and the other to 10 connected to your switch untagged. And then on pfsense create 2 interfaces one connected to the 99 and the other to the 10.. Then both of those could run untagged into proxmox server.