PFSense & VLANs
-
Hi,
I am relatively new to PFSense so just getting to know and use the product. I have installed the firewall successfully at one location but now the 2nd location has VLANs, so with regards to getting this working with PFSense I am a bit of a novice.
I know how to create my interfaces in PFSense for VLANs but the question I have is regarding the VLAN tagging.
We have a Cisco 4500 switch, would I be right in saying I just need to configure the ports used by the LAN interface on PFSense as trunk mode with the relevant VLANs allowed?
Or do I also have to assign sub IP's to that interface?
Thanks for any assistance given. :)
-
Sub IPs are for Layer 3 interfaces. All you need to do is tag the VLANs on the switch port going to pfSense.
-
Thanks for that reply. Still having fun with this. We tagged the ports on the LAN port that's connected to PFSense, but even with VLANs now enabled on the LAN interface I still cannot get them to work.
Currently the VLANs' IPs are assigned by a Windows DHCP server (not PFSense).
The IP I configured for example in VLAN20 on PFSense is the default gateway that the DHCP server would have assigned. Not totally sure this will work, but I am not in a position to change the DHCP server.
There is an allow rule for VLAN20 traffic configured but we seem to be missing something... This PFSense firewall is virtualised on ESX as well, just to complicate matters...
-
You have to put VLAN 4095 on the ESXi interface to send VLAN tags from the vswitch.
If you just put a VLAN on a virtual interface it will be on that VLAN but untagged from pfSense's perspective. It will be another interface to assign, not a VLAN.
-
Thanks. Not sure I explained it too well, but PFSense sits on ESX 6.5 with 3 virtual switches: one for management, one for WAN and one for LAN.
The LAN virtual switch I had configured with 2 physical network cards for redundancy, and originally I had only assigned one virtual NIC to PFSense for LAN. However, I have now added another virtual NIC (virtual port group) on the LAN switch, tagged it as VLAN40 for wifi, and in PFSense reconfigured the interface assignment to the new vmx2 NIC, and now I am getting basic ping communication. So getting there...
Not sure I need to do anything else with tagging...
-
It depends on how you configure the hypervisor interface.
Unless you put VLAN 4095 on it, the guest will see an interface with untagged traffic on the configured vswitch VLAN.
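To make the tagged-versus-untagged distinction from the replies above concrete, here is an added example (not code from the thread or from pfSense) that parses 802.1Q frames the way a guest NIC would see them and decides which pfSense interface would receive each one. The parent interface name `vmx1` and the VLAN sub-interfaces 20 and 40 are assumptions for illustration; the sample frames are constructed.

```python
import struct

TPID_8021Q = 0x8100   # EtherType that signals an 802.1Q VLAN tag
ETHERTYPE_IPV4 = 0x0800


def parse_frame(frame: bytes):
    """Return (vlan_id, ethertype, payload) for an Ethernet II frame.
    vlan_id is None when the frame carries no 802.1Q tag."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != TPID_8021Q:
        return None, ethertype, frame[14:]
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q header")
    tci, inner_type = struct.unpack("!HH", frame[14:18])
    return tci & 0x0FFF, inner_type, frame[18:]   # VID is the low 12 bits of the TCI


def classify(frame: bytes, parent="vmx1", vlan_ifaces=(20, 40)):
    """Which pfSense interface (assumed names) would receive this frame?
    - untagged frame: the parent interface itself (what a port group with a
      fixed VLAN ID delivers, because the vswitch strips the tag)
    - tagged frame with a configured VID: the VLAN sub-interface parent.VID
      (what a port group set to VLAN 4095 passes through unchanged)
    - tagged frame with an unconfigured VID: no interface, i.e. dropped"""
    vid, _ethertype, _payload = parse_frame(frame)
    if vid is None:
        return parent
    if vid in vlan_ifaces:
        return f"{parent}.{vid}"
    return None


def build_frame(dst_mac: str, src_mac: str, payload: bytes, vid=None) -> bytes:
    """Construct a minimal Ethernet II frame, optionally with an 802.1Q tag."""
    hdr = bytes.fromhex(dst_mac) + bytes.fromhex(src_mac)
    if vid is not None:
        hdr += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)   # priority/DEI left at 0
    return hdr + struct.pack("!H", ETHERTYPE_IPV4) + payload


if __name__ == "__main__":
    # Constructed sample frames: a trunk port carrying VLAN 20 reaching a
    # VLAN 4095 port group (tag kept) vs. a VLAN 40 port group (tag stripped).
    tagged_20 = build_frame("001122334455", "66778899aabb", b"ping", vid=20)
    untagged = build_frame("001122334455", "66778899aabb", b"ping")
    print(classify(tagged_20), classify(untagged))   # vmx1.20 vmx1
```

A pfSense VLAN interface configured on top of a port group that already has a fixed VLAN ID will therefore never see matching frames; the parent interface must be assigned directly, exactly as the poster ended up doing with vmx2.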