Unable to route between multiple VLAN's on the same uplink port

emiljan · Aug 19, 2019, 3:54 PM

Hello,

I have a ESXI host connected to pfSense via one uplink (igb1) and trying to create a router on a stick topology with that one uplink trunking multiple VLAN's and performing the routing.

My lab topology:

ESXI
-Virtual Switch (Homelab) (Uplink: ESXI:igb1 > pfSense:igb1)
--PORT GROUP (NAME:VLAN-10) (VLAN ID: 10)
--PORT GROUP (NAME:VLAN-20) (VLAN ID: 20)
--PORT GROUP (NAME:VLAN-30) (VLAN ID: 30)
--PORT GROUP (NAME:VLAN-100) (VLAN ID: 100)
--PORT GROUP (NAME:VLAN-122) (VLAN ID: 122)

pfSense:
-Created 5 VLANs
--Tag: igb1.10
--Tag: igb1.20
--Tag: igb1.30
--Tag: igb1.100
--Tag: igb1.122
-Assigned all VLAN interfaces under "interface Assignments"
-Enabled all interfaces and set the default gateway address
-Set Firewall rule to allow-all traffic

I am able to access the internet of the VM's inside of ESXI
I can ping all of the VLAN gateways from the VM's
I am able to ping/connect to any of the VM's within the same port group in ESXI
I am unable to ping or connect to any VM's that are on a different port group/VLAN - i get a error stating it cannot find a route to the destination

I am at a loss and need some assistance with getting the routing between VLAN's working properly.

Thank You,

johnpoz · Aug 19, 2019, 3:55 PM

You understand if you doing port groups on esxi, then there are no tags on pfsense.. I you want pfsense to handle the tags then your port group would be set to 4095 on your vswitch so it doesn't strip tags.

emiljan · Aug 19, 2019, 4:03 PM

Thank you for the quick reply, so i can just use one port group with the VLAN tag set to 4095 and keep my current config in pfSense?

johnpoz · Aug 19, 2019, 4:11 PM

yup as long as your switch the connected to this interface that is corrected to the port group is tagging the traffic, if the port group is 4095 it will not strip tags. You only use 1 port group in such a setup, and your pfsense interface that is connected to this port group has the vlans on it.

emiljan · Aug 19, 2019, 7:02 PM

I created a new port-group with a tag of 4095 in ESXI and added 2 hosts, each from different subnets, and neither has internet access or able to communicate with the other.

johnpoz · Aug 19, 2019, 7:16 PM

2 hosts for what... Your going to have to provide more info..

You mean 2 more vms.. Two boxes via physical connections? Do they get dhcp from pfsense..

do you own research esxi vswitch set to 4095 does not strip tags.. If you want to pass tags for pfsense to handle then that is what you need to set on your vswitch.

jagradang · Aug 22, 2019, 4:36 PM

Ok, I'm assuming you meant your pfsense is a vm inside esxi? Or am I misunderstanding you?

johnpoz · Aug 22, 2019, 5:09 PM

Yes if the pfsense is inside your vm host, ie a vm itself and you want it to handle tags, then the vswitch its connected to that connects it to the real world needs to be set for 4095 if you want pfsense to see the tags.

Is your pfsense external to your host?