Netgate Discussion Forum

    [solved] VLAN and pfsense as KVM guest (no switch)

    Category: L2/Switching/VLANs
    2 posts, 1 poster, 578 views
    lbm_ (last edited by lbm_)

      Hi,

      I'm having difficulties getting my VLANs to work in pfSense.
      My lab setup is as follows:

      KVM host
      KVM guest VM
      KVM guest pfSense

      The KVM host has a bridged interface, which is used by both pfSense and the guest VM, and it's also used for non-VLAN traffic. This interface is not connected to any switch, since traffic is just passing inside the KVM host + KVM guests, and it also has a non-VLAN IP in a different subnet.

      The guest VM's interface is configured as eth0.50.
      pfSense has an interface configured as vtnet1.50, + LAN and WAN (non-VLAN).

      The problem is, I cannot connect to anything related to the VLAN 50 network on pfSense from this guest. If I try to tcpdump, I can see the traffic with VLAN IDs.

      Example:
      From the guest VM, I try a basic ping against the pfSense server, but get no response:

      ping 192.168.50.2
      PING 192.168.50.2 (192.168.50.2) 56(84) bytes of data.
      

      From the KVM host, if I do a tcpdump, I can see the VLAN ID 50..
      vnet7 = virtual interface of the guest VM
      vnet2 = virtual interface of pfSense

       tcpdump -nn -i vnet7 -e vlan
      tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
      listening on vnet7, link-type EN10MB (Ethernet), capture size 262144 bytes
      23:04:34.574633 52:54:00:4e:72:1c > 52:54:00:49:49:69, ethertype 802.1Q (0x8100), length 102: vlan 50, p 0, ethertype IPv4, 192.168.50.13 > 192.168.50.2: ICMP echo request, id 802, seq 171, length 64
      23:04:35.598534 52:54:00:4e:72:1c > 52:54:00:49:49:69, ethertype 802.1Q (0x8100), length 102: vlan 50, p 0, ethertype IPv4, 192.168.50.13 > 192.168.50.2: ICMP echo request, id 802, seq 172, length 64
      23:04:36.622708 52:54:00:4e:72:1c > 52:54:00:49:49:69, ethertype 802.1Q (0x8100), length 102: vlan 50, p 0, ethertype IPv4, 192.168.50.13 > 192.168.50.2: ICMP echo request, id 802, seq 173, length 64
      23:04:37.646491 52:54:00:4e:72:1c > 52:54:00:49:49:69, ethertype 802.1Q (0x8100), length 102: vlan 50, p 0, ethertype IPv4, 192.168.50.13 > 192.168.50.2: ICMP echo request, id 802, seq 174, length 64
      

      tcpdump -nn -i vnet2 -e vlan

      tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
      listening on vnet2, link-type EN10MB (Ethernet), capture size 262144 bytes
      23:05:19.628811 52:54:00:4e:72:1c > 52:54:00:49:49:69, ethertype 802.1Q (0x8100), length 102: vlan 50, p 0, ethertype IPv4, 192.168.50.13 > 192.168.50.2: ICMP echo request, id 802, seq 215, length 64
      23:05:20.652802 52:54:00:4e:72:1c > 52:54:00:49:49:69, ethertype 802.1Q (0x8100), length 102: vlan 50, p 0, ethertype IPv4, 192.168.50.13 > 192.168.50.2: ICMP echo request, id 802, seq 216, length 64
      23:05:21.676749 52:54:00:4e:72:1c > 52:54:00:49:49:69, ethertype 802.1Q (0x8100), length 102: vlan 50, p 0, ethertype IPv4, 192.168.50.13 > 192.168.50.2: ICMP echo request, id 802, seq 217, length 64
      23:05:22.700682 52:54:00:4e:72:1c > 52:54:00:49:49:69, ethertype 802.1Q (0x8100), length 102: vlan 50, p 0, ethertype IPv4, 192.168.50.13 > 192.168.50.2: ICMP echo request, id 802, seq 218, length 64
      23:05:23.724662 52:54:00:4e:72:1c > 52:54:00:49:49:69, ethertype 802.1Q (0x8100), length 102: vlan 50, p 0, ethertype IPv4, 192.168.50.13 > 192.168.50.2: ICMP echo request, id 802, seq 219, length 64
      23:05:24.050950 52:54:00:4e:72:1c > 52:54:00:49:49:69, ethertype 802.1Q (0x8100), length 85: vlan 50, p 0, ethertype IPv4, 192.168.50.13.49370 > 192.168.39.2.53: 46653+ A? 2.debian.pool.ntp.org. (39)
      23:05:24.050974 52:54:00:4e:72:1c > 52:54:00:49:49:69, ethertype 802.1Q (0x8100), length 85: vlan 50, p 0, ethertype IPv4, 192.168.50.13.49370 > 192.168.39.2.53: 56646+ AAAA? 2.debian.pool.ntp.org. (39)
      23:05:24.748613 52:54:00:4e:72:1c > 52:54:00:49:49:69, ethertype 802.1Q (0x8100), length 102: vlan 50, p 0, ethertype IPv4, 192.168.50.13 > 192.168.50.2: ICMP echo request, id 802, seq 220, length 64
      23:05:25.772583 52:54:00:4e:72:1c > 52:54:00:49:49:69, ethertype 802.1Q (0x8100), length 102: vlan 50, p 0, ethertype IPv4, 192.168.50.13 > 192.168.50.2: ICMP echo request, id 802, seq 221, length 64
      

      If I run tcpdump inside pfSense, again I can see the VLAN.

      tcpdump -i vtnet1 -e vlan
      tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
      listening on vtnet1, link-type EN10MB (Ethernet), capture size 262144 bytes
      23:08:35.175036 52:54:00:4e:72:1c (oui Unknown) > 52:54:00:49:49:69 (oui Unknown), ethertype 802.1Q (0x8100), length 102: vlan 50, p 0, ethertype IPv4, 192.168.50.13 > 192.168.50.2: ICMP echo request, id 813, seq 140, length 64
      23:08:36.199005 52:54:00:4e:72:1c (oui Unknown) > 52:54:00:49:49:69 (oui Unknown), ethertype 802.1Q (0x8100), length 102: vlan 50, p 0, ethertype IPv4, 192.168.50.13 > 192.168.50.2: ICMP echo request, id 813, seq 141, length 64
      23:08:37.223215 52:54:00:4e:72:1c (oui Unknown) > 52:54:00:49:49:69 (oui Unknown), ethertype 802.1Q (0x8100), length 102: vlan 50, p 0, ethertype IPv4, 192.168.50.13 > 192.168.50.2: ICMP echo request, id 813, seq 142, length 64
      23:08:38.246896 52:54:00:4e:72:1c (oui Unknown) > 52:54:00:49:49:69 (oui Unknown), ethertype 802.1Q (0x8100), length 102: vlan 50, p 0, ethertype IPv4, 192.168.50.13 > 192.168.50.2: ICMP echo request, id 813, seq 143, length 64
      

      I cannot see any blocks in the firewall log in pfSense.

      Any suggestions ?

      lbm_ (last edited by)

        I'm not really sure exactly what was wrong...

        I've started from scratch, and came to the same or new issues. Doing troubleshooting, I found that the broadcast address was way off, which I did not really understand. I then found that the VLAN interface was created as /32 CIDR, which it defaults to, so it's highly important to remember to change this. 😆

        Changed it to /24 CIDR, and then it started working.

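        An added diagnostic (my own example, not code from this thread or from pfSense) that ties the two posts together: it parses `tcpdump -e vlan` lines of the kind shown in the first post and, for a given VLAN interface address in CIDR form, reports whether the pinging host is on-link and what broadcast address the mask yields. The capture lines below are constructed in the same format as the thread's output; the /32 versus /24 comparison shows why the "way off" broadcast address and the missing replies go together.

```python
import ipaddress
import re

# Constructed sample lines, in the format of the `tcpdump -nn -i vnet2 -e vlan` output above.
SAMPLE_CAPTURE = """\
23:05:19.628811 52:54:00:4e:72:1c > 52:54:00:49:49:69, ethertype 802.1Q (0x8100), length 102: vlan 50, p 0, ethertype IPv4, 192.168.50.13 > 192.168.50.2: ICMP echo request, id 802, seq 215, length 64
23:05:24.050950 52:54:00:4e:72:1c > 52:54:00:49:49:69, ethertype 802.1Q (0x8100), length 85: vlan 50, p 0, ethertype IPv4, 192.168.50.13.49370 > 192.168.39.2.53: 46653+ A? 2.debian.pool.ntp.org. (39)
"""

# Matches the VLAN id and the IPv4 src/dst; the optional ".port" suffix covers UDP/TCP lines.
LINE_RE = re.compile(
    r"vlan (?P<vid>\d+), .*?ethertype IPv4, "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\.\d+)? > (?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.\d+)?:"
)


def parse_vlan_frames(text):
    """Return (vlan_id, src_ip, dst_ip) for every tagged frame; untagged lines are skipped."""
    frames = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            frames.append((int(m.group("vid")), m.group("src"), m.group("dst")))
    return frames


def check_reply_path(iface_cidr, frames, vid):
    """For frames on VLAN `vid` addressed to the interface, decide whether the sender is
    on-link (i.e. inside the interface's network, so a reply can go straight back on the
    VLAN). Returns (broadcast address, [(src, on_link), ...])."""
    iface = ipaddress.ip_interface(iface_cidr)
    net = iface.network
    results = []
    for fvid, src, dst in frames:
        if fvid != vid or ipaddress.ip_address(dst) != iface.ip:
            continue  # different VLAN or not addressed to this interface (e.g. the DNS query)
        results.append((src, ipaddress.ip_address(src) in net))
    return str(net.broadcast_address), results


if __name__ == "__main__":
    frames = parse_vlan_frames(SAMPLE_CAPTURE)
    for cidr in ("192.168.50.2/32", "192.168.50.2/24"):  # the default /32 vs the fix
        bcast, res = check_reply_path(cidr, frames, 50)
        print(cidr, "broadcast", bcast, res)
```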
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.