    VLANs please help

    Routing and Multi WAN
    6 Posts 2 Posters 896 Views
    efny:

      I have never thought of myself as dumb, I fix people for a living, but I am utterly failing at this. I'd appreciate some help.

      This is my setup now:
      Quad LAN Pfsense box (configured as WAN, LAN, OPT1, OPT2)
      Tplink T2600G-28TS managed switch
      I have a Ubiquiti controller running as a VM, and a number of access points. These access points tag WLAN clients to a DMZ VLAN if they are guests.
      The Tplink switch is configured for tagged DMZ VLAN number (say 102) at the Pfsense uplink and the ports that connect to the Wifi APs.
      Pfsense firewall lets the DMZ devices see the internet.
      Everything works.

      Some time ago I acquired an 8-core server on a Supermicro quad-LAN motherboard with IPMI, and I'd like to experiment with this machine.

      I want to make sure that the management port and IPMI are on a different VLAN from the rest of the network, but are still accessible to the desktop machines on the main LAN and nothing else.

      I would appreciate some advice.

      johnpoz (LAYER 8 Global Moderator):

        If you put this server on VLAN X and don't even put any rules on this VLAN interface... LAN would be able to access it, because the default rules are any/any on LAN. And the return traffic is allowed by state. But nothing on the VLAN could access LAN, because there are no rules to allow unsolicited traffic from the VLAN to LAN.

        If you want detailed help, I would suggest you put together a drawing of your network showing your VLANs and the rules you have on each interface.

        Rules are evaluated as traffic enters an interface from the network it's attached to. Top down, first rule to trigger wins; no other rules are evaluated.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

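To make the three points in johnpoz's reply concrete (rules are matched on the ingress interface, top down, first match wins; an interface with no rules blocks everything by default; the reply of an allowed connection is passed by the state entry, not by a rule), here is a small model of that evaluation. It is an added example written for this thread, not pfSense code and not anything from the posters; the interface names, the addressing (192.168.1.0/24 for LAN, 192.168.102.0/24 for "VLAN X") and the packets are constructed. The rules match on subnets, which corresponds to pfSense's "LAN net" alias rather than "LAN address" (the latter is only the interface's own IP).

```python
"""Toy model of pfSense-style stateful, per-interface, first-match rule evaluation.

Added example for this thread; it is not pfSense's implementation. All names,
networks and packets below are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Optional, Sequence


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


@dataclass
class Rule:
    action: str                  # "pass" or "block"
    src: str                     # source network, CIDR (the "LAN net" style alias)
    dst: str                     # destination network, CIDR
    proto: str = "any"
    dport: Optional[int] = None  # None = any destination port

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and self.proto in ("any", pkt.proto)
                and (self.dport is None or self.dport == pkt.dport))


class Firewall:
    def __init__(self, rulesets: Dict[str, Sequence[Rule]]):
        self.rulesets = rulesets  # ingress interface -> ordered rule list
        self.states = set()       # (src, sport, dst, dport, proto) of allowed flows

    def ingress(self, iface: str, pkt: Packet) -> str:
        # 1. State table first: the reply of an allowed flow passes without any rule.
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        if reverse in self.states:
            return "pass (state)"
        # 2. Rules of the ingress interface, top down; the first match decides.
        for rule in self.rulesets.get(iface, []):
            if rule.matches(pkt):
                if rule.action == "pass":
                    self.states.add((pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto))
                return f"{rule.action} (rule)"
        # 3. Nothing matched: implicit default deny.
        return "block (default)"


LAN_NET, VLANX_NET = "192.168.1.0/24", "192.168.102.0/24"  # constructed addressing


def build_firewall(vlanx_rules: Sequence[Rule] = ()) -> Firewall:
    return Firewall({
        "LAN": [Rule("pass", LAN_NET, "0.0.0.0/0")],  # the stock "Default allow LAN to any"
        "VLANX": list(vlanx_rules),                   # empty list = no rules at all
    })


def demo() -> Dict[str, str]:
    desktop, server = "192.168.1.10", "192.168.102.20"   # constructed hosts
    request = Packet(desktop, server, "tcp", 51000, 443)
    reply = Packet(server, desktop, "tcp", 443, 51000)
    unsolicited = Packet(server, desktop, "tcp", 40000, 445)

    fw = build_firewall()
    results = {
        "lan_to_vlan": fw.ingress("LAN", request),            # allowed by the LAN any/any rule
        "reply_via_state": fw.ingress("VLANX", reply),        # no VLANX rule, but a state exists
        "vlan_to_lan_no_rules": fw.ingress("VLANX", unsolicited),
    }
    # Order matters: the same two rules give opposite answers depending on position.
    allow_smb = Rule("pass", VLANX_NET, LAN_NET, "tcp", 445)
    block_all = Rule("block", VLANX_NET, "0.0.0.0/0")
    results["vlan_to_lan_pass_then_block"] = build_firewall([allow_smb, block_all]).ingress("VLANX", unsolicited)
    results["vlan_to_lan_block_then_pass"] = build_firewall([block_all, allow_smb]).ingress("VLANX", unsolicited)
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:30s} {verdict}")
```

Running it shows the LAN-side request passing by rule, the server's reply passing by state even though the VLAN interface has no rules, and the unsolicited connection from the VLAN being dropped by the implicit default deny; the last two lines show that placing a block-all rule above a more specific pass rule silences the pass rule entirely.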
        efny:

          Thanks let me try to explain in a little more detail.

          My pfSense box has several Ethernet ports.
          Let's say eth0 is the WAN uplink, and eth1 is connected to my switch.
          eth1 is assigned to VLAN 101 LAN, as well as 102 LANrestricted and 103 DMZ.
          My TP-Link switch is set to allow VLANs 1, 101, 102, 103 (their version of a trunk port) on the port connected to pfSense.
          Two IP cameras are assigned VLAN 102 "untagged" ports on the switch and should be able to grab DHCP addresses on the LANrestricted interface.
          Right now I have restricted the rules I have to just two rules:
          Pass -> any protocol / any port -> LAN address to LANrestricted address
          Pass -> any protocol / any port -> LANrestricted address to LAN address
          I have replicated both rules on both interfaces.
          I figured if I can't get to the cameras using these minimal rules, I won't be able to do it at all.

          Ultimately, my goal is to have VLAN 102 be restricted to devices that I want to disallow access to the internet, and which can only connect to my NAS that is located on VLAN 101.

          Clearly I'm going wrong somewhere with either rules or VLAN assignments.

          Does this help explain what I have and what my goals are?

          Thanks in advance!

          johnpoz (LAYER 8 Global Moderator):

            @efriedman said in VLANs please help:

            My TPlink switch

            Stop you right there. Which make and model? Their low-end switches are shit... They do not allow you to remove VLAN 1, so they are not much more than trying to run multiple L3 on the same L2.

            Now there is supposed to be a firmware fix, and it does allow you to remove VLAN 1...

            But I wouldn't use those switches if you gave them to me for free when it comes to VLANs.


            efny @johnpoz:

              @johnpoz

              JetStream Gigabit L2 managed switch T2600G-28TS.
              It's not a cheap model; it's supposed to be a 24-port L2 rackmount switch. At the time I was buying it, the reviews and features seemed OK.

              efny:

                I just figured it out. I wasn't setting the PVID of the switch ports correctly. Once I set the PVID of the untagged ports to the same VLAN ID that I wanted packets entering those ports to be tagged with, I was able to connect to the cameras.

                Yet again the need to be explicit in your instructions proves itself.

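The fix efny describes comes down to how an 802.1Q switch treats a frame on ingress: a frame that arrives without a tag is placed in the port's PVID, whatever VLANs the port happens to be an untagged *egress* member of. The model below is an added example written for this thread, not TP-Link or pfSense code; the port names (uplink, cam1, desk), the VLAN ids 101/102/103 from efny's post and the frames are constructed. It shows an untagged camera frame reaching the pfSense uplink untagged (VLAN 1, i.e. the parent interface) when the PVID is left at 1, and reaching it tagged 102 once the PVID matches the camera VLAN, which is what makes the DHCP exchange on the LANrestricted interface possible.

```python
"""Toy model of 802.1Q VLAN membership, PVID and tagging on a managed switch.

Added example for this thread; it is not the switch vendor's or pfSense's code.
Ports, VLAN ids and frames are constructed. Real switches differ in details
(some refuse a PVID the port is not a member of); this model applies the PVID
unconditionally, which is the failure mode the thread describes.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class Port:
    name: str
    pvid: int                  # VLAN assigned to UNTAGGED ingress frames
    tagged: FrozenSet[int]     # VLANs sent with an 802.1Q tag on egress
    untagged: FrozenSet[int]   # VLANs sent without a tag on egress

    def member_of(self, vid: int) -> bool:
        return vid in self.tagged or vid in self.untagged


@dataclass(frozen=True)
class Frame:
    src_port: str
    vid: Optional[int]         # None = arrived untagged on the wire


class Switch:
    def __init__(self, ports: List[Port]):
        self.ports = {p.name: p for p in ports}

    def classify(self, frame: Frame) -> Optional[int]:
        """Ingress: untagged frames get the port's PVID; tagged frames keep their
        tag if the port is a member of that VLAN, otherwise they are dropped."""
        port = self.ports[frame.src_port]
        if frame.vid is None:
            return port.pvid
        return frame.vid if port.member_of(frame.vid) else None

    def forward(self, frame: Frame) -> Dict[str, Optional[int]]:
        """Flood the frame to every other member port of its VLAN and report the
        tag each egress port puts on the wire (None = sent untagged)."""
        vid = self.classify(frame)
        if vid is None:
            return {}
        out: Dict[str, Optional[int]] = {}
        for name, port in self.ports.items():
            if name == frame.src_port or not port.member_of(vid):
                continue
            out[name] = vid if vid in port.tagged else None
        return out


def build_switch(camera_pvid: int) -> Switch:
    """Uplink to pfSense carries 101/102/103 tagged (VLAN 1 untagged); the camera
    port is an untagged member of 102; a desktop port is untagged in 101."""
    return Switch([
        Port("uplink", pvid=1, tagged=frozenset({101, 102, 103}), untagged=frozenset({1})),
        Port("cam1", pvid=camera_pvid, tagged=frozenset(), untagged=frozenset({102})),
        Port("desk", pvid=101, tagged=frozenset(), untagged=frozenset({101})),
    ])


def camera_frame_on_uplink(camera_pvid: int) -> str:
    """How an untagged frame from the camera (e.g. its DHCP discover) shows up
    on the pfSense uplink for a given PVID setting on the camera port."""
    out = build_switch(camera_pvid).forward(Frame("cam1", None))
    if "uplink" not in out:
        return "not forwarded"
    if out["uplink"] is None:
        return "untagged (lands on the parent interface, VLAN 1)"
    return f"tagged {out['uplink']}"


if __name__ == "__main__":
    for pvid in (1, 102):
        print(f"camera port PVID {pvid:3d}: {camera_frame_on_uplink(pvid)}")
    # The reverse direction: a DHCP offer tagged 102 from pfSense reaches cam1 untagged.
    print("uplink tag 102 ->", build_switch(102).forward(Frame("uplink", 102)))
```

With the camera port's PVID left at the default of 1, the camera's untagged frames are flooded into VLAN 1 and arrive at pfSense on the untagged parent interface, where no LANrestricted DHCP server is listening; with PVID 102 they arrive tagged 102 and the reply tagged 102 is stripped back to untagged on the camera port. A quick way to audit this on any switch is to list each access port's PVID next to its untagged VLAN membership and flag every port where the two differ.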
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.