Vlan tagging not working (from dlink switch)



  • I've set up a lab consisting of 1 pfSense FW going to the internet and a LAN consisting of 1 switch and 2 PCs off that switch. The aim is to have the 2 PCs each in their own VLAN (unable to see each other), but both having pfSense as their GW and being able to reach the internet.

    I have set up the pfSense box to have 2 VLANs (2 & 3) on the LAN NIC. On the switch (D-Link DGS1224T) the PCs' designated ports are given their VLAN ID (2 & 3) and set as untagged, and a separate port acting as the VLAN trunk has both VLAN 2 and 3 tagged going to pfSense.

    This seems like such a simple setup, but it doesn't work. I can't reach pfSense from either computer. I'm certain the switch is configured properly as I've tested it and VLANs seem to work in other situations. I've also tried 2 different boxes with pfSense on and it's the same outcome.

    Where am I going wrong?!!!

    Ell



  • Did you create firewall rules?
    Can you post a little more details about your config?

    btw: if it's just about making sure that the two clients cannot see each other, you can do that on the switch itself without going over the pfSense.

    3 VLANs.

    VLAN999, pfSense
    VLAN100, user1
    VLAN200, user2

    VLAN999 member of all ports.
    VLAN100 member of user1 port and pfsense port
    VLAN200 member of user2 port and pfsense port

    pfSense PVID: 999
    user1 PVID: 100
    user2 PVID: 200



  • Hi, thanks for the quick response!  :o

    It is about making sure the clients can't see each other, and I plan on adding a few more in time, but unfortunately I don't have the option to use PVID on this switch, otherwise it would indeed make my life a lot easier.

    I haven't set up any firewall rules yet and the config is pretty much bare minimum as it's a fresh install. All I've configured is IPs on the LAN and WAN ports and assigned VLAN 2 and 3 to the LAN.
    I can reach pfSense without any VLANs on the switch or when all the VLANs are untagged, but as soon as I try and set that port on the switch (the trunk essentially) to use tagging my continuous ping from the client stops.

    The clients are both bog-standard laptops (1 Dell, 1 HP) on the same subnet going through the same D-Link switch. pfSense is a Sun Fire V20z server (this is quite an overkill but, as I said, I was using another smaller box and I thought it might have been a compatibility issue with those NICs and 802.1Q encaps, so I'm now using the Sun). The LAN IP, 10.101.2.19, is both clients' gateway.

    If you need anything more specific just ask.

    Thanks again



  • You should not mix tagged and untagged traffic on the same interface.
    This can lead to fsked up setups where clients can resolve their IPs directly via ARP but are unable to communicate since they are in different VLANs.

    A new interface in pfSense (adding a VLAN is treated as adding a new interface) will be added without any firewall rules.
    Per default anything is blocked, so you will have to create rules to allow traffic between the VLAN-interfaces.

    Why can't you set the PVID on this switch?
    How else are you differing between the clients?



  • @311w3nt:

    The clients are both bog-standard laptops (1 Dell, 1 HP) on the same subnet going through the same D-Link switch.

    In addition to what GruensFroeschli has already mentioned, this is a potential showstopper as well. If you set up separate VLANs, you need to consider them separate networks. Each needs its own subnet and each interface on pfSense needs to be configured on the matching subnet.



  • D'oh.
    I missed that part about the same subnet.
    In this case you would have to bridge the VLANs on the pfSense (which I personally find kind of ugly).

    For me it comes back to: "why can't you do the client separation on the switch itself?"



  • I see what you're both saying and I will rectify these problems (though I don't think I'm mixing tagged and untagged traffic; all tagged traffic is going down one line to pfSense).

    I just wonder if there's more configuration to do on VLANs in pfSense. All I can see is the option to assign a VLAN to an interface. In terms of setting the VLAN's IP, how could I do that? I can't even see how I can set firewall rules per VLAN.

    I'm beginning to wonder if the switch I'm using is just too crap to do anything proper. The way I have to set VLANs is by creating the VID and selecting what ports I want to be tagged (going to a VLAN-capable device), untagged (going to an end user) or not a member. I can have 1 port with multiple tagged VLANs (trunk) but I can't have multiple untagged VLANs on a port.

    So, for example, on the switch, if I set up VLAN 2 and assign it the port for client 1 untagged, and then also set the port going to pfSense untagged in the same VLAN, it works, and that client can see only pfSense and no other clients off that switch. However, if I then want client 2 in VLAN 3 to see pfSense I need to get the trunk going. So I set up the pfSense (trunk) port as having VLAN 2 and 3 tagged. Though the clients still can't see each other, neither can see pfSense.

    I apologize if my examples are a little lame, but as you've probably noticed, I'm fairly new to this.

    Thanks again for the help





  • OK, I'm being pretty stupid. Just realised I hadn't created additional interfaces and assigned them VLANs on the FW!

    Had a play around with it and sure enough it works like a charm!!!

    But… I now have another question:

    Is it possible to do inter-VLAN routing on the firewall? I just need some clients on a VLAN to see one client on another. (I bet you're getting sick of me now  ;)



  • @311w3nt:

    Is it possible to do inter-VLAN routing on the firewall? I just need some clients on a VLAN to see one client on another. (I bet you're getting sick of me now  ;)

    Yes, pfSense will do this without any special configuration. You just need to create rules to allow the traffic.

    There are additional complications if you want Windows networking etc. to work since broadcast traffic won't cross the firewall.



  • Cool, I think I've got everything how I want it now. Thanks all for your help. Time to put it live!  ;D



  • I essentially have the same configuration as 311w3nt.  I am still having trouble with the pfSense configuration of my VLANs.
    Here is my setup:

    NICS         Interface         Addresses                         Gateways

    • rl1   -->  LAN      -->  192.168.11.0/24             -->  192.168.11.254
    • rl1   -->  VLAN3    -->  192.168.12.0/24             -->  192.168.12.254
    • dc0   -->  WAN      -->  1.2.3.4 (example address)   -->  10.1.2.3
    • rl0   -->  DMZ      -->  (not yet configured)        -->  (not yet configured)

    I have a number of hosts on various switches connected to untagged VLAN3 ports.  Each switch that has at least one untagged VLAN3 port also has one tagged VLAN3 port to "trunk" it to the next switch in the chain.  Eventually, the final switch in the chain connects to the pfSense LAN / VLAN3 port as a tagged VLAN3 port.

    Communication between all VLAN3 devices is working fine, but none of them can see the pfSense box at all.
    I have attached images showing my VLAN and firewall settings.  The firewall is opened up for the moment to make sure it is not the problem, but I wonder if my issue lies in the VLAN3 Interface screen...?

    Image 1 - Initial VLAN setup and ID
    Image 2 - Assigning VLAN3 to LAN interface on "rl1"
    Image 3 - VLAN setup screen.  (This is where I might be misunderstanding the settings...)
    Image 4 - Firewall rule allowing any traffic to enter VLAN3
    Image 5 - Firewall rule allowing any traffic out of VLAN3

    I would be grateful for any assistance you can provide.  Thank you.



  • As was stated earlier, it is a bad idea to have untagged LAN and tagged VLAN3 on the same physical interface. Nevertheless, it should work.
    What do you mean "none of them can see the pfSense box at all", how do you check?
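    Added example (not from any poster in this thread): a small diagnostic that parses 802.1Q frames as they would be seen on pfSense's trunk-facing NIC and reports two things discussed above: VIDs arriving on the trunk that have no VLAN interface assigned in pfSense (the missing-interface mistake 311w3nt found, which makes the ping stop the moment the switch port is tagged) and untagged frames mixed in with tagged ones (the setup Eugene and GruensFroeschli warn against). The VID-to-interface map and all frames are constructed sample data.

```python
import struct
from collections import Counter

TPID_8021Q = 0x8100  # EtherType that announces an 802.1Q tag

# Constructed: VLAN interfaces assumed to be assigned on the pfSense LAN NIC.
PFSENSE_VLAN_IFACES = {2: "VLAN2", 3: "VLAN3"}


def build_frame(dst_mac, src_mac, vid=None, ethertype=0x0800, payload=b""):
    """Build an Ethernet frame; with vid set, insert an 802.1Q tag (PCP 0, DEI 0)."""
    hdr = bytes.fromhex(dst_mac) + bytes.fromhex(src_mac)
    if vid is not None:
        tci = vid & 0x0FFF                      # PCP/DEI bits left at zero
        hdr += struct.pack("!HH", TPID_8021Q, tci)
    return hdr + struct.pack("!H", ethertype) + payload


def parse_vid(frame):
    """Return the VID carried by the frame, or None when the frame is untagged."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    if struct.unpack("!H", frame[12:14])[0] != TPID_8021Q:
        return None
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci = struct.unpack("!H", frame[14:16])[0]  # TCI follows the TPID
    return tci & 0x0FFF                         # low 12 bits are the VID


def audit_trunk(frames, vlan_ifaces):
    """Return (untagged_count, {vid: count}, [vids with no pfSense interface]).

    A VID with no interface means pfSense has nowhere to deliver those frames;
    untagged frames next to tagged ones is the mixed setup the thread warns about.
    """
    untagged, seen = 0, Counter()
    for frame in frames:
        vid = parse_vid(frame)
        if vid is None:
            untagged += 1
        else:
            seen[vid] += 1
    unassigned = sorted(v for v in seen if v not in vlan_ifaces)
    return untagged, dict(seen), unassigned


# Constructed capture: clients in VLAN 2 and 3 reaching the gateway over the
# tagged trunk, one untagged frame, and one frame for a VID nobody configured.
SAMPLE_FRAMES = [
    build_frame("000c29aabbcc", "001122334455", vid=2),
    build_frame("000c29aabbcc", "001122334456", vid=3),
    build_frame("000c29aabbcc", "001122334457", vid=3),
    build_frame("000c29aabbcc", "001122334458"),           # untagged
    build_frame("000c29aabbcc", "001122334459", vid=10),   # no VLAN10 interface
]


def run_sample():
    return audit_trunk(SAMPLE_FRAMES, PFSENSE_VLAN_IFACES)
```

    Run against a real capture, a non-empty "unassigned" list tells you which VLAN interface still has to be created and assigned in pfSense before any firewall rule will matter.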



  • Eugene,

    Thanks for your reply.  I do not have any available PCI slots in the box I am using to add another NIC, otherwise I would use it.  My main goal was to make sure I was configuring the VLAN3 interface properly, see "3.jpg".  I have been able to ping the pfSense box now after I changed "TCP" to "Any" on the VLAN3 interface in the firewall, but I cannot get out to the Internet.

    Any further thoughts?

    Thanks again!



  • If you have Internet from the firewall itself then check NAT.



  • Ok, I've got it working.  It ended up not being a NAT issue after all, it was the way I was setting up my VLAN3 interface.

    In the "IP Configuration" section I had entered the pfSense WAN address in the "Gateway" field.  As it turns out I needed to leave that field blank to allow traffic in and out.

    See the attached image details…

    Thanks again for helping me out.


