Bridging physical interfaces and VLANs, getting DHCP with no routing? Or is it
-
Okay not sure if this is in the right spot, feel free to move it if necessary.
I don't know where to begin.
I built myself a pfSense box a few... a while ago.
Daunted by the thought that I really need to upgrade to gigabit and 64-bit, rather than upgrading the desktop I was using I decided to go out and buy dedicated hardware, the SG-3100. This would also give me the benefit of starting my configuration from scratch (that'll be easy...). I also bought an SG-1100 for use as a travel router, and yes, I really do need gigabit capability for a travel router as I'm getting more into video streaming, for some reason, in a mobile fashion.
Both routers have more or less a similar setup, so if I can solve the problem on one... I can swap it out, retire my old one and take advantage of my higher 250 Mbps Internet speed. Okay, I think I should get on-topic now.
I started playing around with VLANs on my old system and it occurred to me I could create a VLAN that would directly connect me on the LAN to the WAN interface to aid troubleshooting. I've used a handful of ISPs, going from AT&T to Sprint to Comcast (sadly) Business (yah), and wanted to carry that forward into my new configuration.
However, creating firewall rules on each interface is a headache to keep straight, so this seems simple: switch the rules to the bridge interface, right? So this is an attempt to explain the insane structure of a relatively simple and straightforward(?) configuration, to start with, on the SG-1100.
I have a bridge created that is assigned to the LAN and a LAN VLAN on the same port, and I assigned the OPT switch port to the LAN interface. On top of both ports I have a guest VLAN and a test VLAN.
And then I created 4 WAN bridges and assigned them as the primary outbound connections, with plans to sort of virtualize the WAN connections, as I will need to bring in only the physical connection; eventually I'm going to bring in cellular. I figured if I do it this way all I have to do is add something to the WAN bridge, which will make on-the-fly configuration easier for a travel router and simplify management of failover and load balancing.
As part of that I have VLANs 11-14 as WANs on all ports. This will allow me to both bring in and export a WAN to the internal network, since most of the time I will be behind NAT at a hotel, on the Wi-Fi, or on a Wi-Fi hotspot, rarely actually hitting the public Internet directly.
I swapped the firewall rule configuration settings to the bridges. I've been struggling to get this configured, and I think I have everything straightened out to the point where I am getting DHCP on all assigned LANs and VLANs and passed through on the WAN VLANs.
It seems like it wants to work and I think I might've had some issues with firewall rules.
But when I plug a cable into my Linux box (to use LAN0) I get an IP, but I can't ping Google and can't access the web interface.
Plugging into a Mac (to use LAN0), I get an IP, I can ping Google, and I can access the web interface.
On Linux all LANs get IPs but can't transit traffic, and the traffic shows up in the log as blocked.
I haven't tested VLANs on the Mac today, but I am able to use the Internet from the Mac through the router with the Wi-Fi turned off when swapping the cable from the other computer ???
This makes no sense to me! I want to say it's because I have a reserved DHCP assignment for the Mac that it's able to get Internet (I feel like that's a red herring, as I didn't enable any blocking), but that doesn't make any sense, as this seems to be working only on my Macs and not on Windows or Linux boxes, and none of these are virtual machines.
Yes, I know bridging physical ports to a switch will cause a slight speed reduction, and I believe this will be an acceptable trade-off for the reduced equipment count, not needing a separate managed switch. The idea is that I will come in on the WAN port from the hotel's Internet, LAN out to a dumb switch for all wired equipment, and OPT to an AirPort Express for a management/control Wi-Fi for devices and a secure guest SSID. For the time being I will use a spare port on the Express to grab the WAN VLANs for the 2nd and 3rd Internet connections (public Wi-Fi and private hotspot Wi-Fi), with the ultimate goal of integrating a Wi-Fi adapter into the box at some point.
I am sure I will have to clarify everything that I just said; also, please let me know what you'd like me to take screenshots of and upload, as other than uploading the entire configuration file and a screenshot of the VLANs, bridges and rules I don't know where to start.
https://ln2.sync.com/dl/6d3686b10/ywn47qmx-58gz6qci-r23hvpbt-wkbbpurh
-
I have been trying to get this working for two months+ since the package arrived.
New information: I forgot to mention I like to answer my own questions.
So... I might have it working. Turns out the Linux laptop I was using has no DNS server for some reason. Once I realized that and tried a different system it seems to be working. I'm getting some dropped packets transiting. Otherwise I'm getting DHCP leases in a reasonable amount of time and I'm seeing my full 100 Mbit Ethernet bandwidth to the Internet/modem.
The Lawrence Systems videos were somewhat helpful, but nothing that checked all the boxes. It came down to deleting the firewall rules and starting over. If that solved it.
-
edit:
On the SG-3100 I have determined that I did not have the switch ports assigned/enabled to any VLANs, and after that it gave me DHCP on the LAN ports and VLANs. However I still have the issue of some devices getting IPs and some not; on the same laptop, over Wi-Fi nothing, wired something. My travel AP does not support VLANs, so it has to be on the base level. And none of my non-Mac computers seem to be getting DHCP. And I don't know what caused it, but I managed to crash my old router and ALL INTERNET last night plugging in the new one to do a test. I went out and bought 4 managed switches so I could break out all of my VLANs to test, and it was the only easy way to solve ingesting my multiple travel WAN VLANs (local LAN, Wi-Fi, Wi-Fi hotspot, wired LTE modem).
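The symptom in the post above ("gets an IP, can't ping Google") collapses several layers into one complaint, and the eventual cause was a client with no DNS server, not the router. As an added example, not part of the original post or of pfSense, here is a small triage script for a Linux client that separates those layers: did the lease arrive, is the gateway reachable, does traffic transit upstream by IP, and does name resolution work. The `ip`/`ping` invocations assume Linux (`ping -W` in seconds); the probe IP, probe hostname and resolver path are assumptions for illustration, and the `classify` and `resolver_configured` functions work offline on constructed input.

```shell
#!/bin/sh
# Added example, not from the original post: triage a host that has a DHCP
# lease but "no Internet". Separates four layers that the symptom conflates:
# lease, gateway reachability, upstream transit by IP, name resolution.
# Hostnames, IPs and paths are assumptions for illustration.

# Return 0 if the given resolver config names at least one nameserver.
# The post's Linux laptop would fail this check.
resolver_configured() {
    grep -Eq '^[[:space:]]*nameserver[[:space:]]+[0-9A-Fa-f.:]+' "$1" 2>/dev/null
}

# classify GOT_IP GW_OK UPSTREAM_IP_OK NAME_OK   (each "yes" or "no")
# Prints one diagnosis token naming the first layer that failed.
classify() {
    if [ "$1" != yes ]; then
        echo no-lease        # DHCP never answered: VLAN tag, bridge membership or DHCP scope
    elif [ "$2" != yes ]; then
        echo no-gateway      # lease OK, gateway unreachable: bridge/VLAN or a rule on the bridge
    elif [ "$3" != yes ]; then
        echo no-upstream     # gateway OK, no transit by IP: outbound NAT, WAN bridge or upstream
    elif [ "$4" != yes ]; then
        echo dns-only        # packets transit; only name resolution fails (the post's case)
    else
        echo ok
    fi
}

# Run the live probes on this host (Linux iproute2 + ping assumed) and
# print the raw findings followed by the diagnosis token.
triage_live() {
    probe_ip=${PROBE_IP:-1.1.1.1}          # assumption: any address that answers ping
    probe_name=${PROBE_NAME:-google.com}   # assumption: any resolvable name
    resolv=${RESOLV_CONF:-/etc/resolv.conf}
    iface=$(ip route show default 2>/dev/null | awk '/default/ {print $5; exit}')
    gw=$(ip route show default 2>/dev/null | awk '/default/ {print $3; exit}')
    got_ip=no; gw_ok=no; up_ok=no; name_ok=no
    [ -n "$iface" ] && ip -4 addr show dev "$iface" 2>/dev/null | grep -q 'inet ' && got_ip=yes
    [ -n "$gw" ] && ping -c1 -W1 "$gw" >/dev/null 2>&1 && gw_ok=yes
    ping -c1 -W1 "$probe_ip" >/dev/null 2>&1 && up_ok=yes
    ping -c1 -W1 "$probe_name" >/dev/null 2>&1 && name_ok=yes
    echo "iface=$iface gw=$gw lease=$got_ip gateway=$gw_ok upstream_ip=$up_ok name=$name_ok"
    if resolver_configured "$resolv"; then
        echo "resolver: nameserver present in $resolv"
    else
        echo "resolver: no nameserver line in $resolv"
    fi
    classify "$got_ip" "$gw_ok" "$up_ok" "$name_ok"
}

# Usage: sh triage.sh --live   (on the affected client). Without --live the
# functions are only defined, so the file can also be sourced.
if [ "${1:-}" = --live ]; then
    triage_live
fi
```

Reading the token is the point: `no-gateway` on a bridged port points at the bridge/VLAN membership or the rules now living on the bridge interface, `no-upstream` at outbound NAT or the WAN side, and `dns-only` at the client rather than the router, which is where the post's two months ended up.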