Quad port Pfsense box - no switch VLAN setup help
-
Hi,
Trying to setup a new pfSense machine with quad port Intel NIC. First installed pfSense without any VLAN setup as follows. Connected laptop directly to LAN port, able to ping pfSense machine, have internet - all good.
WAN - igb0
LAN - igb1Now, I want to create VLANs based off the LAN interface. Following online resources, I created a VLAN with the configuration as shown in this screenshot -- https://drive.google.com/file/d/1rHEEVzGWMUkSq5yVCTQ-7-C4Ky41tKm1/view?usp=sharing
Then on my laptop, I created two static connection profiles.
- Static IP - 192.168.1.2 -- connect to LAN -- everything works.
- Static IP - 192.168.10.2 -- connect to VLAN -- can't ping pfSense box, no internet.
I'm not sure why the 2nd profile doesn't allow me to reach anywhere. I went through forum questions and found many have managed switch added to the mix. I assume, it should be doable with the single standalone machine too w/o the managed switch.
- Is my understanding - machines assigned different static IP to put them on appropriate VLANs - correct ?
- Also, is testing via a laptop (static IP assignment) correct, or does the laptop also needs to understand the VLAN tags etc.?
Any help/pointer is appreciated. Thank you.
-
A pass any rule is automatically placed on LAN. If you create new interfaces, you must create rules on those interfaces to pass any traffic.
You can use the LAN rule as a model.
Yes, the laptop would need to tag and be prepared to receive tagged traffic.
On a mac:
-
Thank you for the quick reply @Derelict.
I do have the firewall rule setup on OPT1 (mimicking the LAN rule - last section in my Google Drive hosted screenshot).
I was testing on a Linux laptop, would give it a try on the Macbook and share results.
-
Do you not have a Switch config page in Interfaces either? I think I'm facing the same issue on an APU2 box where I cannot work out how to add the vlan tag to the LAN interface
-
https://forum.netgate.com/post/944426
-
Interfaces > Assignments - Add the VLAN to the physical interface
Interfaces > Assignments - Create the interface using the select list at the bottom
Edit the interface, enable it, number it
Put the desired firewall rules on the new interface
Enable DHCP servers, etc.
If you have (for some reason) enabled Manual Outbound NAT, add rules for the new interface's source addresses. -
@Derelict This is my interfaces list:
-
OK?
You should see the VLAN in the Available network ports at the bottom like I described. Select it and hit add.
-
@Derelict Nope!
-
Then you haven't added the VLAN to the interface. Use the VLANs tab at the top of that page.
-
@Derelict
Not sure what else I can do beyond this! -
If you want to use VLAN 20 on the GuestNet interface you have already done that. Click on GuestNet, enable it, number it, add rules, DHCP servers, etc.
Whatever is connected to igb1 will need to be expecting traffic tagged with VLAN 20.
Tagged traffic will be on GuestNet. Untagged traffic will be on LAN.
-
Dual topic ... See here
https://forum.netgate.com/topic/158698/port-tagging-on-apu2I think it must be outbound nat , or something really weird.
Edit: He gets a Vlan20 (Guest ip) on his wifi guest.
He can (via Guest WiFi) ping Guest IF , he can ping devices on his Lan (def-gw works)
He cant ping 8.8.8.8 , or anything on INET/Bingo
-
@Derelict - It worked as expected on the Macbook (must be config issue on my Linux laptop). Thanks.
