PFsense and Vlans



  • Hi,

    I'd like to try this out, but could you tell me if it's possible?
    I'd like to create 2 vlans, 1 for the office part of the building and 1 for the visitors part of the building. (which are totally separated from each other)
    We have a computer with 2 nics inside it. (1 for wan and 1 for lan)

    • Is it possible to create a vlan with just 1 nic?
    • Is it possible to separate the 2 vlans?
    • Is it possible to lower the speed on vlan 1, but not on vlan 2?

    We have switches that support vlans.

    Thanks



  • @reyntjensw:

    • Is it possible to create a vlan with just 1 nic?

    Yes.

    • Is it possible to separate the 2 vlans?

    You mean with firewalling? Yes.

    • Is it possible to lower the speed on vlan 1, but not on vlan 2?

    Via traffic shaping, yes.

    db



  • I've still got some questions :

    • Could you use traffic shaping on just 1 vlan?
    • Is it also possible to use different IP addresses in different vlans? (different range from 1 vlan to another)
    • Is there a possibility to use the pfsense as a hotspot system where people on 1 vlan can buy cards for a limited time to surf the internet?
    • Do you need a special nic to work with vlans or is a simple nic good enough? (in the pfsense system)


  • @reyntjensw:

    • Could you use traffic shaping on just 1 vlan?

    Yes.

    • Is it also possible to use different IP addresses in different vlans? (different range from 1 vlan to another)

    I believe it's necessary, but definitely possible.

    • Is there a possibility to use the pfsense as a hotspot system where people on 1 vlan can buy cards for a limited time to surf the internet?

    I guess that depends what kind of functionality you're looking for. Newer versions of m0n0wall have a module that prints out tickets with a PIN or code of some sort that gets the user through the captive portal for a set interval. I imagine that's probably been ported to pfsense, but I don't know for sure.

    • Do you need a special nic to work with vlans or is a simple nic good enough? (in the pfsense system)

    A nic that supports vlan tagging is essentially able to use a slightly larger mtu. A nic that doesn't support vlan tagging can still be used in pfsense on a vlan, but the vlan tag will reduce the effective mtu of the nic.

    db
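As an added example (not code from the original thread or from pfSense itself), the following Python script shows what the reply above describes: how one physical NIC carries several VLANs by inserting and reading a 4-byte 802.1Q tag, and why a NIC whose driver cannot accept frames 4 bytes larger than normal ends up with a smaller usable MTU on its VLAN interfaces. The MAC addresses, payloads and frame sizes are constructed for illustration; FCS bytes are left out of the size arithmetic.

```python
import struct

TPID_8021Q = 0x8100        # EtherType value that announces an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800
ETH_HEADER_LEN = 14        # dst MAC (6) + src MAC (6) + EtherType (2)
VLAN_TAG_LEN = 4           # TPID (2) + TCI (2)
UNTAGGED_MAX_FRAME = 1514  # 14-byte header + 1500-byte payload, FCS excluded


def build_frame(dst, src, payload, vlan_id=None, pcp=0):
    """Build an Ethernet II frame carrying an IPv4 payload.

    With vlan_id set, a 4-byte 802.1Q tag is inserted after the source MAC,
    which is what a VLAN subinterface does to every frame it sends."""
    if not 0 <= pcp <= 7:
        raise ValueError("PCP must be 0..7")
    header = dst + src
    if vlan_id is not None:
        if not 1 <= vlan_id <= 4094:
            raise ValueError("VLAN ID must be 1..4094")
        tci = (pcp << 13) | vlan_id          # DEI bit (bit 12) left clear
        header += struct.pack("!HH", TPID_8021Q, tci)
    header += struct.pack("!H", ETHERTYPE_IPV4)
    return header + payload


def parse_frame(frame):
    """Return (vlan_id or None, pcp, inner EtherType, payload).

    vlan_id is None for an untagged frame, i.e. one that belongs to the
    parent interface (the untagged LAN) rather than to a VLAN."""
    if len(frame) < ETH_HEADER_LEN:
        raise ValueError("frame too short for an Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != TPID_8021Q:
        return None, 0, ethertype, frame[ETH_HEADER_LEN:]
    if len(frame) < ETH_HEADER_LEN + VLAN_TAG_LEN:
        raise ValueError("truncated 802.1Q tag")
    tci, inner_type = struct.unpack("!HH", frame[14:18])
    return tci & 0x0FFF, tci >> 13, inner_type, frame[18:]


def demux_by_vlan(frames):
    """Sort frames received on one physical NIC into per-VLAN buckets.

    This is how a single NIC serves several VLANs: the tag, not the cable,
    decides which logical interface a frame belongs to."""
    buckets = {}
    for frame in frames:
        vlan_id, _pcp, _ethertype, payload = parse_frame(frame)
        buckets.setdefault(vlan_id, []).append(payload)
    return buckets


def effective_mtu(nic_max_frame, tagged):
    """Largest IP packet the interface can send without fragmentation.

    nic_max_frame is the biggest frame (FCS excluded) the NIC/driver passes.
    A tag-aware NIC accepts UNTAGGED_MAX_FRAME + 4 bytes, so VLAN traffic
    keeps a 1500-byte MTU; a NIC limited to 1514 bytes loses the 4 tag
    bytes from the payload and is left with 1496."""
    overhead = ETH_HEADER_LEN + (VLAN_TAG_LEN if tagged else 0)
    return nic_max_frame - overhead


if __name__ == "__main__":
    # Constructed sample traffic on one NIC: VLAN 10, VLAN 20 and untagged LAN.
    bcast = b"\xff" * 6
    host = bytes.fromhex("001122334455")
    frames = [
        build_frame(bcast, host, b"office-dhcp-discover", vlan_id=10),
        build_frame(bcast, host, b"visitor-dhcp-discover", vlan_id=20, pcp=1),
        build_frame(bcast, host, b"untagged-lan-arp"),
    ]
    for vlan_id, payloads in demux_by_vlan(frames).items():
        label = "VLAN %d" % vlan_id if vlan_id is not None else "untagged"
        print(label, payloads)
    print("tag-aware NIC, VLAN MTU:", effective_mtu(UNTAGGED_MAX_FRAME + 4, True))
    print("tag-unaware NIC, VLAN MTU:", effective_mtu(UNTAGGED_MAX_FRAME, True))
```

The practical check this suggests: if a VLAN interface on pfSense shows an MTU of 1496 instead of 1500, the NIC or its driver is not tag-aware, and large packets will be fragmented or silently dropped.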



  • What nic do I have to choose that works with vlan tagging?
    Will this nic work (D-Link - NIC PCI 32-bit - 10/100/1000 Mbps auto-sensing)?



  • http://m0n0.ch/wall/hardware.php

    Check the section "VLAN tagging".

    Note that m0n0wall 1.3 is based on FreeBSD 6.x, as is pfsense 1.2, so any of those NICs should be supported. You can search the hardware that corresponds to those drivers here:
    http://www.freebsd.org/releases/6.2R/hardware-i386.html

    db



  • I've set up a vlan test setup with a procurve 1800 switch and a pfsense firewall (pc).
    The setup looks like this:

    • vlan 10 : port 1-10 incl 22 -> connection fw
    • vlan 20 : port 10 - 18 incl 22 -> connection fw
    • vlan 30 : port 19 - 21 incl 22 -> connection fw
      As in these examples (http://pfsense.comuf.com/mysetup/index.html), I've set up my switch and firewall, but there is a problem:
      I can't get the dhcp server delivering IP addresses to vlan 10, 20 or 30; at the dhcp tab, I've filled in correct data.
      vlan 10 : 192.168.10.10 - 192.168.10.240
      vlan 20 : 192.168.20.10 - 192.168.20.240
      vlan 30 : 192.168.30.10 - 192.168.30.240

    There must be a dhcp server in each vlan, could someone tell me what I need to do?



  • I don't have VLAN capable hardware so can't advise you from experience, but here's what I would look at:

    I presume you have DHCP server enabled on each of the VLAN interfaces.
    (From web GUI, Services -> DHCP Server, click on appropriate interface tab and ensure there is a tick in the box Enable DHCP Server on … interface)

    I presume you are not restricting DHCP to particular MAC addresses.

    It may be that you will also need firewall rules to pass DHCP traffic. To me, this is an area where things are non-intuitive. If you enable DHCP server on the LAN interface then the appropriate firewall rules seem to get generated automatically. If you have an interface bridged with LAN then there is no option under DHCP server to enable DHCP service on the interface bridged with LAN, the firewall blocks DHCP traffic on the interface bridged with LAN and there is no hint that you will need to add your own firewall rules for that interface to pass DHCP traffic.



  • I've looked at all the things you told me, but I don't think my settings are wrong so I'll post some screenshots.
    The firewall configuration is for each vlan the same and the dhcp configuration is also the same, I only use different subnets.

    So does anyone see my error?

    ![Afbeelding 4.png](/public/imported_attachments/1/Afbeelding 4.png)
    ![Afbeelding 10.png](/public/imported_attachments/1/Afbeelding 10.png)
    ![Afbeelding 11.png](/public/imported_attachments/1/Afbeelding 11.png)
    ![Afbeelding 12.png](/public/imported_attachments/1/Afbeelding 12.png)
    ![Afbeelding 14.png](/public/imported_attachments/1/Afbeelding 14.png)
    ![Afbeelding 15.png](/public/imported_attachments/1/Afbeelding 15.png)



  • You really shouldn't have tagged and untagged traffic on the same interface. It'll usually work, but it's bad practice and can lead to weird issues. It's not the cause of your trouble, but I'd move the LAN onto a VLAN.

    I think your problem is probably that you only have a firewall rule to allow TCP traffic. Change that to any and it should work. If you really do want to block other types of traffic you'll at least need to create rules for DHCP and ICMP would be a good idea as well.
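As an added example (not from the original thread and not pfSense's own rule engine), the Python script below models the point in the reply above: with a rule set that only passes TCP, the very first thing a new client sends, a DHCP DISCOVER, is blocked, and so is ICMP. It evaluates constructed client traffic against three constructed rule sets: TCP only, pass any, and an explicit set that allows DHCP and ICMP alongside TCP. Subnets, addresses and rule names are assumptions for the example; note that the DISCOVER has source address 0.0.0.0, so a DHCP rule scoped to the VLAN's own subnet would not match it either.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str                      # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None     # None for ICMP


@dataclass(frozen=True)
class Rule:
    action: str                     # "pass" or "block"
    proto: str                      # "tcp", "udp", "icmp" or "any"
    src: str                        # CIDR or "any"
    dst: str                        # CIDR or "any"
    dport: Optional[Tuple[int, int]] = None   # inclusive range, None = any port


def _addr_matches(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def _rule_matches(rule, pkt):
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    if not (_addr_matches(rule.src, pkt.src) and _addr_matches(rule.dst, pkt.dst)):
        return False
    if rule.dport is not None:
        lo, hi = rule.dport
        if pkt.dport is None or not lo <= pkt.dport <= hi:
            return False
    return True


def verdict(rules, pkt):
    """First matching rule wins, as with pfSense interface rules; an
    interface with no matching rule blocks by default."""
    for rule in rules:
        if _rule_matches(rule, pkt):
            return rule.action
    return "block"


def audit(rules, packets):
    """Map each named packet to the verdict the rule set gives it."""
    return {name: verdict(rules, pkt) for name, pkt in packets.items()}


# Constructed traffic from a freshly connected office client on VLAN 10.
VLAN10_NET = "192.168.10.0/24"
CLIENT_TRAFFIC = {
    # The client has no address yet: src 0.0.0.0, dst broadcast, UDP 68 -> 67.
    "dhcp_discover": Packet("udp", "0.0.0.0", "255.255.255.255", 67),
    "dhcp_renew":    Packet("udp", "192.168.10.50", "192.168.10.1", 67),
    "ping_gateway":  Packet("icmp", "192.168.10.50", "192.168.10.1"),
    "http_out":      Packet("tcp", "192.168.10.50", "203.0.113.10", 80),
}

# Rule set 1: only TCP from the VLAN subnet, the situation the reply suspects.
TCP_ONLY = [Rule("pass", "tcp", VLAN10_NET, "any")]

# Rule set 2: the "change it to any" fix.
PASS_ANY = [Rule("pass", "any", "any", "any")]

# Rule set 3: restrictive but workable. DHCP needs source "any" so that the
# 0.0.0.0 DISCOVER matches; ICMP is passed for basic troubleshooting.
EXPLICIT = [
    Rule("pass", "udp", "any", "any", (67, 68)),
    Rule("pass", "icmp", VLAN10_NET, "any"),
    Rule("pass", "tcp", VLAN10_NET, "any"),
]

if __name__ == "__main__":
    for name, rules in (("tcp_only", TCP_ONLY), ("pass_any", PASS_ANY), ("explicit", EXPLICIT)):
        print(name, audit(rules, CLIENT_TRAFFIC))
```

This models only the rules a user writes in the GUI. pfSense also adds hidden rules of its own for DHCP on interfaces where its DHCP server is enabled (the earlier reply observed this for LAN), so on a real box the explicit UDP 67/68 rule matters mostly when that server is not enabled on the interface or when the interface is bridged.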



  • So I've changed the firewall rules, but that didn't change a thing, the vlans still don't receive an IP address.

    I have to say that I didn't create a trunk on my switch, I just added the router connection port to each vlan. Could that be it?



  • Some things to try.

    Allow all protocols on vlan1 in firewall

    Create trunk on pfsense's port in switch.

    Merge LAN with a vlan (or create a new vlan for it).

    Confirm that your pfsense LAN NIC supports vlan tagging.

    Apply all changes and try again. If that still doesn't work then run tcpdump or wireshark on pfsense or the machine that is trying to get dhcp. You can do this on the pfsense console thus:

    tcpdump -n -i vr1

    and watch for dhcp traffic. ctrl-c will stop it. Paste the output here if you're not sure what to make of it.

    db
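As an added example (not from the original thread), the Python script below turns two of the checks in the reply above into code: it validates the switch-side membership of the port that faces pfSense (the port must be a tagged member, i.e. a trunk, of every VLAN it routes, which is what the previous post admits was missing), and it triages a tcpdump capture by counting DHCP requests and replies per VLAN tag to say where to look next. The switch tables and the tcpdump lines are constructed for the example and only approximate real tcpdump formatting; the port numbers loosely follow the earlier post.

```python
import re

# Constructed lines in the style of "tcpdump -n -e -i vr1"; the -e flag makes
# tcpdump print the 802.1Q tag ("vlan 10") of tagged frames.
SAMPLE_TCPDUMP = """\
10:00:01.000001 00:11:22:33:44:55 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 346: vlan 10, p 0, ethertype IPv4, 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:11:22:33:44:55, length 300
10:00:01.002000 00:0c:29:aa:bb:cc > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 346: vlan 10, p 0, ethertype IPv4, 192.168.10.1.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 300
10:00:02.000001 00:11:22:33:44:66 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 346: vlan 20, p 0, ethertype IPv4, 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:11:22:33:44:66, length 300
10:00:03.000001 00:11:22:33:44:77 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 342: 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:11:22:33:44:77, length 300
"""

VLAN_RE = re.compile(r"\bvlan (\d+)")
DHCP_RE = re.compile(r"BOOTP/DHCP, (Request|Reply)")


def triage_dhcp(lines, expected_vlans):
    """Count DHCP requests/replies per VLAN tag and return a finding per VLAN:
    'no_requests' (nothing tagged for that VLAN reached pfSense: switch
    membership, trunk, NIC or cabling), 'no_reply' (requests arrive but
    pfSense never answers: DHCP server not enabled on the VLAN interface or
    firewall), 'ok' (exchange seen, look at the client). An extra
    'untagged' key flags DHCP requests that arrived without any tag."""
    seen = {}
    for line in lines:
        m = DHCP_RE.search(line)
        if not m:
            continue
        v = VLAN_RE.search(line)
        vlan_id = int(v.group(1)) if v else None    # None = untagged frame
        counts = seen.setdefault(vlan_id, {"Request": 0, "Reply": 0})
        counts[m.group(1)] += 1
    findings = {}
    for vlan_id in expected_vlans:
        counts = seen.get(vlan_id, {"Request": 0, "Reply": 0})
        if counts["Request"] == 0:
            findings[vlan_id] = "no_requests"
        elif counts["Reply"] == 0:
            findings[vlan_id] = "no_reply"
        else:
            findings[vlan_id] = "ok"
    if seen.get(None, {}).get("Request", 0):
        findings["untagged"] = "untagged_requests"   # router port is not a trunk
    return findings


def check_router_port(vlan_table, router_port):
    """Validate the switch membership of the port facing pfSense.

    vlan_table maps VLAN id -> {"untagged": set(ports), "tagged": set(ports)}.
    pfSense's VLAN interfaces only see frames that carry a tag, so the router
    port must be a tagged member of every VLAN it routes; being an untagged
    member of more than one VLAN is not a valid configuration at all."""
    problems = []
    untagged_in = sorted(v for v, m in vlan_table.items() if router_port in m["untagged"])
    if len(untagged_in) > 1:
        problems.append("port %d is untagged in several VLANs %s" % (router_port, untagged_in))
    for vlan_id, members in sorted(vlan_table.items()):
        if router_port in members["untagged"]:
            problems.append("VLAN %d: port %d untagged, frames reach pfSense without a tag" % (vlan_id, router_port))
        elif router_port not in members["tagged"]:
            problems.append("VLAN %d: port %d is not a member" % (vlan_id, router_port))
    return problems


# Constructed switch tables. BROKEN: the router port was simply "added to each
# VLAN" as untagged. FIXED: access ports untagged, router port 22 tagged everywhere.
BROKEN_SWITCH = {
    10: {"untagged": set(range(1, 10)) | {22}, "tagged": set()},
    20: {"untagged": set(range(10, 19)) | {22}, "tagged": set()},
    30: {"untagged": set(range(19, 22)) | {22}, "tagged": set()},
}
FIXED_SWITCH = {
    10: {"untagged": set(range(1, 10)), "tagged": {22}},
    20: {"untagged": set(range(10, 19)), "tagged": {22}},
    30: {"untagged": set(range(19, 22)), "tagged": {22}},
}

if __name__ == "__main__":
    for label, table in (("broken", BROKEN_SWITCH), ("fixed", FIXED_SWITCH)):
        print(label, check_router_port(table, 22) or ["ok"])
    print(triage_dhcp(SAMPLE_TCPDUMP.splitlines(), [10, 20, 30]))
```

The two checks complement each other: if the capture shows only untagged DHCP requests, the switch table check will usually point at the router port being an untagged member, and fixing the trunk is the first step before touching DHCP or firewall settings.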



  • Sorry for my late reply, we had some problems with the hardware so the pc had to go in for repair.
    When the pc returned a couple of days ago, it seems that the nic wasn't working as supposed to.

    So we replaced the nics with working ones and everything is working fine now.
    Thanks for the help.

