basic VLANS - Noob
-
Morning, I am trying to set up a very basic one-VLAN environment for testing before I go ahead and start to split my domain.
After a lot of reading it looks like it comes down to the following steps:
Create the VLAN
Add to the Interface Assignment (fixed IP address)
Set up DHCP for the VLAN
Add a firewall rule for the VLAN for any source to any destination with any ports
Add NAT for outbound traffic for the VLAN
This I did, but for some reason I am only able to ping from any IP address on my VLAN to any IP on my LAN, but I am only able to ping my gateway on my VLAN from my LAN.
Also I am not able to ping any IP address on the internet, or to access any sites.
Is there anything I have missed out?
-
@chrischambers
Please provide settings for your LAN and interfaces screenshot.
-
@rameshk as requested.
-
@chrischambers
I don’t see any issues with your VLAN settings.
How did you connect your PC to VLAN20?
Did your PC get the correct IP address from DHCP?
Could you please send ping results?
-
Do a packet capture on your new pfSense VLAN interface, then ping from a box on the new VLAN.
Do you see ping packets?
Is your outbound NAT set to automatic?
-
@rameshk said in basic VLANS - Noob:
I don’t see any issues with your settings VLAN settings.
How did you connect your PC to VLAN20 ?
Did your PC get correct IP address from DHCP?
I connected my VLAN PC via a UniFi switch, where I set up a LAN 20 and assigned that VLAN to a switch port.
Yes, my VLAN workstation did get the right IP address.
-
@rameshk yes, I am able to ping both sides from the pfSense packet capture.
-
So you have 1 port in vlan 20.. Where did you tag that in your unifi setup?
Since you have this connected to pfsense via igb1, the port on your unifi switch would need to have lan (vlan 1 I take it) untagged. While your vlan 20 would be untagged.
Ports connected to pc that you want in vlan 20 would be untagged.
pfsense (igb1) -- (vlan 1U,20T) -- (portX) unifiswitch (portY) -- 20U -- PC
You're showing only 1 port on your switch in vlan 20, and is that tagged or untagged? What is port 15 connected to?
-
@johnpoz said in basic VLANS - Noob:
So you have 1 port in vlan 20.. Where did you tag that in your unifi setup?
Since you have this connected to pfsense via igb1, the port on your unifi switch would need to have lan (vlan 1 I take it) untagged. While your vlan 20 would be untagged.
Ports connected to pc that you want in vlan 20 would be untagged.
OK, I think I understand your question. If you look below you will see that I have defined a VLAN "Testing only" and assigned VLAN 20 to it, and then assigned this to port 15 on the switch.
Yes, the link from pfSense to the switch is connected via igb1, and on the switch I have the port profile set to All, to allow all traffic through it.
I am not sure what you mean by "Untagged"?
-
@chrischambers
Looking at your image of the UniFi settings, there is a misconfiguration of interfaces in the UniFi controller. As John mentioned, please revisit the VLAN settings.
-
@rameshk said in basic VLANS - Noob:
misconfiguration of interfaces
Can you please explain, as I can't see this "misconfiguration of interfaces"? As I understand it, you create the VLAN on the switch and then assign it to the port.
-
@chrischambers said in basic VLANS - Noob:
I have the port profile set to All,
How is pfsense to know what is vlan 1 (lan) or vlan 20? For pfsense to know what traffic is what, the traffic is either tagged or untagged.
In this case since lan is native on the igb1 interface it would be untagged. Since you added vlan 20 to this same interface this traffic has to be tagged. You need to edit unifi to tag the vlan 20 traffic when it sends it to pfsense port.
-
@chrischambers
Currently my UniFi controller is offline due to experimenting with VPN and other activities. I will get you more information once I reconnect it.
-
@johnpoz said in basic VLANS - Noob:
@chrischambers said in basic VLANS - Noob:
I have the port profile set to All,
How is pfsense to know what is vlan 1 (lan) or vlan 20? For pfsense to know what traffic is what the traffic is ether tagged or untagged.
In this case since lan is native on the igb1 interface it would be untagged. Since you added vlan 20 to this same interface this traffic has to be tagged. You need to edit unifi to tag the vlan 20 traffic when it sends it to pfsense port.
Sorry if this all sounds a bit dumb, but I am trying to get my head around this: I thought that when you enter a number for the VLAN, in my case 20, and this matches the VLAN on pfSense, then this is the tagging.
-
No that just creates a vlan.. Where do you say when it's tagged or not tagged?
Untagged or Native is when that traffic has no tag on it.. like when connected to a pc.. Or when you're sending that traffic to a device that has multiple vlans on it.. Like a port on pfsense, or AP etc..
1 vlan, can be untagged or native. Any other vlans on that port need to be tagged.. So the router, the other switch the AP, etc. can tell the traffic apart.
Since you are having more than 1 network(vlan) on your igb1.. 1 vlan can be untagged (lan) and the other vlan 20 has to be tagged..
https://help.ui.com/hc/en-us/articles/222183968#3
VLAN Tagging.
To be honest, the docs for UniFi to work with other devices and tagged or untagged seem hard to find.. They used to have a doc when working with other switches.. But can not seem to find it..
From what I can tell if set to all, vlan 1 would be untagged.. Any other vlans would be tagged.. So the port connected to pfsense should be set to ALL, and then other port connected to PC would be just vlan 20..
Does your client on this port get dhcp from vlan 20 on pfsense? If so that is working correctly most likely.. But you should really be able to see what vlans are tagged and untagged on what ports..
-
@chrischambers
Don’t worry mate, I have spent hours / days / months with these trying to learn and keep my knowledge updated.
Looking at your details I assume that the connection from your router to switch (trunk) doesn’t carry both VLANs to the switch. Therefore the switch doesn’t have any information about the route back to your router/gateway.
I have attached a sketch below to explain.
-
@rameshk said in basic VLANS - Noob:
Yea, that is my setup. If I am reading it right, vlan1 is the default traffic and vlan 20 is my test.
-
@chrischambers
Check your settings on the UniFi controller and let us know how it went.
-
@rameshk said in basic VLANS - Noob:
@chrischambers
Check your settings on Unifi controller and let us know how it went.
OK, I am still having the same issues. I did watch a video about tagging and untagging, but he was creating a DHCP on the switch and not passing the DHCP range through a VLAN.
I did try creating a profile setting the Native network, but this didn't work as I got the same results: I was able to ping from VLAN to anything, but not from LAN to VLAN.
And here is a little picture of my network, showing where my DHCP servers are.
-
If your client is getting dhcp from your dhcp server for vlan 20... This means your tagging is correct.. Or your traffic would never hit the vlan dhcp server.
Not being able to ping some device on vlan 20.. You sure there is no firewall on this device. Out of the box windows for example is not going to allow some device from anything but its local network to ping it.
Simple sniff on pfsense vlan 20 interface while you ping the vlan 20 pc IP from lan.. Do you see the ping request go out?
That pic of tagging makes NO sense.. What port is that on.. You're saying vlan 20 is native.. but then you say tag all?
edit: One last time..
P1 on your switch vlan 1 (lan) untagged. Vlan 20 Tagged. Port 15.. Vlan 20 untagged..
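The tagging rules johnpoz lays out in this thread (one native VLAN untagged on the trunk, every other VLAN tagged, and the PC's port 15 untagged in VLAN 20), as an added Python model that is not from the thread or from pfSense/UniFi: it builds and parses 802.1Q frames and traces where a ping reply from the VLAN 20 PC lands on pfSense for a correct trunk versus the two misconfigurations discussed. The interface names igb1 and igb1.20 come from the thread; the MAC addresses and the trunk/port layouts passed to the functions are constructed assumptions.

```python
import struct

# Constructed model: pfSense owns igb1 (native LAN, VLAN 1 untagged) and igb1.20
# (VLAN 20, tagged). The UniFi port facing pfSense is the trunk; port 15 faces the PC.
ETHERTYPE_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800

def build_frame(dst, src, vid=None, payload=b""):
    """Build an Ethernet frame. vid=None produces an untagged (native) frame."""
    header = dst + src
    if vid is None:
        return header + struct.pack("!H", ETHERTYPE_IPV4) + payload
    tci = vid & 0x0FFF                      # PCP=0, DEI=0, 12-bit VLAN ID
    tag = struct.pack("!HH", ETHERTYPE_8021Q, tci)
    return header + tag + struct.pack("!H", ETHERTYPE_IPV4) + payload

def vlan_id(frame):
    """Return the 802.1Q VLAN ID carried by a frame, or None if it is untagged."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_8021Q:
        return None
    return struct.unpack("!H", frame[14:16])[0] & 0x0FFF

def switch_egress(vid, native_vid, tagged_vids):
    """How a switch port sends a frame from VLAN vid: 'untagged', 'tagged' or 'dropped'."""
    if vid == native_vid:
        return "untagged"
    if vid in tagged_vids:
        return "tagged"
    return "dropped"                        # VLAN not a member of this port

def pfsense_ingress(frame, parent="igb1", native_vid=1, vlan_ifaces=(20,)):
    """Which pfSense interface a frame arriving on the trunk lands on, or None if dropped."""
    vid = vlan_id(frame)
    if vid is None:
        return parent                       # untagged -> native LAN interface
    if vid in vlan_ifaces:
        return f"{parent}.{vid}"            # tagged -> matching VLAN sub-interface
    return None                             # tag with no VLAN interface: discarded

def ping_reply_path(trunk_native, trunk_tagged, pc_vid=20):
    """Trace a LAN -> VLAN 20 ping reply: the PC answers untagged on port 15, the switch
    forwards it over the trunk to pfSense. Returns the receiving pfSense interface or None."""
    how = switch_egress(pc_vid, trunk_native, trunk_tagged)
    if how == "dropped":
        return None                         # trunk does not carry VLAN 20 at all
    vid = pc_vid if how == "tagged" else None
    reply = build_frame(b"\x00\x11\x22\x33\x44\x55", b"\x66\x77\x88\x99\xaa\xbb", vid)
    return pfsense_ingress(reply)
```

With VLAN 20 tagged on the trunk the reply reaches igb1.20; with VLAN 20 as the trunk's native VLAN it arrives untagged on igb1 (the LAN side, which is why pfSense never sees it on the VLAN interface), and if the trunk carries only VLAN 1 it is dropped.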