Vlans with pfsense and Linksys SLM2048 switch
-
Hey everybody,
Just wondering people's experiences with pfsense and Linksys SLM2048 switches.
I am running pfsense on an old PC for testing with the previously mentioned switch. So far I have had no luck with getting vlans to work between the two.
Pfsense box has 2 NIC, 1 wan, 1 LAN, VLANS 10, 20, 30 configured in pfsense on LAN interface using this tutorial.
http://networktechnical.blogspot.com/2007/04/pfsense-how-to-setup-vlans.html
Firewall rules are set to allow traffic from all LAN (and vlan) interfaces to any destination, WAN has default settings.
To be honest I don't think that this is an issue with my pfsense settings, what is confusing to me is what the switch is asking for. It seems to have 2 or 3 different ways that you can set the vlans, and a number of detailed parameters.
Some params under vlan management are:
-I can create vlans with vlan name and vlan ID (did this for 10, 20, 30)
-ports can be tagged, untagged, excluded on one or more vlans (they are always set as untagged on port 1) for each port individually
-I can set PVID
-I can choose 'all' or 'tagged' as acceptable frame types
-I can turn on or off ingress filtering
At this point these are my pfsense settings:
LAN IP 192.168.0.1 DHCP enabled
vlan10 10.0.10.1 DHCP enabled
vlan20 10.0.20.1 DHCP enabled
vlan30 10.0.30.1 DHCP enabled
and this is my switch settings:
Port 1 uplink to LAN interface (untagged on vlan 1)
port 7-12 tagged vlan 10 (PVID 10, ingress on, acceptable frame type=tagged)
port 13-18 tagged vlan 20 (PVID 20, ingress on, acceptable frame type=tagged)
port 19-24 tagged vlan 30 (PVID 30, ingress on, acceptable frame type=tagged)
I have tried changing around the settings with port 1, and even plugging the uplink onto one of the vlan 10 ports (port 7) and was playing with the settings. I have also tried various changes to the individual port settings (PVID, ingress, etc.). The only results I ever achieved were either no dhcp address or an ip address from the default LAN subnet (192.168.0.0/24), never from the vlan interfaces.
I am about ready to pack it in and look into another router solution. Please help! Thanks for looking this over.
-Steve
-
I don't have any experience with the Linksys switches so can't comment on their particular terminology.
The switch port connected to the pfSense "LAN" physical interface needs to insert VLAN tags in transmitted frames so pfSense can distinguish the various VLANs. So I guess the switch would need to have that interface "tagged" (that is, VLAN tags retained on transmitted frames, VLAN tags present on received frames)
Unless you have done something special in the systems connected to switch ports 7 to 12 these systems will not be using VLAN tags so the switch ports should be configured as "untagged" (that is, no VLAN tags on received frames, VLAN tags stripped on transmitted frames).
Hence I suspect you need to move your pfSense "LAN" link from switch port 1 (since you have said that is always "untagged") and ports 7 to 12 possibly need to have acceptable frame type set to ALL (since "tagged" presumably requires VLAN tags to be present in received frames).
Also, from the web GUI, Status -> System logs, click on the DHCP tab to check that your DHCP requests are seen and on the correct interface. There might be a little bit of a lag before a DHCP request is logged there.
Here's a conceptual outline of how the DHCP request/response might work. (Actual implementation might be a bit different). I've assumed the system on switch port 7 doesn't have VLANs enabled; things will be a little bit different if the system on switch port 7 does have VLANs enabled.
System on port 7 sends DHCP request without VLAN tag. Switch adds VLAN tag (VLAN id=10) to frame, then since it's a broadcast frame sends it to all ports in VLAN 10. The port connected to pfSense has VLAN tags enabled so the frame is forwarded to pfSense with the VLAN id 10. On pfSense the VLAN tag specifies the vlan interface to which the frame is to be given, then the frame goes to the dhcp server which looks up its database to find a free IP available for allocation on the interface, builds a response and sends it on the VLAN interface where the driver adds the VLAN tag (VLAN id=10) and transmits the frame. When the switch receives the DHCP response it looks up its database to find the port corresponding to the destination MAC address in the frame, sees that port is "untagged" so strips the VLAN tag before sending the frame.
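To make the tagged/untagged/PVID/acceptable-frame-type interaction concrete, here is a small model of 802.1Q port handling that traces the DHCP flow described in the reply above against the switch settings posted in the question. It is an added example, not code from either poster or from pfSense; the port parameters, VLAN numbers and the two switch tables are constructed from what the thread states, and the "suggested" table is an assumption about how the reply's advice would be entered.

```python
from dataclasses import dataclass, field

@dataclass
class Port:
    """Per-port 802.1Q settings named in the thread (constructed model)."""
    pvid: int = 1
    tagged: set = field(default_factory=set)    # VLANs transmitted with a tag
    untagged: set = field(default_factory=set)  # VLANs transmitted without a tag
    accept: str = "all"                         # acceptable frame types: "all" or "tagged"
    ingress_filter: bool = True

    def member_of(self, vid):
        return vid in self.tagged or vid in self.untagged

def ingress(port, vid):
    """Classify a received frame; vid=None is an untagged frame. Returns VLAN id or None if dropped."""
    if vid is None:
        if port.accept == "tagged":
            return None          # untagged frame refused by acceptable-frame-type=tagged
        vid = port.pvid          # switch tags the frame with the port's PVID
    if port.ingress_filter and not port.member_of(vid):
        return None              # ingress filtering drops VLANs this port is not a member of
    return vid

def egress(port, vid):
    """How the frame leaves: 'tagged', 'untagged', or None if the port is not a member."""
    if vid in port.tagged:
        return "tagged"
    if vid in port.untagged:
        return "untagged"
    return None

def forward(switch, in_port, vid_in):
    """Flood a frame entering in_port to all member ports; return {port: egress_mode}.
    (A real switch would unicast the DHCP reply after a MAC lookup; with two ports the result is the same.)"""
    vid = ingress(switch[in_port], vid_in)
    if vid is None:
        return {}
    return {p: egress(pt, vid) for p, pt in switch.items()
            if p != in_port and egress(pt, vid) is not None}

# Switch as posted: uplink on port 1 untagged in VLAN 1 only; host port 7 "tagged"
# in VLAN 10 with acceptable frame type = tagged.
AS_POSTED = {1: Port(pvid=1, untagged={1}),
             7: Port(pvid=10, tagged={10}, accept="tagged")}
# As the reply suggests (assumed layout): uplink carries 10/20/30 tagged; host port
# untagged in VLAN 10 and accepting all frame types.
SUGGESTED = {1: Port(pvid=1, untagged={1}, tagged={10, 20, 30}),
             7: Port(pvid=10, untagged={10}, accept="all")}

if __name__ == "__main__":
    print("as posted:", forward(AS_POSTED, 7, None))   # {}  untagged DHCP request is refused
    print("suggested:", forward(SUGGESTED, 7, None))   # {1: 'tagged'}  reaches pfSense on VLAN 10
    print("reply    :", forward(SUGGESTED, 1, 10))     # {7: 'untagged'}  tag stripped toward host
```

Running it shows why the posted settings can never produce a 10.0.10.x lease: the host port refuses the untagged request, and even with "all" frame types the port 1 uplink is not a member of VLAN 10, so nothing tagged 10 ever leaves toward pfSense.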
-
Hi all, I have already asked in this forum some questions about PF and mini-itx systems. I realize that I didn't give enough information to you guys to really help me to choose. So my goal is to train myself with several networking and firewalling concepts that could help me to be a better sysadmin (;-)). In fact, I am a linux sysadmin but I realize that I am completely lost when possible for some kind of installation mechanism that takes into account the type and capacity of media you are trying to use and partition accordingly? We have considered it but unlikely for the first version. It's a lot of work and adds a lot of room for error on 1.2.3. Another little question about PF and EPIA M700 10E mini itx motherboard:
- I really don't know anything about via system but I know that this board have a PCI slot. Is there a nice wireless adapter that is nice to have with PF and that runs on the board?
- If the option of adding a PCI card is not working, can someone give me some hints about a usb wireless solution (like the …
-
I have a mini-ITX board with VIA C3 CPU and CLE-266 chipset. The PCI slot holds a TP-LINK TL-WN651G wireless NIC which uses the Atheros chipset which is well regarded, supported by FreeBSD/pfSense and has given good service for over 16 months.
There are quite a few different brands of Wireless NIC that use a supported Atheros chipset. However be aware that some brands (Linksys, Netgear and DLink among them) change the chipset without changing the model number. For example, the DLink DWL-G630 might use a Marvell chipset (unsupported by FreeBSD/pfSense) or a TI Chipset (unsupported by FreeBSD/pfSense) or an Atheros chipset (supported by FreeBSD/pfSense) or a Ralink chipset (supported by FreeBSD/pfSense). One of the factors in my choice of a TP-LINK card was that they seem to change the model number when they change the chipset, making it easier to know what you are buying.
I have found http://linux-wless.passys.nl helpful in determining what chipset is used in particular products even though that site is focused on Linux. I know of no comparable site with a FreeBSD focus.