PFSense, VLANs, and an HP Switch
-
I just upgraded to a new switch that is VLAN-capable. I'm planning to create a couple of them and would like for the PFSense box to handle the routing between them and block packets where applicable.
My question is what do I do on the firewall to have it communicate properly? Should I configure a trunk port on the switch and connect that to the pfsense box? Or should it be a normal port that's a member of multiple VLANs and is using tagging for each packet. Also, I'm a Cisco guy, and this is my first experience with an HP switch. So if my terminology is wrong on that part, oops. ;)
Thanks!
-
You're basically right. Create a trunk port (or whatever HP calls it) and create your VLANs on your switch. Then create VLANs on your pfSense box using the same VLAN tags and assigned to the interface you plug into the trunk port. Assign the VLAN'd interfaces to actual interfaces and remember that OPT interfaces are default deny.
-
HPs use tagged and untagged. To (Cisco term) trunk the port, you need to make it tagged, along with the other VLANs that connect to the pfSense box.
-
Ok, I'll try that.
Thanks!
-
Sorry, it's been a while.
I created the VLANs on the switch and on the pfsense box. I then rebooted the pfsense box, and the VLANs are still there. But even though the VLANs show up on the config, I don't have any additional interfaces. I thought when I created the VLANs, each one would be treated as a new interface? Do I have to enable something somewhere else on the pfsense box?
EDIT:
Never mind. I didn't realise that I had to add another OPT iface, then choose the VLAN as the source. I should be good.
Man, and it was only a little further down on the search results page. I need to be more patient. ;D
-
Actually, I do have another question…
For the interface that's connected to the switch. In my case, "LAN" or fxp0, should it be assigned to a VLAN? Or should it still be fxp0?
For example, I currently have 3 VLANs on my switch. "Default" (1), "Internal" (2), and "No_Inet" (3). Right now, all my devices are in #1, but I'm planning to add a couple that won't have internet access, but will be accessible from the internal VLAN(s). Should fxp0 be changed to VLAN1?
I of course will create new DHCP scopes & firewall rules for each VLAN I use.
Thanks!
Edit: Also, the switch side is set as a trunk. Would having the interface be set for fxp0 be the same thing as a trunk on the switch?
-
You should assign a VLAN for your LAN traffic and on the fxp0 interface. It's never a good idea to mix tagged and untagged traffic on the same physical interface.
A 'trunk' is just vendor slang for an interface that carries multiple tagged VLANs. Generally there isn't any untagged traffic on these, and that's the way you should set up pfSense too (ie. LAN traffic is on a tagged VLAN as well). Since in either case the link carries multiple tagged VLANs, I'd still consider it a 'trunk' whether you also have untagged traffic or not.
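To make the tagged/untagged distinction concrete, here is an added example (not code from the thread, from HP or from pfSense) that builds Ethernet frames with and without the 4-byte 802.1Q tag, reads the VID back out, strips the tag the way a switch does on egress to an untagged port, and models how a VLAN-aware port admits an incoming frame: a tagged frame goes to the VID in its tag (only if the port is a tagged member of that VLAN, in this simplified model), an untagged frame goes to the port's single untagged VLAN. The MAC addresses and payload are constructed sample data.

```python
"""802.1Q tag handling: what 'tagged' and 'untagged' mean on the wire.

Added example, not from the original thread. Simplified switch model:
  * tagged frame  -> admitted to the VID in its tag if the port is a tagged
    member of that VLAN, otherwise dropped;
  * untagged frame -> admitted to the port's untagged VLAN (its PVID),
    dropped if the port has no untagged VLAN.
Real switches differ on edge cases (e.g. a tag that matches the PVID).
"""
import struct
from typing import Iterable, Optional, Tuple

TPID_8021Q = 0x8100      # EtherType value that announces an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800

# Constructed sample addresses/payload (not from the thread).
DST = bytes.fromhex("ffffffffffff")
SRC = bytes.fromhex("001122334455")
PAYLOAD = b"constructed payload"


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes,
                vid: Optional[int] = None, pcp: int = 0) -> bytes:
    """Untagged frame when vid is None, otherwise insert a tag with PCP/VID."""
    if vid is None:
        return dst + src + struct.pack("!H", ethertype) + payload
    if not 1 <= vid <= 4094:
        raise ValueError("VID must be 1..4094 (0 = priority-only tag, 4095 reserved)")
    tci = ((pcp & 0x7) << 13) | (vid & 0xFFF)          # PCP(3) DEI(1)=0 VID(12)
    return dst + src + struct.pack("!HH", TPID_8021Q, tci) + struct.pack("!H", ethertype) + payload


def read_tag(frame: bytes) -> Tuple[Optional[int], int]:
    """Return (vid or None if untagged, EtherType of the encapsulated payload)."""
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    if ethertype != TPID_8021Q:
        return None, ethertype
    tci, inner = struct.unpack_from("!HH", frame, 14)
    return tci & 0xFFF, inner


def strip_tag(frame: bytes) -> bytes:
    """What a switch does on egress to an untagged member port: drop the 4 tag bytes."""
    vid, _ = read_tag(frame)
    return frame if vid is None else frame[:12] + frame[16:]


def classify(frame: bytes, untagged_vid: Optional[int], tagged_vids: Iterable[int]) -> Optional[int]:
    """VLAN the ingress port admits the frame to, or None if it is dropped."""
    vid, _ = read_tag(frame)
    if vid is None:
        return untagged_vid                      # untagged -> PVID
    return vid if vid in set(tagged_vids) else None


if __name__ == "__main__":
    lan = build_frame(DST, SRC, ETHERTYPE_IPV4, PAYLOAD, vid=2)
    plain = build_frame(DST, SRC, ETHERTYPE_IPV4, PAYLOAD)
    # pfSense LAN on a VLAN-2 sub-interface, uplink port tagged in 2 and 3:
    print("tagged VID 2 on trunk port ->", classify(lan, None, {2, 3}))       # 2
    # the same frame hitting a port that is only untagged in VLAN 2:
    print("tagged VID 2 on access port ->", classify(lan, 2, set()))          # None
    # an untagged frame on a port that is untagged in VLAN 2:
    print("untagged on access port ->", classify(plain, 2, set()))            # 2
    print("strip_tag restores untagged frame:", strip_tag(lan) == plain)     # True
```

The third case is the situation the thread runs into: once pfSense's LAN moves to a VLAN sub-interface it sends tagged frames, so the switch port it plugs into has to be a tagged member of that VLAN, not untagged in it.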
-
Welp, I'm having no luck whatsoever.
Here's the config for the switch.
interface 3
   name "ROKU"
   exit
interface 5
   name "Broom_1"
   exit
interface 6
   name "Broom_2"
   exit
interface 10
   name "FRoom_1"
   exit
interface 12
   name "MBedroom"
   exit
interface 17
   name "WAP"
   exit
interface 18
   name "Firewall"
   exit
ip default-gateway 192.168.1.1
sntp server 192.168.1.1
timesync sntp
sntp unicast
snmp-server community "public" Unrestricted
vlan 1
   name "DEFAULT_VLAN"
   untagged 1-48
   ip address 192.168.1.2 255.255.255.224
   exit
vlan 2
   name "Internal"
   ip address 192.168.1.34 255.255.255.224
   tagged 18
   exit
vlan 3
   name "No_Inet"
   ip address 192.168.1.66 255.255.255.224
   tagged 18
   exit
password manager
I've tried it with all access ports untagged, and with all 3 VLANs set to tag the ports on the pfSense uplink. But once I change the LAN interface from the NIC itself (fxp0) to be vlan0, I lose connectivity to the pfSense box. From my research, HP uses the term "trunk" to mean an aggregate of physical ports, like PAgP or LACP.
The way it is now, the pfSense box is routing the VLANs correctly, but it looks like I'm mixing tagged and untagged traffic.
Help! ;)
-
Well, your config for vlan2 and vlan3 seems correct, assuming you don't have any clients attached to those networks right now (and port 18 is where you attach pfSense). You shouldn't really use vlan1 for anything though; some hardware specifically reserves that VLAN ID and won't let you use it for tagged traffic, and it may just cause problems. I'd try changing that number. You'll also need to add a tagged port (probably 18) while leaving the rest of the ports untagged.
That should work for you, but obviously you will need to configure pfSense to put the LAN on the VLAN instead.
-
I've since moved all ports out of VLAN1, and reassigned its IP address to something else so that I can keep my current rules, aliases, & dhcp reservation for the old scope (192.168.1.0/27). So VLAN2 is now what VLAN1 was, address-wise. I moved VLAN3 down to VLAN2's old address.
Everything is now working, but, only when VLAN2 is untagged on the uplink (18). As soon as I change the interface assignment for LAN from fxp0 to VLAN2, I lose connectivity.
A side note, before resetting the interfaces, I tried to ping the switch at 192.168.1.2 but got an error about "ping: sendto: operation not permitted". Is that a hint?
-
Post your new switch config.
-
Oops, sorry. Here it is.
interface 3
   name "ROKU"
   exit
interface 5
   name "MBRoom_1"
   exit
interface 6
   name "MBRoom_2"
   exit
interface 10
   name "FRoom_1"
   exit
interface 12
   name "MBedroom"
   exit
interface 17
   name "WAP"
   exit
interface 18
   name "Firewall"
   exit
ip default-gateway 192.168.1.1
sntp server 192.168.1.1
timesync sntp
sntp unicast
snmp-server community "public" Unrestricted
vlan 1
   name "DEFAULT_VLAN"
   ip address 192.168.2.2 255.255.255.224
   tagged 18
   no untagged 1-17,19-48
   exit
vlan 2
   name "Internal"
   untagged 1-48
   ip address 192.168.1.2 255.255.255.224
   exit
vlan 3
   name "No_Inet"
   ip address 192.168.1.34 255.255.255.224
   tagged 18
   exit
-
Your switch doesn't really need an IP on every VLAN anyway; you're not doing routing with it, are you? Not that it's a problem.
So what you're saying is when you issue "vlan 2 tagged 18" and create a new pfSense VLAN interface on VLAN id 2, and assign this interface to be your LAN, you can't connect? If that's what you're doing, your configuration seems correct.
-
No, I'm not routing on the switch, that's just out of habit and so I could still manage the switch while I was sorting out the pfsense part.
But yes, once I change the LAN interface to be vlan2, and tag VLAN 2 on 18, I lose connectivity. The odd part is, the pfSense box still responds to DHCP requests and is assigning addresses properly according to reservations. ???
I'm running 1.2.3 RC1, but the same thing was going on with 1.2.2
The NIC is a dual interface intel 10/100. Might that be the issue? I thought the intel cards supported the .1q tags.
Is there a list of what interfaces support the tagging?
-
Yeah, the fxp cards work well with VLANs; I have lots of these dual cards.
It sounds like you're doing everything correctly… do the other VLANs work okay?
Edit: Maybe we can find some problems if you post your switch config and pfSense vlan assignment/interfaces configurations with the config that's having trouble.
-
They did when I was testing earlier, but now, VLAN3 is down. Not sure why. Do I need traffic to be generated for it to come up? It is enabled and has a "pass-any-any" rule applied to it.
-
Finally!! I got it!!
I ended up re-assigning the VLANs a couple of times with no luck, then finally removed them all, rebooted, re-created them, rebooted, assigned them, rebooted, and while it was rebooting, I set the switch to tag all VLANs on the uplink port (18). When it came back up, it was responding properly.
I'm not sure if I had originally mis-assigned the VLANs or what since I was using VLAN1 and might not have removed it correctly. Clearing out them altogether might have ensured I started with a clean slate.
Thanks for all your help ktims!
-
On a similar note, I too am using a VLAN capable HP switch, a 2510. I am having a hard time getting a straight answer to this googling about, but when a packet is untagged, with regards to a VLAN aware switch doesn't it automatically become a member of VLAN1? I thought I read that on a Cisco site so it may not even apply here, but I was trying to use pfSense as a captive portal only with a single interface and assigned VLAN1 to LAN and VLAN2 to WAN on the fxp0 interface and when I set up my PC on the same subnet as VLAN1, I couldn't connect. When I changed VLAN1 to fxp0, it worked. I have not set up my switch to do anything with VLANs at the moment, but I'm wondering–am I misunderstanding how VLAN1 works, or is this a unique issue with HP switches?
Hope this isn't a breach of etiquette, but I thought it'd be better to ask here rather than open a new thread for what is probably a dumb question.
Thanks!
-
Well, from what ktims said here, don't use VLAN1. That's set for the primary VLAN by default on HP switches, and is apparently treated differently by some devices. I started using that, but ended up with my first VLAN being "2". It can be changed on the switch, but it's probably best to just avoid it.
As for the untagged part, a port can be set for any untagged vlan, but only one at a time. So if you're set for VLAN1 untagged, any other vlan membership will have to be tagged. (The HP switches also have "no" and "forbid" settings, but I haven't started playing with those yet.)
As for how you'd configure the switch, all VLANs to be sent to the pfsense box would be tagged on that port (probably VLAN2 & VLAN3 if you skip #1).
I ended up with all my ports except 18 (the firewall uplink) untagged on vlan2. Port 18 is tagging VLANs 2 & 3 and any more I might create. For access ports, I'd change the port to be untagged on whatever VLAN I wanted. So if I create vlan4, and want to send people in VLAN 4 to the 'net, port 20 (or whatever) would be untagged for vlan4, and I'd tag vlan4 on port 18 (to present it to the pfSense box).
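The rules the thread settles on (every VLAN handed to pfSense is tagged on the uplink, the uplink is untagged in nothing, a port is untagged in at most one VLAN, and VLAN 1 is left empty) can be checked mechanically against a ProCurve running-config. The following is an added example, not code from the thread, from HP or from pfSense: it parses the `vlan N` stanzas in the form posted above (interface, ip and sntp lines are ignored) and reports every violation. It assumes, as on ProCurve switches, that the default VLAN 1 starts with all ports untagged, which is why the switch prints `no untagged ...` under it. The two configs embedded below are constructed: the first mirrors the second config posted in this thread, the second is the layout the thread ends with. Nothing is read from a switch.

```python
"""Audit HP ProCurve-style VLAN stanzas for a pfSense trunk uplink.

Added example for this thread; not code from the original posts, HP or pfSense.
Reads `vlan N` stanzas as the switch prints them in a running-config
(it does not model the switch's implicit move of a port out of its old
untagged VLAN; a hand-edited config with such a conflict is reported).
"""
import re

_PORT_RANGE = re.compile(r"^(\d+)(?:-(\d+))?$")


def expand_ports(spec: str) -> set:
    """'1-17,19-48' -> {1, ..., 17, 19, ..., 48}."""
    ports = set()
    for part in spec.split(","):
        m = _PORT_RANGE.match(part.strip())
        if not m:
            raise ValueError(f"bad port list: {part!r}")
        lo, hi = int(m.group(1)), int(m.group(2) or m.group(1))
        ports.update(range(lo, hi + 1))
    return ports


def parse_vlans(config: str, port_count: int = 48) -> dict:
    """Return {vid: {'name': str, 'tagged': set, 'untagged': set}}."""
    vlans = {}
    vid = None
    for raw in config.splitlines():
        words = raw.split()
        if not words:
            continue
        if words[0] == "vlan" and len(words) == 2 and words[1].isdigit():
            vid = int(words[1])
            # Assumption (ProCurve): DEFAULT_VLAN 1 starts with every port untagged.
            seed = set(range(1, port_count + 1)) if vid == 1 else set()
            vlans.setdefault(vid, {"name": "", "tagged": set(), "untagged": seed})
            continue
        if vid is None:
            continue                      # interface/ip/sntp stanzas: not membership
        v = vlans[vid]
        if words[0] == "exit":
            vid = None
        elif words[0] == "name":
            v["name"] = raw.split(None, 1)[1].strip().strip('"')
        elif words[0] in ("tagged", "untagged") and len(words) == 2:
            ports = expand_ports(words[1])
            other = "untagged" if words[0] == "tagged" else "tagged"
            v[words[0]] |= ports
            v[other] -= ports             # within one VLAN a port is tagged OR untagged
        elif words[0] == "no" and len(words) == 3 and words[1] in ("tagged", "untagged"):
            v[words[1]] -= expand_ports(words[2])
    return vlans


def audit(vlans: dict, uplink: int, to_pfsense: list) -> list:
    """Every violation of the thread's rules; an empty list means a clean trunk."""
    findings = []
    for vid in to_pfsense:
        if uplink not in vlans.get(vid, {}).get("tagged", set()):
            findings.append(f"VLAN {vid} is not tagged on uplink port {uplink}")
    owner = {}                            # port -> the one VLAN it is untagged in
    for vid, v in sorted(vlans.items()):
        if uplink in v["untagged"]:
            findings.append(f"uplink port {uplink} is untagged in VLAN {vid} (tagged/untagged mix)")
        for port in sorted(v["untagged"]):
            if port in owner:
                findings.append(f"port {port} is untagged in VLAN {owner[port]} and VLAN {vid}")
            else:
                owner[port] = vid
    v1 = vlans.get(1)
    if v1 and (v1["tagged"] or v1["untagged"]):
        findings.append(f"VLAN 1 still has ports: tagged {sorted(v1['tagged'])}, untagged {sorted(v1['untagged'])}")
    return findings


# Constructed from the thread's second posted config (LAN on VLAN 2, uplink 18).
BROKEN_CONFIG = """
vlan 1
   name "DEFAULT_VLAN"
   ip address 192.168.2.2 255.255.255.224
   tagged 18
   no untagged 1-17,19-48
   exit
vlan 2
   name "Internal"
   untagged 1-48
   ip address 192.168.1.2 255.255.255.224
   exit
vlan 3
   name "No_Inet"
   ip address 192.168.1.34 255.255.255.224
   tagged 18
   exit
"""

# Constructed: the layout the thread ends with (all VLANs tagged on 18, VLAN 1 empty).
FIXED_CONFIG = """
vlan 1
   name "DEFAULT_VLAN"
   no untagged 1-48
   exit
vlan 2
   name "Internal"
   untagged 1-17,19-48
   tagged 18
   exit
vlan 3
   name "No_Inet"
   tagged 18
   exit
"""

if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, "->", audit(parse_vlans(cfg), uplink=18, to_pfsense=[2, 3]) or "OK")
```

On the broken config the audit reports that VLAN 2 is not tagged on port 18, that port 18 is untagged in VLAN 2, and that VLAN 1 still has port 18 tagged; the fixed config passes cleanly. Paste the `vlan` stanzas of `show running-config` into `BROKEN_CONFIG` to check a different switch.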
-
If you fancy a read, this is a good thread about my HP VLAN implementation; it may have some useful pointers.
http://forum.pfsense.org/index.php/topic,11913.0.html
http://wan2.cheesyboofs.co.uk/home.htm
As you will see nearer the end, I was having a mare until I stopped using VLAN 1; the web interface for pfSense was unusable and the network ground to a halt.
Cheers