Netgate Discussion Forum

    How to set the same VLANs between the switch and PfSense

    L2/Switching/VLANs
JT40

      Hi,

      I finally got my box fully working and I need to set up the network.

      The PfSense box is running 192.168.1.1 IP, I can easily change it, that's not the problem.

      But how can I connect that range of IP to something like 10.200.200.200? (switch)
I can also change the IP of the switch and of the VLANs I think, but it's something I need to have clear in my mind.
      The doubt is, shall I use NAT?
      I'd like to use it for the benefit it offers.

SteveITS Galactic Empire @JT40

        @jt40 If the router has a third interface you could use that.

        For VLANs, did you find https://docs.netgate.com/pfsense/en/latest/vlan/configuration.html#web-interface-vlan-configuration ?

        Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
        When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
        Upvote 👍 helpful posts!

johnpoz LAYER 8 Global Moderator @JT40

          @jt40 said in How to set the same VLANs between the switch and PfSense:

          The doubt is, shall I use NAT?

No I wouldn't think so.. There is normally little reason to NAT RFC1918 to RFC1918 unless you have some issue you're trying to overcome, like duplicate IP ranges or source NATting traffic to something.

Some more details of what you're trying to accomplish would be helpful. And a layout of your network.. Where exactly is this 10.200 network you want to talk to? How is it connected to your network?

          Are you just wanting to create a new network/vlan and use something other than 192.168.1/24 on it?

          Is this switch L3 and routing? And downstream of your 192.168.1/24 network. I wouldn't suggest using 192.168.1 as your transit network to get to pfsense, if there are hosts on this network. It can lead to asymmetrical traffic flow.

A diagram would be a great start in helping you.

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.7.2, 24.11

JT40 @SteveITS

@steveits thanks, but it does not help in my case where I have the VLANs set in the switch.

johnpoz LAYER 8 Global Moderator @JT40

              @jt40 said in How to set the same VLANs between the switch and PfSense:

but it does not help in my case where I have the VLANs set in the switch.

Huh.. So you're routing these VLANs at your L3 switch? If so then you need to set up pfsense for a downstream router. You need to create the gateway and routes to the downstream networks in pfsense. You need to adjust your rules on your transit network (the network that connects pfsense to this downstream router).

And again I suggest that there are no hosts on this transit network - or you're going to run into asymmetrical issues.

              Normally if pfsense has auto outbound nat, once you create the routes in pfsense it would auto add these networks to the outbound nat. But if you had changed to manual you would need to adjust those.

              Here is a good drawing for how to do downstream router (L3 switch routing).

              pfsense-layer-3-switch.png


JT40 @johnpoz

                @johnpoz Thanks, I'll find the way to quickly draw the diagram.

                The schema is this:

                • modem - 192.168.1.1
                • router - 192.168.2.1 (it can change)
                  I assigned a VLAN ID to the port dedicated to the switch, is this a wrong approach?
                • switch - for the moment sitting on 10.x

                Issues

                1. Fixed (but not intuitive) - PfSense was not able to communicate with the modem, even if I reserved the IP in the modem

                2. I don't know what to do in the switch, unless setting up an IP interface, there is already one but it's used for administrative purposes.
                  I have VLANs there but the uplink port doesn't have a VLAN (I believe it should not have a VLAN), there is a VLAN ID 1 by default though.
                  If this is correct, it makes sense to remove the VLAN for the switch from PfSense.

JT40 @johnpoz

                  @johnpoz said in How to set the same VLANs between the switch and PfSense:

                  @jt40 said in How to set the same VLANs between the switch and PfSense:

but it does not help in my case where I have the VLANs set in the switch.

Huh.. So you're routing these VLANs at your L3 switch? If so then you need to set up pfsense for a downstream router. You need to create the gateway and routes to the downstream networks in pfsense. You need to adjust your rules on your transit network (the network that connects pfsense to this downstream router).

And again I suggest that there are no hosts on this transit network - or you're going to run into asymmetrical issues.

                  Normally if pfsense has auto outbound nat, once you create the routes in pfsense it would auto add these networks to the outbound nat. But if you had changed to manual you would need to adjust those.

                  Here is a good drawing for how to do downstream router (L3 switch routing).

                  pfsense-layer-3-switch.png

Thanks for the example, mine is quite different though, please read the previous message.

I also created the gateway and it's assigned to the L2_switch VLAN, but I still can't ping the router from the switch. As said previously, it's possible that a VLAN on that port should not be there.

Do you know where the biggest struggle is? When you create such things, there is zero explanation; the few that are there create even more confusion for me.
                  It seems I did some redundant task that created network conflicts.

johnpoz LAYER 8 Global Moderator @JT40

                    @jt40 said in How to set the same VLANs between the switch and PfSense:

                    please read the previous message.

                    Draw it dude.. What you stated makes zero sense.. Modem - you mean gateway.. A modem router combo?

Modems don't do NAT.. And how exactly is pfsense even talking to this "modem" if they are not even on the same network? 192.168.1.1 and 192.168.2.1? Is that your router's LAN interface? What is its WAN, 192.168.1.2? Or is that a typo?

VLAN ID of what, a different network? And this is a 10.x something? If your switch is just L2, it doesn't really need a gateway.. But how could you point 10.x something at 192.168.2? What other VLANs did you create on this switch? etc. etc..

If you need to, grab a napkin and some crayons and then take a picture with your phone.

What VLAN IDs do you have set on the switch - what switch is it? Out of the box a switch, even a fully managed one, is in dumb mode and everything is VLAN 1, untagged! If you created other VLANs on this switch.. Then you would need to set those VLANs up with the same VLAN ID on pfsense and connect them via a port where your VLANs are tagged. Other than LAN, which out of the box is untagged, so that would be VLAN 1 on your switch.


Bob.Dig LAYER 8

                      Normally you would create the same VLANs on pfSense and the switch.

JKnott @johnpoz

                        @johnpoz said in How to set the same VLANs between the switch and PfSense:

                        Modem - you mean gateway.. A modem router combo?

                        People will often refer to the box as a modem, no matter how it's configured. That's why I say modem in bridge or gateway mode, to eliminate the ambiguity.

                        PfSense running on Qotom mini PC
                        i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
                        UniFi AC-Lite access point

                        I haven't lost my mind. It's around here...somewhere...

johnpoz LAYER 8 Global Moderator @JKnott

                          @jknott said in How to set the same VLANs between the switch and PfSense:

                          That's why I say modem in bridge or gateway mode, to eliminate the ambiguity.

                          That is clear as mud.. Makers calling their devices "modems" when they are really gateways started the whole confusion mess if you ask me. You don't put a modem in "bridge mode" - you can put a gateway in bridge mode and disable its "gateway" function ;)

Modem - just that, a modem. "Modem" is short for "Modulator-Demodulator."

Router - A router is a device that connects two or more packet-switched networks. It serves two primary functions: managing traffic between these networks by forwarding data packets to their intended IP addresses, and, for the typical home or SMB, allowing multiple devices to use the same Internet connection (NAT, or more precisely NAPT, "Network address port translation").

                          Gateway - A combo device combining both modem and router functions.

                          Since these terms seem to confuse many - I just try and say your isp device, and ask if you are getting a public IP or private IP on pfsense wan ;)

                          Confusion also abounds with wifi router and AP (access point).. Are you using the wifi router as router, or are you just using it as just an AP..

And L3 vs L2 switch.. If someone says they are using an L3 switch - the reason for calling that out would hint that you're routing at it, vs if you just say switch or L2 switch you're not going to be doing any routing at it. Why call out that it's L3 if you're not actually routing ;)


JKnott @johnpoz

                            @johnpoz

The problem is two devices are in one box, a modem and a gateway, which is or isn't enabled. Years, years ago, modems were just that and any firewall or router was a separate device. But not now.

                            BTW, having worked in telecom going back almost half a century, I do know what "modem" stands for. I was working with them back in the '70s, when it took 2 1200B modems, over conditioned lines, to provide 2400B for a major customer. My own first modem ran at a blazing 300B! Incidentally, back in those days, the terms baud, a signalling rate, and bits per second, a data rate, were almost always interchangeable, as complex modulation methods weren't often used then.


JKnott @johnpoz

                              @johnpoz

                              BTW, my ISP uses the term "modem".


johnpoz LAYER 8 Global Moderator @JKnott

                                @jknott there are many that do - wish they would stop it!


JT40

Thanks everyone, below you find the schema and other details.

                                  schema_11.PNG

                                  The modem is a modem/router, even though I was using another router after that, it has to be the same case with PfSense.

There is a fundamental problem with it: the modem/router will remain as such, it can't be set as only a modem, even if I disable the WIFI, which is mandatory for one bug inside (just saw it on the website).
                                  At the moment it can accept another router anyway, I'm not concerned about it.

                                  With this IP range, the packets don't reach the modem/router, but when I've set the PfSense IP to 192.168.0.50 it worked, I don't get it :D

I removed the VLAN on the Uplink port, so it's a normal uplink port now but it's categorized as WAN; I just don't remember if it was a label or not, but from the networking point of view it should be the same, as long as it's on the LAN.

It seems I can't log in anymore on the UI, wrong credentials, any bug as such? :D I'll need to reset the box somehow, which is a good thing considering the mess inside, but damn...
                                  I highly doubt I messed the password...

                                  I recovered the password from the backend, nice automated job.

JT40

++ I've set the upstream gateway on the WAN interface to 192.168.0.1, it seems the correct step to follow...
                                    Still no network.

JKnott @JT40

                                      @jt40 said in How to set the same VLANs between the switch and PfSense:

                                      There is a fundamental problem with it, the modem/router will remain as such, it can't be set as only modem, even if I disable the WIFI, which is mandatory for one bug inside (just saw it on the website).

                                      What make is it? I haven't yet seen one that couldn't be put in bridge mode, though some can be a pain to do so. Or you may have to call your ISP to have them do it.


JT40 @JKnott

                                        @jknott sky

johnpoz LAYER 8 Global Moderator @JKnott

                                          @jt40 said in How to set the same VLANs between the switch and PfSense:

                                          I removed the VLAN on the Uplink port, so it's a normal uplink port now but it's categorized as WAN

Well if you put a gateway on it - pfsense is going to think it's a WAN..

                                          Your lan interface of pfsense should have NO GATEWAY set on the interface..

                                          Pfsense tells you this when setting it up. And even states it on the gui, etc..

                                          gateway.jpg

Not sure where you're coming up with a management IP on pfsense of 192.168.200.1? How many NATs are you going to do.. So the device you have plugged into pfsense WAN is 192.168.0, then behind that you have 192.168.140? (pfsense WAN). Are you using some other mask than /24 on pfsense LAN? Is this 192.168.200.1 address another interface, a VIP? What?

If your network is 192.168.140/24 and you want to talk to your switch, then put it on the 192.168.140 network.. Or change pfsense LAN to be this 10.90.90 network.

Your modem/router (ISP device) WAN is 192.168.x.x? If so your ISP is doing NAT, not sure why they wouldn't be using CGNAT 10.64/10 space? Or do you have some other device in front of what you're showing?

                                          I would suggest you get internet working, ability to talk to your switch before breaking out networks/vlans for admin or management, etc.

With a typical ISP modem/router setup and pfsense, double NAT. Something like this out of the box just works. As long as you didn't set up a gateway on your interface used for LAN.

                                          You can use whatever rfc1918 ranges you want as long as they don't overlap

                                          doublenat.jpg

Get devices behind pfsense working, talking to your switch, everything on 1 network.. Then more than happy to walk you through setting up VLANs/networks - creating rules for blocking traffic between multiple VLANs... But get a working base setup first. Doesn't really matter how many networks in front of pfsense, etc. But pfsense WAN and LAN can not overlap, etc..


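The rules johnpoz gives across this thread (no gateway on a LAN-type interface, non-overlapping ranges on both sides of the double NAT, the same VLAN IDs on the switch tagged on the port facing pfSense, and for a downstream L3 switch a static route via a transit network that carries no end hosts) collected into a small audit script. This is an added example written for this page, not code from the thread or from pfSense; the two topologies are constructed approximations of the poster's layout and of a working base setup, and the `Site`/`Iface` fields are assumptions for the example.

```python
from __future__ import annotations
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Iface:
    name: str
    role: str                    # "wan" or "lan"
    cidr: str                    # address with mask, e.g. "192.168.140.130/24"
    gateway: str | None = None   # upstream gateway configured on the interface
    vlan_id: int | None = None   # None = untagged (native) on the parent port

@dataclass
class Site:
    pfsense: list[Iface]
    switch_vlans: set[int]                   # VLAN IDs defined on the switch
    trunk_tagged: set[int]                   # VLANs tagged on the port facing pfSense
    downstream_nets: list[str] = field(default_factory=list)     # routed at an L3 switch
    static_routes: dict[str, str] = field(default_factory=dict)  # net -> gateway IP
    transit_hosts: int = 0                   # end hosts on the pfSense<->L3-switch link

def audit(site: Site) -> list[str]:
    """Return findings; an empty list means the layout passes every check."""
    out: list[str] = []
    nets = {i.name: ipaddress.ip_interface(i.cidr).network for i in site.pfsense}
    # A gateway on a LAN-type interface makes pfSense treat it as a WAN.
    for i in site.pfsense:
        if i.role == "lan" and i.gateway:
            out.append(f"{i.name}: LAN interface has a gateway set ({i.gateway})")
    # Networks on either side of the double NAT must not overlap (the mask matters).
    names = list(nets)
    for a in range(len(names)):
        for b in range(a + 1, len(names)):
            if nets[names[a]].overlaps(nets[names[b]]):
                out.append(f"{names[a]} {nets[names[a]]} overlaps {names[b]} {nets[names[b]]}")
    # Every tagged VLAN on pfSense needs the same ID on the switch, tagged on the trunk;
    # the untagged pfSense LAN lands in the trunk's untagged VLAN (VLAN 1 out of the box).
    for i in site.pfsense:
        if i.role == "lan" and i.vlan_id is not None:
            if i.vlan_id not in site.switch_vlans:
                out.append(f"{i.name}: VLAN {i.vlan_id} is not defined on the switch")
            elif i.vlan_id not in site.trunk_tagged:
                out.append(f"{i.name}: VLAN {i.vlan_id} is not tagged on the trunk port")
    # Downstream networks routed at an L3 switch need a static route in pfSense whose
    # gateway sits on a directly connected (transit) network, and that transit network
    # should carry no end hosts, or replies will flow asymmetrically.
    for net in site.downstream_nets:
        gw = site.static_routes.get(net)
        if gw is None:
            out.append(f"no static route in pfSense for downstream {net}")
        elif not any(ipaddress.ip_address(gw) in n for n in nets.values()):
            out.append(f"route gateway {gw} for {net} is not on a pfSense network")
    if site.downstream_nets and site.transit_hosts:
        out.append(f"{site.transit_hosts} host(s) on transit network: asymmetric routing risk")
    return out

def thread_setup() -> Site:
    """Constructed approximation of the poster's layout: /16 masks and a gateway on LAN."""
    return Site(
        pfsense=[Iface("WAN", "wan", "192.168.140.130/16", gateway="192.168.0.1"),
                 Iface("LAN", "lan", "192.168.200.1/16", gateway="192.168.0.1")],
        switch_vlans={1}, trunk_tagged=set())

def fixed_setup() -> Site:
    """Constructed working base: /24 masks, no LAN gateway, matching VLAN IDs, L3 switch via transit."""
    return Site(
        pfsense=[Iface("WAN", "wan", "192.168.0.50/24", gateway="192.168.0.1"),
                 Iface("LAN", "lan", "192.168.140.1/24"),
                 Iface("VLAN20", "lan", "192.168.20.1/24", vlan_id=20),
                 Iface("TRANSIT", "lan", "10.90.90.1/30", vlan_id=90)],
        switch_vlans={1, 20, 90}, trunk_tagged={20, 90},
        downstream_nets=["10.200.200.0/24"],
        static_routes={"10.200.200.0/24": "10.90.90.2"})
```

Running `audit(thread_setup())` reports the LAN gateway and the /16 overlap between WAN and LAN, while `audit(fixed_setup())` returns no findings.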
JT40 @johnpoz

                                            @johnpoz Thanks for that, I must have missed it, it wasn't enough to fix it though.

                                            192.168.200.1 is the IP management interface for the WebUI, it doesn't correlate with other IP communications for my knowledge.

I'm using 255.555.0.0 subnet mask on both devices (modem/router and PfSense; it should cover my actual setup, in fact the CIDR validation doesn't fail)

Your modem/router (ISP device) WAN is 192.168.x.x? Yes, it's in the diagram, it's 192.168.0.1, but 192.168.140.130 is the IP dedicated to the PfSense, which should act as a gateway with that IP; it seems it doesn't.

Not sure about the NAT, that is a simple modem/router, it can't assign IPs of a range 10.x, so it's a simple internal switch functionality where you can assign different IP ranges; most probably it doesn't give problems as long as you don't leave the range 192.x.x.x

I don't think that the IP management interface is creating issues with the rest of the network... By overlap you probably mean that it cannot be after 192.168.x.x, is this the overlap you are talking about?
For my understanding, it won't overlap as long as I don't saturate this IP range, meaning, as long as I don't choose the same IP for 2 things, which won't happen.

                                            I'll follow the approach "start easy" and then I let you know.

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.