How to set the same VLANs between the switch and PfSense

SteveITS

@jt40 if 192.168.0.0/16 is the WAN then you can use whatever address you want in that range, but those devices all need to be in the WAN. Otherwise pfSense won’t know where to route packets.

JT40

I can't setup an IP range of 172.x.xx. or 10.x.x.x from the modem/router, I precisely tried to reserve that IP address, nothing.

Not sure why, I guess it's a limitation of these crappy ISP devices.
What choice remains?
It seems anything of a range like 192.168.x.x
Well, not even that it's supported :D
I tried 192.169.x.x or 192.166.x.x, it says both are out of range with a mask of 255.255.0.0

SteveITS

@jt40 you can use 192.168.x.x for your pfSense WAN just fine. You just can’t also use it on other interfaces.

johnpoz

@jt40 said in How to set the same VLANs between the switch and PfSense:

I can't setup an IP range of 172.x.xx. or 10.x.x.x from the modem/router, I precisely tried to reserve that IP address, nothing.

Well use that range on your lan then behind pfsense.

I have another router sitting on 192.168.5.1

And where was that on your drawing? Dude can not help you if get wrong or missing info..

Where and the F does this router sit?? is that some network behind a wifi router doing nat?

Not sure why, I guess it's a limitation of these crappy ISP devices.

What device does not let you change the lan IP address? You can not just change the scope of the dhpc, you have to change its lan IP!

I mean, I need to be able to change x.x.N.x , for that I need 255.255.0.0 mask as far as I know.

What?? Why do you need to change that? Dude You seem to have a REAL mess - none of this stuff was in your drawing - there was no masks set on anything in your drawing, etc. Still haven't answered where you setup 192.168.200.1 on pfsense, etc..

I tried 192.169.x.x or 192.166.x.x, it says both are out of range with a mask of 255.255.0.0

Why would you think that is valid? Maybe its time you do a bit a research on what network is and what the masks actually means.. And what the valid rfc1918 space is 10/8,192.168/16,172.16/12

Your going to have a real hard time getting anything working, especially if your goal is to have multiple vlans/networks without understanding the basic concepts.

JT40

@steveits Every interface has its own IP, that's for sure.

JT40

@johnpoz
Ok for the LAN, I'll use something like 192.168.140.130 as it is right now.

I didn't represent the other router because it will be removed, I just mentioned it as an example, but in any case it's like that, it's after the modem/router with IP 192.168.5.1, manually assigned in the modem/router, it works fine.
The machines behind have IPs like 192.168.5.2 and so on...

I need to clarify that also the IP 192.168.20.1 can't be reserved on the modem/router, which means that I can't reserve anything else, only 192.168.0.x seems faultless, I just wonder how I've set up 192.168.5.1 at this point.....
It keeps saying that the address is out of range.

I think I know what do you mean about that range, you mean that I can't set up something like 192.169.x.x, but I can set 192.168.x.x, is it right?

I don't use DHCP at the moment to avoid complexity.

I've set up 192.168.200.1 on my Pfsense on a dedicate port for management (pfsense management or WebUI).
This IP doesn't have anything to do with the rest of the production network, I have direct access to it, that's how I manage the Pfsense box, as well as any other if I need to.
I just assigned this custom address for the management, sorry for the confusion.
Do you see anything bad here?

SteveITS

@jt40 said in How to set the same VLANs between the switch and PfSense:

I'll use something like 192.168.140.130 as it is right now.

You can't, if the WAN is 192.168.anything.anything/16. In that config pfSense "knows" anything in that subnet is on the WAN so it will get confused if traffic is also on any other interface. So you can't use 192.168.200.x or anything else, on other interfaces.

192.169.x.x is a public IP block.

johnpoz

@jt40 said in How to set the same VLANs between the switch and PfSense:

need to clarify that also the IP 192.168.20.1 can't be reserved on the modem/route

What, what device make and model is this device.. There is no freaking way they do not let you change the lan IP and force a /16 mask... Just no freaking way.

JT40

@johnpoz said in How to set the same VLANs between the switch and PfSense:

@jt40 said in How to set the same VLANs between the switch and PfSense:

need to clarify that also the IP 192.168.20.1 can't be reserved on the modem/route

What, what device make and model is this device.. There is no freaking way they do not let you change the lan IP and force a /16 mask... Just no freaking way.

Sky Hub, 2 ethernet ports.

johnpoz

@jt40

https://helpforum.sky.com/t5/Broadband/Changing-LAN-IP-subnet-address/td-p/3736225

https://setuprouter.com/router/bskyb/sky-hub/ip-address.htm

JT40

@johnpoz Thanks mate, I know it :D
But it says that it's out of range.
Let me post you the current config.

johnpoz

@jt40 says what is out of range your dhcp server?

And again doesn't matter leave that at 192.168/16 - that has zero to do with what pfsense can use on its lan side interfaces. Set them to 10 or 17.16-31 space.. There you go no possible way to have a overlap or routing problem based up some shit /16 mask on your wan in 192.168 land.

JT40

@johnpoz here's the config.

LAN TCP/IP SETUP

• IP Address: 192.168.3.1
• IP Subnet Mask: 255.255.0.0

Use router as DHCP server (checked, some device is on the modem/router directly at the moment)

• Starting IP Address: 192.168.0.2
• Ending IP address: 192.168.255.254 (I think it was precompiled, I don't recall to have set it)

Address reserved

• 192.168.140.130 (uplink port of Pfsense), all the communications should pass through this port, I don't know how to set it up from PfSense at the moment.

I also agree that the IP range of the modem/router shouldn't cause issues on the other side of PfSense, but there is the struggle, I can't get internet there, no ping, no routing works.

The error message says: the IP is out of range, that's it.

johnpoz

@jt40 your still using shit /16 mask.. WHY???

The error message says: the IP is out of range, that's it.

What says that?? If you set an IP of 192.168.140/24 and try and point it to a gateway of 192.168.0.1 then yeah that is out of range because its not in the 192.168.140 network.

Dude change the mask on your router to 255.255.255.0 - there is no possible way have 65k some clients needed on this network.. Why would you think in any way that a /16 makes any sense??

If you want to use 192.168.140/24 as pfsense - then set your router to 192.168.140.1 and pfsense to 192.168.140.2 both with /24 or 255.255.255.0 masks.

JT40

@johnpoz said in How to set the same VLANs between the switch and PfSense:

@jt40 your still using shit /16 mask.. WHY???

The error message says: the IP is out of range, that's it.

What says that?? If you set an IP of 192.168.140/24 and try and point it to a gateway of 192.168.0.1 then yeah that is out of range because its not in the 192.168.140 network.

Dude change the mask on your router to 255.255.255.0 - there is no possible way have 65k some clients needed on this network.. Why would you think in any way that a /16 makes any sense??

If you want to use 192.168.140/24 as pfsense - then set your router to 192.168.140.1 and pfsense to 192.168.140.2 both with /24 or 255.255.255.0 masks.

No, it fails when I simply try to reserve the address, I need to reserve it because I can't have DHCP for the Pfsense Uplink.
I don't understand why it's wrong, CIDR looks correct to me.

I could change the mask to 255.255.255.0, but then I would not be able to change the range in this way 192.168.x.x, am I wrong?
Or you are telling me that for the uplink is not necessary to be outside of that range? Basically 192.168.0.5 would be just fine for you?

Just a note, the rest of the PfSense interfaces can't be on that range, so can I set them to 10.x.x.x like the switch?

johnpoz

@jt40 said in How to set the same VLANs between the switch and PfSense:

No, it fails when I simply try to reserve the address

Show us..

SteveITS

@jt40 I am still a bit confused but it sounds like you're unclear on how subnet masks work. In the simplest explanation, "255" means "this part of the address must match." So 192.168.0.0 with 255.255.0.0 (a /16) means "any address that starts with '192.168' is on this interface."

You can use 192.168.0.0/16 on one interface but then can't use any 192.168.x.x addresses on any other interfaces. Or, you can use 192.168.1.x with a 255.255.255.0 (/24) mask on one, 192.168.2.x on another, etc.

If you expect less than 254 devices on a network then it's fine to use 255.255.255.0 on that interface/network. You can use a larger subnet, but it's not necessary.

johnpoz

@steveits Im also a bit confused on "where" he is trying to set what.. Is he trying to set it on the isp device?

If he trying to set it on wan, then yeah 192.168.140/16 is going to overlap if he has any 192.168 on pfsense other interfaces.

And it could even overlap with 192.168.140/24 on wan if he has some /16 on other pfsense interface. He has some management interface he set to something in 192.168

edit: But pfsense shouldn't say out of range - it would say overlap and should show you what is overlapping. Here I just tried to change one of my test interfaces to a /16 mask

JT40

@johnpoz said in How to set the same VLANs between the switch and PfSense:

@jt40 said in How to set the same VLANs between the switch and PfSense:

No, it fails when I simply try to reserve the address

Show us..

What do I need to show?
I mean, I'm not idiot till that point :D , this is what I receive from that UI...

I discovered something though, look at this example:
192.168.80.5 (out of range)
192.168.80.1 (ok)

I think that the address I assigned to the Pfsense management interface interfers with the rest of the modem/router config. (192.168.200.1)
I unplagged it from the modem/router, same result though, I was expecting a difference here but since the address is reserved in the modem/router, I think it's the same for this reason...

Changing the mask to 255.255.255.0 on the modem/router and removing the previous assignments, my previous connection running on 192.168.5.1 still works.
This was my doubt, I was pretty sure that the subnet mask mentioned by you would have cut off that connection, but it didn't happen.

Look at the fun again:
Mask: 255.255.255.0
192.168.0.220 (ok)
192.168.1.50 (out of range)
192.168.50.50 (out of range)

Based on what I get here, the connection on 192.168.5.1 should have been stopped, but it didn't.

Coming back to the dumb approach, I can assign ~192.168.0.200 in the modem/router, + to the PfSense uplink interface (same IP).

Then I assign something like 192.168.0.199 to the management interface of PfSense (instead of 192.168.200.1), or from now on I should only use 10.10.x.x on the other PfSense interfaces?

johnpoz

@jt40 where are you setting that?? On the isp device?

I want to see the actual error from the page your setting on it - so I have a clue to if your doing it on pfsense or your isp device, etc.

Is it telling you your dhcp is out of range for the network your setting..

192.168.1.50 255.255.255.0 is not out of range - out of range of what? The dhcp server that is set to 192.168.0.x -- y?

my previous connection running on 192.168.5.1 still works.

Works to where? Have no idea where this is set, or if its a wan or lan on a router?

Then I assign something like 192.168.0.199

With what mask? Where are you setting that on pfsense, some other device.. Show us all of the interfaces you have set on pfsense.

here are mine.. all /24 other than the ipv6 address which are /64 and the public IP space is dhcp from my isp and has a /21 on it.. And my vpn 172 also has a /21 on it.. 255.255.248.0