Newbie having trouble with vlans & dhcp
-
Hi guys,
brand new to the world of pfSense and a Netgate 2100. I have read about this setup as well as watching videos, but I am still stuck and would appreciate some help. My goal is having the pfSense serving my managed switches with Vlans, DHCP & DNS.
My problem: As I need a controller to configure my switches, and that lives on a server that has an IP of one of the newly configured vlans, I thought of configuring one of the Netgate's built-in ports to serve that one vlan temporarily so I can set up the switches and get started. Turns out none of the vlans I just configured in pfSense seem to work; when trying to ping any of them all I get is "Network is unreachable". I must have missed something vital, but can't find out what. Setting up the vlans and configuring the DHCP scopes (enabled them too) seemed pretty straightforward; what I suspect might be the issue is the configuration of the switch ports on the Netgate. But I would have expected to be able to at least ping the gateways, regardless of the switch port settings. I find this a bit confusing, so please help me troubleshoot so I can get on with all the fun stuff! :)
Thanks -
@furom said in Newbie having trouble with vlans & dhcp:
But I would have expected to be able to at least ping the gateways, regardless of the switch port settings
Why would you think that? If you're connected to one vlan, and you have no rules to allow access to the other vlans, etc.
When you create new interfaces, be they native or vlans, there are no rules auto put on these interfaces.
Without some details of your setup, not going to be possible for anyone to help you.
-
Fun start. I'll just read until I get it then if you don't know what the issue might be. Assuming this is not the first of these kind of questions. Impressive
-
@furom huh? Be more than happy to help you, but you have provided no details of what you have done...
If you created a new interface on pfsense, and you're coming from an already working lan with the default any any rule, then yes you would be able to ping this new interface IP, etc.
But I can think of lots of reasons why you wouldn't be able to ping another interface.. Don't even know where you're trying to ping from, have no idea what your rules have been set to, don't even know if your vlans and tags are set up correctly either on pfsense switch ports, or your switch connected to them, etc.
-
Well, guess you are right. I'm sorry, just being a little frustrated after being at this for so long. I'll try to be more detailed. This is a much more serious appliance/software than I have used before, hence not grasping all steps required.
My setup is the Netgate-2100, a server running Proxmox, hosting a few VMs with the switch controller being one of them. The Proxmox server and the controller VM are on the same vlan#5, so I need to understand two things.
- How I should set up the vlan#5 to serve the Netgate's built-in switch port #2
- How I should configure pfSense to present available vlans to the managed switch
I am setting this up offline (no wan) atm while getting familiar with it, as I need the working network to keep working. This makes it hard for me to take screenshots, hope that won't be a problem.
Step-by-step, what I've done:
- Reset to factory defaults and completed the wizard
- Created a vlan#5 (Interfaces/VLANs/Add)
- Parent IF: LAN
- VLAN Tag: 5
- Went to 'Interface Assignments' and added the new vlan. Configured the following;
- Enable: yes
- Description: vlan#5
- IPv4 Type: Static IPv4
- IPv4 address: 192.168.5.1/29
- Services/DHCP Server:
- Enable: yes
- Set range to: 192.168.5.2 -- 192.168.5.6
- Added a rule for vlan#5 (Firewall/Rules)
- Action: Pass
- Protocol: Any
Here I realized I had rushed past entering the Netgate as gateway on the laptop I configure with, so... facepalm. After adding that, the vlan#5 gateway responds to ping. Server on that vlan still doesn't.
- Going to Interfaces/Switch/Vlans
- Enable 802.1q mode
- Adding a new VLAN tag: 5
- Members: 2,5t (enable vlan#5 on physical port#2 using uplink port#5)
- In Ports:
- For port#2: setting Port VID: 5
I thought this was it, but still no answer from Proxmox on vlan#5 @ Netgate port#2, so guess I have missed something. Laptop goes into Netgate#4, Proxmox is Netgate#2, link and good cables..
Network adapter on Proxmox is set to "vlan aware", as I need different ones for the VMs.
-
@furom said in Newbie having trouble with vlans & dhcp:
a server running Proxmox, hosting a few VM's where the switch controller being one of them
I would take that whole VM thing out of the picture until you grasp setting up vlans at a basic level.. Is your VM natting, is it stripping tags, is it doing its own tagging, etc.
And then all the VM stuff can be different. Hyper-V does it different than VMware, etc. With esxi you need to set vlan ID of 4095 on your vswitch if you don't want to strip tags. Or maybe you want esxi to handle all the vlans for your vms, etc..
I would make sure your vlans are working with normal devices before you start bringing any VM host and VMs into it..
The netgate appliances can have a learning curve with setting up the switch ports with vlans..
https://docs.netgate.com/pfsense/en/latest/solutions/netgate-2100/switch-overview.html
I would suggest you get say 1 port of your switch port working as discrete interface. Then add a vlan on top of that interface where you have tagged vlans going into your switch, etc. And that is working before you throw into the mix the extra complexity that a VM host and doing vlans brings.
-
So your laptop you are testing from is connected to port 4 in the LAN subnet? Not in VLAN5?
You have added port 2 as untagged to VLAN 5 in the switch setup. That means whatever is attached to it should be expecting to use that subnet directly. I.e. no VLAN config in Proxmox or any switches connected. Is that the case?
Steve
-
A couple of things. First off, rules and routes. Your rules have to allow whatever traffic you want and pfsense only knows about routes to directly configured LANs. Anything beyond that, it has to be told about.
Second, how are your managed switches communicating with whatever you're trying to manage them with? Often, they will rely on discovery, which means they have to be on the same LAN, without a router in the way. The way around this is management where the IP address is used to reach them.
-
@stephenw10 Hi,
There may be many mistakes, and I will happily take any pointers I can to learn to better use this fw. I watch much on youtube, sometimes too much perhaps, but am slowly getting the feel for this. I come from Ubiquiti where things were handled similarly but different. A lot was done behind the scenes; here it's more hands on, which is good, but also a bit harder.
I do want to use VLANs in Proxmox, and did eventually sort of get it working. The server itself and one of the VMs are on the same (untagged) network, and another VM on the correct (tagged) one. My aim is to have all VMs use VLAN tags, but I have yet to find a way to have one untagged plus all the tagged VLANs available. Perhaps something I need to do in the switch config, not in pfSense?
-
@jknott Hi! Good point about the management network. Since I'm just starting with this, and am currently using all the switches, I will have to read up in advance on the requirements. I have seen a reply somewhere that the discovery software should not be necessary, but definitely something to look into. Thanks :)
-
@furom said in Newbie having trouble with vlans & dhcp:
I have seen a reply somewhere that the discovery
Are you using unifi switches - with controller, then to adopt them yeah you need to be on the same L2 for "discovery" and or do L3 adoption, etc.
I know they added vlan tag support for management of their AP a while back, maybe the same with their switches. I only have the one little flex mini to play with, and to adopt it was on my management vlan which is untagged.
Not really a fan of their switches; while the little flex is not bad for the price, and it is so freaking tiny.. It for sure has some use cases it can fill with that price and ability to be powered by poe.. Just overall all their switches are not very feature rich for the price point. And their way of doing vlans is also very limited. Can not prune vlans at the port that carries all the vlans - with the mini, you either have all vlans allowed or just 1, etc.
-
@furom said in Newbie having trouble with vlans & dhcp:
Perhaps something I need to do in the switch config
Possibly in the switch config in pfSense.
You would need to make port 2 a tagged member of VLAN 5 to make it available as a VLAN to anything connected there.
You can add port 2 as a tagged member to however many VLANs you need to have available there. Just be sure to have it only ever a member of one untagged.
Steve
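The membership rule Steve describes (a port may be a tagged member of any number of VLANs but an untagged member of only one, and that VLAN should match the port's PVID) is easy to get wrong by hand in Interfaces/Switch/VLANs. Below is an added example, not pfSense or Netgate code, that parses the member syntax the thread uses ("2,5t": port 2 untagged, port 5 tagged) and reports the inconsistencies that lead to exactly the "can ping the gateway but the host never gets an address" symptom. The function names, the `uplink=5` default (taken from the poster's own description of port 5 as the uplink to pfSense) and the sample configurations are assumptions constructed for this example.

```python
"""Consistency checks for Netgate-switch-style 802.1Q VLAN membership.

Member syntax follows the thread: "2,5t" means port 2 untagged, port 5 tagged.
Function names, the uplink assumption and the sample configs are constructed
for this example; this is not pfSense code.
"""
import re
from collections import defaultdict

MEMBER_RE = re.compile(r"^(\d+)(t?)$")


def parse_members(members: str) -> dict:
    """Parse a member string such as "2,5t" into {port: tagged_bool}."""
    result = {}
    for item in members.split(","):
        item = item.strip()
        if not item:
            continue
        m = MEMBER_RE.match(item)
        if not m:
            raise ValueError(f"bad member entry {item!r}")
        port, tagged = int(m.group(1)), m.group(2) == "t"
        if port in result:
            raise ValueError(f"port {port} listed twice in {members!r}")
        result[port] = tagged
    return result


def check_switch_vlans(vlans: dict, pvids: dict, uplink: int = 5) -> list:
    """Return a list of problems found; an empty list means the config is consistent.

    vlans:  {vlan_tag: members_string} as entered under Interfaces/Switch/VLANs
    pvids:  {port: port_vid} as entered under Interfaces/Switch/Ports
    uplink: the port carrying tagged frames to the pfSense LAN interface
            (port 5 per the poster's description; an assumption in this example)
    """
    problems = []
    untagged_in = defaultdict(list)   # port -> [vlans where it is untagged]
    membership = {}                   # vlan -> {port: tagged_bool}

    for tag, members in vlans.items():
        membership[tag] = parse_members(members)
        for port, tagged in membership[tag].items():
            if not tagged:
                untagged_in[port].append(tag)
        # Frames for this VLAN only reach the pfSense VLAN interface if the
        # uplink carries them tagged; otherwise the gateway answers but DHCP
        # requests from the port never arrive.
        if not membership[tag].get(uplink, False):
            problems.append(
                f"VLAN {tag}: uplink port {uplink} is not a tagged member, "
                f"so pfSense will not see this VLAN's frames")

    # Steve's rule: untagged in at most one VLAN per port.
    for port, tags in untagged_in.items():
        if len(tags) > 1:
            problems.append(
                f"port {port}: untagged member of more than one VLAN {sorted(tags)}")

    # PVID decides where untagged ingress frames go; replies only come back
    # untagged if the port is also an untagged member of that VLAN.
    for port, pvid in pvids.items():
        if pvid not in membership:
            problems.append(f"port {port}: PVID {pvid} is not a configured VLAN")
        elif membership[pvid].get(port) is not False:
            problems.append(
                f"port {port}: PVID {pvid} but port is not an untagged member "
                f"of VLAN {pvid} (ingress lands in VLAN {pvid}, replies leave tagged)")

    # The converse: an untagged member whose PVID points elsewhere.
    for port, tags in untagged_in.items():
        if len(tags) == 1 and pvids.get(port) != tags[0]:
            problems.append(
                f"port {port}: untagged member of VLAN {tags[0]} but PVID is {pvids.get(port)}")
    return problems


if __name__ == "__main__":
    # Constructed sample: the poster's first attempt, port 2 untagged in VLAN 5
    # with PVID 5, which is internally consistent.
    print(check_switch_vlans({5: "2,5t"}, {2: 5}))
    # Constructed sample: port 2 tagged-only in VLAN 5 while PVID still says 5.
    for p in check_switch_vlans({5: "2t,5t"}, {2: 5}):
        print("problem:", p)
```

Run it as a script to see the two constructed samples checked; the first (untagged port 2, PVID 5) passes, the second (tagged-only port 2 with PVID 5 left in place) is reported, which is the mismatch to look for when a host on a tagged-only port stops getting a DHCP lease.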
-
Well, find out how your management works. Often, with complex networks, a separate management VLAN is used. Discovery relies on multicasts and they generally don't pass through routers. People run into the same issue with printers and other devices. If they're on the same subnet, the computer can learn about them. If not, then they have to be specifically configured or a domain controller used.
As an example, I have a Unifi access point here. When I want to manage it, I connect to the controller, not directly to the AP. The controller is capable of discovering all the supported devices on the LAN it's connected to. In comparison, I would directly access, via IP address, the TP-Link AP I used to use. Same with my Cisco managed switch, which I can access directly, compared to a crappy¹ TP-Link switch that has to be discovered.
¹ Yeah I know, calling TP-Link gear "crappy" is redundant.
-
@johnpoz Ah, figures. I am a little hesitant to remove the switches to redeploy them, guess I will have to figure how that management lan should be setup first and have a plan. Still fiddling with setting up the vlans and think it will be more straight forward once the controller and switches are in place. I haven't figured out how to configure the built-in switch to supply all vlans and one untagged yet, but should be possible I hope :)
-
@stephenw10 Agreed. I tried with Vlan tag: 5, Members: 2t,5t, but while that would give the VM its tagged one, the server itself did not get an IP...
-
Got it! I configured it as "2t,5t" and then made Proxmox use the tagged network instead of untagged. Much better. Thanks for the help! :)