VLAN on D-link
-
Nice that you are making progress.
But watch out on enabling L3 on the switch , if done "incorrectly" you could easily bypass the pfSense fwall , and route packets between vlans directly on the switch.
-
@bingo600 Do you see any error in the "show vla" command on the console of the switch above? Not sure why it doesn't work without layer 3. Would be so much easier to avoid it, but I get no outside VLAN60 communication whatever I do.
One problem I discovered after enabling layer 3 and still not seeing DHCP, was that the switch had enabled DHCP-protection on most of the ports. Probably done years ago... So that was important discovery at least.
I see that I can control through firewall-rules on pfSense where VLAN60 can go. If I have a server in VLAN1, I can have a rule that by default block all traffic from VLAN60 to not go to servers inside VLAN1. That is a big positive. Doesn't this indicate that correct setup? Or do you think that if I create a layer3 IP on switch for VLAN40, it will allow traffic between VLAN40 and VLAN60 without going through the firewall?
-
@fireix said in VLAN on D-link:
@bingo600 Do you see any error in the "show vla" command on the console of the switch above? Not sure why it doesn't work without layer 3. Would be so much easier to avoid it, but I get no outside VLAN60 communication whatever I do.
I see no immediate errors in the config except I'm not sure what switchport you have connected to the pfSense (or was that P3).
The port connected to the pfSense , should have both VL40 & VL60 as tagged.
If you want the switch to forward packets for both VL40 & 60 down that interface. And of course you must match the pfSense end, and have both VL 40 & 60 defined on that interface port too.
One problem I discovered after enabling layer 3 and still not seeing DHCP, was that the switch had enabled DHCP-protection on most of the ports. Probably done years ago... So that was important discovery at least.
DHCP Snooping is a useful feature if set up correctly.
I see that I can control through firewall-rules on pfSense where VLAN60 can go. If I have a server in VLAN1, I can have a rule that by default block all traffic from VLAN60 to not go to servers inside VLAN1. That is a big positive. Doesn't this indicate that correct setup? Or do you think that if I create a layer3 IP on switch for VLAN40, it will allow traffic between VLAN40 and VLAN60 without going through the firewall?
I would expect the switch might be "kind enough" to interroute packages between the vlans with an ip interface.
I can't (won't) say anything with certainty, as this is super switch/firmware dependent, and as I said, I have not even seen a 15xx switch.
-
@bingo600 I ended up putting the pfSense LAN to Port #3 to have a fresh port/start.
VLAN60: Based on the show vla, all traffic arriving on Port 3 is defined as Tagged, so the switch should in theory forward any 60-traffic to Untagged-port at Port 34 and all other access-ports (untagged ports) in VLAN60? At least good to verify that in theory that is how it is supposed to work. If there is an error, I suspect it is on the Port 3 as there are many options for it under VLAN1 at least. With "native VLAN" and how these options can be set, it is hard to know exactly.
I feel it looks a bit weird to me to have all ports in vlan1 untagged. Doesn't this remove the VLAN-tag from the traffic in port 3? Or it is normal, since VLAN60 have port 3 tagged, it should still work.
"I would expect the switch might be "kind enough" to interroute packages between the vlans with an ip interface."
That's what I fear... At least it doesn't for now between VLAN1 and VLAN60, but maybe it will happen with the next VLANs I create with similar config..
-
@fireix said in VLAN on D-link:
@bingo600 I ended up putting the pfSense LAN to Port #3 to have a fresh port/start.
VLAN60: Based on the show vla, all traffic arriving on Port 3 is defined as Tagged, so the switch should in theory forward any 60-traffic to Untagged-port at Port 34 and all other access-ports (untagged ports) in VLAN60?
Correct. Vlan60 data should be sent/received tagged on P3, and also be copied to all untagged port members of VL60.
All untagged traffic sent/received on P3 would (in the switch) belong to Vlan1.
What happened to Vlan40 ???
You haven't tagged VL40 on P3 (the connection from switch to pfSense).
At least good to verify that in theory that is how it is supposed to work. If there is an error, I suspect it is on the Port 3 as there is many options for it under VLAN1 at least. With "native VLAN" and how these options can be set, it is hard to know exactly.
Native vlan is a way to tell the switch what Vlan "Untagged packages" belong to, on a port that has no "Untagged Vlan" defined. I.e. a port that only has tagged vlans defined.
If "The other end" decides to send packages untagged to that port, the switch now knows what vlan to put those packages in.
I have a "Dummy VlanXX" just for native vlan purposes, all my "Pure tagged Vlan switchports" have their native vlan set to XX.
No switch ports are Tagged or Untagged members of that Vlan XX, effectively making it a "Garbage or /dev/null" vlan, where nothing listens, and packages just "die".
"I would expect the switch might be "kind enough" to interroute packages between the vlans with an ip interface."
That's what I fear... At least it doesn't for now between VLAN1 and VLAN60, but maybe it will happen with the next VLANs I create with similar config..
I feel it looks a bit weird to me to have all ports in vlan1 untagged. Doesn't this remove the VLAN-tag from the traffic in port 3? Or it is normal, since VLAN60 have port 3 tagged, it should still work.
The untagged definition only affects packages w/o a Vlan tag. VL60 on P3 is defined as tagged, and would not be affected.
But having (almost) all ports untagged members of Vlan1 enables devices in all member ports to send untagged data, like from a normal netcard setup, to each other.
Well you're the boss, the switch just does as told.
-
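To make the tagged / untagged / native-VLAN rules in the post above concrete, here is a small model of 802.1Q port classification. This is example code added for this page, not code from the thread, from pfSense or from D-Link firmware. It reuses the port numbers discussed (P3 as the uplink to pfSense with VL60 tagged and VL1 untagged, P34 as an untagged member of VL60); ports 10 and 5 and the dummy native VLAN 999 are constructed for the illustration. The model is a plain Layer 2 switch with no IP interfaces, so it does not cover the inter-VLAN routing that enabling Layer 3 on the switch might add.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Port:
    """802.1Q membership of one switch port."""
    tagged: Set[int] = field(default_factory=set)   # VLANs sent/received with a tag
    untagged: Optional[int] = None                  # VLAN whose frames arrive/leave untagged
    native: Optional[int] = None                    # VLAN for untagged ingress on a pure-tagged port


# Constructed topology mirroring the thread (ports 10 and 5 and VLAN 999 are assumptions):
SWITCH: Dict[int, Port] = {
    3: Port(tagged={60}, untagged=1),        # uplink to pfSense: VL60 tagged, VL1 untagged
    34: Port(untagged=60),                   # access port in VLAN 60
    10: Port(untagged=1),                    # an ordinary server port in VLAN 1
    5: Port(tagged={40, 60}, native=999),    # pure-tagged port with a "garbage" native VLAN
}


def classify_ingress(switch: Dict[int, Port], port: int, tag: Optional[int]) -> Optional[int]:
    """VLAN a frame arriving on `port` is placed in, or None if the switch drops it."""
    p = switch[port]
    if tag is not None:
        # A tagged frame is only accepted if that VLAN is tagged on the ingress port.
        return tag if tag in p.tagged else None
    if p.untagged is not None:
        # An untagged frame belongs to the port's untagged VLAN (VL1 on P3 here).
        return p.untagged
    # No untagged VLAN: fall back to the native VLAN (None means drop).
    return p.native


def egress_ports(switch: Dict[int, Port], vlan: int, ingress_port: int) -> List[Tuple[int, Optional[int]]]:
    """Member ports of `vlan` other than the ingress port, with the tag each puts on
    the wire (None = the frame leaves untagged)."""
    out: List[Tuple[int, Optional[int]]] = []
    for num, p in sorted(switch.items()):
        if num == ingress_port:
            continue
        if vlan in p.tagged:
            out.append((num, vlan))
        elif p.untagged == vlan:
            out.append((num, None))
    return out


def forward(switch: Dict[int, Port], port: int, tag: Optional[int]) -> List[Tuple[int, Optional[int]]]:
    """Where a broadcast frame entering `port` with `tag` (None = untagged) is flooded to."""
    vlan = classify_ingress(switch, port, tag)
    if vlan is None:
        return []
    return egress_ports(switch, vlan, port)


if __name__ == "__main__":
    print("VL60 tagged in on P3 ->", forward(SWITCH, 3, 60))      # reaches P34 untagged, P5 tagged
    print("untagged in on P3   ->", forward(SWITCH, 3, None))    # VL1: only the VL1 port(s)
    print("VL40 tagged in on P3 ->", forward(SWITCH, 3, 40))      # dropped: VL40 not tagged on P3
    print("untagged in on P5   ->", forward(SWITCH, 5, None))    # native 999 has no members: dies
```

Two things the model makes visible: VL60 frames on P3 keep their tag regardless of P3 also being an untagged member of VL1, and a VL40 frame from pfSense is simply discarded at P3 until VL40 is added as a tagged VLAN there.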
@bingo600 All servers (on non-vlan/vlan1) fell down once I connected the pfSense to port 2/LAN40 like I had prepared for yesterday. Port 2 was tagged on VLAN40 and port 34 untagged. But total block of all traffic from start. So now the VLAN40 is broken/not-used. Will fix once I'm good with VLAN60, so I can see how traffic goes (or hopefully not goes) between VLAN60 and VLAN40 on the switch.
Ended up resetting everything and using Port 3 instead with fresh vlan-setup.. somehow what seems to be the same setup now works (kind of). I think it changes if you define a port as access-port vs doing it as hybrid and untags it. In theory, it should be similar, but..
-
@bingo600 Thanks for all the help :)
For some reason, once I configured VLAN40 just like VLAN60 now - even without adding the interface ip on Layer #3 on the switch, VLAN40 works. I have no idea how come. But I have tested in details and I can't get to any IP on VLAN40 just like I would hope for (from VLAN60). And DHCP works just great on both VLANs.
I have public IP on the LAN-network and private IPs in the VLAN. This worked just great to do NAT from public static IP to this VLAN IP. Just wonder if there is a simple way to just assign a public IP on the VLAN-side somehow. Since it works on the LAN, I suspect it is just some configuration needed to be able to re-use that public IP (on LAN) also on the VLAN-side. But no idea how.. any ideas? I can use it like it is now, the private IP gets the public static IP externally, but just a bit administration.
-
I don't think I understand the public IP on the LAN part ??
-
@fireix said in VLAN on D-link:
just assign a public IP on the VLAN-side somehow
You can use whatever IP range you want on your local network, rfc1918 or public. But public isn't going to work unless the range is actually routed to you. And just pulling some public IP range out of thin air and natting it to some other public IP is pointless, and could quite likely cause you issues when you can't actually get to the public site that actually owns/uses that IP space
Do you have public space routed to you.. If so you can subnet that out to whatever you want for your local segments as long as you have a large enough cidr routed to you.
-
@johnpoz It is public /24 on the LAN side - my ISP has assigned me transport net /29 on WAN side and also assigned me the /24 I use on the LAN. I have them on my LAN and all of them are reachable on Internet (with NAT).
I can't divide them up in smaller subnets as I have customers using random IPs in the whole /24 range with static settings of mask/gw and so on. Too much work to take offline or change them all as IPs are used deep into their applications and it works just fine, it is more like from a better isolation perspective I want this.
Some customers I could have moved on to new settings, but I understand I have to move everyone into different smaller ranges (changing it on their servers) at the same time and can't take just a few of them at a time based on what I'm told.
Since I'm able to "route" the public static IPs to both private (NAT) and public IPs on my LAN-side (both using the public IP directly on server AND NAT to private IPs), it should be possible into the VLAN-side also. But my question is how :) I assume my explanation so far rules out subnetting.
-
@fireix said in VLAN on D-link:
my ISP has assigned me transport net /29 on WAN side and also assigned me the /24 I use on the LAN
Sure that is fine, but you can just break that /24 up in say /29 or /28 or whatever you need for your other segments. Or you could get them to assign you more space routed via your /29
But sure you could assign the IPs from your /29 as vips and nat your other rfc1918 segments to those IPs
-
@johnpoz said in VLAN on D-link:
but you can just break that /24 up in say /29 or /28 or whatever you need for your other segments.
How is the big question :)
Let's say I have this range 142.250.74.0/24 on my LAN interface.
I have cPanel-servers using 142.250.74.10 (255.255.255.0), some using 142.250.74.200 etc.
What I would have wanted, is to give out for instance 142.250.74.112 /28 to a friend/customer - I have no servers on IPs in that range, so it is unused. I assume it is not as easy as just setting up a server with 142.250.74.114/255.255.255.240 and just have a GW (a VIP on my pfSense with IP 142.250.74.113). I do see that it actually works (I can get to internet both directions), but maybe it can cause problems. I assume I need to set up this network/reference on pfSense somehow. Is there a way I can set this up without interrupting traffic to 142.250.74.10 for instance?
I tried just for fun to try to set that /28 (not actually that IP, but same type public static IPs I'm assigned) on a VLAN-interface, but pfSense told me I couldn't do that due to overlap. So in my mind, I think I would need to remove that entire /24 allocation from LAN interface of pfSense and then put /28 (or smaller/different non-overlapping ranges) on each VLAN-interface.
Then change the netmask/gw etc on each server. That is the only way I can see with my limited knowledge how to create extra interfaces.
Note that I'm using 1-1 NAT and don't need to share public IPs, there are plenty for my use. There are only a limited cases where I need private IPs on the inside.
-
@fireix said in VLAN on D-link:
How is the big question :)
You want to know how to subnet a /24?
You don't just random pick IPs ;) And if you have a /24 on one interface, and then want to use a /28 out of that 24 on another interface - then yeah they would overlap..
If you want to break your /24 its quite possible there will be an interruption. Depending are all your devices on your /24 currently, are they all within a specific range.. You mention .10 and other .200 means they are spread across the /24 and not easy to change without an interruption. Now let's say all your IPs being used were less than .126, then you could change your /24 to a /25, then you could break up the other /25 into say /28s
If your goal is to be able to use other subnets. I would consolidate your current devices into a specific subnet (leaving yourself room for growth).. Maybe the first /25 or /26, then you can use the rest of the space as you see fit for other segments.
How many total IPs are you currently actively using? And what are they? You're not going to be able to split your /24 into other subnets if you have .10 and .200 There is no way to split the /24 and leave those two IPs in the same subnet.
The first split would be /25
.1-126
.128-254
Would be the 2 ranges of IPs you could use in
192.168.0.0/25
192.168.0.127/25
Using whatever actual IP range you have, the 192.168.0 is just an example of where the split is. You could use the first /25 and then break up the other /25 into /28s for example.
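The subnetting arithmetic in the post above, worked through in code. This is an added example written for this page (not from the thread and not anything pfSense does); it only uses Python's standard `ipaddress` module. The addresses are the illustrative 142.250.74.0/24 block, 142.250.74.10 and 142.250.74.200 used earlier in the thread; the function names are my own. Beyond the /25 split in the post it also answers the two practical questions raised: which /28s are still free for customers when those hosts stay where they are, and why pfSense reports an overlap when a /28 is cut from a /24 that is still assigned to LAN.

```python
import ipaddress
from typing import Iterable, List, Tuple


def split_prefix(parent: str, new_prefix: int) -> List[str]:
    """Split `parent` into equal subnets of length `new_prefix` (a /24 into two /25s, ...)."""
    return [str(s) for s in ipaddress.ip_network(parent).subnets(new_prefix=new_prefix)]


def smallest_common_subnet(addresses: Iterable[str]) -> str:
    """Smallest prefix that still contains every listed host. Any split below this
    size puts the hosts in different subnets, so it cannot be done without renumbering."""
    hosts = [ipaddress.ip_address(a) for a in addresses]
    net = ipaddress.ip_network(hosts[0])          # start at /32 and widen until all fit
    while not all(h in net for h in hosts):
        net = net.supernet()
    return str(net)


def free_subnets(parent: str, used_hosts: Iterable[str], new_prefix: int) -> List[str]:
    """Subnets of `parent` at `new_prefix` that contain none of the addresses already in use."""
    used = [ipaddress.ip_address(h) for h in used_hosts]
    return [s for s in split_prefix(parent, new_prefix)
            if not any(h in ipaddress.ip_network(s) for h in used)]


def overlaps(a: str, b: str) -> bool:
    """True when the two prefixes share addresses. Two interfaces with overlapping
    prefixes is exactly the configuration pfSense rejects."""
    return ipaddress.ip_network(a).overlaps(ipaddress.ip_network(b))


def describe(subnet: str) -> Tuple[str, str, str, str]:
    """(network, first usable host, last usable host, broadcast) for a prefix."""
    net = ipaddress.ip_network(subnet)
    hosts = list(net.hosts())
    return (str(net.network_address), str(hosts[0]), str(hosts[-1]), str(net.broadcast_address))


if __name__ == "__main__":
    # Constructed sample values taken from the thread's own placeholder addresses.
    block = "142.250.74.0/24"
    in_use = ["142.250.74.10", "142.250.74.200"]

    print("/24 split into /25s:", split_prefix(block, 25))
    print("smallest block holding .10 and .200:", smallest_common_subnet(in_use))
    print("smallest block holding .10 and .100:", smallest_common_subnet(["142.250.74.10", "142.250.74.100"]))
    print("/28s with no host in use:", free_subnets(block, in_use, 28))
    print("/24 on LAN overlaps a /28 carved from it:", overlaps(block, "142.250.74.112/28"))
    print("net/first/last/broadcast of .112/28:", describe("142.250.74.112/28"))
```

`smallest_common_subnet` returns the whole /24 for .10 and .200, which is the point made above: those two cannot land in the same smaller subnet. Run with .10 and .100 instead it returns the first /25, i.e. if every existing host were below .126 the /24 could shrink to a /25 and the upper half be carved into /28s. `describe` shows that in the .112/28 example .112 is the network address, .113 to .126 are usable (the .113 gateway and .114 server mentioned earlier both fit) and .127 is broadcast.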
-
@johnpoz Not so much how to subnet, more practical on how to implement it. The reason for doing subnetting (in my head), is to group some customers into their own "network". A bit due to security and a bit because customers of data centers (all the ones I have been customer of) are used to being handed out a small or big public IP subnet to their customer. Customer can just plug in their server, assign it a public static IP in the range I have set up to them and be online in a minute without having to use private IPs. And less risk that they by accident take an IP I already use - less broadcasting inside a /28 than a /24. I use like 70 IPs out of 256 today, but not super heavy traffic here.
Now, I understand the theory of subnetting (subnet-calculators can help me divide to find the allowed IPs and broadcast domains), but how it is implemented in pfSense is my biggest question. How do you set up the subnets when only one subnet is allowed on the pfSense LAN side?
I'm missing something fundamentally. Since I have been struggling with VLANs, and finally know how to set them up, I do see that I can create an interface for the VLAN and I can enter private IP-range there just like on the LAN-interface. So I think somewhat of a solution is to enter the public static IP-ranges (for instance /28s). But then I need to first remove the /24 and then add each subnet again - to each vlan. This way, no overlapping and I will both have subnetting and more isolated traffic.
However: Is there a way to add interfaces (like several subnets) to the pfSense LAN (remove the /24 assignment first) WITHOUT using vlans and interfaces from there is basically something I wonder I think.. Without introducing separate router/extra switches. Having a separate VLAN for each customer I suspect will be hard to manage in the GUI after a while.
-
@fireix said in VLAN on D-link:
How to you set up the subnets when only one subnet is allowed on the pfSense LAN side?
Huh, who says only 1 subnet is allowed on the lan side.. I have 8 different networks on the lan side all using different address space. Currently they are all /24 but that has nothing to do with anything, they could be /22s they could be /29s, etc.
How many networks are you wanting to create - a /24 isn't going to support many customers if you break those up into /28s
-
@johnpoz 8? That's child's play... my new network has 15.
Of course 5 of them are for testing pfSense releases...
-
@rcoleman-netgate hhehee but I think his point is it might be cumbersome to manage 2000 some networks off of pfsense.. Yeah it would, not really something I would think you would be doing ;)
Out of your /24 you could create 16 /28s - that should be easy enough to manage, or even /29s wouldn't be something you couldn't do pretty easy.
But yeah you start getting into the 100s of interfaces it might be a bit cumbersome
-
@johnpoz Hmm.. maybe I was thinking it was more complicated ;) I was thinking it was special since I have public static IPs on the non-wan side of the firewall and stuff, but maybe not..
But what would you choose on the LAN-interface from start? Would I just choose one random subnet of the (for instance) /28s out of all I want and then just start using the rest on servers?
I set up at /28 (for example) on the VIP (lan), one for each subnet - or isn't that needed either - to use as gw for each subnet?
-
@fireix said in VLAN on D-link:
) on the VIP (lan), one for each subnet
What? VIP?
Why would you do vips? This isn't difficult, using public behind pfsense is just the same as using rfc1918, you just don't nat it.. It's that simple.