VLAN on D-link
-
@fireix said in VLAN on D-link:
@bingo600 I ended up putting the pfSense LAN to Port #3 to have a fresh port/start.
VLAN60: Based on the "show vlan", all traffic arriving on Port 3 is defined as Tagged, so the switch should in theory forward any VLAN60 traffic to the untagged port at Port 34 and all other access ports (untagged ports) in VLAN60?
Correct, Vlan60 data should be sent/received tagged on P3, and also be copied to all untagged port members of VL60.
All untagged traffic sent/received on P3 would (in the switch) belong to Vlan1. What happened to Vlan40???
You haven't tagged VL40 on P3 (the connection from switch to pfSense).

At least good to verify that in theory that is how it is supposed to work. If there is an error, I suspect it is on Port 3 as there are many options for it under VLAN1 at least. With "native VLAN" and how these options can be set, it is hard to know exactly.

Native vlan is a way to tell the switch what Vlan "Untagged packages" belong to, on a port that has no "Untagged Vlan" defined, i.e. a port that only has tagged vlans defined.
If "the other end" decides to send packages untagged to that port, the switch now knows what vlan to put those packages in.
I have a "Dummy VlanXX" just for native vlan purposes; all my "Pure tagged Vlan switchports" have their native vlan set to XX.
No switch ports are Tagged or Untagged members of that Vlan XX, effectively making it a "Garbage or /dev/null" vlan, where nothing listens and packages just "die".

"I would expect the switch might be "kind enough" to interroute packages between the vlans with an ip interface."
That's what I fear... At least it doesn't for now between VLAN1 and VLAN60, but maybe it will happen with the next VLANs I create with similar config..

I feel it looks a bit weird to me to have all ports in vlan1 untagged. Doesn't this remove the VLAN tag from the traffic on port 3? Or is it normal, since VLAN60 has port 3 tagged, that it should still work?

The untagged definition only affects packages w/o a Vlan tag; VL60 on P3 is defined as tagged, and would not be affected.
But having (almost) all ports as untagged members of Vlan1 enables devices on all member ports to send untagged data, like from a normal netcard setup, to each other.
Well, you're the boss; the switch just does as told.
-
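The tagged/untagged/native behaviour described in the post above can be checked against a small model of how an 802.1Q switch classifies frames on ingress and copies them on egress. The following is an added example written for this thread, not code from the forum, pfSense or D-Link; the port table (P3 as the pfSense uplink, P34 as the VLAN60 access port, P7 as a pure-tagged port with a dummy native VLAN 999) is constructed to mirror the setup discussed and is an assumption.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Port:
    """Membership of one switch port (constructed model, not a D-Link config)."""
    tagged: set = field(default_factory=set)   # VLANs sent/received on this port with an 802.1Q tag
    untagged: Optional[int] = None             # VLAN whose frames leave this port without a tag
    native: Optional[int] = None               # VLAN assigned to untagged ingress when no untagged VLAN is defined

    def pvid(self) -> Optional[int]:
        # An untagged member VLAN doubles as the ingress VLAN for tagless frames;
        # a pure-tagged port falls back to its native VLAN (may be a dummy VLAN).
        return self.untagged if self.untagged is not None else self.native

def ingress_vlan(port: Port, tag: Optional[int]) -> Optional[int]:
    """Classify an arriving frame. Returns the VLAN id, or None if the frame is dropped."""
    if tag is None:
        return port.pvid()
    # A tagged frame is only accepted if the port is a tagged member of that VLAN.
    return tag if tag in port.tagged else None

def forward(switch: dict, in_port: str, tag: Optional[int]) -> dict:
    """Egress decision: {out_port: tag_on_wire}. tag_on_wire is None for untagged egress.
    An empty dict means the frame went nowhere (dropped or no members in its VLAN)."""
    vid = ingress_vlan(switch[in_port], tag)
    out = {}
    if vid is None:
        return out
    for name, port in switch.items():
        if name == in_port:
            continue
        if vid in port.tagged:
            out[name] = vid          # leaves with the tag
        elif port.untagged == vid:
            out[name] = None         # tag stripped on egress
    return out

# Constructed port table mirroring the thread: P3 = uplink to pfSense (VLAN1 untagged, VLAN60 tagged),
# P34 = access port in VLAN60, P5/P6 = ordinary access ports in VLAN1,
# P7 = pure-tagged port whose native VLAN 999 has no members anywhere ("/dev/null" VLAN).
SWITCH = {
    "P3":  Port(tagged={60}, untagged=1),
    "P34": Port(untagged=60),
    "P5":  Port(untagged=1),
    "P6":  Port(untagged=1),
    "P7":  Port(tagged={60}, native=999),
}

if __name__ == "__main__":
    print("VLAN60 tagged in on P3  ->", forward(SWITCH, "P3", 60))   # P34 untagged, P7 tagged
    print("untagged in on P3       ->", forward(SWITCH, "P3", None)) # VLAN1 ports only
    print("VLAN40 tagged in on P3  ->", forward(SWITCH, "P3", 40))   # dropped: P3 is not tagged for 40
    print("untagged in on P7       ->", forward(SWITCH, "P7", None)) # dies in dummy VLAN 999
```

The model makes the two failure modes in the thread visible: VLAN40 frames from pfSense go nowhere until P3 is made a tagged member of VLAN40, and an untagged frame arriving on a pure-tagged port lands in whatever its native VLAN is, which is exactly why a dummy VLAN with no members is a safe default there. The model deliberately has no layer-3 interfaces, so nothing is ever routed between VLANs.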
@bingo600 All servers (on non-vlan/vlan1) fell down once I connected the pfSense to port 2/LAN40 like I had prepared for yesterday. Port 2 was tagged on VLAN40 and port 34 untagged. But total block of all traffic from start. So now the VLAN40 is broken/not-used. Will fix once I'm good with VLAN60, so I can see how traffic goes (or hopefully not goes) between VLAN60 and VLAN40 on the switch.
Ended up resetting everything and using Port 3 instead with a fresh vlan setup.. somehow what seems to be the same setup now works (kind of). I think it changes if you define a port as an access port vs doing it as hybrid and untagging it. In theory, it should be similar, but..
-
This post is deleted!
-
@bingo600 Thanks for all the help :)
For some reason, once I configured VLAN40 just like VLAN60 now - even without adding the interface IP on Layer 3 on the switch - VLAN40 works. I have no idea how come. But I have tested in detail and I can't get to any IP on VLAN40 (from VLAN60), just like I would hope for. And DHCP works just great on both VLANs.
I have public IPs on the LAN network and private IPs in the VLAN. This worked just great to do NAT from a public static IP to this VLAN IP. Just wonder if there is a simple way to just assign a public IP on the VLAN side somehow. Since it works on the LAN, I suspect it is just some configuration needed to be able to re-use that public IP (on LAN) also on the VLAN side. But no idea how.. any ideas? I can use it like it is now, the private IP gets the public static IP externally, but it is just a bit of administration.
-
I don't think I understand the public IP on the LAN part??
-
@fireix said in VLAN on D-link:
just assign a public IP on the VLAN-side somehow
You can use whatever IP range you want on your local network, rfc1918 or public. But public isn't going to work unless the range is actually routed to you. And just pulling some public IP range out of thin air and natting it to some other public IP is pointless, and could quite likely cause you issues when you can't actually get to the public site that actually owns/uses that IP space.
Do you have public space routed to you.. If so you can subnet that out to whatever you want for your local segments as long as you have a large enough cidr routed to you.
-
@johnpoz It is public /24 on the LAN side - my ISP has assigned me transport net /29 on WAN side and also assigned me the /24 I use on the LAN. I have them on my LAN and all of them are reachable on Internet (with NAT).
I can't divide them up into smaller subnets as I have customers using random IPs in the whole /24 range with static settings of mask/gw and so on. Too much work to take offline or change them all, as IPs are used deep into their applications and it works just fine; it is more from a better isolation perspective that I want this.
Some customers I could have moved on to new settings, but I understand I have to move everyone into different smaller ranges (changing it on their servers) at the same time and can't take just a few of them at a time, based on what I'm told.
Since I'm able to "route" the public static IPs to both private (NAT) and public IPs on my LAN side (both using the public IP directly on the server AND NAT to private IPs), it should be possible on the VLAN side also. But my question is how :) I assume my explanation so far rules out subnetting.
-
@fireix said in VLAN on D-link:
my ISP has assigned me transport net /29 on WAN side and also assigned me the /24 I use on the LAN
Sure that is fine, but you can just break that /24 up in say /29 or /28 or whatever you need for your other segments. Or you could get them to assign you more space routed via your /29
But sure you could assign the IPs from your /29 as vips and nat your other rfc1918 segments to those IPs
-
@johnpoz said in VLAN on D-link:
but you can just break that /24 up in say /29 or /28 or whatever you need for your other segments.
How is the big question :)
Let's say I have this range 142.250.74.0/24 on my LAN interface.
I have cPanel-servers using 142.250.74.10 (255.255.255.0), some using 142.250.74.200 etc.
What I would have wanted is to give out for instance 142.250.74.112/28 to a friend/customer - I have no servers on IPs in that range, so it is unused. I assume it is not as easy as just setting up a server with 142.250.74.114/255.255.255.240 and just having a GW (a VIP on my pfSense with IP 142.250.74.113). I do see that it actually works (I can get to the internet in both directions), but maybe it can cause problems. I assume I need to set up this network/reference on pfSense somehow. Is there a way I can set this up without interrupting traffic to 142.250.74.10 for instance?
I tried just for fun to set that /28 (not actually that IP, but the same type of public static IPs I'm assigned) on a VLAN interface, but pfSense told me I couldn't do that due to overlap. So in my mind, I think I would need to remove that entire /24 allocation from the LAN interface of pfSense and then put a /28 (or smaller/different non-overlapping ranges) on each VLAN interface.
Then change the netmask/gw etc. on each server. That is the only way I can see, with my limited knowledge, how to create extra interfaces.
Note that I'm using 1:1 NAT and don't need to share public IPs; there are plenty for my use. There are only a limited number of cases where I need private IPs on the inside.
-
@fireix said in VLAN on D-link:
How is the big question :)
You want to know how to subnet a /24?
You don't just randomly pick IPs ;) And if you have a /24 on one interface, and then want to use a /28 out of that /24 on another interface - then yeah, they would overlap..
If you want to break your /24 it's quite possible there will be an interruption. It depends on whether all your devices on your /24 are currently within a specific range.. You mention .10 and another .200, which means they are spread across the /24 and not easy to change without an interruption. Now let's say all your IPs being used were less than .126; then you could change your /24 to a /25, and then you could break up the other /25 into say /28s.
If your goal is to be able to use other subnets, I would consolidate your current devices into a specific subnet (leaving yourself room for growth).. Maybe the first /25 or /26, then you can use the rest of the space as you see fit for other segments.
How many total IPs are you currently actively using? And what are they? You're not going to be able to split your /24 into other subnets if you have .10 and .200. There is no way to split the /24 and leave those two IPs in the same subnet.
The first split would be /25
.1-126
.128-254
Would be the 2 ranges of IPs you could use in
192.168.0.0/25
192.168.0.127/25
Using whatever actual IP range you have, the 192.168.0 is just an example of where the split is. You could use the first /25 and then break up the other /25 into /28s for example.
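The overlap check, the /25-then-/28s split and the "can these two hosts stay in one subnet" question from the post above can all be worked through with Python's standard `ipaddress` module. This is an added example written for this thread, not code from the forum or from pfSense; it uses the 142.250.74.0/24 block and the .10/.200 hosts quoted earlier in the thread as constructed sample input, and the function names are my own.

```python
import ipaddress
from typing import Iterable, List, Optional, Tuple

def overlaps(a: str, b: str) -> bool:
    """True if two networks share any address (why pfSense refuses a /28 on a VLAN
    interface while the whole /24 is still on LAN)."""
    return ipaddress.ip_network(a).overlaps(ipaddress.ip_network(b))

def split_plan(block: str, first_prefix: int, rest_prefix: int):
    """Split `block` at `first_prefix`, keep the first piece whole for existing servers
    and carve the remaining pieces into `rest_prefix` subnets for other segments."""
    net = ipaddress.ip_network(block)
    pieces = list(net.subnets(new_prefix=first_prefix))
    keep = pieces[0]
    carved = [s for p in pieces[1:] for s in p.subnets(new_prefix=rest_prefix)]
    return keep, carved

def smallest_covering(block: str, hosts: Iterable[str]) -> Optional[ipaddress.IPv4Network]:
    """Most specific subnet of `block` that still contains every in-use host.
    If this comes back as the whole block, the block cannot be split without renumbering."""
    net = ipaddress.ip_network(block)
    addrs = [ipaddress.ip_address(h) for h in hosts]
    if not addrs or any(a not in net for a in addrs):
        raise ValueError("all hosts must lie inside the block")
    # Candidates nest, so walking from /32 down to the block's prefix finds the longest one first.
    for plen in range(net.max_prefixlen, net.prefixlen - 1, -1):
        cand = ipaddress.ip_network(f"{addrs[0]}/{plen}", strict=False)
        if all(a in cand for a in addrs):
            return cand
    return None

def is_free(subnet: str, in_use: Iterable[str]) -> bool:
    """True if none of the in-use hosts fall inside the subnet you want to hand to a customer."""
    net = ipaddress.ip_network(subnet)
    return not any(ipaddress.ip_address(h) in net for h in in_use)

def usable_hosts(subnet: str) -> Tuple[str, str]:
    """First and last assignable host (network and broadcast excluded), e.g. gateway and top host."""
    hosts = list(ipaddress.ip_network(subnet).hosts())
    return str(hosts[0]), str(hosts[-1])

# Constructed sample data taken from the thread's own example values.
BLOCK = "142.250.74.0/24"
IN_USE: List[str] = ["142.250.74.10", "142.250.74.200"]

if __name__ == "__main__":
    print("/28 overlaps the /24:", overlaps(BLOCK, "142.250.74.112/28"))
    keep, carved = split_plan(BLOCK, 25, 28)
    print("keep", keep, "and carve", [str(c) for c in carved])
    print("smallest subnet holding .10 and .200:", smallest_covering(BLOCK, IN_USE))
    print("142.250.74.112/28 free for a customer:", is_free("142.250.74.112/28", IN_USE))
    print("usable hosts in that /28:", usable_hosts("142.250.74.112/28"))
```

Running it shows the point made in the post: with hosts at .10 and .200 the only subnet that holds both is the /24 itself, so at least one of them must be renumbered before the first /25 can be kept for existing servers and the second /25 carved into eight /28s.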
-
@johnpoz Not so much how to subnet, more practically how to implement it. The reason for doing subnetting (in my head) is to group some customers into their own "network". A bit due to security and a bit because customers of data centers (all the ones I have been a customer of) are used to being handed a small or big public IP subnet. The customer can just plug in their server, assign it a public static IP in the range I have set up for them and be online in a minute without having to use private IPs. And less risk that they by accident take an IP I already use - less broadcasting inside a /28 than a /24. I use like 70 IPs out of 256 today, but not super heavy traffic here.
Now, I understand the theory of subnetting (subnet calculators can help me divide to find the allowed IPs and broadcast domains), but how it is implemented in pfSense is my biggest question. How do you set up the subnets when only one subnet is allowed on the pfSense LAN side?
I'm missing something fundamental. Since I have been struggling with VLANs, and finally know how to set them up, I do see that I can create an interface for the VLAN and I can enter a private IP range there just like on the LAN interface. So I think somewhat of a solution is to enter the public static IP ranges (for instance /28s). But then I need to first remove the /24 and then add each subnet again - to each vlan. This way, no overlapping, and I will have both subnetting and more isolated traffic.
However: is there a way to add interfaces (like several subnets) to the pfSense LAN (removing the /24 assignment first) WITHOUT using vlans and interfaces from there? That is basically what I wonder, I think.. Without introducing a separate router/extra switches. Having a separate VLAN for each customer I suspect will be hard to manage in the GUI after a while.
-
@fireix said in VLAN on D-link:
How to you set up the subnets when only one subnet is allowed on the pfSense LAN side?
Huh, who says only 1 subnet is allowed on the lan side.. I have 8 different networks on the lan side all using different address space. Currently they are all /24 but that has nothing to do with anything; they could be /22s, they could be /29s, etc.
How many networks are you wanting to create - a /24 isn't going to support many customers if you break those up into /28s.
-
@johnpoz 8? That's child's play... my new network has 15.
Of course 5 of them are for testing pfSense releases...
-
@rcoleman-netgate hehe, but I think his point is it might be cumbersome to manage 2000 some networks off of pfsense.. Yeah it would, not really something I would think you would be doing ;)
Out of your /24 you could create 16 /28s - that should be easy enough to manage, or even /29s wouldn't be something you couldn't do pretty easily.
But yeah, once you start getting into the 100s of interfaces it might be a bit cumbersome.
-
@johnpoz Hmm.. maybe I was thinking it was more complicated ;) I was thinking it was special since I have public static IPs on the non-wan side of the firewall and stuff, but maybe not..
But what would you choose on the LAN interface from the start? Would I just choose one random subnet of the (for instance) /28s out of all I want and then just start using the rest on servers?
I set up a /28 (for example) on the VIP (lan), one for each subnet - or isn't that needed either - to use as gw for each subnet?
-
@fireix said in VLAN on D-link:
) on the VIP (lan), one for each subnet
What? VIP?
Why would you do vips? This isn't difficult, using public behind pfsense is just like using rfc1918, you just don't nat it.. It's that simple.
-
@johnpoz So no setup at pfSense at all except firewall rules?
-
@fireix you have to set up the interfaces or vlan on an interface. But there is nothing special to do other than disable the nat..
The only difference in running 192.168.0/24 vs 42.15.16.0/28 for example would be you don't nat that network to some public interface, because the whole 42.15.16/24 is routed to you.
So there is no port forwarding required, etc. Just firewall rules that you allow or block traffic with.
-
@johnpoz That sounds great :) But when you say "interfaces"... Can I put more than one network on one interface - assume I have one LAN port on my pfSense. I suspect not. Now I have the entire /24 on the LAN port. So let's say I have one port for WAN and one for LAN.
I don't get it ;)
-
@fireix they are called vlans - the exact subject of your thread.. Yes you can put more than one network on a physical interface - via vlans!