Separating 2 networks question
-
I've been using pfSense for a while. My network contains a LAN and multiple VLANs, which include my IOT network and a couple of other networks on my NAS. There is a Ubiquiti U6 Pro wifi access point that serves up wifi for the LAN and IOT VLAN. Connections between the LAN and IOT were slow (probably hairpinning), so I put the IOT VLAN on another NIC port. So IGB1 is the WAN, IGB2 is the LAN and its VLANs, and IGB3 is the IOT VLAN. Performance improved, so I was happy. IOT cannot talk to any other LAN or VLAN except for some apps on my NAS.
Fast forward, I'm getting rid of static IPs because they caused some issues with my NAS. I have a 16 port switch that feeds an 8 port switch and a 5 port switch. I converted the 8 port and 5 port to dynamic IPs and all is well. They pick up IPs on the LAN, which is how it should be. Configuring my 16 port for dynamic IPs picks up an IP on the IOT VLAN. Switch port 11 has the IGB3 cable going to it and is tagged for the IOT VLAN. Its PVID is 1. The ports on the switch that have TV, audio, etc. have a PVID of 10 for the IOT VLAN. I wanted IGB3 to be a VLAN so the U6 Pro could serve up IPs. It only allows one main network, and I can't add multiple subnets.
I'm thinking either the switch is set up incorrectly, or I'm going about this the wrong way. My initial thought was to create a LAG, but my switch only supports static LAGs. This may cause hairpinning to return, from what I have read. I have another 8 port managed switch lying around and was thinking I can connect the IOT VLAN cable to that and connect that switch to the 16 port switch. Would that solve my issue with dynamic IP? Is there another way to solve this issue or another way to make this work?
-
What exactly is the problem here? The switch is pulling a dynamic IP from the wrong subnet?
Most switches will try to use untagged traffic for dhcp by default, usually vlan1 internally on the switch. If you have igb3 connected to it using untagged traffic it will pull a lease from there unless you configure it to use another VLAN for management.
Is igb2 connected to it?
Steve
-
I have IGB2 and IGB3 connected to the switch. I'd like it to pull dhcp from IGB2, which is my LAN network. Looking at it another way, IGB2 is on port 2 of the NIC. IGB3 is on port 3 of the NIC.
I'd like to know if I have this configured correctly, or if there is a better way, like putting IGB3 on its own switch. The end result is 2 networks, each on its own NIC.
IGB1 - WAN - NIC port 1 (connected to fiber broadband router)
IGB2 - LAN (plus 2 VLANs) - NIC port 2 (connected to 16 port switch)
IGB3 - IOT VLAN - NIC port 3 (connected to 16 port switch)
IGB3 was not set up as another LAN. I had to set it up as a VLAN because my access point won't route traffic to 2 separate networks.
From the assignments tab:
WAN - igb1
LAN - igb2
IOT - VLAN 10 on igb3
abc - VLAN 20 on igb2
def - VLAN 30 on igb2
ghi - VLAN 40 on igb2
-
How is the switch configured?
I assume you don't have both igb2 and igb3 connected to ports that are untagged on VLAN 1? That would just connect those subnets together, which is not what you want.
Steve
-
They are both untagged on vlan1. Should I leave igb3 blank?
-
You should only have one NIC connected to pfSense in the native VLAN. Otherwise, when the switch tries to pull a DHCP lease on the native VLAN (1), that request will hit both igb2 and igb3 untagged, and pfSense is running DHCP servers on both of those. One of those should either be tagged between pfSense and the switch or be on a different VLAN at the switch.
However, re-reading your post, it looks like igb3 is not assigned directly, only as igb3.10 in pfSense?
In that case the switch should not be able to connect to it untagged, and it seems more likely it's configured to use VLAN 10 for management directly. Check that.
Steve
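Added example, not part of the thread and not code from either poster: a small Python model of 802.1Q ingress/egress on a managed switch plus VLAN assignment on pfSense, using the port numbers, VLAN IDs and interface names from the thread (port 11 to igb3, VLAN 10 = IOT). It shows three things the reply above reasons about: untagged VLAN 1 on both uplinks reaches two DHCP servers if igb3 itself is assigned, a management DHCP request on VLAN 1 cannot reach igb3 when only igb3.10 is assigned (the untagged frame is dropped), and the switch lands on the IOT subnet if its management interface lives in VLAN 10. The Port and PfSenseNic structures and the forwarding rules are a simplification assumed for illustration, not the firmware of any particular switch.

```python
"""Constructed model of 802.1Q forwarding between a managed switch and pfSense.

Assumptions (not from the thread): a switch port is a PVID plus two VLAN sets
(sent untagged / sent tagged on egress); pfSense delivers an untagged frame to
the raw NIC only if that NIC is assigned, and a tagged frame only to a matching
igbN.<id> subinterface. Anything else is dropped.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class Port:
    pvid: int                                    # VLAN given to untagged frames that ENTER here
    untagged: Set[int] = field(default_factory=set)  # VLANs sent untagged when LEAVING here
    tagged: Set[int] = field(default_factory=set)    # VLANs sent with an 802.1Q tag when leaving


@dataclass
class PfSenseNic:
    parent: Optional[str]        # pfSense interface name if the raw NIC is assigned, else None
    vlans: Dict[int, str]        # {vlan id: interface name} for igbN.<id> subinterfaces


def ingress_vlan(port: Port, wire_tag: Optional[int]) -> int:
    """VLAN a frame belongs to once it enters a port: its tag, or the PVID if untagged."""
    return wire_tag if wire_tag is not None else port.pvid


def forward(switch: Dict[int, Port], vlan: int, src_port: Optional[int]) -> Dict[int, Optional[int]]:
    """Egress decision: {port: tag on the wire or None}. Ports not in the VLAN are skipped."""
    out: Dict[int, Optional[int]] = {}
    for num, port in switch.items():
        if num == src_port:
            continue
        if vlan in port.untagged:
            out[num] = None
        elif vlan in port.tagged:
            out[num] = vlan
    return out


def pfsense_receivers(switch, links, nics, vlan, src_port=None) -> Set[str]:
    """pfSense interfaces that receive a frame flooded in `vlan` (e.g. a DHCP DISCOVER)."""
    got: Set[str] = set()
    for port, wire_tag in forward(switch, vlan, src_port).items():
        nic = nics.get(links.get(port))
        if nic is None:                      # port does not go to pfSense
            continue
        if wire_tag is None:
            if nic.parent:                   # untagged -> raw NIC, only if assigned
                got.add(nic.parent)
        elif wire_tag in nic.vlans:          # tagged -> matching igbN.<id>
            got.add(nic.vlans[wire_tag])
    return got                               # unassigned raw NIC / unknown tag: dropped


def scenarios() -> Dict[str, Set[str]]:
    """Replay the thread's configurations. The switch CPU (management) has no source port."""
    links = {2: "igb2", 11: "igb3"}
    switch = {
        2: Port(pvid=1, untagged={1}, tagged={20, 30, 40}),   # trunk to igb2
        11: Port(pvid=1, untagged={1}, tagged={10}),          # port 11 as first described
        5: Port(pvid=10, untagged={10}),                      # a TV on the IOT VLAN
    }
    as_in_thread = {"igb2": PfSenseNic("LAN", {20: "abc", 30: "def", 40: "ghi"}),
                    "igb3": PfSenseNic(None, {10: "IOT"})}   # igb3 assigned only as igb3.10
    igb3_assigned = dict(as_in_thread, igb3=PfSenseNic("IOT_LAN", {10: "IOT"}))

    r = {}
    # Two NICs untagged in VLAN 1 and both assigned: one DISCOVER, two DHCP servers.
    r["igb3 assigned, mgmt on VLAN 1"] = pfsense_receivers(switch, links, igb3_assigned, 1)
    # Only igb3.10 assigned: the untagged copy on port 11 is dropped by pfSense.
    r["igb3.10 only, mgmt on VLAN 1"] = pfsense_receivers(switch, links, as_in_thread, 1)
    # Management interface in VLAN 10 leaves port 11 tagged and lands on IOT.
    r["igb3.10 only, mgmt on VLAN 10"] = pfsense_receivers(switch, links, as_in_thread, 10)
    # A TV on port 5 sends untagged; PVID 10 puts it in IOT, so it reaches igb3.10 tagged.
    tv_vlan = ingress_vlan(switch[5], None)
    r["TV on port 5"] = pfsense_receivers(switch, links, as_in_thread, tv_vlan, src_port=5)
    # Port 11 with untagged membership cleared and PVID 10: VLAN 1 no longer leaves port 11.
    switch[11] = Port(pvid=10, untagged=set(), tagged={10})
    r["port 11 tagged only, mgmt on VLAN 1"] = pfsense_receivers(switch, links, as_in_thread, 1)
    return r


if __name__ == "__main__":
    for name, receivers in scenarios().items():
        print(f"{name:40} -> {sorted(receivers) or ['dropped']}")
```

The model makes Steve's point concrete: with igb3 assigned only as igb3.10, no untagged configuration of port 11 can deliver the switch's own VLAN 1 DHCP request to the IOT subnet, so a lease from 10.x on that subnet implies the switch is sourcing its management traffic in VLAN 10. On a real system the same check is a packet capture on igb3 versus igb3.10 while the switch requests a lease.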
-
Port 11 on the switch is the connection from igb3. You are correct, igb3 is only assigned as igb3.10. Port 11 was shown untagged for native VLAN 1. Removing the untagged to blank, I had to change the PVID of port 11 to 10 instead of 1 (default). But even removing the tagging I still get a DHCP address in the IOT network. I'm guessing I can't have 2 NIC ports connected on the same switch.
I think I may have a resolution using another switch. I'll make igb3 the IOT LAN. Then I can make an IOT VLAN igb3.10 for wireless connections since I can't use 2 networks on the access point. Would this work?
The other option is to set up a LAG and see if that helps with performance. From what I have read, it may not, especially since my switch only has static LAGs.
-
You can have both ports connected to the same switch as long as the switch is configured to isolate them at layer 2. Which it sounds like it is.
It still seems more likely that the switch is actively configured to use VLAN 10 for its management interface.
-
Thanks for your help. Unfortunately, this router is a bit older and does not allow me to pick a management vlan. I'll just keep it with a static IP until I replace it in the near future.
-
Hmm, if there's no option I'm amazed it doesn't use VLAN1. If I've understood correctly that could only pull a lease from LAN. Or should at least.