Netgate Discussion Forum

    Having an issue configuring vlans, looking for some help.

      thisiswhatimherefor

      So I have a limitation that I can only get network to the rest of my house through moca adapters.

      you can see in my current setup https://imgur.com/a/2fACUj1

      i have an edge router x and it has 3 active ports all supporting vlans.

      • the ap's are tagging wireless traffic
      • my server is hosting containers / vms in multiple vlans and is tagging that traffic appropriately
      • i cannot support a switch at the location of the router.

      I bought this device https://protectli.com/product/vp4630/ from Protectli because it was beefy and will allow me to set up multiple vpns for streaming when i travel internationally.

      I tried following this guide https://docs.netgate.com/pfsense/en/latest/vlan/configuration.html#figure-vlans-interface-list but I cannot seem to get it to work as it says.

      As a test

      • windows laptop configured for vlan 200(inside windows) as a test in IGC1
      • Configure vlan 200 interface on igc4
      • make sure both interfaces are enabled
      • rules are any is allowed to any

      pings from the pc in 10.10.200.2 > 10.10.200.1 do not work. If I move the ethernet cable to igc4 pings work.

      If I put the vlan parent interface as igc3 (management pc, just to make sure it doesn’t need an up/up interface) the laptop still cannot ping its gateway.

      I would love to maintain the current network setup I have now because that would reduce rule maintenance and I can avoid probably like casting to tv's on different vlans etc. Any help is appreciated.

        thisiswhatimherefor @thisiswhatimherefor

        @thisiswhatimherefor I think I found my issue... maybe i'm off-base here but correct me if i'm wrong. My interfaces are igc whereas this requirements doc doesn't list my interfaces

        https://docs.netgate.com/pfsense/en/latest/vlan/index.html#requirements

        Ethernet interfaces with VLAN hardware support:

        ae(4), age(4), alc(4), ale(4), bce(4), bge(4), bxe(4), cxgb(4), cxgbe(4), em(4), igb(4), ixgb(4), ixgbe(4), jme(4), msk(4), mxge(4), nxge(4), nge(4), re(4), sge(4), stge(4), ti(4), txp(4), vge(4).

          johnpoz LAYER 8 Global Moderator @thisiswhatimherefor

          @thisiswhatimherefor I have not heard anything that igc doesn't support vlans - that would be very odd..

          if you do an ifconfig, what does it show.. example see the VLAN_HWTAGGING under options.

          [23.05.1-RELEASE][admin@sg4860.local.lan]/root: ifconfig
          igb0: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
                  description: LAN
                  options=4e100bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,VLAN_HWFILTER,RXCSUM_IPV6,TXCSUM_IPV6,NOMAP>
                  ether 00:08:a2:0c:e6:24
          

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.8, 24.11

            stephenw10 Netgate Administrator

            That doc probably just needs updating. igc(4) supports VLANs and has VLAN hardware offloading features. It should work.

            Conversely if you configured the NIC in Windows to use vlan 200 it should fail when connected to an untagged interface. The fact it does not implies the Windows machine is not actually using the vlan.

            Steve

              johnpoz LAYER 8 Global Moderator @thisiswhatimherefor

              @thisiswhatimherefor said in Having an issue configuring vlans, looking for some help.:

              If I move the ethernet cable to igc4 pings work.

              As Steve mentioned - if you setup windows to use vlan on the nic, and you put it on some untagged native network - it wouldn't work.. So if you're saying it's working.. That screams windows is not setup to actually use the vlan..

                thisiswhatimherefor @johnpoz

                @johnpoz

                Hey

                igc0: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
                       description: LAN1TVXBOX
                       options=4e020bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,WOL_MAGIC,RXCSUM_IPV6,TXCSUM_IPV6,NOMAP>
                       ether 00:e0:97:1b:97:d0
                       inet6 fe80::2e0:97ff:fe1b:97d0%igc0 prefixlen 64 scopeid 0x1
                       media: Ethernet autoselect
                       status: no carrier
                       nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
                igc1: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
                       description: TestLaptop
                       options=4e020bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,WOL_MAGIC,RXCSUM_IPV6,TXCSUM_IPV6,NOMAP>
                       ether 00:e0:97:1b:97:d1
                       inet6 fe80::2e0:97ff:fe1b:97d1%igc1 prefixlen 64 scopeid 0x2
                       media: Ethernet autoselect (1000baseT <full-duplex>)
                       status: active
                       nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
                igc2: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
                       description: LAN3BAP
                       options=4e020bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,WOL_MAGIC,RXCSUM_IPV6,TXCSUM_IPV6,NOMAP>
                       ether 00:e0:97:1b:97:d2
                       inet6 fe80::2e0:97ff:fe1b:97d2%igc2 prefixlen 64 scopeid 0x3
                       media: Ethernet autoselect
                       status: no carrier
                       nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
                igc3: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
                       description: ManagementPC
                       options=4e020bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,WOL_MAGIC,RXCSUM_IPV6,TXCSUM_IPV6,NOMAP>
                       ether 00:e0:97:1b:97:d3
                       inet6 fe80::2e0:97ff:fe1b:97d3%igc3 prefixlen 64 scopeid 0x4
                       inet 10.10.100.1 netmask 0xffffff00 broadcast 10.10.100.255
                       media: Ethernet autoselect (1000baseT <full-duplex>)
                       status: active
                       nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
                igc4: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
                       options=4e020bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,WOL_MAGIC,RXCSUM_IPV6,TXCSUM_IPV6,NOMAP>
                       ether 00:e0:97:1b:97:d4
                       inet6 fe80::2e0:97ff:fe1b:97d4%igc4 prefixlen 64 scopeid 0x5
                       media: Ethernet autoselect
                       status: no carrier
                       nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
                igc5: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
                       description: WAN
                       options=4e020bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,WOL_MAGIC,RXCSUM_IPV6,TXCSUM_IPV6,NOMAP>
                       ether 00:e0:97:1b:97:d5
                       inet6 fe80::2e0:97ff:fe1b:97d5%igc5 prefixlen 64 scopeid 0x6
                       media: Ethernet autoselect
                       status: no carrier
                       nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
                enc0: flags=0<> metric 0 mtu 1536
                       groups: enc
                       nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
                lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
                       options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
                       inet6 ::1 prefixlen 128
                       inet6 fe80::1%lo0 prefixlen 64 scopeid 0x8
                       inet 127.0.0.1 netmask 0xff000000
                       groups: lo
                       nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
                pflog0: flags=100<PROMISC> metric 0 mtu 33152
                       groups: pflog
                pfsync0: flags=0<> metric 0 mtu 1500
                       maxupd: 128 defer: off
                       syncok: 1
                       groups: pfsync
                igc4.200: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
                       description: VLAN200
                       options=4600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6,NOMAP>
                       ether 00:e0:97:1b:97:d4
                       inet6 fe80::2e0:97ff:fe1b:97d4%igc4.200 prefixlen 64 scopeid 0xb
                       inet 10.10.200.1 netmask 0xffffff00 broadcast 10.10.200.255
                       groups: vlan
                       vlan: 200 vlanproto: 802.1q vlanpcp: 0 parent interface: igc4
                       media: Ethernet autoselect
                       status: no carrier
                       nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
                
                  thisiswhatimherefor @johnpoz

                  @johnpoz

                  I think there is a misunderstanding here, it only succeeds when i connect it to the vlan'd interface.

                  If i connect it as the doc recommends, it doesn't work. vlan tagging is absolutely working because if i remove vlan 200 from the windows pc while it is connected to the igc4 it no longer pings.

                    stephenw10 Netgate Administrator

                    You only have the VLAN configured on igc4 so that's the only place I'd expect it to work.

                    What exactly are you doing that doesn't work?

                      thisiswhatimherefor @stephenw10

                      @stephenw10

                      Well, if you look at the guide i posted they did exactly the same thing. their lan is on igb1 and they configured the vlan on igb2.... I want this same scenario so i can have multiple ports share the same gateway (so i can cast from my phone on the wifi to the tv that's connected to the protectli device) without having to do multicast configurations.

                      https://docs.netgate.com/pfsense/en/latest/vlan/configuration.html#figure-vlans-interface-list

                       0) Logout (SSH only)                  9) pfTop
                       1) Assign Interfaces                 10) Filter Logs
                       2) Set interface(s) IP address       11) Restart webConfigurator
                       3) Reset webConfigurator password    12) pfSense Developer Shell
                       4) Reset to factory defaults         13) Update from console
                       5) Reboot system                     14) Disable Secure Shell (sshd)
                       6) Halt system                       15) Restore recent configuration
                       7) Ping host                         16) Restart PHP-FPM
                       8) Shell
                      
                      Enter an option: 1
                      
                      Valid interfaces are:
                      
                      igb0   00:08:a2:09:95:b5   (up) Intel(R) PRO/1000 Network Connection, Version -
                      igb1   00:08:a2:09:95:b6   (up) Intel(R) PRO/1000 Network Connection, Version -
                      igb2   00:08:a2:09:95:b1 (down) Intel(R) PRO/1000 Network Connection, Version -
                      igb3   00:08:a2:09:95:b2 (down) Intel(R) PRO/1000 Network Connection, Version -
                      igb4   00:08:a2:09:95:b3 (down) Intel(R) PRO/1000 Network Connection, Version -
                      igb5   00:08:a2:09:95:b3 (down) Intel(R) PRO/1000 Network Connection, Version -
                      
                      Do VLANs need to be set up first?
                      If VLANs will not be used, or only for optional interfaces, it is typical to
                      say no here and use the webConfigurator to configure VLANs later, if required.
                      
                      Should VLANs be set up now [y|n]? y
                      
                      WARNING: all existing VLANs will be cleared if you proceed!
                      
                      Do you want to proceed [y|n]? y
                      
                      VLAN Capable interfaces:
                      
                      igb0    00:08:a2:09:95:b5   (up)
                      igb1    00:08:a2:09:95:b6   (up)
                      igb2    00:08:a2:09:95:b1
                      igb3    00:08:a2:09:95:b2
                      igb4    00:08:a2:09:95:b3   (up)
                      igb5    00:08:a2:09:95:b3   (up)
                      
                      Enter the parent interface name for the new VLAN (or nothing if finished): igb2
                      Enter the VLAN tag (1-4094): 10
                      
                      VLAN Capable interfaces:
                      
                      igb0    00:08:a2:09:95:b5   (up)
                      igb1    00:08:a2:09:95:b6   (up)
                      igb2    00:08:a2:09:95:b1
                      igb3    00:08:a2:09:95:b2
                      igb4    00:08:a2:09:95:b3   (up)
                      igb5    00:08:a2:09:95:b3   (up)
                      
                      Enter the parent interface name for the new VLAN (or nothing if finished): igb2
                      Enter the VLAN tag (1-4094): 20
                      
                      VLAN Capable interfaces:
                      
                      igb0    00:08:a2:09:95:b5   (up)
                      igb1    00:08:a2:09:95:b6   (up)
                      igb2    00:08:a2:09:95:b1
                      igb3    00:08:a2:09:95:b2
                      igb4    00:08:a2:09:95:b3   (up)
                      igb5    00:08:a2:09:95:b3   (up)
                      
                      Enter the parent interface name for the new VLAN (or nothing if finished): <enter>
                      
                      VLAN interfaces:
                      
                      igb2.10     VLAN tag 10, parent interface igb2
                      igb2.20     VLAN tag 20, parent interface igb2
                      
                      If the names of the interfaces are not known, auto-detection can
                      be used instead. To use auto-detection, please disconnect all
                      interfaces before pressing 'a' to begin the process.
                      
                      Enter the WAN interface name or 'a' for auto-detection
                      : igb1
                      
                      Enter the LAN interface name or 'a' for auto-detection
                      NOTE: this enables full Firewalling/NAT mode.
                      : igb0
                      
                      Enter the Optional 1 interface name or 'a' for auto-detection
                      : igb2.10
                      
                      Enter the Optional 2 interface name or 'a' for auto-detection
                      : igb2.20
                      
                      Enter the Optional 3 interface name or 'a' for auto-detection
                      :<enter>
                      
                      The interfaces will be assigned as follows:
                      
                      WAN  -> igb1
                      LAN  -> igb0
                      OPT1 -> igb2.10
                      OPT2 -> igb2.20
                      
                      Do you want to proceed [y|n]? y
                      
                      Writing configuration...done.
                      One moment while the settings are reloading... done!
                      
                        stephenw10 Netgate Administrator

                        Right but those VLANs would only connect to anything on igb2 in that example. Exactly like you are seeing with the VLANs on igc4.

                        It sounds like you want the VLAN to be in the same subnet as the untagged LAN?

                        In that case you would need to bridge the LAN and VLAN interface together.

                          johnpoz LAYER 8 Global Moderator @stephenw10

                          @stephenw10 said in Having an issue configuring vlans, looking for some help.:

                          In that case you would need to bridge the LAN and VLAN interface together,

                          Which would be a horrible idea to be honest..

                          so i can have multiple ports share the same gateway.

                          Get a switch if you want multiple ports in the same network..

                            stephenw10 Netgate Administrator

                            Yup a switch would be better in almost every way here.

                              thisiswhatimherefor @johnpoz

                              @johnpoz

                              switch doesn't work for my use case because of the moca adapters.

                              If I get a switch and then create the vifs there, intervlan traffic completely ignores FW rules.

                              If i put in an l2 switch that receives tagged frames from moca and just forwards it to bridged interfaces on the device, i'm just back to where I am right now. except without having to have a silly configuration of a switch with multiple 6 inch patch cables going to the router.

                              What I want is basically what I have now.... but with pfsense. if it's not something it's capable of, that's fine. but it should be really.

                              and if i do the third solution of just having a separate network for the basement ap and tv/ xbox then that just breaks AP roaming, complicates fw rules, and blocks multicast applications like casting from phone etc....

                              I know it's a unique scenario but it doesn't look like pfsense software can handle an L3 type switch setup.

                                johnpoz LAYER 8 Global Moderator @thisiswhatimherefor

                                @thisiswhatimherefor said in Having an issue configuring vlans, looking for some help.:

                                my use case because of the moca adapters.

                                Says who - you can connect into a switch from a moca adapter.. And put it on any vlan you want.. What are you doing running now multiple L3 on the same L2 network?

                                You can do that too with pfsense.. if you really wanted to - but it's a bad idea to ever do that..

                                doesn't look like pfsense software can handle an L3 type switch setup.

                                Well it's not really an L3 switch.. Not exactly sure what you're doing with your moca, but moca is just a way to run over coax.. It then connects into ethernet - that ethernet can be just plugged into any switch.. And put on any vlan on that switch that you would want to put that network..

                                  thisiswhatimherefor @johnpoz

                                  @johnpoz

                                  You can do that too with pfsense.. if you really wanted to - but it's a bad idea to ever do that..

                                  I would love to. that's all I find googling is people saying that but never offer any solution to try it lol

                                  Says who - you can connect into a switch from a moca adapter.. And put it on any vlan you want.. What are you doing running now multiple L3 on the same L2 network?

                                  if you look at the diagram all the vlans going over the moca adapter will go to the switch and like i said there are these scenarios

                                  1. moca -> trunk on a switch port that accepts tags -> now, if you host L3 vlan interfaces here the firewall is ignored. solves the issue but then creates another.

                                  2. moca -> trunk on a switch port that accepts tags -> configure multiple ports for each vlan going towards the edge router so port 0 is the trunk, port 1 is vlan 10, port 2 is vlan 20, port 3 is vlan 30... this solution does not scale and i'm physically limited by the amount of ports I have for vlans.

                                  3. moca -> trunk on a switch port that accepts tags -> configure a dumb switch that just forwards all traffic out every port but now I have the issue of my tv + xbox not being able to tag its own frames because they need to connect into this device as well. (because they need to be on the same lan as the wifi for casting etc)

                                  with regular networking gear cisco, juniper, Ubiquiti, etc this is extremely easy and i do it daily. I'd rather not go back to Ubiquiti hardware but I guess if that's my last resort

                                    johnpoz LAYER 8 Global Moderator @thisiswhatimherefor

                                    @thisiswhatimherefor said in Having an issue configuring vlans, looking for some help.:

                                    I would love to.

                                    You want to run multiple Layer 3 on the same Layer 2?? Really - that is a horrible idea.. But if you really want to, all you need to do is setup a vip on the interface in whatever other IP range you want to run on that same layer 2. You won't be able to do dhcp for this other L3 but they would be on the same L2..

                                    Not sure where you're doing it.. It's not good practice..

                                    Hosting multiple L3 on the same L2 is never a good idea - while it is sometimes necessary in the process of migrating to different IP space..

                                      stephenw10 Netgate Administrator

                                      Do you want to filter traffic between the WIFI and wired parts of the network while still having them on the same subnet?

                                      That's about the only time using a bridge is justified.

                                      But you can do it with pfSense even if you don't need to filter and would probably be better using a switch. 😉

                                      Just create a bridge and add the interfaces you want in the same subnet to it.
                                      https://docs.netgate.com/pfsense/en/latest/bridges/index.html

                                      A long time ago we did a hangout that covered it. Still applies to current pfSense:
                                      Youtube Video

                                        stephenw10 Netgate Administrator

                                        @thisiswhatimherefor said in Having an issue configuring vlans, looking for some help.:

                                        https://imgur.com/a/2fACUj1

                                        Ok having reviewed that diagram (and got distracted on imgur) are you just trying to make those VLANs available on several ports but share the same subnet?

                                          johnpoz LAYER 8 Global Moderator @stephenw10

                                          @stephenw10 said in Having an issue configuring vlans, looking for some help.:

                                          https://imgur.com/a/2fACUj1

                                          Why not get some cheap vlan switch, like a 5 porter for like 30 bucks or something.. put between your moca and pfsense.. Now you can have your AP plugged into that for vlan 10 and 100, and then that other device only on vlan 10..

                                            thisiswhatimherefor @johnpoz

                                            @johnpoz

                                            "good practice" generally means - We recommend this way because if you do it another way you may lose something ( functionality, security, etc) they aren't "hard" rules.

                                            If it was a limitation of the platform, that's fine. I'm ok with that. but to say hosting multiple l3 on the same l2 is not a good idea... is basically saying all L3 switches aren't a good idea which is not true in the least.

                                            For ANYONE in the future (and there are a lot of you through my googling....) I got it to work using the following methodology (vlans below were just testing and not representative of my end state)


                                            1. create vlans for each interface you want in the bridge

                                            igc0 (lan 1) -> VLAN_IGC0_200
                                            igc1 (lan 2) -> VLAN_IGC1_200
                                            igc4 (unused port) -> VLAN_IGC4_200


                                            2. Go to interface assignments and add your vlans, after they're added go into each one and enable it and give it a good description (gui doesn't like the '.' char in descriptions)

                                            igc0 -> enable interface -> INTERFACE_igc0.200
                                            igc1 -> enable interface -> INTERFACE_igc1.200
                                            igc4 -> enable interface -> INTERFACE_igc4.200


                                            3. Go to bridge, add a bridge and include all your interfaces

                                            Member interfaces -> INTERFACE_igc0.200,INTERFACE_igc1.200,INTERFACE_igc4.200
                                            description -> BRIDGE_VLAN200


                                            4. Go back to interface assignments and add BRIDGE_VLAN200, then enable, then give ip address

                                            enable -> description INTERFACE_BRIDGE200 -> ip address 10.10.200.1/24


                                            5. go to firewall rules, INTERFACE_BRIDGE200, add rules (i'm doing permit any any for testing)

                                            Because my usecase requires multiple vlans I went ahead and ADDED vlan 110 the same exact way with the same exact ports.

                                            • So now my pfsense device is hosting 10.10.200.1/24 on vlan 200 and 10.10.110.1/24 on vlan 110
                                            • i've ip'd my laptop with 10.10.200.2/24 and 10.10.110.2/24
                                            • in windows I opened 2 command prompts with ping -t 10.10.200.1 and ping -t 10.10.110.1
                                            • I open network adaptor configurations and I can toggle between vlan 110 and 200 successfully
                                            • I can swap physical ports and still ping

                                            This will allow me to 100% replicate my setup.

                                            The only downside I see to this is the UI is going to get cluttered with ~6 vlans and I think I need to change my names a bit more to be more intuitive but this WORKS.

                                            Do you know if there is a way to "remove" items from the gui? like these extra interfaces. I'll never create rules for the child interfaces so they don't serve a purpose

                                            once I convert everything over I'll do some speed tests.

                                            stephenw10S 1 Reply Last reply Reply Quote 1
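An added example, not written by anyone in the thread: a small Python check that reads FreeBSD `ifconfig` output and reports which physical ports have a gateway for a given VLAN tag. It covers both stephenw10's observation that VLAN 200 exists only on igc4 and the bridged end state from the last post. The function names are hypothetical, the BEFORE sample is trimmed from the output posted above, and the AFTER sample (including `bridge0` and its `member:` lines) is constructed for this example.

```python
import re

# BEFORE: trimmed from the ifconfig output posted in the thread.
BEFORE = """\
igc1: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        description: TestLaptop
        status: active
igc3: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        description: ManagementPC
        inet 10.10.100.1 netmask 0xffffff00 broadcast 10.10.100.255
        status: active
igc4: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        status: no carrier
igc4.200: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 10.10.200.1 netmask 0xffffff00 broadcast 10.10.200.255
        vlan: 200 vlanproto: 802.1q vlanpcp: 0 parent interface: igc4
        status: no carrier
"""

# AFTER: constructed for this example (assumed shape of the bridged setup
# from the last post; the bridge name bridge0 is an assumption).
AFTER = """\
igc0: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        status: no carrier
igc1: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        status: active
igc3: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 10.10.100.1 netmask 0xffffff00 broadcast 10.10.100.255
        status: active
igc4: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        status: no carrier
igc0.200: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        vlan: 200 vlanproto: 802.1q vlanpcp: 0 parent interface: igc0
igc1.200: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        vlan: 200 vlanproto: 802.1q vlanpcp: 0 parent interface: igc1
igc4.200: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        vlan: 200 vlanproto: 802.1q vlanpcp: 0 parent interface: igc4
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 10.10.200.1 netmask 0xffffff00 broadcast 10.10.200.255
        member: igc0.200 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
        member: igc1.200 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
        member: igc4.200 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
"""

HEADER = re.compile(r"^([\w.]+): flags=")
VLAN = re.compile(r"vlan: (\d+) .*parent interface: (\S+)")


def parse_ifconfig(text):
    """Return {interface name: {inet, members, vlan, parent, status}}."""
    ifaces, cur = {}, None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:  # unindented "name: flags=..." line starts a new interface
            cur = ifaces.setdefault(m.group(1), {
                "inet": [], "members": [], "vlan": None,
                "parent": None, "status": None})
            continue
        if cur is None:
            continue
        s = line.strip()
        if s.startswith("inet "):
            cur["inet"].append(s.split()[1])
        elif s.startswith("status: "):
            cur["status"] = s[len("status: "):]
        elif s.startswith("member: "):
            cur["members"].append(s.split()[1])
        elif (v := VLAN.match(s)):
            cur["vlan"], cur["parent"] = int(v.group(1)), v.group(2)
    return ifaces


def gateway_ports(ifaces, tag):
    """Map physical port -> interface holding the IP for frames tagged `tag`.

    That interface (the VLAN child itself, or the bridge it is a member of)
    is also the one whose firewall rules were configured in the last post.
    """
    result = {}
    for name, info in ifaces.items():
        if info["vlan"] != tag:
            continue
        l3 = name if info["inet"] else None
        for bname, bridge in ifaces.items():
            if name in bridge["members"] and bridge["inet"]:
                l3 = bname
        if l3:
            result[info["parent"]] = l3
    return result


def unserved_active_ports(ifaces, tag):
    """Physical ports with link but no VLAN child/gateway for `tag`."""
    served = gateway_ports(ifaces, tag)
    return sorted(n for n, i in ifaces.items()
                  if i["vlan"] is None and not i["members"]
                  and i["status"] == "active" and n not in served)


if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        ifaces = parse_ifconfig(text)
        print(label, gateway_ports(ifaces, 200), unserved_active_ports(ifaces, 200))
```

In the BEFORE state the laptop's port igc1 has link but nothing listening for tag 200, which matches the failed pings; in the AFTER state igc1 is served by the bridge, and igc3 is still listed because the management port carries no VLAN 200.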