Having an issue configuring vlans, looking for some help.
-
@thisiswhatimherefor said in Having an issue configuring vlans, looking for some help.:
my use case because of the moca adapters.
Says who - you can connect into a switch from a moca adapter.. And put it on any vlan you want.. What are you doing running now multiple L3 on the same L2 network?
You can do that too with pfsense.. if you really wanted to - but it's a bad idea to ever do that..
doesn't look like pfsense software can handle an L3 type switch setup.
Well it's not really an L3 switch.. Not exactly sure what you're doing with your moca, but moca is just a way to run over coax.. It then connects into ethernet - that ethernet can be just plugged into any switch.. And put on any vlan on that switch that you would want to put that network..
-
You can do that too with pfsense.. if you really wanted to - but it's a bad idea to ever do that..
I would love to. That's all I find googling: people saying that but never offering any solution to try it, lol
Says who - you can connect into a switch from a moca adapter.. And put it on any vlan you want.. What are you doing running now multiple L3 on the same L2 network?
If you look at the diagram, all the VLANs going over the MoCA adapter will go to the switch, and like I said there are these scenarios:
-
moca -> trunk on a switch port that accepts tags -> now, if you host L3 VLAN interfaces here the firewall is ignored. Solves the issue but then creates another.
-
moca -> trunk on a switch port that accepts tags -> configure multiple ports for each VLAN going towards the edge router, so port 0 is the trunk, port 1 is VLAN 10, port 2 is VLAN 20, port 3 is VLAN 30... This solution does not scale and I'm physically limited by the amount of ports I have for VLANs.
-
moca -> trunk on a switch port that accepts tags -> configure a dumb switch that just forwards all traffic out every port, but now I have the issue of my TV + Xbox not being able to tag their own frames because they need to connect into this device as well (because they need to be on the same LAN as the WiFi for casting etc.)
With regular networking gear (Cisco, Juniper, Ubiquiti, etc.) this is extremely easy and I do it daily. I'd rather not go back to Ubiquiti hardware but I guess if that's my last resort
-
-
@thisiswhatimherefor said in Having an issue configuring vlans, looking for some help.:
I would love to.
You want to run multiple Layer 3 on the same Layer 2?? Really - that is a horrible idea.. But if you really want to, all you need to do is set up a VIP on the interface in whatever other IP range you want to run on that same layer 2. You won't be able to do DHCP for this other L3 but they would be on the same L2..
Not sure where you're doing it.. It's not good practice..
Hosting multiple L3 on the same L2 is never a good idea - while it is sometimes necessary in the process of migrating to different IP space..
-
Do you want to filter traffic between the WIFI and wired parts of the network while still having them on the same subnet?
That's about the only time using a bridge is justified.
But you can do it with pfSense even if you don't need to filter and would probably be better using a switch.
Just create a bridge and add the interfaces you want in the same subnet to it.
https://docs.netgate.com/pfsense/en/latest/bridges/index.html
A long time ago we did a hangout that covered it. Still applies to current pfSense:
[YouTube video]
@thisiswhatimherefor said in Having an issue configuring vlans, looking for some help.:
https://imgur.com/a/2fACUj1
Ok having reviewed that diagram (and got distracted on imgur) are you just trying to make those VLANs available on several ports but share the same subnet?
-
@stephenw10 said in Having an issue configuring vlans, looking for some help.:
https://imgur.com/a/2fACUj1
Why not get some cheap vlan switch, like a 5 porter for like 30 bucks or something.. put between your moca and pfsense.. Now you can have your AP plugged into that for vlan 10 and 100, and then that other device only on vlan 10..
-
"Good practice" generally means: we recommend this way because if you do it another way you may lose something (functionality, security, etc.). They aren't "hard" rules.
If it was a limitation of the platform, that's fine. I'm ok with that. But to say hosting multiple L3 on the same L2 is not a good idea... is basically saying all L3 switches aren't a good idea, which is not true in the least.
For ANYONE in the future (and there are a lot of you through my googling....) I got it to work using the following methodology (VLANs below were just testing and not representative of my end state):
1. Create VLANs for each interface you want in the bridge
igc0 (lan 1) -> VLAN_IGC0_200
igc1 (lan 2) -> VLAN_IGC1_200
igc4 (unused port) -> VLAN_IGC4_200
2. Go to interface assignments and add your VLANs; after they're added go into each one, enable it and give it a good description (GUI doesn't like the '.' char in descriptions)
igc0 -> enable interface -> INTERFACE_igc0.200
igc1 -> enable interface -> INTERFACE_igc1.200
igc4 -> enable interface -> INTERFACE_igc4.200
3. Go to bridge, add a bridge and include all your interfaces
Member interfaces -> INTERFACE_igc0.200,INTERFACE_igc1.200,INTERFACE_igc4.200
description -> BRIDGE_VLAN200
4. Go back to interface assignments and add BRIDGE_VLAN200, then enable, then give IP address
enable -> description INTERFACE_BRIDGE200 -> ip address 10.10.200.1/24
5. Go to firewall rules, INTERFACE_BRIDGE200, add rules (I'm doing permit any any for testing)
Because my use case requires multiple VLANs I went ahead and ADDED VLAN 110 the same exact way with the same exact ports.
- So now my pfSense device is hosting 10.10.200.1/24 on VLAN 200 and 10.10.110.1/24 on VLAN 110
- I've IP'd my laptop with 10.10.200.2/24 and 10.10.110.2/24
- In Windows I opened 2 command prompts with
ping -t 10.10.200.1
and
ping -t 10.10.110.1
- I open network adapter configurations and I can toggle between VLAN 110 and 200 successfully
- I can swap physical ports and still ping
This will allow me to 100% replicate my setup.
The only downside I see to this is the UI is going to get cluttered with ~6 vlans and I think I need to change my names a bit more to be more intuitive but this WORKS.
Do you know if there is a way to "remove" items from the gui? like these extra interfaces. I'll never create rules for the child interfaces so they don't serve a purpose
Once I convert everything over I'll do some speed tests.
-
@thisiswhatimherefor said in Having an issue configuring vlans, looking for some help.:
Do you know if there is a way to "remove" items from the gui?
Not from things like the firewall rules. They are interfaces, you could add rules to them.
One important thing to note is how the firewall rules are applied to a bridge:
https://docs.netgate.com/pfsense/en/latest/bridges/firewall.html
So it filters on the bridge member interfaces by default. You would need pass rules on each member interface in the bridge.
If you switch the sysctls referenced there you can put filtering only on the assigned bridge interface. Then you only need pass rules on the bridge and rules there apply to traffic from all member interfaces.
Steve
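The GUI procedure in the post above (one VLAN per parent NIC, bridged, address on the bridge) and Steve's note on the bridge filtering sysctls, expressed as the equivalent FreeBSD ifconfig/sysctl commands. This is an added example, not the poster's or Netgate's code: it only prints the commands (dry run) so they can be reviewed, and the interface names igc0/igc1/igc4, VLAN 200 and 10.10.200.1/24 are taken from the post.

```shell
#!/bin/sh
# Added example (not from the thread): generate the FreeBSD commands that
# match the pfSense GUI steps. Nothing is executed; output is printed only.
# Assumed NIC names igc0/igc1/igc4, VLAN 200 and 10.10.200.1/24 from the post.

# vlan_bridge_cmds VLAN_ID CIDR PARENT_NIC...
# One vlan(4) child per parent NIC, all joined into bridge<VLAN_ID>,
# with the IP address on the bridge (not on the members), as in the post.
vlan_bridge_cmds() {
    vid="$1"; cidr="$2"; shift 2
    members=""
    for nic in "$@"; do
        # FreeBSD vlan naming convention: <parent>.<vid>, e.g. igc0.200
        echo "ifconfig ${nic}.${vid} create vlan ${vid} vlandev ${nic}"
        echo "ifconfig ${nic}.${vid} up"
        members="${members} ${nic}.${vid}"
    done
    echo "ifconfig bridge${vid} create"
    for m in ${members}; do
        echo "ifconfig bridge${vid} addm ${m}"
    done
    echo "ifconfig bridge${vid} inet ${cidr} up"
}

# bridge_filter_cmds member|bridge
# member: pf rules are applied on each member interface (the default the
#         post describes), so every member needs its own pass rules.
# bridge: pf rules are applied only on the bridge interface, so one rule
#         set on the bridge covers traffic from all members.
bridge_filter_cmds() {
    case "$1" in
        member) echo "sysctl net.link.bridge.pfil_member=1"
                echo "sysctl net.link.bridge.pfil_bridge=0" ;;
        bridge) echo "sysctl net.link.bridge.pfil_member=0"
                echo "sysctl net.link.bridge.pfil_bridge=1" ;;
        *) echo "usage: bridge_filter_cmds member|bridge" >&2; return 1 ;;
    esac
}

# Usage: review the output, then run it on the firewall if it matches intent.
vlan_bridge_cmds 200 10.10.200.1/24 igc0 igc1 igc4
bridge_filter_cmds bridge
```

Commands run this way on pfSense bypass config.xml, so they are not kept across a reboot; the sysctl choice belongs in System > Advanced > System Tunables, and the interfaces in the GUI as the post describes.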
-
Thanks for the info on the bridge fw rules. As I was planning the migration I realized that I'm still kind of borked because of the basement unmanaged switch. TV / Xbox can't be configured with VLAN tagging directly and the pfSense can't do a PVID if I'm reading it correctly, especially in my weird bridge situation. So I'll have to put those on their own VLAN and figure out how to Chromecast between VLANs
-
If you have a spare port you can bridge that to the VLAN to get that device onto it. But otherwise you'd need a VLAN capable switch somewhere, yes.