VLANs - I have 4 that I think are the same, but 2 working, and 2 not.
-
I am a new pfsense user after being a long, long, time Cisco ASA guy.
I have been struggling to configure a Netgate 2100 to replace a Cisco ASA 5505 for a small business.
Under Interface
I have the LAN Interface (mvneta1) and 4 VLAN Interfaces attached(?) to mvneta1 I20, I40, I50, I60.
All Interfaces are enabled with static IPv4. 192.168.1.1/24, 192.168.20.1/24, 192.168.40.1/24 . . .
I have 4 VLANs configured (on mvneta1 as per above) V20 (tag 20), V40 (tag 40) . . .
Under Switch
I am using only Port #1 - LAN1 - Port VID 1 and Port 5 - LAN Uplink - Port VID 1
VLANs are as follows:
Group  VLAN tag  Members
0      1         1,2,3,4,5
1      20        1t,5t
2      40        1t,5t
3      50        1t,5t
4      60        1t,5t
I must admit that I found the following to be very confusing. I was used to assigning VLANs to ports, but I think what this is doing is assigning ports to VLANs?
What I "think" I have done is to assign Port 1 to be a trunked port with VLAN 1 being the untagged (native) VLAN on that port, and ALL other VLANs are also available on that port but are all tagged.
Then Port 5, which I understand to be the internal port of the switch that is "attached" to the router/firewall, I am passing VLAN 1 untagged, and all the other VLANs tagged.
I could NOT find in the documentation whether the router/firewall portion of the 2100 expects the traffic to be tagged or untagged, or whether it is configurable, but VLAN 1 was initially untagged on port 5 so I left it, and when I set up VLAN 60 (the first VLAN I set up) setting it as tagged seemed to work, so I set all the other VLANs to send to 5 as tagged. If anyone can point me to any docs that explain this better I would appreciate it.
I also set up DHCP on all the VLANs
I then configured a Cisco switch to match the trunking of port 1 of the 2100 (VLAN 1 untagged, the others tagged), and split out access ports on the switch with each VLAN appearing un-trunked.
Now as to my issue:
On the switch when I plug into the ports I configured for VLAN 1, 20, 40, 50, or 60 pfsense gives me an appropriate IP address for that subnet. HOWEVER, I can ONLY ping the gateway address (e.g. 192.168.60.1) on VLANS 60, 20, and 1, but am unable to get an echo reply when plugged into 40 or 50. As I am getting IPs assigned from pfsense on all ports, I'm thinking that the switch is configured correctly, and clicking between the screens I am unable to find what I have fat-fingered on the 2 VLANs that are not working. Apologies if it is a stupid mistake, but 4 hours of looking is apparently my limit before embarrassing myself by asking for help.
Questions:
- Anybody have any idea what I have done wrong, or where I might look given the symptoms?
- As this is a newly purchased Netgate appliance, I was told that it comes with limited, but free, support for one year. Is that correct, and is this the free support? If not, where do I find that support?
I am very new to forums, so hopefully after I post this, I will figure out how to come back and look for responses. Assuming I can, should anyone need screenshots (I did not see how to include) or even a full backup of the config, I would be happy to provide.
Thanks,
-
@PhrostByte go.netgate.com will get you to the support page.
The 2100 is a bit different because it is a switch. One can isolate ports via VLAN:
https://docs.netgate.com/pfsense/en/latest/solutions/netgate-2100/configuring-the-switch-ports.html. Then packets are not tagged outside of pfSense; it's like they are separate ports.
In general one would create a VLAN and create an interface for it which is via a port (steps 8-9 on the page above). However on the 2100 it's a switch so that's an extra layer and I'm not sure of that process as I haven't done it.
Are you looking to use the 4 ports as one switch?
-
@PhrostByte Did you check the firewall rules? Maybe you missed something on those two vlans.
-
I used to own Netgate 3100 and I believe it worked the same way as the 2100. What I remember from that experience is that I did not need to touch the “Switch” configuration at all when creating VLANs. I believe you modify the “Switch” configuration only if you want the ports act as discrete ports. I wasn’t concerned with "Port 5" either since it’s an internal port. When configuring VLANs, I just followed the general pfSense documentation for it and all LAN ports on my 3100 acted as “trunk” ports with VLAN 1 being native.
"I was used to assigning VLANS to Ports but I think what this is doing is assigning ports to VLANs?"
It depends on the point of view :) Cisco makes you believe that you assign VLANs to ports, but many other switch vendors make you believe that you add ports to VLANs. In general, you create a relationship between ports and VLANs.
-
Yes, what you have done there is correct. The fact you can pull a dhcp lease in the correct subnet on all 4 VLANs proves that.
I agree, not seeing a ping response on two of them looks like a missing or incorrect firewall rule on those interfaces.
Steve
-
@SteveTS: Sorry that you have not used a Netgate with a built in switch. As I think the problem is somehow with the switch config (or maybe a bug considering how long I have been looking for an error) I do not know how much help you can offer. As to "Are you looking to use the 4 ports as one switch" I am looking to configure LAN 1 as a trunked port passing all VLANs to a single switch with a comparable configured trunked port. All other LAN ports are configured to just pass VLAN 1 so I can plug in to configure.
@Jarhead: Yes, I did check the firewall rules, again, and again. HOWEVER, when rechecking them today, I HAD MISCONFIGURED them, as 2 VLANs were wrongly configured with "addresses" instead of "subnets". Over the 8 hours of total troubleshooting yesterday, it is amazing what you can find after getting some rest. THANK YOU!
BTW if anyone does work with the Netgate devices with the built-in switches, I am still interested/curious as to how you configure the non-switch side of port 5.
Thanks all for your help.
SOLVED
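The mistake found above (a pass rule whose source is the interface "address" instead of the interface "net", so only packets from the firewall's own IP match and clients on the VLAN get no reply) can be linted for in a pfSense config.xml backup. This is an added example, not code from the thread or from pfSense; the sample config is constructed, and the `<iface>ip` naming for "address" sources is assumed from pfSense's config.xml conventions.

```python
"""Flag LAN/VLAN pass rules whose source is an interface *address* rather
than the interface *net* in a pfSense config.xml backup."""
import xml.etree.ElementTree as ET

# Constructed sample: two VLAN interfaces on mvneta1, one correct rule
# (source = OPT1 net) and one mistaken rule (source = OPT2 address).
SAMPLE_CONFIG = """<pfsense>
  <interfaces>
    <opt1><descr>V20</descr><if>mvneta1.20</if></opt1>
    <opt2><descr>V40</descr><if>mvneta1.40</if></opt2>
  </interfaces>
  <filter>
    <rule><type>pass</type><interface>opt1</interface>
      <source><network>opt1</network></source>
      <destination><any/></destination><descr>V20 out</descr></rule>
    <rule><type>pass</type><interface>opt2</interface>
      <source><network>opt2ip</network></source>
      <destination><any/></destination><descr>V40 out</descr></rule>
  </filter>
</pfsense>"""


def find_address_source_rules(config_xml: str) -> list[dict]:
    """Return pass rules whose source network is '<iface>ip'.

    Assumption: pfSense stores "OPTn net" as <network>optn</network> and
    "OPTn address" as <network>optnip</network>, so the 'ip' suffix on a
    known interface name is the tell.
    """
    root = ET.fromstring(config_xml)
    # Map config interface key (opt1, opt2, ...) to its friendly name.
    names = {iface.tag: (iface.findtext("descr") or iface.tag)
             for iface in root.find("interfaces")}
    findings = []
    for rule in root.iter("rule"):
        if rule.findtext("type") != "pass":
            continue
        net = rule.findtext("source/network") or ""
        if net.endswith("ip") and net[:-2] in names:
            findings.append({
                "interface": names.get(rule.findtext("interface"), "?"),
                "descr": rule.findtext("descr") or "",
                "source": net,
                "fix": f"use '{names[net[:-2]]} net' ({net[:-2]}) as the source",
            })
    return findings


if __name__ == "__main__":
    for f in find_address_source_rules(SAMPLE_CONFIG):
        print(f"{f['interface']}: rule '{f['descr']}' has source {f['source']}; {f['fix']}")
```

Run it against an exported backup to list every pass rule that would only ever match the firewall's own address.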
-
The internal NIC, mvneta1, sees traffic from the switch on port 5 exactly as if it was an external switch.
So an interface assigned as mvneta1 directly (as LAN is by default) will see untagged traffic.
You would create VLAN interfaces on mvneta1 and assign them to see the tagged traffic arriving on each VLAN.
Since it's working I assume that's what you have done.
Steve