Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Change LAN interface in VLAN

    Scheduled Pinned Locked Moved
    webGUI
    3
    6
    307
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • A
      azrod
      last edited by

      Hello,

      I am currently experiencing a configuration problem on my pfsense 4200.

      Here is the current setting:

      1/ WAN interface --> lagg0 (em0 & em1) 192.168.200.254 (uses interfaces 1 & 2)
      2/ LAN interface --> em2 192.168.150.254 (uses interface 3)
      3/ OPT1 interface --> em3 192.168.130.254 (uses interface 4)

      I also added 3 VLANs:
      2.2/ VLAN10 --> Em2 parent interface: em2.1 result
      2.3/ VLAN20 --> Em2 parent interface: em2.2 result
      3.2/ VLAN30 --> Em3 parent interface: em3.1 result

      I now want to have the following configuration:
      1/ WAN interface --> lagg0 192.168.200.254 (uses interfaces 1 & 2)
      2/ LAN interface --> em2.1 (VLAN10) 192.168.150.254 (uses interface 3)
      3/ LAN interface --> em2.2 (VLAN20) 192.168.120.254 (uses interface 3)
      4/ OPT1 interface --> em3.1 (VLAN30) 192.168.130.254 (uses interface 4)

      The different settings are functional except, when I modify the LAN to put VLAN10 instead, I lose access to the GUI. However, I deactivated the blocking rule.

      Is it possible to have the default LAN in a VLAN?

      What could I try?
      Thanks for you help

      A 1 Reply Last reply Reply Quote 0
      • A
        AnonymousRetard @azrod
        last edited by

        @azrod I'm no expert in VLANs, just started using them a few weeks ago. But I have a working setup with 4 subnetworks on the LAN interface.

        Three of them are VLANs and the first one is not a VLAN, which is where all untagged traffic goes. What are you doing when you say you modify the LAN to put VLAN10 instead?

        Do you want a setup where the LAN interface doesn't accept any untagged traffic? If so I'm not entirely sure how to set it up (I guess by disabling the parent LAN interface?), but in such a setup you would need to ensure the client devices themselves can set the VLAN tag for VLAN10 or VLAN20 or set up a managed switch to add the tags for you.

        Basically it would look like this:
        1/ LAN interface --> em2 (untagged/no VLAN) 192.168.140.254 (uses interface 3)
        2/ LAN interface --> em2.1 (VLAN10) 192.168.150.254 (uses interface 3)
        3/ LAN interface --> em2.2 (VLAN20) 192.168.120.254 (uses interface 3)

        Something I struggled with initially was that I was running suricata in inline IPS mode before I tried to get VLANs up and running and it turns out that doesn't really work out of the box. All VLAN tags would be stripped and no VLANs would work, but it was possible to fix by changing suricata to legacy mode or by turning off certain hardware VLAN functions on the parent interface with ifconfig.

        So on what IP are you trying to access the GUI and are you sure your packets have been tagged with the correct VLAN tag to do so?

        A 1 Reply Last reply Reply Quote 0
        • A
          azrod @AnonymousRetard
          last edited by

          @AnonymousRetard thanks for you reply

          I show you screenshot for a best understanding.

          Here is the current configuration:
          af0bcb67-1f59-4984-bc06-48f8d044ed7d-image.png

          The goal is to have this configuration:
          By modifying IGC1 by IGC1.20 (VLAN20) on the LAN interface
          e8c4754d-0f68-4225-a388-67acd55b8259-image.png

          Something like this in cli :
          ac278219-a542-4ce9-9f0b-97ea21258d7d-image.png

          However, when I make the modification of the EGC1 interface to EGC1.20 on the LAN I lose access to guy but I can ping the IP 192.168.150.254 because on the Switch I configured the good VLANs. I did a test to connect to a switch port which is not in the VLAN and indeed I do not ping anymore.

          I also added rules by accepting all traffic (Any/Any) but it remains blocked.

          Does this allow you to better understand my problem?

          A 1 Reply Last reply Reply Quote 0
          • A
            AnonymousRetard @azrod
            last edited by

            @azrod Here's a picture of my setup edited to not show more than necessary:
            3b72d90f-77ab-44af-90c4-1d88e40f6687-image.png.

            3 VLANs on the LAN interface and one untagged network. Works perfectly. But I think your setup should work as well. Strange that you can ping but not access the GUI...

            How do your firewall rules look? Maybe you should test that you can add a rule that also blocks the ping?
            Does the ping work both ways?

            Afaik the pfSense web gui should be accessible from all interfaces unless it's blocked by firewall rules.

            A 1 Reply Last reply Reply Quote 0
            • AndyRHA
              AndyRH
              last edited by

              Maybe a silly question, but are you making the changes on the interface you are changing?

              o||||o
              7100-1u

              1 Reply Last reply Reply Quote 0
              • A
                azrod @AnonymousRetard
                last edited by

                @AnonymousRetard thanks for you reply,

                I finally managed to complete my setup like this.
                66bbb74c-86a6-4079-bf3b-17e90ede9090-image.png

                To do this, you had to perform additional actions on the switch. I created 2 profiles.

                1 - With the LAN in untag and the VLAN20 which is tagged
                2 - With VLAN20 only

                Then apply profile 1 on the port where the LAN arrives and apply profile 2 on the port where I want to connect the equipment (including my PC).

                1 Reply Last reply Reply Quote 1
                • First post
                  Last post