[Newbie] Setup VLANs - connecting clients to it?
-
Hey everyone,
so actually the plan is to:
- have multi wan from port igc0/igc1
- have port igc2 empty as backup port when third wan comes into
- igc3 as VLAN parent
- 5 VLANs to differ the attached clients into network groups (hardware, voip, vms, pcs, heartbeat server)
Actual setup:
- igc0/1 as WAN interface with DHCP in a Gateway Group
- igc3 as LAN with ip configuration (to access the ui, cause didnt got it running other way actually)
- igc3.1/3.2/3.3/3.4/3.5 vlans added and enabled their interfaces with each a /24 subnet
Whats missing:
- first thing i want to reach is - how to connect a client to one of these VLANs? For example, i'm connected to the switch which is connected to igc3 and giving my client a static configuration for the LAN (e.g. an ip in the network as /24 with the igc3 ip as gateway) which works. But when i'm changing this to e.g. an ip from the igc3.1 VLAN with /24 subnet and the igc3.1 ip as gateway, it cant get connected)
Actually, nothing else is configured.
In the past i mostly worked in Level 3 Spine Technology Networks where i wasnt in need of VLANs as they where available subnets of the LAN network and i their where no need of a VLAN setup.
Would be nice to get some help just to understand where is my hickup in this setup and what's missing - just there to get my networking skills better from time to time...
best regards
-
@traezi First, is your switch vlan capable?
You need to setup the vlans in the switch to be able to access them.
The switchport connected to igc3 will need to be a trunk port with the LAN vlan untagged and the others tagged.
Then you need to configure access ports for each vlan. This is done by changing the pvid of each port to the vlan id you want to access on that port. -
@traezi You can also tag the packets on each device but that isn’t terribly secure since a device can just change itself to a different VLAN. (Hence the managed switch)
-
@Jarhead said in [Newbie] Setup VLANs - connecting clients to it?:
@traezi First, is your switch vlan capable?
unfortunately it is not. But i ordered now a managed switch so i can learn this way. So you say this is the only reason actually and i already configured everything else correct till now from the basic view?
And for a basic setup, it's no problem, that i have all of the vlans on the same port?
@SteveITS said in [Newbie] Setup VLANs - connecting clients to it?:
@traezi You can also tag the packets on each device but that isn’t terribly secure since a device can just change itself to a different VLAN.
I will check how to do that too, so i know both ways and how to configure them.
Thanks in advance to you both. I will get back with my results.
-
@traezi said in [Newbie] Setup VLANs - connecting clients to it?:
I will check how to do that too, so i know both ways and how to configure them.
So i configured a VLAN on my client and my PfSense is able to ping the client (echo request and reply), but my Client isnt able to ping the PfSense. tcpdump on the pfsense shows the echo request from the client on the vlan interface, but no echo reply.
Is this expected with a unmanaged switch or should it work with that type of setup?
I added a Firewall Rule on the VLAN - Pass, Protocol any, Source VLAN4 subnets, Destination any but still persists.
//Edit
I checked the routing table on the pfsense with netstat -rn which shows, that the 172.19.0.0/24 and 172.20.0.0/24 are on icg3.1 and icg3.2, but the 172.21.0.0/24, 172.22.0.0/24, 172.23.0.0/24 are on icg3 which seems incorrect to me?
I've checked the pfsense GUI and cant see a difference in the setup of these VLANs. They are all assigned the same way, they are all enabled, they all have a ip configuration (subnets named above) and no upstream gateway set. Within the Interfaces -> VLANs they are all parent of the icg3.
-
@traezi said in [Newbie] Setup VLANs - connecting clients to it?:
//Edit
I checked the routing table on the pfsense with netstat -rn which shows, that the 172.19.0.0/24 and 172.20.0.0/24 are on icg3.1 and icg3.2, but the 172.21.0.0/24, 172.22.0.0/24, 172.23.0.0/24 are on icg3 which seems incorrect to me?
I've checked the pfsense GUI and cant see a difference in the setup of these VLANs. They are all assigned the same way, they are all enabled, they all have a ip configuration (subnets named above) and no upstream gateway set. Within the Interfaces -> VLANs they are all parent of the icg3.
Cant edit the post above so a new reply is needed....
Routing is fixed by a restart of the gateway. Routing table shows now correct the VLAN for each subnet. But still the gateway can ping the client while the client cant ping the gateway.
-
@traezi Did you add firewall rules to allow ICMP on each interface? pfSense defaults to no rules (deny all) except for LAN.
In my experience trying them this way, unmanaged gigabit switches will pass tagged packets but of course can’t tag them automatically or control access by port. I’ve also seen people say it’s hit or miss and some will strip tags etc.
-
I've duplicated the default allow LAN to any rule to each VLAN interface and changed the Source from "LAN subnets" to the appropiate subnet.
So to not have the switch as problem, i've connected the client directly to the igc3 port, configured the vlan with ID 4 and starting a ping to its gateway. ID 4 VLAN is 172.22.0.0/24, client has IP 172.22.0.2/24 with gateway 172.22.0.1.
When checking tcpdump on the client on the vlan interface with vlan tag filtering, i can see the traffic going out with the vlan id 4 tag to the gateway. When checking on the gateway the tcpdump on igc3 with vlan tag, i can see the echo request. When checking on igc3.4 with vlan tag i cant see that traffic. When checking on igc3 without vlan tag filter i can see that echo requests too, on igc3.4 without vlan tag filter i can see that too.
So with vlan filter only on igc3, without vlan filter on igc3 and igc3.4.
-
So i got now a TP-Link SG605E 5 Port Gigabit Smart Control Switch to manage VLANs as they should ^^ I followed some other explanations so to not getting weird i'm using now other VLAN IDs and Names.
On pfsense we created the following vlans, assigned the interfaces and used static ip4:
VLAN19: 172.19.0.1/24
VLAN20: 172.20.0.1/24
VLAN21: 172.21.0.1/24
VLAN22: 172.22.0.1/24
VLAN23: 172.23.0.1/24Each are parent of igc3 which is port 4 on the router where the switch is connected to. Also i created 2 rules for each of this interfaces:
- The default known allow all rule
- Any Source to VLAN* address Port 80 (Anti Lockout)
On the switch i enabled 802.1Q VLAN and assigned the following configuration:
VLAN ID | VLAN Name | Member Ports | Tagged Ports | Untagged Ports
1 | Default (Cant delete that so removed any assigned port)
20 | VLAN20 | 1-2 | 1 | 2
21 | VLAN21 | 1,3 | 1 | 3
22 | VLAN22 | 1,4 | 1 | 4
23 | VLAN23 | 1,5 | 1 | 5The PVID Settings which i have set as:
Port | PVID
Port 1 | 1
Port 2 | 20
Port 3 | 21
Port 4 | 22
Port 5 | 23Unfortunately, i need to set a PVID on Port 1, while PVID 1 is the default. Mostly i think thats one of my problems here....
So i've set up a Ethernet connection with static ipv4 configuration for the following while connected to port 5 of the switch:
IP | Mask | GW
172.23.0.2 | 24 | 172.23.0.1But unfortunately the ping does not reach the pfsense (host unreachable) and the ui is not reachable too.
I would really like to find my problem. I don't understand it...
-
@traezi You need to show the actual config instead of typing things out.
Show screenshots.
What you typed looks correct and should be working but if you did something other than what you typed, that would be a problem and we can only go by what you're typing instead of actually seeing it.You have port 4 on the router going to port 1 on the switch, correct?
PVID 1 on port 1 is not a problem, that would just carry your untagged traffic on igc3.
Turn on the DHCP server on all the vlans and then plug in to switchport 5, do you get an address? -
@Jarhead said in [Newbie] Setup VLANs - connecting clients to it?:
You have port 4 on the router going to port 1 on the switch, correct?
correct
@Jarhead said in [Newbie] Setup VLANs - connecting clients to it?:
PVID 1 on port 1 is not a problem, that would just carry your untagged traffic on igc3.
check
@Jarhead said in [Newbie] Setup VLANs - connecting clients to it?:
Turn on the DHCP server on all the vlans and then plug in to switchport 5, do you get an address?
I don't understand what just happened. I have switched on DHCP for all VLANs and have received a correct IP on the corresponding ports and was also able to call up the interface and reach the gateway via ping.
I then switched the DHCP servers off again, manually set IP addresses on all ports again for the client to match the port and tested... Still works.
Apart from that, I have not made any other changes.
So yes, it works now - so I seem to have understood the principle correctly after all. Shall we blame the switch? :D
BIG THANKS TO YOU! You rarely experience such patience with a newbie these days!