VLAN Problems?



  • Hi All,

    I don't know if I'm not doing this properly, or it doesn't work. Here's my situation:

    2 Interfaces, em0 (LAN - 192.168.254.1/24) and alc0 (WAN - DHCP)

    My WAP supports VLANs and multiple SSIDs. I'm trying to set up a guest WiFi network on VLAN 2 and keep it separate. I created a VLAN (2) on em0 and assigned it to the OPT1 (172.16.1.1/24) interface. Set up DHCP on that network, configured my switch, and everything works perfectly.

    I was doing some reading and it seems that generally it's not recommended to use the parent interface when you have VLANs configured on it. So, I created another VLAN (1) and assigned it to the LAN interface. So:

    LAN - em0_vlan1
    OPT1 - em0_vlan2
    WAN - alc0

    The parent, em0, has nothing on it other than VLANs. The way I understand it, this is the best practice.

    When I configured it this way, I lose all connectivity on the LAN and pfSense starts doing some weird things with the interface assignments. On the console I start to lose the assignments, the IPs for the LAN interface go away, and things don't work. If I set the IP on the LAN interface up again and reboot, it sticks, but sometimes it will say that em0 is down and other times it will look like everything is fine, but no traffic passes on the LAN.

    If I configure it back to where LAN is directly on em0 (and reboot) then things start working again.

    Is this the proper way to do it?

    Thanks!!
    Riley



  • 2.0 ain't the best version to start with when trying something new out. I would use 1.2.3

    As I read your post it sounds like you haven't configured your WAP correctly. The port you connect pfSense to needs to be set to handle tagged traffic.

    Post your WAP model, someone might have one of those and can help with it.



  • Hi,

    Have you tried a snapshot based on FreeBSD 7.x?
    Your problems sound a lot like mine here.
    Only difference is that mine is based on a lagg link.
    It did work with the older snapshots.

    One thing I noticed is that it's just the traffic that's not passed; ARP entries show up in the ARP table.

    Greets, Marcus



  • Even without using the WAP I still lose all connectivity. Wired clients on the network can no longer see the pfSense box and pfSense can no longer ping any machines. Both ports on the switch for pfSense and the WAP are set to tagged.

    Switch is a Dell 2724 and the WAP is a 3Com 9550 dual-radio A/B/G/N.

    I haven't tried an older snapshot. I'll give that a try the next time I'm working on it.



  • @DJ-Marcuzz:

    Hi,

    Have you tried a snapshot based on FreeBSD 7.x?
    Your problems sound a lot like mine here.
    Only difference is that mine is based on a lagg link.
    It did work with the older snapshots.

    One thing I noticed is that it's just the traffic that's not passed; ARP entries show up in the ARP table.

    Greets, Marcus

    Your issues do sound a lot like the ones I'm having, especially the errors saying that interfaces don't exist, and not being able to reproduce it.

    Riley



  • Well, good news and bad news..

    The good news: I have it working now. Most of my issues were with my switch. I have a Dell 2724 "smart" layer 2 switch that does support VLANs, but it doesn't allow you to tag ports on VLAN 1. VLAN 1 could only ever be untagged. I think it's a bug because even after setting a different PVID for a port I still couldn't do anything with the port's settings on the VLAN page. Also, you can never change the management VLAN. I thought about just setting every port's PVID to something else and using that VLAN as my LAN, but then I would never be able to manage the switch. I'd have to keep one port for management and put a PC onto it if I needed to get in.

    So, I put in another switch I had and this allowed me to tag ports for both VLAN 1 and 2.

    The bad news: VLAN support is still very finicky. I banged my head against the wall numerous times trying to figure out why something wasn't working that should have been working. Most of the time a reboot of pfSense cured the issue. For the most part, after any changes to VLANs within pfSense a reboot is in order.

    Anyways… Anyone recommend a good, cheap switch? I need:

    • Minimum 8 ports
    • GOOD VLAN support
    • Quiet
    • Gigabit on all ports
    • Layer 3 would be cool, but way out of my price range I think ($300).

    I was looking at the HP 1810g series. Anyone have good/bad experience with them?

    Riley



    I've been happy with the old version HP 1800-8G.
    But I'm unsure you'll get what you really wanted to begin with,
    like the layout on this page with the 3Com.
    In other words (maybe due to my own lack of knowledge) I don't see from the 3Com docs the benefit of VLAN support on the 3Com if it can't transfer tagged traffic over the ethernet port, and buying a new switch wouldn't change that afaics.



  • @Perry:

    I've been happy with the old version HP 1800-8G.
    But I'm unsure you'll get what you really wanted to begin with,
    like the layout on this page with the 3Com.
    In other words (maybe due to my own lack of knowledge) I don't see from the 3Com docs the benefit of VLAN support on the 3Com if it can't transfer tagged traffic over the ethernet port, and buying a new switch wouldn't change that afaics.

    The 3Com WAP fully supports VLANs. I have everything working right now with the new switch I used to replace the Dell. It is/was the Dell that won't allow VLAN1 tagged traffic, not the 3Com WAP. Here's my config now:

    pfSense

    em0: none
    em0_vlan1: LAN - 192.168.254.1/24, DHCP enabled
    em0_vlan2: Guest - 172.16.1.1/24, DHCP enabled

    alc0 - WAN

    Switch

    1-22: VLAN1 untagged
    23 (3Com WAP) VLAN 1 and 2 tagged
    24 (pfSense) VLAN1 and 2 tagged

    WAP

    SSID: Private, Tagged VLAN1
    SSID: Guest, Tagged VLAN2

    If I connect to the private SSID then I get the proper IP addressing for that network and am able to communicate with all the other machines on my LAN. If I connect to the guest SSID then I get the proper addressing and cannot access the LAN, only the Internet. I've also set up a limiter for the traffic speed.

    Riley
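The working layout above, and the reason the Dell trunk port broke em0_vlan1, can be checked mechanically. The script below is an added example, not something posted in the thread or shipped with pfSense: it models the switch ports, pfSense VLAN interfaces and guest-isolation rules from Riley's final configuration (the port objects, the `Rule` class and the 203.0.113.7 test address are constructed for illustration), flags a firewall-facing port that carries a VLAN untagged that pfSense expects tagged, and evaluates the guest rules first-match the way pfSense does.

```python
"""Check a VLAN trunk layout and guest rules like the ones in the thread.

Added example, not from the original posts. The Dell port set reproduces
the switch that could only carry VLAN 1 untagged; the replacement set is
the working layout (ports 23 and 24 tagged for VLAN 1 and 2).
"""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Set


@dataclass(frozen=True)
class Port:
    name: str
    tagged: FrozenSet[int] = frozenset()
    pvid: Optional[int] = None  # VLAN that untagged frames on this port belong to


@dataclass(frozen=True)
class VlanIf:
    name: str  # pfSense interface name, e.g. "em0_vlan1"
    vlan: int


def trunk_problems(fw_port: Port, vlan_ifs: List[VlanIf], parent_has_ip: bool = False) -> List[str]:
    """Problems with the switch port that faces the firewall's parent NIC."""
    problems = []
    for vif in vlan_ifs:
        if vif.vlan in fw_port.tagged:
            continue
        if fw_port.pvid == vif.vlan:
            # Untagged frames land on the parent (em0), never on the 802.1Q child
            problems.append(f"{vif.name}: VLAN {vif.vlan} is untagged on port {fw_port.name}; "
                            "frames reach the parent NIC, not the VLAN interface")
        else:
            problems.append(f"{vif.name}: VLAN {vif.vlan} is not carried on port {fw_port.name}")
    if parent_has_ip:
        problems.append("parent NIC still has an address; keep it as a bare VLAN parent")
    return problems


def wifi_vlans_reaching_firewall(wap_port: Port, fw_port: Port) -> Set[int]:
    """VLANs tagged on both the WAP's switch port and the firewall's switch port."""
    return set(wap_port.tagged) & set(fw_port.tagged)


@dataclass(frozen=True)
class Rule:
    action: str  # "pass" or "block"
    src: str     # source network in CIDR form
    dst: str     # destination network; "0.0.0.0/0" means any


def first_match(rules: List[Rule], src_ip: str, dst_ip: str) -> str:
    """pfSense-style first-match evaluation; nothing matching means block."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if s in ipaddress.ip_network(r.src) and d in ipaddress.ip_network(r.dst):
            return r.action
    return "block"


# --- constructed from the configuration posted in the thread ---
PFSENSE_IFS = [VlanIf("em0_vlan1", 1), VlanIf("em0_vlan2", 2)]

# Dell 2724: VLAN 1 can only be untagged, even on the port facing pfSense
DELL_FW_PORT = Port("24", tagged=frozenset({2}), pvid=1)
# Replacement switch: port 23 (WAP) and port 24 (pfSense) tagged for VLAN 1 and 2
NEW_WAP_PORT = Port("23", tagged=frozenset({1, 2}))
NEW_FW_PORT = Port("24", tagged=frozenset({1, 2}))

# Guest interface rules: block guest -> LAN first, then pass guest -> anywhere
GUEST_RULES = [
    Rule("block", "172.16.1.0/24", "192.168.254.0/24"),
    Rule("pass", "172.16.1.0/24", "0.0.0.0/0"),
]

if __name__ == "__main__":
    print("Dell trunk:", trunk_problems(DELL_FW_PORT, PFSENSE_IFS))
    print("New trunk :", trunk_problems(NEW_FW_PORT, PFSENSE_IFS))
    print("Wi-Fi VLANs reaching pfSense:", wifi_vlans_reaching_firewall(NEW_WAP_PORT, NEW_FW_PORT))
    print("guest -> LAN host:", first_match(GUEST_RULES, "172.16.1.50", "192.168.254.10"))
    print("guest -> Internet:", first_match(GUEST_RULES, "172.16.1.50", "203.0.113.7"))
```

The Dell case reports that VLAN 1 arrives untagged, which is why em0_vlan1 never saw LAN frames while the bare parent em0 would have; the replacement switch reports nothing. The rule order matters: with the block rule first, a guest client reaches the Internet but not 192.168.254.0/24.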

