Help for vlan configuration
-
I'm getting quite confused about how to configure pfsense in a multihomed vlan environment. After trying to configure it as multihomed with a couple of nics, I decided to use a single network card acting for two vlans.
My idea is the following:- LAN interface (rl0) will serve VLAN1 (192.168.4.0/24) and VLAN44 (192.168.44.0/24)
- each vlan interface will get an ending 7 address (i.e., 192.168.4.7 and 192.168.44.7) and will serve as a gateway for the respective networks
This is how I proceed, please correct if I'm wrong.
- booted the pfsense machine, assigned interfaces thru the console, created a couple of vlans on rl0
- placed a 192.168.4.6 address for the lan interface in order to enter the web configurator
- from the web interface, Interfaces->Assign, I have created two new interfaces associated with the above vlans. I configured each interface in order to get the .7 ending address.
I think the above is correct to create the interfaces, the only doubt is about the LAN address (192.168.4.6) that could be misleading.
Now I have to configure the switch, an HP Procurve 1810, so I created the two vlan, or better the vlan 44 since the 1 is already working. This switch is connected to another one (same model) that connects all clients of the VLAN44, so I have two ports to be configured (the one pfsense is connected to and the one that connects to the other switch). I believe the port pfsense is connected to should be Tagged (T), but doing so I cannot even ping the vlan interfaces, while I can ping the LAN master address. I tried leaving the port Untagged (U) and I can ping all the addresses of all the networks (real and virtual), but only from within the VLAN1 network. The other switch is working in untagged mode for all ports.
So I'd like to know if someone can explain what I'm doing wrong and how to configure both the switch in order to get the vlans working.
I've tried to have a look at the link http://pfsense.site88.net/mysetup/index.html but the switch model is quite different and I'm not sure about how to adopt the same setup on it.
Any hint will really be appreciated.Thanks.
-
When you use VLAN interfaces on an interface such as rl0, it is important that you also not assign the parent (rl0) as another interface.
in your scenario, your WAN is whichever interface that may be (rl1?)
LAN would be vlan0 (vlan id 1), and OPT1 would be vlan1 (vlan id 44)
The ports pfSense plugs into should be a trunk port: set the default vlan for that port to "no" and tag every VLAN you want to use (1 and 44 in your case).
If you had a default vlan of 1, and vlan 1 tagged, your rl0 and vlan0 interfaces would have been on the same network and that can cause all kinds of not-fun issues.
-
If I got it right, the problem could be with the PVID 1, the default in my switches. So I created two VLANs on the switch, the PVID=4 for the 192.168.4.0 network and the PVID=44 for the 192.168.44.0 network. Then I plugged the pfsense cable of the rl0 interface, configured it to have the 192.168.4.6 address (is this right?) and the VLAN4 = 192.168.4.7 and VLAN44 = 192.168.44.7. Then I configured the switch port, trying the following combinations:
VLAN 1 (default) | VLAN 4 (192.168.4.7) | VLAN 44 (192.168.44.7) | Result Excluded (E) | Tagged T | Tagged T | None of the VLAN or LAN address was working Exluded (E) | Tagged | Untagged | Lan address reachable, none of the VLANs was reachable Tagged | Tagged | Tagged | None reachable (and switch no more reachable too!)Then I replaced the second configuration (i.e., PVID=44 untagged) and tried to ping the pfsense virtual interface from the switch itself. The switch can ping the LAN address (192.168.4.6) but none of the vlan addresses.
This lead me to think there is a problem in the switch configuration, right?
Am I missing something here? -
It should be as I described before:
rl0 is not assigned anywhere. After you set VLANs on it, forget it exists.
Interfaces > Assign, VLAN tab: setup vlans for vlan id 4, and vlan id 44 (these will show up as vlan0 and vlan1 respectively)
Under Interfaces > (assign)
LAN is vlan0
OPT1 is vlan1On your switch set VLAN 1 to be excluded, or if you have a choice, just choose not to have a default. Then set tagged for 4 and 44. There should be no VLANs on the port plugged into pfsense that are untagged; they should all be tagged.
That should work, but I haven't used HP switches much. I have a couple sitting next to me I haven't had a chance to get into yet.
-
Ok, but how can I enter the web configurator if I don't assign an address to the lan interface (rl0)?
From the console, pfsense asks me to assign at least the wan and lan interfaces, so in this case I should not give a lan assignement? -
Because vlan0 is the LAN interface, and that is where your .4.6 IP will go.
When asked for LAN assignment, give it vlan0 (which should be in the list after creating the VLANs)
-
No way, I did what you explained but when I exclude the PVID=1 and tag the PVID={4,44} into the switch the pfsense machine becomes unreachable.
I suspect it's something wrong with the switch configuration at this point… -
Where are you trying to reach the pfSense box from?
You should be using a PC plugged into a port with VLAN 4 set untagged (and no other VLANs)
-
I just configured one of my HP switches with some VLANs and got it to work on an ALIX with no issues.
Here's what my config from the HP looks like right now:
vlan 1 name "DEFAULT_VLAN" untagged 13-26 no untagged 1-12 ip address dhcp-bootp exit vlan 10 name "Main" untagged 2-5 tagged 1 ip address 192.168.20.246 255.255.255.0 exitI then plugged my ALIX into port 1, setup a VLAN interface tagged as 10, assigned that vlan0 interface as LAN, then plugged a PC in port 3 – it all worked. I did have to reboot the ALIX after creating the VLANs but that is a common issue when dealing with VLANs; Sometimes you have to reboot the router after setting them up.
-
Just in case I miss something, the web configurator of my switch appears as in the attached pictures. Please note that the pfsense machine is connected to the port 4. Now, if my configuration is ok, then I have to try it on another switch.
-
Is that correct, that VLAN 4 has no members except the trunk to the pfSense?
How are the PVIDs configured now? (screenshot?)The screenshots i posted here: http://forum.pfsense.org/index.php/topic,14918.msg78736.html#msg78736
Are for a netgear switch, but you should be able to see the basics out of them and apply to your case. -
Thanks for the suggestion, in fact I'm not sure which port must be tagged. The problem is that my switch allows a single untagged vlan on a port, and all the others must be tagged. In you example you have tagged only the pfsense port, while in my switch this is not possible since also the other vlans must be tagged.
So, what I'm going to try is to tag all the ports in all the vlans and see if it works. -
fluca - that is not what you want to do.
You do not want tagging on client ports. You only want a single VLAN for them. And for pfSense, you do NOT want an untagged vlan, only tagged.
So it should be like so:
pfSense port: Tagged 4 and 44
VLAN 4 clients: Untagged 4
VLAN 44 clients: Untagged 44They do not need untagged access to multiple VLANs, and that is impossible on any managed switch. A port can only have one default VLAN.
-
No way!
This is what I've done:- created the VLAN 4 and 44 on the switch;
- configured the switch port 4 (the one pfsense is connected to) to be Excluded from VLAN1 (default), Tagged 4 and Tagged 44;
- configured the port 20 of the switch (the one I'm connected with my laptop) to be Tagged 4 and Excluded from VLAN1 and VLAN44;
- created the VLANs on the pfsense box
- assigned the LAN interface on the VLAN4;
- rebooted the pfsense machine and checked the status of the interfaces (VLAN addresses).
From my laptop I cannot see the pfsense box and the last cannot see any piece of the network (this could be ok since only ports 4 and 20 are tagged for the VLAN4), even my laptop.
Any suggestion?
-
No way!
This is what I've done:- created the VLAN 4 and 44 on the switch;
- configured the switch port 4 (the one pfsense is connected to) to be Excluded from VLAN1 (default), Tagged 4 and Tagged 44;
- configured the port 20 of the switch (the one I'm connected with my laptop) to be Tagged 4 and Excluded from VLAN1 and VLAN44;
- created the VLANs on the pfsense box
- assigned the LAN interface on the VLAN4;
- rebooted the pfsense machine and checked the status of the interfaces (VLAN addresses).
From my laptop I cannot see the pfsense box and the last cannot see any piece of the network (this could be ok since only ports 4 and 20 are tagged for the VLAN4), even my laptop.
Any suggestion?
Point 3 is wrong.
Port 20 with the laptop connected has to be UNTAGGED. -
Point 3 is wrong.
Port 20 with the laptop connected has to be UNTAGGED.Sorry, I've miswritten: port 20 is Untagged (see screenshots).
Now, after a reboot the situation is:
LAN -> nfe0 192.168.4.7 (this is kept up just for let the network working)
VLAN4 -> rl0 192.168.4.6
VLAN44 -> rl0 192.168.44.7and this is what the pfsense box says:
# ifconfig rl0: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500 options=8 <vlan_mtu>ether 00:19:cb:54:c9:11 inet6 fe80::219:cbff:fe54:c911%rl0 prefixlen 64 scopeid 0x1 media: Ethernet autoselect (100baseTX <full-duplex>) status: active nfe0: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500 options=8 <vlan_mtu>ether 00:18:f3:40:38:28 inet 192.168.4.7 netmask 0xffffff00 broadcast 192.168.4.255 inet6 fe80::218:f3ff:fe40:3828%nfe0 prefixlen 64 scopeid 0x3 media: Ethernet autoselect (1000baseTX <full-duplex>) status: active lo0: flags=8049 <up,loopback,running,multicast>metric 0 mtu 16384 inet 127.0.0.1 netmask 0xff000000 inet6 ::1 prefixlen 128 inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4 vlan0: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500 ether 00:19:cb:54:c9:11 inet6 fe80::219:cbff:fe54:c911%vlan0 prefixlen 64 scopeid 0x8 inet 192.168.4.6 netmask 0xffffff00 broadcast 192.168.4.255 media: Ethernet autoselect (100baseTX <full-duplex>) status: active vlan: 4 parent interface: rl0 vlan1: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500 ether 00:19:cb:54:c9:11 inet6 fe80::219:cbff:fe54:c911%vlan1 prefixlen 64 scopeid 0x9 inet 192.168.44.7 netmask 0xffffff00 broadcast 192.168.44.255 media: Ethernet autoselect (100baseTX <full-duplex>) status: active vlan: 44 parent interface: rl0</full-duplex></up,broadcast,running,simplex,multicast></full-duplex></up,broadcast,running,simplex,multicast></up,loopback,running,multicast></full-duplex></vlan_mtu></up,broadcast,running,simplex,multicast></full-duplex></vlan_mtu></up,broadcast,running,simplex,multicast>but if I try to connect from the LAN to the 192.168.4.6 I can't:
# route get 192.168.4.6 route to: 192.168.4.6 destination: 192.168.4.0 mask: 255.255.255.0 interface: nfe0 flags: <up,done,cloning>recvpipe sendpipe ssthresh rtt,msec rttvar hopcount mtu expire 0 0 0 0 0 0 1500 -514 # ping 192.168.4.6 PING 192.168.4.6 (192.168.4.6): 56 data bytes</up,done,cloning>and the ping hangs. The firewall logs don't show me any blocked packet on such interface, so the packets are not reaching the interface, and in fact, if I try to ping the machine from the switch I see no packet coming back.
I'm starting being depressed! :-[
-
You have the same subnet on LAN and VLAN4.
Unless you're bridging them you have to move one of them to a different subnet. -
I've changed a subnet so that now interfaces are as follows:
vlan0: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500 ether 00:19:cb:54:c9:11 inet6 fe80::219:cbff:fe54:c911%vlan0 prefixlen 64 scopeid 0x8 inet 192.168.45.6 netmask 0xffffff00 broadcast 192.168.45.255 media: Ethernet autoselect (100baseTX <full-duplex>) status: active vlan: 4 parent interface: rl0 vlan1: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500 ether 00:19:cb:54:c9:11 inet6 fe80::219:cbff:fe54:c911%vlan1 prefixlen 64 scopeid 0x9 inet 192.168.44.6 netmask 0xffffff00 broadcast 192.168.44.255 media: Ethernet autoselect (100baseTX <full-duplex>) status: active vlan: 44 parent interface: rl0 nfe0: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500 options=8 <vlan_mtu>ether 00:18:f3:40:38:28 inet 192.168.4.7 netmask 0xffffff00 broadcast 192.168.4.255 inet6 fe80::218:f3ff:fe40:3828%nfe0 prefixlen 64 scopeid 0x3 media: Ethernet autoselect (1000baseTX <full-duplex>) status: active</full-duplex></vlan_mtu></up,broadcast,running,simplex,multicast></full-duplex></up,broadcast,running,simplex,multicast></full-duplex></up,broadcast,running,simplex,multicast>but even with such configuration it is not working (I've rebooted the machine to be sure, the switch configuration is the same as in the previous post). The switch says that the links on port 20 and 4 are active, but nothing more than that.
-
At last I did it!
I used another switch, with the same configuration, so I tagged on each vlan the port to which the pfsense box is connected, and untagged each port belonging to each vlan, and it works. So I guess it could have been not only a misconfiguration problem, but a switch one.Thanks a lot for the help.
