Green, Blue and Orange Networks



  • Hi,

    I'm having some issues with setting up my net.  What I want to do is have a green network (workstations), a blue network (wireless), and an orange network (DMZ).  I have a ProCurve switch which supports VLANs, and my pfSense box has two NICs.

    On the pfSense, one NIC is for the outside connection, and the other one is for the internal one.  What I want to do is create 3 VLANs for the different colors, and be able to get out to the net from each color.

    Here's what I've done so far…

    • set up the VLANs (VLAN 102 on bge1)
    • create a new interface for VLAN 102 called OPT1.  For IP configuration, I put in 192.168.102.1/24 with a gateway of 192.168.1.1.
    • For the DHCP server, I have another one set up for OPT1 with all the 192.168.102.0/24 info in it.
    • For the firewall rules, I have a rule that duplicates the LAN one, but the interface is OPT1 and not LAN.

    I believe that is it.  I'm assuming that when I set my switch for VLAN 102 and tag my port to it, it will give me a 192.168.102.x address, but it's not working.  :(  Some questions I have: under the setup of the OPT1 interface, do I have to specify it to bridge the LAN?  Do I use 192.168.1.1 for the gateway, or something like 192.168.1.5?  Do I need a static route?  I tried adding outbound NAT rules, but that didn't work either.

    Any help is appreciated.  I've tried to look for a tutorial on something like this but came back with nothing.

    Thanks in advance!



  • I'm going to guess your problem isn't on the pfSense side, but on your switch side.

    Going on the assumption that you haven't played with VLANs in the past:

    In the ProCurve, you need to do several things:

    1. Set up VLAN 102 (which you did)
    2. In the VLAN setup, tell it to 'tag' that VLAN on the physical port going to the pfSense box.
    3. Also in the VLAN setup, set the physical port you want to use for that network as 'Untagged'.
    4. Lastly, find the settings for PVID. You need to set the PVID for the computer port to 102, instead of 1.

    Leave the 'Trunk' port going to the pfSense box with a PVID of 1, and also leave it as Untagged.

    Similar procedures with the other VLANs you want to setup.
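    The four switch-side steps above can be turned into a mechanical check. The Python below is an added example, not code from the thread or from HP: it reads ProCurve-style `vlan` stanzas (`tagged` / `untagged` / `no untagged` port lists, as they appear in `show running-config`) and reports anything that breaks the rules given in this post. The port numbering, the VLAN names, the choice of port 24 as the cable to pfSense, and both sample configs are constructed for the example; real ProCurve output contains more lines than the parser looks at, and modular port names such as `A1` are not handled.

```python
"""Check ProCurve-style VLAN stanzas against the rules given in the thread.

Assumptions (not from the original post): ports are plain numbers, the cable
to pfSense is on port 24, and only 'vlan', 'tagged', 'untagged' and
'no untagged' lines matter.  Other running-config lines are ignored.
"""
import re
from collections import defaultdict

# Constructed sample of a correct layout: 1-8 stay on the default VLAN (green),
# 9-16 are wireless (102, blue), 17-22 are DMZ (103, orange), port 24 is the
# single cable to the pfSense LAN NIC (bge1) and carries every VLAN tagged.
GOOD_CONFIG = """\
vlan 1
   name "DEFAULT_VLAN"
   untagged 1-8,23-24
   no untagged 9-22
   exit
vlan 102
   name "BLUE"
   untagged 9-16
   tagged 24
   exit
vlan 103
   name "ORANGE"
   untagged 17-22
   tagged 24
   exit
"""

# Same switch with two of the mistakes the thread is about: VLAN 103 was never
# tagged on the pfSense port, and port 9 is still untagged in VLAN 1 as well as
# in VLAN 102 (its PVID never moved off 1).
BAD_CONFIG = """\
vlan 1
   name "DEFAULT_VLAN"
   untagged 1-9,23-24
   exit
vlan 102
   name "BLUE"
   untagged 9-16
   tagged 24
   exit
vlan 103
   name "ORANGE"
   untagged 17-22
   exit
"""


def expand_ports(spec):
    """'1-3,7' -> {1, 2, 3, 7}  (numeric ports only)."""
    ports = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = part.split("-", 1)
            ports.update(range(int(lo), int(hi) + 1))
        else:
            ports.add(int(part))
    return ports


def parse_vlans(config):
    """Return {vid: {"tagged": set(ports), "untagged": set(ports)}}."""
    vlans = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        head = re.match(r"^vlan (\d+)$", line)
        if head:
            current = int(head.group(1))
            vlans.setdefault(current, {"tagged": set(), "untagged": set()})
            continue
        if current is None:
            continue
        if line == "exit":
            current = None
            continue
        member = re.match(r"^(no )?(tagged|untagged) (\S+)$", line)
        if member:
            negate, kind, spec = member.groups()
            ports = expand_ports(spec)
            if negate:
                vlans[current][kind] -= ports
            else:
                vlans[current][kind] |= ports
    return vlans


def check_vlans(vlans, uplink, default_vid=1):
    """Apply the thread's rules; return a sorted list of problems (empty == OK).

    - the pfSense port is tagged in every non-default VLAN and untagged only
      in the default VLAN (its PVID stays 1);
    - every other port is untagged in exactly one VLAN, which is the PVID the
      switch will stamp on that port's untagged frames;
    - no port is both tagged and untagged in the same VLAN.
    """
    problems = []
    untagged_in = defaultdict(set)  # port -> VLANs it is untagged in
    for vid, members in vlans.items():
        for port in members["untagged"]:
            untagged_in[port].add(vid)
        for port in members["tagged"] & members["untagged"]:
            problems.append(f"port {port} is both tagged and untagged in VLAN {vid}")
        if vid != default_vid and uplink not in members["tagged"]:
            problems.append(f"VLAN {vid} is not tagged on the pfSense port {uplink}")
    if untagged_in[uplink] != {default_vid}:
        problems.append(f"pfSense port {uplink} should be untagged only in VLAN {default_vid}")
    for port, vids in sorted(untagged_in.items()):
        if port != uplink and len(vids) != 1:
            problems.append(f"port {port} is untagged in VLANs {sorted(vids)}; it needs exactly one PVID")
    return sorted(problems)


if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(name, check_vlans(parse_vlans(cfg), uplink=24) or "OK")
```

    The second config is exactly the "I get an address but nothing leaves the VLAN" situation: VLAN 103 never reaches pfSense because it was not tagged on the uplink, and a port untagged in two VLANs has an ambiguous PVID. On a real ProCurve the untagged VLAN of a port is its PVID, so the separate PVID step in the post is covered by the "exactly one untagged VLAN" rule.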



  • And if you only have two NICs (one for WAN and one for LAN) and you're going to use multiple VLANs on either, you need to "TAG" all the VLANs on the port you are using for the interface.

    In ProCurve, a tagged port carries multiple VLANs; an untagged port only carries one VLAN.



  • You are right, I have never played with VLANs.  I figured that it's about time I learn about them.  :)

    I'll try the switch configurations today and see what happens.  Thanks for the information because that might be where the problem lies…

    Also, do I have to bridge the VLAN on the pfSense server to the real NIC in order for it to pass traffic?

    Thanks!



  • Thank you for the help.  I updated the switch firmware and followed your instructions and now it works!!  Thank you again.

    My next problem is that I can't get it to connect to anything outside of that VLAN.  I get an IP from the DHCP server and I can ping other machines on that VLAN, but I just can't get out.

    Thanks again for your help!



  • You mentioned setting a gateway in your OP. A LAN-type interface does not need a gateway entered. Look at how the LAN is configured.



  • @dotdash:

    You mentioned setting a gateway in your OP. A LAN-type interface does not need a gateway entered. Look at how the LAN is configured.

    This, I think, may be the issue. The only thing you need to do in the 'Interface' setup on the pfSense side (Meaning Interface Menu > OPT1 (or whatever you named it)) is set the IP for the interface itself. The routing / gateway stuff is done automagically if you haven't changed any settings anywhere else. (Such as Manual NAT settings)

    And it's okay, I learned VLANs on a pair of Linksys desktop switches a few years ago; now they're all over the place in our setup. :)



  • Thank you all for the help.  I did get it working and it was super easy.  I don't know why I over-complicate this stuff.

    I have another question about trunks, but I think I might make this into another post because it's a little off-topic.  I just wanted to say thanks for the responses because it did help out a lot.



  • You might want to distinguish between trunks and tags.

    Trunk in ProCurve == several ports trunked together for an increase in bandwidth / redundancy.
    Tagged / Untagged == ways to assign a VLAN to a port on a ProCurve.

    I'm not too familiar with Cisco terminology, but I believe that Cisco calls a tagged network with multiple VLANs a trunk.



  • @eirikz:

    You might want to distinguish between trunks and tags.

    Trunk in ProCurve == several ports trunked together for an increase in bandwidth / redundancy.
    Tagged / Untagged == ways to assign a VLAN to a port on a ProCurve.

    In Netgear stuff I believe it's more like:

    Tag / Untag = whether packets are tagged on ingress / egress
    Trunk = port with multiple tagged VLANs
    LAG = Link Aggregation Group = utilizing multiple physical ports for an increase in bandwidth / redundancy

    I'm sure every manufacturer likes to call them different things... doesn't hurt to hear what the other side calls it.
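    Whatever the vendor calls the port, "tagged" and "untagged" describe one concrete thing: whether a 4-byte 802.1Q header (TPID 0x8100 followed by the 16-bit TCI carrying the VLAN ID) is present on the frame when it leaves the port. The Python below is an added example, not code from the thread or any vendor; it builds and strips that header and runs a deliberately simplified switch model over the membership table from this thread (constructed: port 9 wireless in 102, port 17 DMZ in 103, port 24 to pfSense tagged for 102 and 103). The model floods to every member instead of learning MACs, and accepts a tagged frame on ingress only if the port is a member of that VLAN, which is also why an access port cannot inject into another VLAN by sending its own tags.

```python
"""Toy model of what 'tagged' and 'untagged' membership do to a frame.

Assumptions (not from the original thread): the switch is reduced to a
membership table with flooding, a frame is accepted on ingress only if its
VLAN is one the port is a member of, and only the single-tag 0x8100 case
is handled (no QinQ; PCP/DEI bits are carried but not interpreted).
"""
import struct

TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800


def build_frame(dst, src, ethertype, payload):
    """Untagged Ethernet II frame: dst(6) src(6) type(2) payload."""
    return dst + src + struct.pack("!H", ethertype) + payload


def is_tagged(frame):
    return struct.unpack_from("!H", frame, 12)[0] == TPID_8021Q


def add_tag(frame, vid, pcp=0):
    """Insert the 802.1Q header (TPID + TCI) right after the MAC addresses."""
    if not 1 <= vid <= 4094:
        raise ValueError("VID must be 1..4094")
    tci = ((pcp & 0x7) << 13) | vid
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def strip_tag(frame):
    return frame[:12] + frame[16:] if is_tagged(frame) else frame


def vid_of(frame):
    """VLAN ID carried in the tag, or None for an untagged frame."""
    if not is_tagged(frame):
        return None
    return struct.unpack_from("!H", frame, 14)[0] & 0x0FFF


# Constructed membership table for the thread's layout: 'pvid' is the VLAN a
# port is untagged in, 'tagged' the extra VLANs it carries with a header.
PORTS = {
    1:  {"pvid": 1,   "tagged": set()},       # green workstation
    9:  {"pvid": 102, "tagged": set()},       # blue wireless AP
    17: {"pvid": 103, "tagged": set()},       # orange DMZ host
    24: {"pvid": 1,   "tagged": {102, 103}},  # single cable to pfSense bge1
}


def forward(frame, ingress, ports=PORTS):
    """Return {egress_port: frame as it leaves the wire}; {} if dropped.

    Ingress: an untagged frame is classified into the port's PVID; a tagged
    frame keeps its VID but is dropped unless the port is a member of that
    VLAN.  Egress: a member port whose PVID matches gets the frame untagged,
    a tagged member gets it with the header, non-members get nothing.
    """
    me = ports[ingress]
    vid = vid_of(frame)
    if vid is None:
        vid = me["pvid"]
    elif vid != me["pvid"] and vid not in me["tagged"]:
        return {}
    out = {}
    for port, member in ports.items():
        if port == ingress:
            continue
        if vid == member["pvid"]:
            out[port] = strip_tag(frame)
        elif vid in member["tagged"]:
            out[port] = add_tag(strip_tag(frame), vid)
    return out


if __name__ == "__main__":
    # Constructed sample: a broadcast from the wireless side (port 9).
    wifi = build_frame(b"\xff" * 6, b"\x00\x11\x22\x33\x44\x55",
                       ETHERTYPE_IPV4, b"dhcp-discover")
    for port, out in forward(wifi, ingress=9).items():
        print(port, "tagged" if is_tagged(out) else "untagged", vid_of(out))
```

    Run stand-alone, the broadcast from port 9 is delivered only to port 24, and there it carries VID 102 so that pfSense's `bge1` VLAN 102 interface picks it up; ports 1 and 17 never see it. The same function shows the failure mode from earlier in the thread: with port 24 untagged-only (no `tagged` entries), the wireless VLAN has no egress at all, which matches "I can ping other machines on that VLAN, but I just can't get out".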



  • Thanks all for the responses.

    You are correct, the "trunk" in the ProCurve is for link aggregation.  The tagged / untagged definition relates to VLANs.

    In the end, I got it to work.  I fat-fingered something on the server which was causing the problems.  Bottom line is that things are working great.  :)

    Thanks!

