Need help setting up VLAN [SOLVED]



  • Hi Folks! I have been a pfSense convert for the last 3 months now and have been lurking on this forum with great success when I had questions during the initial install. But now I am trying to reconfigure/install my network with VLANs but need some help. Here is my situation as well as the hardware I am using…

    I have set up pfSense on a spare Thinkpad T42 which comes with one inbuilt nic. When I did my initial install, I thought that adding a second physical interface was the way to go since the usb-ethernet adapters were so cheap, and I picked one up which does work now with the setup I have. The problem is it is prone to flaky behaviour which forces me to reboot the laptop once in a while, or sometimes even a disconnect/connect of the cable to the usb-ethernet interface fixes the issue. This leads me to believe that with continued use, I am running into issues with the particular usb-ethernet device I am using now.

    Now, the change part comes in.... I have acquired a NetGear smart switch recently with 802.1q tagging which I want to make use of to set up VLANs, so that I can use the only physical interface (built-in nic) on the laptop and get rid of the usb-ethernet adapter. I tried searching for posts which would point me to how it can be configured but didn't actually find anything resembling what I want to do. So, basically I want to do the following:

    ___________
    FIOS -----|smart switch|-------pfSense(Laptop)
    LAN-------|__________|

    I know it is a pretty crude diagram, but hopefully it depicts what I want to do. My question is, how do I set up the switch and the pfSense(laptop) so that I can get by with just using the smart switch in conjunction with the one nic on the laptop with multiple VLANs? My FIOS connection is provisioned at 25/25 and since the built-in nic on the laptop is rated 10/100/1000, it should be doable, right?

    Thank you for your time.



  • I might be totally wrong, but the minimum of physical adapters is two, which does make a lot of sense.



  • I think it's a minimum of one NIC in pfSense 2.0 BETA. There are cheap USB and Cardbus NICs available on eBay which could be useful if two NICs are required (e.g. because BETA software is not suitable).



  • @eirikz:

    I might be totally wrong, but the minimum of physical adapters is two, which does make a lot of sense.

    No.
    The minimum amount of interfaces is two.
    However they can be virtual.

    @OP:
    Just create two vlans on your NIC when setting up the pfSense.
    Don't assign the real interface.
    http://forum.pfsense.org/index.php/topic,14918.msg78736.html#msg78736
    It is for an FS726T but should be applicable to your switch as well.



  • Thank you, GruensFroeschli.

    That is exactly what I was hoping for. BTW, I have a Netgear GS108T, so I will give this a shot today. Thanks to all who took the time to respond!



  • Hmm… I guess it was easier said than done on my part. I cannot translate the configuration listed on the example link above for the FS726T to the GS108T, especially since there are no distinct ports listed on the example labeled as LAN, WAN etc. I get that VLANs 1100 - 1400 should hold the clue for me but I don't understand it.

    I really have a need for 3 ports to be used on the switch, 1 for pfSense, 1 for LAN and 1 for WAN, but I am getting lost in the example link config since it not only has many more ports, but there is the obvious difference in config screens between the 2 models of switches being used. Any pointers would be greatly appreciated!!

    Thanks.



  • I'm not in a good position to look at the setup pages of that particular switch, but there are generally two interfaces I've seen for Netgear switches that are VLAN capable.

    One has the menu on the left side, one has tabs up top.

    On the ones with the menu on the left:

    1. The VLAN menu should be easily spotted, click that.
    2. Make sure '802.1q' is selected at the top, rather than 'Port based VLAN'
    3. If / when that selection is there / setup, you should see a drop-down with a number 1 in it. Click that, then Add new VLAN
    4. Put in the number of the VLAN you want in the box to the right (remember this number, it has to match in pfsense)
    5. Repeat again for your second VLAN.
    5a. Note, you can use VLAN 1 for your LAN, and your new VLANs as your two WAN networks. It'll keep things simpler in the long run.
    6. Choose which ports you'll use for what. Generally I use the last port for pfSense, the two before that for WAN, and the rest for LAN
    7. Choose the drop-down, and pick your first VLAN
    8. Click on the boxes for the ports you want to use for your first WAN connection (figure 7, 8), for number 7, click the box until it has a U in it, for 8, until it has a T.
    9. Do the same for your second VLAN, but port 6 with the U, and again 8 with the T.
    10. Choose the VLAN number box again, except choose PVID settings
    11. Find ports 7 and 8, change the '1' in those boxes to the respective numbers on your VLANs.

    Wham. Connect everything up and you should be golden. As long as the interfaces in the 'Assign' menu on pfsense have the same VLAN tags, you'll be good to go. In this case, you want your LAN to be 'untagged', meaning NOT on a VLAN but on the physical interface, and your WANs on the two tagged VLANs.

    The other type of Netgear is similar in operation, just very slightly different. If you're still having issues I'll try to check back tomorrow when I have an opportunity to look up that particular interface and see if I steered you wrong. The above is all from memory so it may be slightly off.



  • I'm using the GS724T, so hopefully the config is similar.

    On the Switching:VLAN page you need to create a vlan each for your WAN and LAN. I'll call them 10 and 20, respectively. (Of course you will have created vlans 10 & 20 on pfsense already, and assigned them to WAN and LAN respectively.) Go ahead and name them WAN and LAN if you like. See screenshot 1 (My WAN and LAN are 201 and 85 here).

    Now click "Advanced" on the left menu, then VLAN Membership. In the dropdown menu for VLAN ID, choose 10. After a couple seconds the page will refresh and then click the triangle in the first orange row to expand the view. I'll assume your FIOS is plugged into port 1. So in the orange row, click port 1 until it has a "U" in it. This means that packets leaving port 1 will have their vlan 10 header stripped and the packet will be passed. Any packet without a vlan10 header will not pass that port. See screenshot 2 (My pfsense WAN vlan is plugged into port 9, modem is connected to port 1).

    Still in the orange row, and assuming your pfsense laptop is plugged into port 2, click the box for port 2 until a "T" appears in it. This means that any packet on the switch that is tagged for vlan10 can pass to that port with its vlan header intact, which is what pfsense is expecting. Click the Apply button at the bottom of the page.

    Back to the VLAN ID dropdown, choose 20. Let the page refresh. Click the first purple-on-orange arrow to see the ports. Assuming your LAN hosts are plugged into ports 3-8, click the boxes for ports 3-8 until they show a "U". Put a "T" in the box for port 2 and Apply. See screenshot 3 (My pfsense LAN vlan is on port 9, LAN hosts are on ports 13-24).

    Now pfsense is receiving packets tagged for both vlans 10 and 20 on physical port 2, FIOS is receiving untagged packets from vlan 10 on port 1, and your LAN hosts are receiving untagged packets for vlan 20 on ports 3-8.

    Now click "Port PVID Configuration" on the left menu. Click the box for port 1 and the first row should autofill some values for port 1. Change the following value:

    PVID: 10

    and click Apply.

    Click port 3 and change the following value:

    PVID: 20

    click Apply, then do the same for ports 4-8. The PVID tells the switch that untagged packets entering that port should get tagged to vlan 20 (thus putting them into communication with pfsense's LAN interface). See screenshot 4 (port g1 being my modem, port 9=pfsense WAN, port 10=pfsense LAN, ports 13-24=LAN hosts).

    That's it.

    edit: a firmware update on my switch has the web UI behaving a little better, so I updated this post with screenshots to make it a little easier (hopefully) to follow for anybody else trying to do similarly.
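    The U/T/PVID rules described in the two walkthroughs above are easy to get subtly wrong, so here is an added example (not code from the thread, pfSense or Netgear) that models them in Python: untagged ingress frames take the port's PVID, tagged frames are accepted only on member ports, and egress strips the tag on U ports and keeps it on T ports. It is built around clarknova's layout (FIOS on port 1, pfSense trunk on port 2, LAN hosts on 3-8, VLAN 10 = WAN, VLAN 20 = LAN) and also shows the detail dreamslacker raises later in the thread: a trunk port left in the default VLAN 1 still floods untagged frames to every other port, including the WAN-facing one, and the switch refuses to remove the port from VLAN 1 until its PVID is moved. The port numbers and VLAN ids are the thread's; the `Switch`, `Frame` and `isolate_trunk` names are mine.

```python
"""Toy model of 802.1Q membership (U/T) and PVID handling on a small managed
switch, mirroring the GS108T/GS724T walkthrough in this thread.
Added example, not switch firmware or pfSense code."""
from dataclasses import dataclass
from typing import Dict, Optional

UNTAGGED = "U"  # member port; 802.1Q header stripped on egress
TAGGED = "T"    # member port; header kept on egress (trunk to pfSense)


@dataclass(frozen=True)
class Frame:
    ingress_port: int
    vlan: Optional[int]  # None = arrives with no 802.1Q header


class PvidError(Exception):
    """Models the switch refusing to drop a port from the VLAN its PVID selects."""


class Switch:
    def __init__(self, port_count: int = 8) -> None:
        self.ports = list(range(1, port_count + 1))
        # Factory default: every port is an untagged member of VLAN 1 with PVID 1.
        self.membership: Dict[int, Dict[int, str]] = {1: {p: UNTAGGED for p in self.ports}}
        self.pvid: Dict[int, int] = {p: 1 for p in self.ports}

    def set_member(self, vlan: int, port: int, mode: str) -> None:
        if mode not in (UNTAGGED, TAGGED):
            raise ValueError(mode)
        self.membership.setdefault(vlan, {})[port] = mode

    def remove_member(self, vlan: int, port: int) -> None:
        # Same refusal the GS108T reports later in the thread when the PVID still points here.
        if self.pvid[port] == vlan:
            raise PvidError(f"Can't remove port {port} from VLAN {vlan}, its PVID not changed")
        self.membership.get(vlan, {}).pop(port, None)

    def set_pvid(self, port: int, vlan: int) -> None:
        self.pvid[port] = vlan

    def classify(self, frame: Frame) -> Optional[int]:
        """Ingress: untagged frames take the port's PVID; tagged frames are
        accepted only on ports that are members of that VLAN."""
        if frame.vlan is None:
            return self.pvid[frame.ingress_port]
        if frame.ingress_port in self.membership.get(frame.vlan, {}):
            return frame.vlan
        return None  # tagged for a VLAN this port is not in: dropped

    def forward(self, frame: Frame) -> Dict[int, Optional[int]]:
        """Flood the frame within its VLAN (no MAC learning). Returns
        {egress_port: tag}, tag being the VLAN id on T ports and None on U ports."""
        vlan = self.classify(frame)
        if vlan is None:
            return {}
        return {
            port: (vlan if mode == TAGGED else None)
            for port, mode in self.membership.get(vlan, {}).items()
            if port != frame.ingress_port
        }


def build_thread_config() -> Switch:
    """clarknova's layout: FIOS on port 1, pfSense trunk on port 2, LAN hosts on 3-8."""
    sw = Switch(8)
    sw.set_member(10, 1, UNTAGGED)   # VLAN 10 = WAN, stripped toward the ONT
    sw.set_member(10, 2, TAGGED)     # trunk carries VLAN 10 tagged to pfSense
    for p in range(3, 9):
        sw.set_member(20, p, UNTAGGED)  # VLAN 20 = LAN, stripped toward hosts
    sw.set_member(20, 2, TAGGED)
    sw.set_pvid(1, 10)               # untagged frames from FIOS become VLAN 10
    for p in range(3, 9):
        sw.set_pvid(p, 20)           # untagged frames from hosts become VLAN 20
    return sw


def isolate_trunk(sw: Switch, trunk_port: int = 2, pvid: int = 20) -> None:
    """Take the trunk out of VLAN 1 so untagged frames on it cannot flood the
    default VLAN; the PVID has to move first or the switch refuses."""
    sw.set_pvid(trunk_port, pvid)
    sw.remove_member(1, trunk_port)


if __name__ == "__main__":
    sw = build_thread_config()
    print("FIOS untagged on port 1 ->", sw.forward(Frame(1, None)))   # {2: 10}
    print("pfSense VLAN 20 on port 2 ->", sw.forward(Frame(2, 20)))   # ports 3-8, untagged
    print("stray tag 10 on LAN port 3 ->", sw.forward(Frame(3, 10)))  # {} dropped
    print("untagged from trunk, VLAN 1 untouched ->", sw.forward(Frame(2, None)))
    isolate_trunk(sw)
    print("untagged from trunk after isolation ->", sw.forward(Frame(2, None)))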



  • Thanks to both Jahntassa and Clarknova, I have successfully set up my network with just a smart switch and a laptop.

    Also, thanks to all who contributed/participated on this discussion.



  • Hi, I am back again….

    With instructions/help I received from members in this forum, especially clarknova and Jahntassa, I managed to configure my Netgear GS108T switch to use with the built-in nic on my laptop and was able to pull both a WAN and LAN ip and then assumed everything was ok. But then I got busy with production issues at work and could not really verify that everything was working as it should. Now that I have some time to devote towards this project again, here is my issue.

    The following screen shots are from my switch followed by the screen shots from pfSense. As you can see, my pc can indeed get a lan ip from dhcp and the wan gets an ip from FIOS too. But unfortunately, I cannot browse the internet from my pc. From reading the posts on this forum with similar config(s), seems I have everything in place already. What else am I missing?

    I have attached the screenshots from my config to help figure out what else needs to be done…I am hoping I missed a small step in my settings. Can you guys help? Thanks!

    One more piece of information. My pfsense laptop is connected to port 1, FIOS to port 2 and pc to port 3 of my smart switch.




  • Everything in the screenshots appears correct to me. Perhaps there is a problem in your firewall rules or NAT config. Can you ping internet sites from pfsense and get a response? Can you ping a LAN host? Do you have a "Pass from all to all" rule on the LAN? Is Advanced Outbound NAT disabled?



  • Here are my answers and some more screenshots.

    • No I cannot ping any internet sites from the pfsense web interface
    • The default pass for all rule on the LAN is still active
    • Advanced outbound NAT is disabled.

    Interestingly, pfsense firewall log screen is completely empty as if no traffic is passing through the firewall.



  • The only other detail I omitted here is that I need to spoof the MAC address of my WAN side because FIOS expects it. Without it, I couldn't even pull the WAN ip. But I thought this is no big deal since I can actually establish a WAN connection, just no internet access.  ;)



  • Everything you posted looks in order to me. Can you get a ping response from your WAN gateway? From the DNS servers? Immediately after pinging these try this on the console:

    arp -an -i em0_vlan10

    The above assumes that your WAN interface is named em0_vlan10, which it would be in 2.0beta, but it might be different in 1.2.3.

    Interestingly, pfsense firewall log screen is completely empty as if no traffic is passing through the firewall.

    Your LAN rule doesn't have logging enabled, so you won't see any logged traffic there. The only firewall logging that is done by default is for the default block rule on the WAN, so unless you disabled that, I would expect to see some blocks in the log after a short time of being connected.



  • Ok, here is what happened.

    • No ping response from the WAN gateway. 100% packet loss.
    • No ping response from DNS servers. 100% packet loss.
    • arp -an -i em0_vlan10 yields:

    ? (173.57.84.1) at (incomplete) on em0_vlan10 expires in 19 seconds [vlan]
    ? (68.238.96.12) at (incomplete) on em0_vlan10 expired [vlan]
    ? (68.238.64.12) at (incomplete) on em0_vlan10 expired [vlan]
    ? (173.57.84.60) at <obfuscated WAN MAC> on em0_vlan10 permanent [vlan]
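    The `arp -an` output above is the single most useful diagnostic in this thread: `(incomplete)` against the gateway means the WAN never got an ARP reply, whatever the DHCP lease says. As an added example (not from the thread or pfSense), here is a small Python parser for that FreeBSD `arp -an` format with a check that reports whether the gateway resolved. The first sample is constructed from the lines above with a made-up MAC in place of the obfuscated one; the second is a constructed healthy case. The `em0_vlan10` name is the 2.0beta naming clarknova mentions; pass whatever `ifconfig` shows on 1.2.3.

```python
"""Parse FreeBSD/pfSense `arp -an` output and report whether the WAN gateway
actually resolved. Added example; both samples are constructed."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# "? (ip) at mac|(incomplete) on iface state [media]"
ARP_LINE = re.compile(
    r"^\? \((?P<ip>\d+(?:\.\d+){3})\) at "
    r"(?P<mac>\(incomplete\)|(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r" on (?P<iface>\S+)(?P<state>.*?)(?: \[(?P<media>\w+)\])?$"
)

# Constructed from the output posted above; the MAC is made up.
SAMPLE_BROKEN = """\
? (173.57.84.1) at (incomplete) on em0_vlan10 expires in 19 seconds [vlan]
? (68.238.96.12) at (incomplete) on em0_vlan10 expired [vlan]
? (68.238.64.12) at (incomplete) on em0_vlan10 expired [vlan]
? (173.57.84.60) at 00:11:22:33:44:55 on em0_vlan10 permanent [vlan]
"""

# Constructed: what a working WAN looks like (gateway has a MAC, own entry permanent).
SAMPLE_HEALTHY = """\
? (173.57.84.1) at 00:aa:bb:cc:dd:ee on em0_vlan10 expires in 1190 seconds [vlan]
? (173.57.84.60) at 00:11:22:33:44:55 on em0_vlan10 permanent [vlan]
"""


@dataclass(frozen=True)
class ArpEntry:
    ip: str
    mac: Optional[str]  # None when no reply ever arrived ("(incomplete)")
    iface: str
    state: str          # "expires in N seconds", "expired" or "permanent"


def parse_arp(text: str) -> List[ArpEntry]:
    """Turn `arp -an` output into entries; lines that don't match are skipped."""
    entries: List[ArpEntry] = []
    for line in text.splitlines():
        m = ARP_LINE.match(line.strip())
        if not m:
            continue
        mac = None if m["mac"] == "(incomplete)" else m["mac"].lower()
        entries.append(ArpEntry(m["ip"], mac, m["iface"], m["state"].strip()))
    return entries


def wan_arp_report(entries: List[ArpEntry], iface: str, gateway: str) -> Dict[str, object]:
    """Summarise the WAN interface: did the gateway resolve, and which
    neighbours are still unanswered? 'permanent' entries are the box's own address."""
    on_iface = [e for e in entries if e.iface == iface]
    gw = next((e for e in on_iface if e.ip == gateway), None)
    return {
        "gateway_resolved": gw is not None and gw.mac is not None,
        "incomplete": sorted(e.ip for e in on_iface if e.mac is None),
        "resolved": sorted(e.ip for e in on_iface if e.mac and e.state != "permanent"),
        "local": sorted(e.ip for e in on_iface if e.state == "permanent"),
    }


if __name__ == "__main__":
    for label, sample in (("broken", SAMPLE_BROKEN), ("healthy", SAMPLE_HEALTHY)):
        print(label, wan_arp_report(parse_arp(sample), "em0_vlan10", "173.57.84.1"))
```

    A `gateway_resolved` of False with the lease still in place points at layer 2 (tag, membership, PVID or MAC), not at firewall rules, which is exactly where the thread ends up.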



  • You're getting no arp resolution on the WAN, and yet you have an IP address. I don't think dhcp will work without arp resolution, so unless I'm wrong, you had it long enough to get an address, and then you lost it.

    Are you able to get internet access from the FIOS using any other device, like a computer connected directly instead of pfsense?

    You may also need to stop blocking bogons on the WAN. I seem to recall reading on dslreports that some FIOS users had bogon-listed addresses upstream of them.



  • Hmmm….That may be so but pfsense installed on the dual core power hungry pc I am trying to replace with the laptop and a smart switch works just fine with my FIOS connection. I just have the issue I have outlined here on the smart switch and laptop.

    Also, the aforementioned dual core pc works just fine with the "block bogon networks" setting checked so it has to be specific to the new config. So, if you have any other suggestions, I am willing to try those out too.



  • I would suggest trying the following.

    1. Copy the config from the working pfsense to the laptop pfsense. You will have to manually change the vlan and interface information to reflect the difference in hardware.

    2. Double-check the MAC address info on the WAN to make sure that you are using a valid MAC.

    3. On the pfsense shell do 'tcpdump -i em0_vlan10 -n' and watch packets come and go on the WAN to see what is working and what isn't. Try renewing the dhcp lease while doing this, ping the gateway, etc. Paste the output here if you want us to have a look at it.



  • Hi, finally got a chance to try the shell command you mentioned above... with interesting results!

    With the command running in the shell constantly capturing and logging packets, I get internet access. With it not running, back to no traffic with the same symptoms as described in my previous posts, e.g. not being able to ping the DNS server from the WAN interface etc. Somehow just logging the traffic on the shell with the command fixes the issue. Does that tell you guys anything at all about what the issue might be?

    I am not sure how to copy the output of the command since I am running it in the shell. If you could tell me a few steps about copying the output and pasting it here, I could do that.

    I suppose I don't have any issues leaving the tcpdump command running in the shell indefinitely if there would be no adverse effects, but would really like to solve it if possible.



  • Interesting. Maybe your NIC just needs more attention.

    You can copy from the shell by accessing the shell via ssh (putty if you're in Windows). You'll have to enable the ssh server in pfsense first.



  • Could you try removing Port 2 from VLAN 1?



  • To dreamslacker:

    I am not sure how. Do you mean on vlan membership mark port 2 as U, T or blank?

    To clarknova:

    Any specific sections or output of tcpdump -i vlan0 -n for anything specific? I have pasted a small sample below.

    04:43:56.833417 IP 173.57.84.60.28747 > 208.83.244.123.1194: UDP, length 49
    04:43:56.837783 IP 208.83.244.123.1194 > 173.57.84.60.28747: UDP, length 49
    04:43:59.802912 IP 173.57.84.60.21579 > 208.83.244.21.123: NTPv4, Client, length 48
    04:43:59.857742 IP 208.83.244.21.123 > 173.57.84.60.21579: NTPv4, Server, length 48
    04:44:00.765513 IP 173.57.84.60.32769 > 192.168.0.100.57920: UDP, length 32
    04:44:00.766951 IP 173.57.84.60.32769 > 192.168.0.100.57920: UDP, length 32
    04:44:01.373543 IP 173.57.84.60.24484 > 67.18.187.111.123: NTPv4, Client, length 48
    04:44:01.380244 IP 67.18.187.111.123 > 173.57.84.60.24484: NTPv4, Server, length 48



  • @hmishra:

    To dreamslacker:

    I am not sure how. Do you mean on vlan membership mark port 2 as U, T or blank?

    Mark vlan 1 membership for port 2 as blank.



  • I did but it did not work. Screenshot attached. Just ignore the port 8 marked as U. I have tried it all blanks for Port 2 - 8, U for 1 - 8, Port 1 T and rest U, Port 1 T and rest blanks etc. and a few other combinations to no avail. For vlan1, the switch does not allow me to make port 1 blank but I have tried with both T and U.




  • I meant blanking ONLY port 2.



  • So, you meant blanking port 2 but leave the rest 1 and 3-8 as T or U? I suppose I can try both.

    I am pretty sure I have done this combination as well but I will verify again. After doing this, does each step require a reboot or restart of the laptop or switch or the pc accessing it?



  • If you're just making changes on the switch then no need to reboot anything. The changes will be effected as soon as you hit the Apply or Save button (within a few seconds, anyway). In some cases you may need to reconfigure the interfaces on the connected hosts, like renewing an IP address.



  • On second thoughts, blank both ports 1 & 2 on VLAN 1 ONLY and leave the rest as Untagged.
    No reboot is required on the switch, if it needs to, it will notify you and power cycle on its own.



  • The switch does not allow me to blank Port 1. I get a message "Can't remove port 1 from this vlan, its PVID not changed". The only allowed setting for port 1 is either U or T. The rest don't matter and I could have them blank, U or T.



  • You can't blank port 1 from vlan 1 because the PVID of that port is set to 1. Change the pvid to 10 or 20, then you will be able to blank it.



  • Ok, tried that too. As before, it simply does not work without running the tcpdump command in the shell.



  • Now that I have experimented quite a bit with setting up a VLAN capable switch to work with the Thinkpad R61i, my question is, is this a laptop issue or a switch issue?



  • That sounds like a good question for cmb.

    I guess a person could always try a different switch or different laptop to find out.



  • Hmmm... I would try with another switch if I had one.

    But I do have another laptop which I suppose I can try running off of the Live CD instead of installing it, although I am not sure if my vlan/config changes will be carried over after a reboot without installing the firewall on the HDD.  :-\



  • You can experiment with the LiveCD until you find a setting that actually works out. Dump the config into XML and then head over to the laptop and use the menu to install to HDD. It should retain all the configuration settings for the install. If not, simply restore the XML file for the HDD install.

    IMO, the problem might be a configuration issue on the switch. Then again, we won't quite know for sure until we see what the switch configuration looks like now.



  • Finally!!! It worked. In fact I am typing this reply on the new VLAN connection. ;D

    Apparently, just spoofing the MAC address on WAN interface with VLANs does not work. At least, in my case.

    I had to manually change the em0, vlan0 and vlan1 MAC addresses to match the spoofed one, after which it chugged along happily. So, nothing was wrong with the switch or laptop, just a case of a non-spoofed MAC.



  • I would like to thank all who replied/helped in this thread. Especially clarknova with the detailed example on setting up the VLANs on a Netgear switch. I set up the switch as clarknova explained and then pfsense on initial install [took me a few tries, but figured it out]. Also the last post by the OP helped me finally get it working. I'm on Comcast, needed the WAN [vlan0 in my case] to spoof the real NIC's MAC address. After that all was working great, much better than my old WRT54GL running Tomato. Now all I need is to set up the wireless part. Hopefully I can find a detailed thread like this one for the wireless part.

    EDIT: For the record I'm running pfSense on a Thinkpad T23 with 1GB of ram and the Netgear GS108T switch.

    THANKS AGAIN ALL! :)

