VLANs… I must be doing something wrong!!



  • Since there is not a soul in the building today, I decided to build a little VLAN project with pfSense.

    The pfSense box has 2 interfaces: rl0 for WAN (DHCP), and rl1 for LAN (172.16.100.1/26).

    I then pulled 2 Windows boxes from the boneyard. I set one to 172.16.100.40/24 and the other to 172.16.100.80/24, and made sure they could ping each other. Then I changed the .40 to /26, and then the .80 to /26. I configured OPT1 as VLAN0 and set the IP address to 172.16.100.65/26. I then created a rule similar to the one for the LAN net on the OPT1 interface (* vlan0-net * * * *).

    So, .40 can ping .1 (obviously), and can also ping .65. .80 can ping nothing.

    So now that I've set the stage, let me state what I'm trying to accomplish.

    1. 0/26 and 64/26 are plugged into the same physical (normal) switch.
    2. If I were to unplug the pfSense LAN interface, I should not be able to ping from .80/26 to .40/26 (already behaving as expected).

    And my goal is:

    1. Build and understand what VLANing a pfSense interface is actually for, and is this project the right way to demonstrate it? Ultimately, I'm under the impression that hosts on the different subnets should be able to access each other via the VLAN'd interface on the pfSense. I think this because, as stated above, .40 can ping the LAN IP (.1) as well as the vlan0 IP (.65).


  • If you use vlans you need to have vlan capable devices at the other end as well. This is usually accomplished by using a vlan capable switch. See http://en.wikipedia.org/wiki/Vlan for a basic understanding.



  • Ah, I've read that article before, but I re-read it again. So it looks like my project falls under subnetting instead of VLANs.

    Thus, is it possible to have an inside interface on a pfSense with the IPs:

    172.16.100.1/26
    172.16.100.65/26

    Or would I need to have a separate interface, possibly bridged to LAN? (The first option, multiple IPs, would be the preferred method, I think.)



  • You can combine subnetting with vlaning and bridging. It really depends on what you want to do with your setup. Adding different interfaces to your pfSense with each one running to a separate switch where the clients are connected, your switches don't need to support vlans. Simple switches will do the job. This is most likely the cheaper solution. If you want to go with vlans you need a switch that supports vlans. These switches are usually more expensive. Additionally you have to configure the switch correctly (ports, trunks, permissions, etc).

    In the end you will end up somehow with a similar setup, as vlans will appear as separate interfaces in your pfSense configuration. The main difference is that with vlans you can use the same network infrastructure (one cable for all internal subnets, one switch for all clients) at your pfSense.
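    An added example (not from this thread or from the pfSense project) that models the two setups described above and shows why .80 could ping nothing in the original post. It assumes OPT1 was an 802.1Q VLAN sub-interface on rl1, that the switch was unmanaged, and that a VLAN-capable switch would tag frames from an access port on the trunk toward pfSense; the `Iface`/`Host` model and the `can_ping` logic are constructed here.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Iface:
    """A pfSense interface. tagged=True means an 802.1Q sub-interface
    (VLAN on rl1), which only accepts frames carrying its VLAN ID."""
    name: str
    addr: str
    tagged: bool

    @property
    def net(self) -> ipaddress.IPv4Network:
        return ipaddress.ip_interface(self.addr).network


@dataclass(frozen=True)
class Host:
    """A client PC. arrives_tagged=True only if a VLAN-capable switch has
    the PC on an access port and tags its frames on the trunk to pfSense."""
    name: str
    addr: str
    arrives_tagged: bool = False

    @property
    def ip(self) -> ipaddress.IPv4Address:
        return ipaddress.ip_interface(self.addr).ip

    @property
    def net(self) -> ipaddress.IPv4Network:
        return ipaddress.ip_interface(self.addr).network


def gateway_for(host: Host, ifaces: List[Iface]) -> Optional[Iface]:
    """The pfSense interface whose subnet contains the host's address, if any."""
    return next((i for i in ifaces if host.ip in i.net), None)


def can_reach_gateway(host: Host, ifaces: List[Iface]) -> bool:
    """Untagged frames never reach a tagged sub-interface (and vice versa):
    no ARP reply from the gateway, so nothing off-subnet is reachable."""
    gw = gateway_for(host, ifaces)
    return gw is not None and gw.tagged == host.arrives_tagged


def can_ping(src: Host, dst: Host, ifaces: List[Iface]) -> bool:
    """Same /26: direct layer-2 path through the switch. Different /26:
    pfSense must route, so both hosts need a working path to their gateway."""
    if src.net == dst.net:
        return True
    return can_reach_gateway(src, ifaces) and can_reach_gateway(dst, ifaces)


# Constructed topology from the thread: dumb switch, OPT1 is a VLAN on rl1.
ORIGINAL = [Iface("LAN rl1", "172.16.100.1/26", tagged=False),
            Iface("OPT1 vlan on rl1", "172.16.100.65/26", tagged=True)]
H40 = Host(".40", "172.16.100.40/26")
H80 = Host(".80", "172.16.100.80/26")
```

Swapping OPT1 for an untagged physical interface (the separate-switch design), or putting .80 behind a VLAN-capable switch, makes `can_ping(H40, H80, ...)` true in this model.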



  • Yes, back in the day I had several 3Com SuperStacks, and they all supported VLANs. I didn't really have a good understanding of what I was doing, but I had it working well enough that I had the far right 6 ports blocked off completely from the other 18, and used it like 2 separate switches.

    Hindsight being 20/20, the VLAN tagging now sheds light on how you can have specific ports respond to more than one VLAN (and also why the pfSense tags VLANs as it does in the setup).

