Pfsense VLANs are Confusing



  • Hello. I have read much of the documentation for VLANs and pfSense, as well as most of the threads on this forum where people have tried to configure VLANs, and yet this has not aided me in successfully constructing my own VLAN configuration, despite its simplicity. This is what I am trying to accomplish:

    LAN - CORE - 2 HIGH END PCs/Xbox 360/Wireless access point - [re0]

    VLAN TRUNK - TESTING/LABS - This line will trunk VLANs 10, 15, 20, 25 to my Cisco Catalyst 3500XL [OPT1/dc0]

    WAN [rl0]

    Switch is set up to have port 1 in trunking mode. This is connected to dc0/OPT1.
    Ports 5-10 - VLAN 10,
    Ports 10-15 - VLAN 15 etc.

    I do not get network access when connected to any ports.

    I was under the impression it should look something like this: (screen-shot from a tutorial)

    pfsense really does not make trunking and/or VLANS very easy. Any help would be greatly appreciated.



  • Are the shots from two different attempts, as the parent on the last shot shows sis0 as parent?
    If not, it's probably a driver issue; can you replace it with an Intel NIC?



  • Actually the last shot there is from a tutorial I found, one of very very few. I was trying to point out that I was under the impression that after assigning VLANs and a reboot the VLANs would show up on the Interface Assignment tab, and I would be able to assign DHCP to them, etc. This is not happening with my setup.

    I do not have the opportunity to replace the NICs in my pfsense box with intel ones currently due to budget constraints. I have a mixture of NICs in there at the moment, mostly ones from older PCs that I have accumulated throughout the years & one Rosewill gigabit. I do however have two SUN quad PCI NICs I was thinking about adding, but I am a little uncertain about them as well. If the issue is the NICs then I might have to scrap the VLAN idea. (for now ;)) I just got a CISCO router today anyway, but I was just trying to avoid having another piece of hardware drawing power.



  • Under the same page - Interface: Assign, you have to click the + sign to add one more interface for each VLAN.

    You do not set the Opt1 to dc0, set it to one of the VLANs.  Then add more interfaces and assign them to the remaining individual VLANs.

    Each of these interfaces can then be assigned their own subnets and addresses.



  • Hey. Thanks a million!  ;D I should have been able to figure that out…I guess that is what I get for trying to do this on so little sleep. I am going to try to reconfigure this and see if I can get it all working. Hopefully this thread will help others who are stuck with this.

    EDIT: Maybe you can take a look at my RULES and see if I have them set up correctly. My guess is that, if anything, they are excessive:



  • So I configured everything as you said and still no go. I am thinking this is either a problem with my switch configuration, or a NIC problem at the moment.

    PFSENSE CONFIG:

    SWITCHPORT TRUNK:

    I removed all the VLANs except 10 and 15 to simplify this. Any help would be much appreciated.



  • Your rules are somewhat excessive.
    You just need the following rule for each VLAN:
    Allow
    Protocol:  ANY
    Source:  <VLAN subnet>
    Destination:  ANY

    Take a look at the first LAN rule.  Also, you will need to clone the default NAT rule for each VLAN subnet that needs to access the internet.



  • Okay thanks. I haven't messed around with this for a couple days. I kept interrupting my home network and I have people that depend on it daily, but I built a new pfsense box to hopefully be able to test this. The only question I have now is client NICs. Do you need to have VLAN-capable network cards on the clients? (you can manually go into the configuration of the CLIENT NIC and set the VLAN tag). I just have generic realtek NICs on my clients, so I am wondering if that is the issue.



  • Your hosts don't need any VLAN configuration. If you have hosts plugged into ports 11-15 on the switch and you want them to be on VLAN 15, you simply set 'switchport access vlan 15' on fa0/11 – fa0/15 in the 3500.
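The switch side of what the last two replies describe, written out as an added example rather than configuration posted in this thread. It assumes the port layout the thread gives (port 1 trunked to pfSense's dc0/OPT1, ports 5-10 in VLAN 10, ports 11-15 in VLAN 15) and Catalyst 3500XL IOS syntax, where VLANs are created in `vlan database` mode and the trunk encapsulation must be set explicitly because pfSense only speaks 802.1Q, not ISL. The VLAN names are made up for the example.

```cisco
! Create the two VLANs. The 3500XL keeps VLAN definitions in the VLAN
! database, not in the running config, so this is done outside "configure terminal".
Switch# vlan database
Switch(vlan)# vlan 10 name LAB10
Switch(vlan)# vlan 15 name LAB15
Switch(vlan)# exit

Switch# configure terminal

! Port 1: 802.1Q trunk to the pfSense dc0/OPT1 parent interface.
! dot1q must be selected explicitly; an ISL trunk will never be understood by pfSense.
Switch(config)# interface FastEthernet0/1
Switch(config-if)# switchport trunk encapsulation dot1q
Switch(config-if)# switchport mode trunk
Switch(config-if)# no shutdown
Switch(config-if)# exit

! Ports 5-10: plain access ports in VLAN 10. Hosts here send untagged frames;
! the switch tags them as VLAN 10 before they cross the trunk.
! Repeat this block for FastEthernet0/6 through FastEthernet0/10.
Switch(config)# interface FastEthernet0/5
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 10
Switch(config-if)# exit

! Ports 11-15: access ports in VLAN 15. Repeat for FastEthernet0/12 through 0/15.
Switch(config)# interface FastEthernet0/11
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 15
Switch(config-if)# end
Switch# write memory

! Verification: the trunk should report "Operational Mode: trunk" and
! "Trunking Encapsulation: dot1q"; "show vlan" should list the access
! ports under VLAN 10 and 15 rather than under VLAN 1.
Switch# show interfaces FastEthernet0/1 switchport
Switch# show vlan
```

Two things worth checking against this layout. First, VLAN 1 is the untagged native VLAN on the trunk, so anything left in VLAN 1 arrives at pfSense untagged on the dc0 parent interface, not on a VLAN sub-interface; keep dc0 itself unassigned (or assigned with no IP and no rules) so that untagged traffic has nowhere to go. Second, on the pfSense shell, `ifconfig` should show each VLAN interface with `vlan: 10 parent interface: dc0` (and likewise for 15); if the VLAN interfaces are created but a client on an access port still gets no DHCP lease, the trunk encapsulation or the access-port VLAN assignment on the switch is the first thing to re-check, before suspecting the NIC.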

