Setting UP VLAN in pfSense 2.0?
-
Hi, i'm having a hard time setting up VLAN's on a Alix 2d3 with pfsense 2.0 and a Netgear FS728TP. What i would like to create is two separate VLAN's one for DATA and one for VOICE, DATA will be in the 192.168.1.0/24 subnet and VOICE will be in the 192.168.2.0/24 subnet. they both need access to the internet. My WAN interface is VR1 and my LAN interface is VR0. Can someone explain a little bit how to sent them, i have tried creating VLAN20 for VOICE on interface VR0 and VLAN10 for DATA on VR0 too. Does i need to delete the ORIGINAL LAN (VR0) interface ? because right now it's doesn't work at all.
-
Don't mix untagged and tagged traffic on the same parent interface.
Leave WAN on vr1
Delete LAN on vr0
–> Create DATA as vlan on vr0
--> create VOICE as vlan on vr0Then connect the vr0 interface to the switch.
Configure the VLANs on the switch as tagged on the port going to the pfSense. -
If my DATA VLAN is ID 10 and VOICE VLAN is ID 20, does i configure the port going to pfSense as tagged for both VLAN 10 and 20 ? and all other port as untagged for VLAN 10 and 20 and add the default VLANID if not in the packet to the VLAN 10?
-
Yes you should configure vlan10 and vlan20 as tagged on the port going to the pfSense and all other ports related to vlan10 and 20 as untagged.
Don't use the default vlan in any way on the ports you are using.
–> Disable the default vlan. -
Does i need to attribute any LAG on those VLAN ? i have this option in the NETGEAR SWITCH and they are all on the default VLAN (1)
-
Unless you want to use lagg you don't need it ;)
-
Ok and how can i give those 2 VLAN access to the internet via my WAN port and if possible let them communicate togheter ?
-
You simply assign the created vlans on the assign page like a normal interface.
From a usability point of view there is no difference between a vlan interface and a physical interface. -
Yes Both my VLAN 10 and 20 are assigne to and interface VLAN 10 as DATAVLAN and VLAN 20 as VOICEVLAN, i have configured my switch for testing, PORT 1 is the pfSense port (vr2) that is my optional port on the netgate box, i have tagged vlan 10 and 20 and the default vlan id if not submitted by the connected device is 10 so a subnet of 192.168.10.0/24. and port 2-4 on the switch are configure as untagged 10-20, with default id to 10 too. when i connect my laptop to the port 2, i get the ip adress: 192.168.10.100 wich is just perfect, but i cannot ping the 192.168.10.1 that is suppose to be the pfsense box. i have created those rules in the pfsense VLAN firewall setting:
ID Proto Source Port Destination Port Gateway Queue Schedule Description * DATAVLAN address * * * * none Default allow VLAN10 to any rule * VOICEVLAN net * * * * none Default allow VLAN20 to any rule * LAN net * * * * none Default allow LAN to any ruleI have those rule on all LAN and VLAN interface but i'm not able to commnunicate with the pfsense box on the vlan!
-
You have as source "DATAVLAN address" instead of "DATAVLAN net".
You don't need to create all those rules on all interfaces.
Rules are only evaluated on the interface they are arriving. -
Ok so what rules should i add to the DATAVLAN and VOICEVLAN to let them access all my LAN and WAN ?
-
Start with
source: any, destination: anyThen begin to restrict according to your needs.
-
Ok, i'm still having problem to figure out what are my issue here. So here is what i need to be done if someone can help it would be really awesome.
This is for a VoIP network, i have a Asterisk server, some analog gateway and some Aastra IP phone, all thos devices support vlan tagging. The aastra phone a a PC port and i would like to be able to use it, i have a option to set wich VLAN the PC port will be on and wich VLAN de LAN port will be on.
I Would like to have
VLAN1: 192.168.0.0/24 (DATA)
VLAN2: 192.168.1.0/24 (VOICE)I use a NETGEAR FS728TP and a NETGATE with pfSense 2.0 RC1.
What i want is all device to connect automatically to VLAN1 by default since no device have VLAN tag set in them by default, i want the Asterisk server tftp server avaible from both VLAN so the phone will be able to download it's config file and set the VLAN2 and reboot to start on the VLAN2 and log on the server.
I want every device to be like that.What my question is, wich port should i set to tagged, wich port should i set to untagged and for wich VLAN ? I have a port PVID configuration page in the NETGEAR switch that i think set the default VLAN to connect if there is none set by the device. Am i wrong? So what are the VLAN membership for every port that as a device connected to it? and what are the setting for the pfSense port ? By the way, every device connected to the VLAN1 will not set the ID in the packet, the switch must default it to VLAN1. Is it doable and how please?
Thanx a lot!!
-
This sounds to me like your IP Phones already send tagged traffic to the switch.
In this case you would have to add the ports on the switch as tagged members of the VLAN.
The PVID would be set to the VLAN on which you get the config.
