[SOLVED] VLAN help requested
-
Hello All.
I've been trying to get a VLAN configured under pfSense so I can finally separate my wireless from my wired network using pfSense and a Cisco 2900XL. In theory, this should work however it doesn't and I'm quite baffled. I'm sure I've missed something but I don't know what. The xl0 interface carries with it a default VLAN (1) which works properly (I'm posting from it.) and a second VLAN (2) which does not work at all.
My layout:
(pfSense OPT1 (VLAN 2 on xl0) 192.168.1.1 -> Cisco Fa0/22 (config below)
(pfSense LAN (xl0) 192.168.0.1 -> Cisco Fa0/22 (Default VLAN. This works)My configuration for Fa0/22
interface FastEthernet0/22
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk allowed vlan allMy configuration forFa0/1
interface FastEthernet0/1
switchport access vlan 2Now here's the weirdness!
I have a test rig set up on a static IP in the same network as the OPT1 network (192.168.1.x) and set it up to ping 192.168.1.1 and it gets no response from the pfSense firewall. If I turn on the Packet Capture feature in pfSense, the test rig can ping the OPT1 interface! As soon as I turn off the packet capture, I get nothing again. ??? ???
It's safe to assume that I have no custom firewall rules set up blocking OPT1 net from hitting the OPT1 IP address aside from the default of OPT1 net:* to : allowed
I've never heard of something like this before and all my googling has not helped me in this instance. Can someone provide assistance as to what I am missing?
Thank you for your time!
-
After very intensive googling and sleep deprivation, I was able to get it to work. The issue is that there is a bug or a mishandling of traffic that results when using VLAN tagged traffic (VLAN 2) and untagged traffic (LAN) on the same physical interface.
The research turned up that in this scenario, the VLAN and the LAN interfaces should both have the same MAC address (e.g. MAC Clone) however for whatever reason they do not. This results in the interface dropping all VLAN tagged traffic due to a unique MAC being assigned to the vlan interface.
In order to get around this issue, you must force the LAN interface into promiscuous mode (promisc) and keep it that way so that the traffic does not get dropped. This is why the VLAN would only work when the packet capture was running as the packet capture puts the interface into promisc mode so it can receive all traffic.
In order to make this "permanent", you will need to install a package called "shellcmd" from the pfSense Package manager. The shellcmd package allows you to add commands to the configuration as part of pfSense's normal boot process.
Here's how to configure shellcmd:
- Login to pfSense
- Click on "Packages" under the "System" menu.
- Locate "Shellcmd" and click the "+" button to the right.
- Let the package install.
- Once complete, go to "Services", then "Shellcmd"
- Click the "+" icon to add a shell command.
- add ifconfig LAN_INTERFACE promisc to the command field, and set type to "Shellcmd" ** Replace LAN_INTERFACE with the interface pointing to your local network. Mine was xl0, yours may be different. Click on "Interfaces -> Assign" to see which interface is what.
- Once added, reboot your system via "Diagnostics -> Reboot System"
- Once the device has rebooted, create your VLAN if you haven't already and assign it to the next available OPTx interface.
- Reboot the device again to apply the VLAN configuration.
- Assign an IP to the OPTx interface from Step 9 and configure as needed.
Once completed, you should be able to configure your switch to trunk mode on the port connected to pfSense. Assign a port to your VLAN and you should be good to go!
-
Using tagged and untagged trafic in same interface isn't supported as you noticed. that is also saied many times
-
Hello Metu:
It took about a week of Google searching to finally find anything that led me to a MAC address issue with VLAN traffic. Additionally, setting up all my local network traffic on VLAN1 and reassigning the LAN interface to VLAN1 resulted in a loss of connectivity to the pfSense firewall. This solution may be unsupported, but it works well.
If it is documented somewhere, it's not in any of the official documentation or the VLAN Setup page.
-
I have no glue why it is not on the official documenting but atleast here in forums it is told several times.