Creating VLANs



  • I am new to pfsense and I have just installed 2.0

    I have been struggling with this for a few days and finally decided I need some expert help.

    Here is my scenario

    Hardware

    Intel Xeon Server Running pfsense 2.0 and FreeSwitch (Fusionpbx)
    48 port D-Link DGS3100 PoE Switch

    em0 (WAN) - Cable Internet Connection
    em1 (LAN) - Connected to port 1 on D-Link Switch

    The LAN interface has an IP address of 172.22.1.1/24
    pfsense DHCP scope is 172.22.1.10 - 172.22.1.245
    D-Link IP is 172.22.1.254

    I would like to create 3 VLANs and isolate them from each other

    1 - Default
    2 - Data Network
    3 - FreeSwitch
    4 - Wireless

    Under Interfaces, I have already created VLAN Tags

    OPT1 VLAN2 - em1 (Data - Main Network)
    OPT2 VLAN3 - em1 (FreeSwitch)
    OPT3 VLAN4 - em0 (Wireless)

    On My D-Link Switch

    VLAN

    1 - Default
    2 - Port 1 tagged, Ports 2 - 32 untagged
    3 - Ports 33 - 47 untagged
    4 - Port 48 untagged

    The VLAN IDs correspond to each other for simplicity

    I plan on installing a wireless router on port 48 as an access point with a captive portal.  I can also install a D-Link Atheros based wireless PCI card into the server if that is a viable option and bridge the wireless to the WAN (em0)

    I also have two FreeNAS boxes on ports 2 and 3 and a network printer on port 4 of the D-Link Switch

    I am pretty sure the problem is with the D-Link, but I may have missed something in pfsense.

    I have set port 1 as a tagged port on the D-Link switch and all the other ports as untagged while creating VLAN 2

    As soon as I save this scenario, I lose access to my D-Link switch; I don't even get a chance to create VLAN 3 or VLAN 4

    I have to perform a full reset of the D-Link before I can get access to the switch again.

    Any ideas what I am doing wrong?

    As a side note, is there any way to speed up DHCP?  I usually put my desktop to sleep, and when I wake it up it takes at least a minute to acquire an IP address from pfsense.  It gets really annoying and I am at the point of just statically assigning all my IPs



  • @Gee:

    Under Interfaces, I have already created VLAN Tags

    OPT1 VLAN2 - em1 (Data - Main Network)
    OPT2 VLAN3 - em1 (FreeSwitch)
    OPT3 VLAN4 - em0 (Wireless)

    On My D-Link Switch

    VLAN

    1 - Default
    2 - Port 1 tagged, Ports 2 - 32 untagged
    3 - Ports 33 - 47 untagged
    4 - Port 48 untagged

    The VLAN IDs correspond to each other for simplicity

    I am pretty sure the problem is with the D-Link, but I may have missed something in pfsense.

    I have set port 1 as a tagged port on the D-Link switch and all the other ports as untagged while creating VLAN 2

    As soon as I save this scenario, I lose access to my D-Link switch; I don't even get a chance to create VLAN 3 or VLAN 4

    I have to perform a full reset of the D-Link before I can get access to the switch again.

    Any ideas what I am doing wrong?

    Yes, your switch isn't configured properly.

    Port 1, that is, the port connected to pfSense, needs to be trunked with all the VLANs.

    So,
    Port 1 must be tagged with VLANs:

    VLAN

    1 - Default
    2 - Port 1 tagged, Ports 2 - 32 untagged
    3 - Port 1 tagged, Ports 33 - 47 untagged
    4 - Port 1 tagged, Port 48 untagged

    Also, you must check your switch configuration.  I believe you must set the management VLAN accordingly since your PC is likely to be connected to Ports 2-32.  Effectively, the switch sees this as VLAN 2 traffic.  Hence, it will not allow access to the management interface.  You must add or set VLAN2 as the management VLAN.



  • Still having problems.  I had to update the firmware to get the VLAN options to work.

    Do I need to tag any ports?  Since I only have one switch (D-Link DGS-3100), I don't think I need to tag any of the packets.

    Here is what I currently have set up

    1 - Default (Ports 1-48) untagged
    2 - Network (Ports 1-32) untagged
    3 - FreeSwitch (Ports 1, 33-42) untagged
    4 - WiFi (Ports 1, 48) untagged (D-Link Router)

    Problem now is that I can still ping all the end points regardless of which VLAN I am in.

    Any suggestions?



  • Seems that port 1 is a trunk port, so every VLAN should be tagged.
    What rules do you have on those VLAN interfaces in pfSense?



  • The DGS-3100 has a slightly more complex VLAN setup; hence, the exact steps are as follows if you want to allow all LAN ports access to the switch configuration (in this instance, you would use a computer on Ports 2-32 or 43-47 to access the switch management):

    Go to L2 -> Asymmetric VLAN and enable it.

    Go to L2 Features > Forward & Filtering > DLF Filtering Mode:
    Select All (check the box), Select Forward all DLF packets.
    Apply.

    Go to L2 -> 802.1Q VLAN:

    Edit Default VLAN (VID 1).
    Select Ports 1 & 33-42 as non-members.
    Select Ports 2-32, 43-47 as untagged.
    Click Apply.

    Click on the Add/ Edit VLAN tab.
    Add a new VLAN with VID = 2, Name = LAN.
    Select Port 1 as Tagged.
    Select Ports 2-32 as Untagged.
    Select Ports 33-48 as Non-member.
    Click Apply.

    Click on the Add/ Edit VLAN tab.
    Add a new VLAN with VID = 3, Name = Freeswitch.
    Select Port 1 as Tagged.
    Select Ports 33-42 as Untagged.
    Select Ports 2-32, 43-48 as Non-Member.
    Click Apply.

    Click on the Add/ Edit VLAN tab.
    Add a new VLAN with VID = 4, Name = Wifi.
    Select Port 1 as Tagged.
    Select Port 48 as Untagged.
    Select Ports 2-47 as Non-Member.
    Click Apply.
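    The trunking rule given in the reply above (port 1 tagged in every VLAN, admin PC inside the management VLAN) and the step-by-step DGS-3100 table in this post can be checked mechanically before hitting Apply. The following is an added example, not code from the thread, pfSense or D-Link: a small Python validator that models a switch's VLAN table and flags the failure modes this thread walks through (uplink not tagged, admin port outside the management VLAN, a port untagged in several VLANs, and a pfSense VLAN interface bound to a NIC other than the one the trunk is cabled to). The port tables are transcribed from the posts; port 5 as the admin's port and the VLAN-to-NIC mapping are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Vlan:
    vid: int
    name: str
    tagged: set = field(default_factory=set)    # ports that carry this VLAN with an 802.1Q tag
    untagged: set = field(default_factory=set)  # access ports; frames leave without a tag

def ports(a, b):
    return set(range(a, b + 1))

def check_vlans(vlans, trunk_port, trunk_nic, pfsense_vlans, mgmt_vid, admin_port, asymmetric=False):
    """Return the list of problems in a switch VLAN table; [] means it looks sane.
    trunk_port/trunk_nic: switch port cabled to pfSense and the NIC at the other end.
    pfsense_vlans: {vid: parent NIC}; asymmetric: DGS-3100 'Asymmetric VLAN' enabled."""
    problems = []
    by_vid = {v.vid: v for v in vlans}
    # 1. each VLAN pfSense routes must reach it tagged on the uplink, and the pfSense
    #    VLAN interface must hang off the NIC that uplink is cabled to
    for vid, nic in pfsense_vlans.items():
        v = by_vid.get(vid)
        if v is None or trunk_port not in v.tagged:
            problems.append(f"VID {vid}: uplink port {trunk_port} not a tagged member")
        if nic != trunk_nic:
            problems.append(f"VID {vid}: pfSense interface on {nic}, trunk is on {trunk_nic}")
    # 2. the admin's PC must be an untagged member of the management VLAN, or
    #    applying the table locks you out of the switch (first post's symptom)
    mgmt = by_vid.get(mgmt_vid)
    if mgmt is None or admin_port not in mgmt.untagged:
        problems.append(f"port {admin_port} not untagged in management VID {mgmt_vid}: lockout")
    # 3. a port untagged in several VLANs bridges them (third post: everything pings);
    #    only acceptable when that overlap is the deliberate asymmetric design
    if not asymmetric:
        seen = {}
        for v in vlans:
            for p in v.untagged:
                seen.setdefault(p, []).append(v.vid)
        problems += [f"port {p} untagged in VIDs {vids}: no isolation"
                     for p, vids in sorted(seen.items()) if len(vids) > 1]
    return problems

# constructed from the third post's table: everything untagged and overlapping
ALL_UNTAGGED = [Vlan(1, "Default", untagged=ports(1, 48)),
                Vlan(2, "Network", untagged=ports(1, 32)),
                Vlan(3, "FreeSwitch", untagged={1} | ports(33, 42)),
                Vlan(4, "WiFi", untagged={1, 48})]
# constructed from the final post: port 1 tagged in 2-4, access ports untagged, VLAN 1 for management
FINAL = [Vlan(1, "Default", untagged=ports(2, 32) | ports(43, 47)),
         Vlan(2, "LAN", tagged={1}, untagged=ports(2, 32)),
         Vlan(3, "Freeswitch", tagged={1}, untagged=ports(33, 42)),
         Vlan(4, "Wifi", tagged={1}, untagged={48})]
```

    Running `check_vlans(FINAL, 1, "em1", {2: "em1", 3: "em1", 4: "em1"}, 1, 5, asymmetric=True)` returns an empty list, while the same call on ALL_UNTAGGED with the original pfSense mapping (VLAN 4 on em0) reports the missing tags, the em0/em1 mismatch and the overlapping untagged ports.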

