VLAN setup help needed
-
Currently running 1.2.3 on an Alix 3port setup.
Network is currently flat.I'm wanting to segregate network data types now though. I've decided to split based on:
-
Secured network devices (PCs/Macs, printers, APs, etc)
-
VoIP (currently only have one PAP2T adapter)
-
Video (Several DTV boxes, game consoles, Internet capable TVs)
-
Unsecured (Guest wireless, Lab Testing, DMZ, etc)
I have a couple of HP Procurve 'Smart' (Layer 2) switches that I can setup the VLANs on too.
I just need some help with the actual configuration of PFS when it comes to implementing the VLANs and configuring them.Here's what I have so far:
My first question though:
If we look directly at OPT1 (my VLAN10 setup), what do I do with the IP address here? Do I assign a /32 address? a .0/24 address? ???
Second question:
How do I specify that an interface is a trunked port? There's nothing that I see that allows me to 'allow' or 'include' VLANs onto an interface.And now, here's what my network would look like if all the VLANs were setup and working….to give you a better idea of what I'm trying to accomplish.
This is the current setup except that right now, there are no VLANs. -
-
If we look directly at OPT1 (my VLAN10 setup), what do I do with the IP address here? Do I assign a /32 address? a .0/24 address? ???
You're setting up the gateway for all devices on that network. Most likely you want a /24 subnet there, but not necessarily.
How do I specify that an interface is a trunked port? There's nothing that I see that allows me to 'allow' or 'include' VLANs onto an interface.
You did that when you created the vlan interface. A physical interface in pfsense will accept ethernet frames that are tagged for any vlan interface that is assigned and enabled on that physical interface.
-
If we look directly at OPT1 (my VLAN10 setup), what do I do with the IP address here? Do I assign a /32 address? a .0/24 address? ???
You're setting up the gateway for all devices on that network. Most likely you want a /24 subnet there, but not necessarily.
How do I specify that an interface is a trunked port? There's nothing that I see that allows me to 'allow' or 'include' VLANs onto an interface.
You did that when you created the vlan interface. A physical interface in pfsense will accept ethernet frames that are tagged for any vlan interface that is assigned and enabled on that physical interface.
Okay…understand about the trunking. That's sorta what I was hoping for.
Now, regarding the IP address field for the VLAN config:
If this is essentially the IP address of the gateway, then are we talking about the Internet Gateway? Or are you saying that whatever IP address I put here is the 'gateway' for devices on that particular subnet? If that is the case, then why wouldn't I assign a single /32 address here? -
If this is essentially the IP address of the gateway, then are we talking about the Internet Gateway? Or are you saying that whatever IP address I put here is the 'gateway' for devices on that particular subnet? If that is the case, then why wouldn't I assign a single /32 address here?
It's the latter, the address of pfsense, and the address that hosts on that network will use as their gateway. If you put /32 there then you're telling pfsense to not talk to any other device. If you put a /24 there then pfsense will talk to any of 253 other devices (those whose IP address shares the first 24 bits with pfsense).
-
Okay…understand.
Next - The option just below this is the "Gateway" address field. The 'tip' says "If this interface is an Internet connection, enter its next hop gateway (router) IP address here. Otherwise, leave this option blank."
To me, these interfaces are the gateways to the Internet. But, there would NOT be another hop (refer to my network diagram).
A little confused on this one too... ???I think after this, I just need to setup the DHCP servers for the new subnets and create any needed firewall rules.
-
If you're not sure then you don't need the gateway option. That is where you would enter the address of another host on that network if that other host was acting as gateway to some other network. The fact that pfsense is acting as gateway to attached hosts has nothing to do with that setting.
-
Subscribed…
Will be doing a similar setup in the near future, just slightly different hardware.
SO im just gonna watch this thread where it leads.However the backbone on my network will be 10GB with STP.
-
If you're not sure then you don't need the gateway option. That is where you would enter the address of another host on that network if that other host was acting as gateway to some other network. The fact that pfsense is acting as gateway to attached hosts has nothing to do with that setting.
Okay…so this is another one of the settings that if you don't put anything, normal routing occurs - in this case, if I leave it blank, it will NAT these new subnets according to the routing table. (only need to populate, like you said, if there's some other gateway that I want to specify)
...just thinking out loud here so bear with me - So my existing vr1 interface that exist already, and is configured as 192.168.0.1/24, is NAT'ing traffic to the WAN interface. These new OPTx interfaces (.10, .20, .30, .40) will just be handled the same way. Traffic ingressing these interfaces and destined to the Internet will just be NAT'd along with traffic on vr1 or the other OPTx interfaces too, according to the routing table. -
These new OPTx interfaces (.10, .20, .30, .40) will just be handled the same way. Traffic ingressing these interfaces and destined to the Internet will just be NAT'd along with traffic on vr1 or the other OPTx interfaces too, according to the routing table.
True if you have Automatic Outbound NAT enabled (it is by default). Otherwise you will have to create a rule to NAT these.
-
Alrighty then! Looks like things are working.
I have tested and confirmed working a laptop getting the appropriate DHCP lease after going through through two 'trunk' connections (I use the term loosely here becuase HP's 'trunk' != Cisco's 'trunk'). Laptop also has Internet access.….but, looks like one small issue. Example is that when the laptop is on the .10 subnet, it has access to hosts on other subnets. Firewall rule needed to correct this or a checkbox somewhere?
Otherwise, just need to setup the VLANs on the wireless and make it's working.
-
Check the firewall rules on the interface that the laptop is connected to. If you have a Pass All rule then nothing will stop it from reaching hosts on other networks.
If you want to prevent that then try creating a LOCAL alias for all your local networks and modify your Pall All rule to include the destination !LOCAL.
-
Check the firewall rules on the interface that the laptop is connected to. If you have a Pass All rule then nothing will stop it from reaching hosts on other networks.
If you want to prevent that then try creating a LOCAL alias for all your local networks and modify your Pall All rule to include the destination !LOCAL.
Makes perfect sense. I'll get that setup and retry. Thanks!