New VLAN setup
-
i would like to become familiar with VLANs.
pfsense- 2.0.1 interface configuration below:
re0- WAN- DHCP from ISP
re2- LAN- DHCP 192.168.1.0/ 24
re1- OTP1- not in use.i have an HP switch (VLAN READY) hp 1810g-8ge (J9449A)
my goal is to create a secondary network (10.0.10.0 /24) for guest access.
i would like for the guests to have access only to the internet and not the 192.168.1.0 /24 network.
for pfsense, do i create a VLAN and assign it to re2 or re1?
i am following this guide for configuring the HP switch (http://bizsupport.austin.hp.com/bc/docs/support/SupportManual/c02641368/c02641368.pdf), but before i work on the HP switch, i want to make sure pfsense is configured properly.
-
one thing i will remember is to keep 1 port on the default VLAN of the HP switch so i can still IP into it to make changes.
i assigned it 192.168.1.20
-
@tomdlgns:
for pfsense, do i create a VLAN and assign it to re2 or re1?
In the web GUI you go to Interfaces: Assign: and select the VLAN tab. Then click the '+' to add VLAN interfaces. You assign it to a parent interface which is the physical NIC it will operate on.
One thing to note is that, if at all possible, you should avoid having tagged and non-tagged traffic on the same NIC. Whilst this is technically possible it can often cause problems. So in your case use your re1 (opt1) interface for your VLANs and only for VLANs.
This may lead to the confusing situation of having two NICs connected to the switch but it shouldn't be a problem if you have the switch configured correctly! ;)Steve
-
@tomdlgns:
for pfsense, do i create a VLAN and assign it to re2 or re1?
In the web GUI you go to Interfaces: Assign: and select the VLAN tab. Then click the '+' to add VLAN interfaces. You assign it to a parent interface which is the physical NIC it will operate on.
One thing to note is that, if at all possible, you should avoid having tagged and non-tagged traffic on the same NIC. Whilst this is technically possible it can often cause problems. So in your case use your re1 (opt1) interface for your VLANs and only for VLANs.
This may lead to the confusing situation of having two NICs connected to the switch but it shouldn't be a problem if you have the switch configured correctly! ;)Steve
ok, i follow the part about creating the vlan in pfsense and assigning it to re1. i already did that, but i didnt want to post in case i was wrong. :)
i dont have the hp switch connected to the network, but are you saying that i will end up connecting both pfsense nics, re2 and re1 to the hp vlan switch and THEN connect my current switch (16 port netgear- non managed) to the hp vlan switch. my current switch at home would plug into a normal port on the hp vlan, not a tagged port on the newly created vlan (switch), correct?
i can draw a diagram if it will help…?
EDIT- current pfSense configuration...
interface- re1
vlan tag- 2
description- vlan2edit- change 20s to 2s
i cant do this on the drawing, unless i redraw and upload.
-
assuming the pfsense config is OK, do i need to setup the hp switch with the same vlan tag, in this case, 20? is that how pfsense and the hp switch will communicate?
thanks
-
here is a pic of my current setup.
NOTE- the hp switch currently has the 1 default lan and i have the switch assigned to 192.168.1.20 and that all PCs/devices on the network are pulling an ip from pfsense (192.168.1.1 /24).
-
here is a pic of what i think i need to set it up as.
NOTE- i forgot to draw on there that the hp switch will still be configured as 192.168.1.20 and that ports 7 and 8 will be part of my VLAN20 (i need to create this on the HP switch, (10.0.10.1 network).
i will statically assign the wifi router as 10.0.10.2 and disable DHCP on it and left pfsense handle DHCP.
do i have this right or did i make a wrong turn somewhere?
EDIT- if i am correct and i set this up properly, my HTPC, xbox, laptop/desktop should not change and they should remain on the 192.168.1.1 /24 network. i did not label it in the drawing, but i figured i should mention it.
-
@tomdlgns:
assuming the pfsense config is OK, do i need to setup the hp switch with the same vlan tag, in this case, 20? is that how pfsense and the hp switch will communicate?
Yes.
I think you are over complicating things, probably not helped by my description! ::)
The only reason you would need to have two interfaces connected to the HP switch is if you need untagged traffic on it. Some switches have their management interface on untagged subnet only for example.
If you don't need that then just have the HP switch connected to re1 and the Netgear switch on re2. That way you keep the VLANs separate and the swicth configuration is much less complex.
Steve
-
@tomdlgns:
assuming the pfsense config is OK, do i need to setup the hp switch with the same vlan tag, in this case, 20? is that how pfsense and the hp switch will communicate?
Yes.
I think you are over complicating things, probably not helped by my description! ::)
The only reason you would need to have two interfaces connected to the HP switch is if you need untagged traffic on it. Some switches have their management interface on untagged subnet only for example.
If you don't need that then just have the HP switch connected to re1 and the Netgear switch on re2. That way you keep the VLANs separate and the swicth configuration is much less complex.
Steve
ok, i follow what you are saying.
however, here is another part i left out…just so it doesnt get complicated.
i have the modem, pfsense box, and two switches (hp and netgear) in the utility room of my house (all centralized).
i have two other switches in other parts of my house, due to only having 1 ethernet cable running to the two rooms...
switch 1 is in my diagram, it has the xbox and htpc connected to it.
the switch NOT pictured is in a room that has another computer connected to it.
if i changed the switch that isnt pictured to a VLAN Switch, could i have one device in that room point to 192.168.1.1 and the other point to 10.0.10.1?
if the answer is yes, wouldnt i need to include the hp switch in my network like i have it in the second diagram?
obviously i would have to tag another port for vlan2 my drawing is only using 7 and 8.
if i am wrong, let me know. i'd hate to proceed forward with this if it isnt accurate.
-
Are you thinking allowing them access on the physical LAN? If you are only going to allow them on the Wifi (even the switch that is usually on the back) then you don't really need a VLAN at all. Just use re1. You can even setup reservations in DHCP for your personal wifi and allow access to you main network.
-
Are you thinking allowing them access on the physical LAN? If you are only going to allow them on the Wifi (even the switch that is usually on the back) then you don't really need a VLAN at all. Just use re1. You can even setup reservations in DHCP for your personal wifi and allow access to you main network.
not at this time, but something i might want to experiment with later.
this is being setup for testing purposes.
my goal is to create 1 physical network and 1 VLAN and allow the vlan computers to get internet access, but not communicate with the physical lan (192.168.1.1).
-
here are my pfsense settings…need to get that setup properly.
does the vlan id and vlan tag in pfsense and on my hp switch have to match?
in pfsense i am using 20, in the hp switch i have 2.
here is the hp switch setting.
in my drawing i listed ports 7,8 being part of the vlan, but i forgot that i used port8 to plug into my existing network. i am not at home right now, so i configured ports 1,2 instead (for vlan).
-
also, i am not able to DHCP this interface…wont let me.
http://i.imgur.com/WfZbc.jpg
-
vLan id must match iirc.
-
vLan id must match iirc.
ok, i can change that now.
for the small chance that it doesn't, i suppose it is good practice to keep them the same for organizational purposes.
obviously if it does matter, then i guess i should change it so it can….......work. :)
-
another quick question…
T- tagged (tagging it for the vlan i want it a part of, i get that).
U- untagged (i get that...keep it untagged so it isnt a part of that vlan).
E- exclude (i dont get this. if it is untagged isnt that basically saying...exlcude/dont tag this port...)?
vlan1 is all u,u,u,u,u,u,u,u
vlan2 (the one i made) is t,t,u,u,u,u,u,u
should i go back and change vlan 1 on the hp switch to look like:
e,e,u,u,u,u,u,u ?
-
i changed the vlan tag and description in pfsense from 20 to 2
-
@tomdlgns:
another quick question…
T- tagged (tagging it for the vlan i want it a part of, i get that).
U- untagged (i get that...keep it untagged so it isnt a part of that vlan).
E- exclude (i dont get this. if it is untagged isnt that basically saying...exlcude/dont tag this port...)?
vlan1 is all u,u,u,u,u,u,u,u
vlan2 (the one i made) is t,t,u,u,u,u,u,u
should i go back and change vlan 1 on the hp switch to look like:
e,e,u,u,u,u,u,u ?
Tagging a port means that you are going to access more than one vlan on that port so if the firewall is in port 1 then
VLAN1
t,e,u,u,u,u,u,uVLAN2
t,u,e,e,e,e,e,eI hope that makes sense.
-
@tomdlgns:
another quick question…
T- tagged (tagging it for the vlan i want it a part of, i get that).
U- untagged (i get that...keep it untagged so it isnt a part of that vlan).
E- exclude (i dont get this. if it is untagged isnt that basically saying...exlcude/dont tag this port...)?
vlan1 is all u,u,u,u,u,u,u,u
vlan2 (the one i made) is t,t,u,u,u,u,u,u
should i go back and change vlan 1 on the hp switch to look like:
e,e,u,u,u,u,u,u ?
Tagging a port means that you are going to access more than one vlan on that port so if the firewall is in port 1 then
VLAN1
t,e,u,u,u,u,u,uVLAN2
t,u,e,e,e,e,e,eI hope that makes sense.
i think so. i have to edit vlan 1 to tell it which ports are used by other vlans?
right now, port 8 is plugged into my LAN port so i can talk to it (192.168.1.1 network).
i am going to use ports 1 and 2 for vlan 2.
if i follow you, i should edit vlan 1 to look like:
vlan 1 (default from hp)
e,e,u,u,u,u,u,tvlan 2 (the one i am making to talk to pfsense opt1)
t,t,e,e,e,e,e,e
(i dont think i have it, afterall).
-
this was what i was talking about above. i onyl have 1 lan cable going to a specific room. if i have another vlan switch up there, can i have this setup? or something similar…?
