New VLAN setup
-
i would like to become familiar with VLANs.
pfsense- 2.0.1 interface configuration below:
re0- WAN- DHCP from ISP
re2- LAN- DHCP 192.168.1.0/ 24
re1- OTP1- not in use.i have an HP switch (VLAN READY) hp 1810g-8ge (J9449A)
my goal is to create a secondary network (10.0.10.0 /24) for guest access.
i would like for the guests to have access only to the internet and not the 192.168.1.0 /24 network.
for pfsense, do i create a VLAN and assign it to re2 or re1?
i am following this guide for configuring the HP switch (http://bizsupport.austin.hp.com/bc/docs/support/SupportManual/c02641368/c02641368.pdf), but before i work on the HP switch, i want to make sure pfsense is configured properly.
-
one thing i will remember is to keep 1 port on the default VLAN of the HP switch so i can still IP into it to make changes.
i assigned it 192.168.1.20
-
for pfsense, do i create a VLAN and assign it to re2 or re1?
In the web GUI you go to Interfaces: Assign: and select the VLAN tab. Then click the '+' to add VLAN interfaces. You assign it to a parent interface which is the physical NIC it will operate on.
One thing to note is that, if at all possible, you should avoid having tagged and non-tagged traffic on the same NIC. Whilst this is technically possible it can often cause problems. So in your case use your re1 (opt1) interface for your VLANs and only for VLANs.
This may lead to the confusing situation of having two NICs connected to the switch but it shouldn't be a problem if you have the switch configured correctly! ;)Steve
-
for pfsense, do i create a VLAN and assign it to re2 or re1?
In the web GUI you go to Interfaces: Assign: and select the VLAN tab. Then click the '+' to add VLAN interfaces. You assign it to a parent interface which is the physical NIC it will operate on.
One thing to note is that, if at all possible, you should avoid having tagged and non-tagged traffic on the same NIC. Whilst this is technically possible it can often cause problems. So in your case use your re1 (opt1) interface for your VLANs and only for VLANs.
This may lead to the confusing situation of having two NICs connected to the switch but it shouldn't be a problem if you have the switch configured correctly! ;)Steve
ok, i follow the part about creating the vlan in pfsense and assigning it to re1. i already did that, but i didnt want to post in case i was wrong. :)
i dont have the hp switch connected to the network, but are you saying that i will end up connecting both pfsense nics, re2 and re1 to the hp vlan switch and THEN connect my current switch (16 port netgear- non managed) to the hp vlan switch. my current switch at home would plug into a normal port on the hp vlan, not a tagged port on the newly created vlan (switch), correct?
i can draw a diagram if it will help…?
EDIT- current pfSense configuration...
interface- re1
vlan tag- 2
description- vlan2edit- change 20s to 2s
i cant do this on the drawing, unless i redraw and upload.
-
assuming the pfsense config is OK, do i need to setup the hp switch with the same vlan tag, in this case, 20? is that how pfsense and the hp switch will communicate?
thanks
-
here is a pic of my current setup.
NOTE- the hp switch currently has the 1 default lan and i have the switch assigned to 192.168.1.20 and that all PCs/devices on the network are pulling an ip from pfsense (192.168.1.1 /24).
-
here is a pic of what i think i need to set it up as.
NOTE- i forgot to draw on there that the hp switch will still be configured as 192.168.1.20 and that ports 7 and 8 will be part of my VLAN20 (i need to create this on the HP switch, (10.0.10.1 network).
i will statically assign the wifi router as 10.0.10.2 and disable DHCP on it and left pfsense handle DHCP.
do i have this right or did i make a wrong turn somewhere?
EDIT- if i am correct and i set this up properly, my HTPC, xbox, laptop/desktop should not change and they should remain on the 192.168.1.1 /24 network. i did not label it in the drawing, but i figured i should mention it.
-
assuming the pfsense config is OK, do i need to setup the hp switch with the same vlan tag, in this case, 20? is that how pfsense and the hp switch will communicate?
Yes.
I think you are over complicating things, probably not helped by my description! ::)
The only reason you would need to have two interfaces connected to the HP switch is if you need untagged traffic on it. Some switches have their management interface on untagged subnet only for example.
If you don't need that then just have the HP switch connected to re1 and the Netgear switch on re2. That way you keep the VLANs separate and the swicth configuration is much less complex.
Steve
-
assuming the pfsense config is OK, do i need to setup the hp switch with the same vlan tag, in this case, 20? is that how pfsense and the hp switch will communicate?
Yes.
I think you are over complicating things, probably not helped by my description! ::)
The only reason you would need to have two interfaces connected to the HP switch is if you need untagged traffic on it. Some switches have their management interface on untagged subnet only for example.
If you don't need that then just have the HP switch connected to re1 and the Netgear switch on re2. That way you keep the VLANs separate and the swicth configuration is much less complex.
Steve
ok, i follow what you are saying.
however, here is another part i left out…just so it doesnt get complicated.
i have the modem, pfsense box, and two switches (hp and netgear) in the utility room of my house (all centralized).
i have two other switches in other parts of my house, due to only having 1 ethernet cable running to the two rooms...
switch 1 is in my diagram, it has the xbox and htpc connected to it.
the switch NOT pictured is in a room that has another computer connected to it.
if i changed the switch that isnt pictured to a VLAN Switch, could i have one device in that room point to 192.168.1.1 and the other point to 10.0.10.1?
if the answer is yes, wouldnt i need to include the hp switch in my network like i have it in the second diagram?
obviously i would have to tag another port for vlan2 my drawing is only using 7 and 8.
if i am wrong, let me know. i'd hate to proceed forward with this if it isnt accurate.
-
Are you thinking allowing them access on the physical LAN? If you are only going to allow them on the Wifi (even the switch that is usually on the back) then you don't really need a VLAN at all. Just use re1. You can even setup reservations in DHCP for your personal wifi and allow access to you main network.
-
Are you thinking allowing them access on the physical LAN? If you are only going to allow them on the Wifi (even the switch that is usually on the back) then you don't really need a VLAN at all. Just use re1. You can even setup reservations in DHCP for your personal wifi and allow access to you main network.
not at this time, but something i might want to experiment with later.
this is being setup for testing purposes.
my goal is to create 1 physical network and 1 VLAN and allow the vlan computers to get internet access, but not communicate with the physical lan (192.168.1.1).
-
here are my pfsense settings…need to get that setup properly.
does the vlan id and vlan tag in pfsense and on my hp switch have to match?
in pfsense i am using 20, in the hp switch i have 2.
here is the hp switch setting.
in my drawing i listed ports 7,8 being part of the vlan, but i forgot that i used port8 to plug into my existing network. i am not at home right now, so i configured ports 1,2 instead (for vlan).
-
also, i am not able to DHCP this interface…wont let me.
-
vLan id must match iirc.
-
vLan id must match iirc.
ok, i can change that now.
for the small chance that it doesn't, i suppose it is good practice to keep them the same for organizational purposes.
obviously if it does matter, then i guess i should change it so it can….......work. :)
-
another quick question…
T- tagged (tagging it for the vlan i want it a part of, i get that).
U- untagged (i get that...keep it untagged so it isnt a part of that vlan).
E- exclude (i dont get this. if it is untagged isnt that basically saying...exlcude/dont tag this port...)?
vlan1 is all u,u,u,u,u,u,u,u
vlan2 (the one i made) is t,t,u,u,u,u,u,u
should i go back and change vlan 1 on the hp switch to look like:
e,e,u,u,u,u,u,u ?
-
i changed the vlan tag and description in pfsense from 20 to 2
-
another quick question…
T- tagged (tagging it for the vlan i want it a part of, i get that).
U- untagged (i get that...keep it untagged so it isnt a part of that vlan).
E- exclude (i dont get this. if it is untagged isnt that basically saying...exlcude/dont tag this port...)?
vlan1 is all u,u,u,u,u,u,u,u
vlan2 (the one i made) is t,t,u,u,u,u,u,u
should i go back and change vlan 1 on the hp switch to look like:
e,e,u,u,u,u,u,u ?
Tagging a port means that you are going to access more than one vlan on that port so if the firewall is in port 1 then
VLAN1
t,e,u,u,u,u,u,uVLAN2
t,u,e,e,e,e,e,eI hope that makes sense.
-
another quick question…
T- tagged (tagging it for the vlan i want it a part of, i get that).
U- untagged (i get that...keep it untagged so it isnt a part of that vlan).
E- exclude (i dont get this. if it is untagged isnt that basically saying...exlcude/dont tag this port...)?
vlan1 is all u,u,u,u,u,u,u,u
vlan2 (the one i made) is t,t,u,u,u,u,u,u
should i go back and change vlan 1 on the hp switch to look like:
e,e,u,u,u,u,u,u ?
Tagging a port means that you are going to access more than one vlan on that port so if the firewall is in port 1 then
VLAN1
t,e,u,u,u,u,u,uVLAN2
t,u,e,e,e,e,e,eI hope that makes sense.
i think so. i have to edit vlan 1 to tell it which ports are used by other vlans?
right now, port 8 is plugged into my LAN port so i can talk to it (192.168.1.1 network).
i am going to use ports 1 and 2 for vlan 2.
if i follow you, i should edit vlan 1 to look like:
vlan 1 (default from hp)
e,e,u,u,u,u,u,tvlan 2 (the one i am making to talk to pfsense opt1)
t,t,e,e,e,e,e,e
(i dont think i have it, afterall).
-
this was what i was talking about above. i onyl have 1 lan cable going to a specific room. if i have another vlan switch up there, can i have this setup? or something similar…?
-
Does the switch between the two VLAN switches preserve VLAN tags? If it doesn't you probably don't want to use that configuration.
-
Does the switch between the two VLAN switches preserve VLAN tags? If it doesn't you probably don't want to use that configuration.
it is just a regular switch.
-
here is a pic of what i think i need to set it up as.
NOTE- i forgot to draw on there that the hp switch will still be configured as 192.168.1.20 and that ports 7 and 8 will be part of my VLAN20 (i need to create this on the HP switch, (10.0.10.1 network).
i will statically assign the wifi router as 10.0.10.2 and disable DHCP on it and left pfsense handle DHCP.
do i have this right or did i make a wrong turn somewhere?
EDIT- if i am correct and i set this up properly, my HTPC, xbox, laptop/desktop should not change and they should remain on the 192.168.1.1 /24 network. i did not label it in the drawing, but i figured i should mention it.
does anyone advise against this?
i am on site right now and i can config it this way and do some testing.
thanks.
-
well, you can use only one cable to hp-vlan switch, just tag port with all vlans you need and connect re1.
But if you need more then 100Mbit, you may need two interfaces.
-
well, you can use only one cable to hp-vlan switch, just tag port with all vlans you need and connect re1.
But if you need more then 100Mbit, you may need two interfaces.
ok, i do follow what your saying, but now i dont understand the purpose of a VLAN. in this scenario, i am not creating a VLAN, i am just creating another LAN.
i guess this is why i never tried to setup a vlan, everytime i try, i get going in 5 different directions and can never get down the basics.
thanks.
-
also, if there is a better way to setup a VLAN to do some practical testing, let me know and i would be glad to give that way a shot.
thanks.
-
on your switch configure:
-
wifi port with vlan 100 untaged
-
firewall port with vlan 1 and 100 tagged
on firewall configure:
-
vlan1 on re1 for lan interface
-
vlan100 on re1 for wifi interface
-
Assign dhcp range 192.168 to lan
-
Assign dhcp range 10.0.10 for wifi
After this, you will have two working networks on re1.
-
-
on your switch configure:
-
wifi port with vlan 100 untaged
-
firewall port with vlan 1 and 100 tagged
on firewall configure:
-
vlan1 on re1 for lan interface
-
vlan100 on re1 for wifi interface
-
Assign dhcp range 192.168 to lan
-
Assign dhcp range 10.0.10 for wifi
After this, you will have two working networks on re1.
ok. for the wifi port on the hp switch…i will untag that...what should i do with the rest? e?
for the firewall port, i will tag 1 and 100, but what do i with the rest...e?
-
-
The default vlan id is 1 and default configuration for all ports are vlan id 1 untag, so you do not need to do anything, just check if it's configured on your switch
-
The default vlan id is 1 and default configuration for all ports are vlan id 1 untag, so you do not need to do anything, just check if it's configured on your switch
what about vlan100?
-
vlan1
wifi vlan 100
-
change port1 vlan1 from U to T and wifi port on vlan100 toU
-
change port1 vlan1 from U to T and wifi port on vlan100 toU
ok, i am going to do that now, but this is why i am confused
"The default vlan id is 1 and default configuration for all ports are vlan id 1 untag, so you do not need to do anything, just check if it's configured on your switch"
makes it seem like i need to leave everything as is on the default vlan…but like i said, i am changing it now.
-
change port1 vlan1 from U to T and wifi port on vlan100 toU
when i go to make these changes on vlan1 it tells me i might lose web management connection.
also, is the wifi port, port 1 as well, or should i use port 2 for that?
-
change configuration with a machine connected to any port other then ports you are changing
leave port 1 for firewall machine as you are tagging vlan on it and use port 2 for the wifi router as you are not changing anything there.
when you use tagged ports, the machine/router plugged on this port must have vlan tags configured to work
when you use untag portsm the machine does not need to know that it is on a vlan.
just pay attention to do not use tag and untag on same port.
-
change configuration with a machine connected to any port other then ports you are changing
leave port 1 for firewall machine as you are tagging vlan on it and use port 2 for the wifi router as you are not changing anything there.
when you use tagged ports, the machine/router plugged on this port must have vlan tags configured to work
when you use untag portsm the machine does not need to know that it is on a vlan.
just pay attention to do not use tag and untag on same port.
vlan1
T U U U U U U U
vlan 100 (wifi)
E T E E E E E E
is what i should end up with?
-
this way:
vlan1T E U U U U U U
vlan 100 (wifi)
T U E E E E E E
port 1 firewall
port 2 wifi
-
this way:
vlan1T E U U U U U U
vlan 100 (wifi)
T U E E E E E E
port 1 firewall
port 2 wifi
ok, so once a port is tagged, it has to be marked as tagged in every vlan you create?
i just made those changes…moving to pfsense now.
-
here is pfsense setup
i am not done, i am stuck, here.
i cant set two things on re1. only one at a time.
-
Lan will be vlan1 on re1 and opt1 will be vlan100 on re1.
Disconnect re2
