VLANS
-
Ok…. I have not had a chance to look into it yet as I am waiting for the smart switch and access points.
But here is a quick question.
I have a location that will have corp users needing access to the corporate network (securely) and visitors that need access to the internet and should not have access to the corp network.
Here is a diagram
I want to know if on pfSense I should leave re1 (LAN) unnumbered and create two VLANs ---- VLAN 10 Corp and VLAN 20 Visitors, or should I create 3 VLANs..... and leave re1 unnumbered: VLAN 10 CORP, VLAN 20 Visitors, VLAN 50 Management, or should I assign an IP to RE1 and then create the VLANs?
-
In your scenario you will only need VLANs running on the real interface. The real interface therefore won't be assigned. I have exactly the same setup in a hotel with several access points. The access points have 2 VLANs (public/management). The public VLAN has no encryption and is broadcasting its SSID. There is also a captive portal in place to redirect the guests to a login page. The management VLAN runs with WPA and a hidden SSID. Works like a charm.
-
Well here is what I have and I cannot ping the IPs other than 10.255.255.1
Here is the setup
PC ---- Access port ---- SRW2008MP Linksys switch ---- Trunk port ---- pfSense
Pfsense LAN interface is re1
re1 - IP address 10.255.255.1
VLAN10 (re1) - 10.3.3.1
VLAN20 (re1) - 10.100.100.1
It may be the trunking on the Linksys but I am not sure (really not impressed with the Linksys).
I want to make sure that pfsense is fine as far as the vlans config goes?
-
You shouldn't use the parent interface for your VLAN trunk port for anything; in this case your re1 interface should only be hosting VLANs. 10.255.255.1 should be a VLAN, or a different physical interface. This is true of any VLAN setup: you should never use the native VLAN, which is what re1 is on in this instance. It's a security risk because it's commonly possible to drop from a tagged VLAN to the native VLAN.
If you're going to use VLANs, every subnet needs a dedicated one. Never use VLAN 1 for anything, for the same reason as above (it should be the default native VLAN).
Other thoughts, make sure the switch port you're connecting your dumb switches to is configured on the appropriate VLAN, and configured to tag all incoming traffic on that port with the appropriate VLAN as well. This is sometimes two configuration steps, depending on the switch.
Last, make sure it's using 802.1q trunking on the trunk port to pfsense. The pfsense side is the easy part. If you get the parent interface and the VLAN ID right, you're done. The switch side can get tricky, I'm sure that's most likely what you have misconfigured.
-
OK…
The pfSense has two nics one WAN and one LAN.
LAN = re1
Do I leave re1 unnumbered and then create the VLANs?
EX:
re1 - no ip address?
opt1 - (re1) - vlan10
opt2 - (re1) - vlan20
I am pretty sure the switch is configured right.
-
Don't even assign the re1 interface, only assign the vlans.
-
I must be missing something.
During the initial configuration
It asks me to assign vlans [y|n] (i answer yes)
Then I create vlan 10 and assign to re1
Then I create vlan 20 and assign to re1
Then it asks the assign nic to LAN - re1
Then I assign the nic to WAN - re0
The LAN interface gets configured with a 192.168.1.1 IP by default.
So I am not sure on the "don't assign the re1 interface, only assign the VLANs"
??
-
assign lan to vlan0 assign wan to re0
then when web interface is up assign opt to vlan1
-
Thanks…just before your post I did that....opt1 keeps resetting on me after I configure it??
-
Thanks…just before your post I did that....opt1 keeps resetting on me after I configure it??
Sorry, I don't know about that one; sounds very odd. You might want to try ifconfig on a console and see if your VLANs look like they are configured correctly. You can also check this out in the assign interfaces area of the web GUI under VLANs.
-
Yes, the interface disappears after I enable OPT1.
I am using "1.2 BETA-1-Prerelease-snapshot-04-23-07"
-
Also, once I enable VLANs I lose connectivity.
I have the SRW2008MP ---- trunk ---- pfSense. Is there an issue with trunking in pfSense??
-
Whatever I have tried I cannot get vlans to work….I am wondering if it is a pfsense issue.
I am using the SRW2008MP Linksys switch...... I am sure that if it is not a pfSense issue I would have been done already if this was a Cisco IOS switch. :(
-
When you say trunk I assume you mean the port that pfSense is plugged into is configured as a trunked port.
I also assume that all VLANs you configured in pfSense are in this trunk you set up on your switch.
I am a bit old school, but I add all the VLANs I want to my switch, then add all the tags I want pfSense to see to the port pfSense is attached to.
Then I might have port VLAN tags on other ports, or tagged VLAN ports on other ports, or trunks that go between switches. 802.1q is a standard and any Cisco switches I have worked with have been fine.
-
Switch is trunked to pfSense and is tagged with VLAN10 and VLAN20, and untagged VLAN1.
I can communicate with all devices on VLAN10 no problem..... even when I connect the pfSense box without any VLANs and just an assigned IP connected to an access port it is fine.
It is when I configure VLANs on the pfSense and connect it to the trunk that it loses communications.
pfsense
I go to -interfaces - assign - create vlans 10 and 20
Then I go to LAN and assign VLAN10
Then I add OPT1 which is vlan20
*As I mentioned, the pfSense box is connected to a trunk port that is tagged with vlan10 and vlan20.
Everything breaks; I can no longer get to the pfSense box?
-
Sounds like the re driver might be having problems. You might want to check on the FreeBSD lists for issues with this, or try to add the VLAN on the command line and see if it works. We have no trouble with VLANs, but we only use sis and fxp NICs.
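An added example, not code from the thread or from pfSense, that turns the earlier reply's rules (parent interface unnumbered, nothing on VLAN 1, one VLAN per subnet) into a plan check and prints the FreeBSD ifconfig lines the command-line test above calls for; it assumes FreeBSD-style ifconfig as shipped with pfSense and uses the interface names and addresses from the thread.

```shell
#!/bin/sh
# Added example, not from the thread: a plan checker plus the FreeBSD ifconfig
# lines that put tagged VLANs on an unnumbered parent, the layout the replies
# recommend (re1 hosts only VLANs, no address of its own, nothing on VLAN 1).
# Assumes FreeBSD-style ifconfig as found on pfSense; names and addresses are
# the ones from the thread. It only prints the commands so the plan can be
# reviewed before being run as root on the firewall.

# check_plan PARENT_IP VLAN_ID...  -> 0 if the plan follows the rules, else 1.
check_plan() {
  parent_ip=$1; shift
  # Rule 1: the trunk parent stays unnumbered; it sits on the native VLAN.
  if [ "$parent_ip" != "none" ]; then
    echo "parent interface must stay unnumbered (got $parent_ip)" >&2
    return 1
  fi
  for id in "$@"; do
    case $id in ''|*[!0-9]*) echo "bad VLAN id: $id" >&2; return 1 ;; esac
    if [ "$id" -lt 2 ] || [ "$id" -gt 4094 ]; then
      # Rule 2: VLAN 1 is the usual default native VLAN; never carry a subnet on it.
      echo "VLAN id $id not allowed (use 2-4094)" >&2
      return 1
    fi
  done
  return 0
}

# vlan_cmds PARENT ID/ADDR...  -> prints one create + one address line per VLAN.
vlan_cmds() {
  parent=$1; shift
  echo "ifconfig $parent up"                      # up, but no address
  for spec in "$@"; do
    id=${spec%%/*}; addr=${spec#*/}
    echo "ifconfig vlan$id create vlan $id vlandev $parent"
    echo "ifconfig vlan$id inet $addr/24"
  done
}

# The thread's layout: re1 unnumbered, VLAN 10 corp, VLAN 20 visitors.
check_plan none 10 20 && vlan_cmds re1 10/10.3.3.1 20/10.100.100.1
```

Feeding the original layout (10.255.255.1 on re1) to check_plan fails the first rule, which is the misconfiguration the reply above warns about.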
-
Do you have a link I can check out, and/or do you have the info on creating the vlans from command line.
Thanks!
-
Whatever I have tried I cannot get vlans to work….I am wondering if it is a pfsense issue.
No, it's not. VLANs work fine, and are dead simple to set up. They were a ported feature from m0n0wall, worked fine initially and always have. Properly setting up the VLANs on the switch is another matter entirely. If it's not working, it's your switch configuration.
It's possible, but unlikely, that it's related to a NIC driver bug. I may have time to look closer at this tomorrow, haven't had time to read all the info posted since my last post. At this point, my most specific suggestion is fix the switch.
-
I hope you are right.... but the switch is configured correctly (SRW2008MP Linksys, unless there are issues with this switch).
I have set up vlans and trunks for years but on cisco equipment. I will try another type of switch today and see.
The NICs in the pfSense box are Realtek 8110SC.
Any other suggestions or help would be appreciated.
Again here is what I have setup.
VLAN10 and VLAN20 SRW2008MP switch ---- Trunk (tagged 10 and 20) ---- pfSense (LAN = VLAN10 and opt1 = VLAN20). The minute I configure the pfSense I lose connectivity.
-
If you've got a spare NIC, use that as LAN... and re1 for the VLANs only.
Here is a quickly made VLAN demo :)
http://www.mediamax.com/crazypark/Hosted/hmm.swf