VLAN Setup questions
-
Hi,
I recently build a pfsense box with two NICs (em0 - wan and em1 - lan) to help with our VOIP QoS issue.
The setup is pfsense -> managed switch -> phones -> PCs
By default pfsense creates LAN interface with 192.168.1.1
i created additional VLANS (VOICE - 67 and DATA - 66) and assigned them to em1 - lan interface as well as enabled DHCP on them.
created 67 and 66 VLANS the managed switch (FS728TP). i'm just playing with only two ports to check if i get the desired result.
port 28 going to pfsense box is checked as TAGGED on both VLANS.
port 2 (my test port) is checked TAGGED on VLAN 67 VOICE (i also use this tag in phones configuration so it can tag the packets with the right VLAN id) and UNTAGGED on VLAN 66 DATA. Also setting up PVID for that port to 66 gives me the desired result so when phone is connected to switch it gets 67.0/24 dhcp address and pc connected to the phone gets 66.0/24 dhcp address.
Is my understanding right that when the packets are passed as UNTAGGED to VLAN 66 DATA the ports sets the default packet header to VLAN 66 and that basically assigns everything else behind it (in my case PC) to VLAN 66 ?
Also i have a handfull of network printers, is it okay to leave them on DATA VLAN or is it advisable to create separate VLAN for them?
In this thread
http://forum.pfsense.org/index.php?topic=34739.0
GruensFroeschli says
_Don't mix untagged and tagged traffic on the same parent interface.
Leave WAN on vr1
Delete LAN on vr0
–> Create DATA as vlan on vr0
--> create VOICE as vlan on vr0Then connect the vr0 interface to the switch.
Configure the VLANs on the switch as tagged on the port going to the pfSense._What does he mean by mixing UNTAGGED AND TAGGED traffic? And also why should one delete the LAN ? Thanks in advance for any information.
-
I think the setup should be:
port 28 - tagged on both VLANS
port 2 - tagged on both VLANsThis way the VLAN tag from the phone is respected all the way to the switch and then to pfSense.
If I recall correctly, a untagged port in a VLAN is like an access port (can only be on one VLAN).
tagged ports passes the tag on. see the last post in the topic you sent. Most likely your phones are acting as switches and are already tagging packets (as mine does).But this of course depends on the managed switch maker and model. If you sent that, we can get the terminology correct.
i would leave the printers in the data vlan … most phones do not need to print.
-
thanks podilarius ill try that tomorrow
why would port 2 be tagged on both VLANs?
The PCs packets won't be tagged with the VLAN TAG only Phones configuration have the tag (67 VOICE) specified.
so PVID is set on port 2 to 66 to put any device with no tag specified to VLAN 66 DATA.i sort of followed the logic in this write up which is sort of easy to understand
http://www.alexwilliams.ca/blog/2009/01/17/segmenting-your-corporate-network-with-vlans/
-
As it says in the link blog post I would expect to have to port tagged on 67 and untagged on 66. Just check that you can't use the phone to strip the VLAN66 tags. As though it were a managed switch. This would allow you to send both VLANs tagged to the phone which would be 'nicer' in my opinion.
The reason that it is a bad idea to mix tagged and untagged traffic on a pfSense interface is that some NICs/drivers cause problems doing this. For an example of this see this epic thread. No VLAN traffic would pass as long as untagged traffic was being sent. However em(4) NICs are generally much more compliant. You may have no problems but be aware of it if issues arise.
Steve
-
Some phones tag the packets from the PC attached to them. If yours does not, then I would imagine you would be correct on your setup where you have port 2 as tagged on vlan 67 and untagged traffic to vlan 66 with the pvid to 66. If you are getting the desired results, then you already have your answers as to what your switch, phones, and NICs are capable of. The only reason to delete LAN is to remove access to the internet from the default VLAN. You can actually reasign LAN to your data VLAN if you like (in 2.1 at least).
-
A reason to delete LAN, in that particular case, is that it was a non VLAN interface on a NIC also carrying VLANs. Hence mixing tagged and non-tagged traffic.
Steve
-
i got this somehow working but im still unsure why it works the way it's set up
this is what i have that's working using these settings
pfsense 2.1BETA - NETGEAR FS728TP
LAN 10.18.65.1
DATA VLAN 10.18.66.1
VOICE VLAN 10.18.67.1now pfsense is accessed via 10.18.65.1 and switch 10.18.65.2.
you guys are saying i can merge or delete LAN so i won't be mixing traffic. how would i assign pfsense to DATA VLAN range ?
also it seems that LAN has automatically rules created to access all VLANs, another reason to geet rid of LAN ?pfsense goes to port28 on managed switch which is tagged with both (66 and 67 VLANS)
port2 is TAGGED on VLAN 67 (voice) and UNTAGGED on VLAN 66 (data) and then PVID is set to 66 (data) on that port.
the above setup works with phone getting VOICE ip and pc getting DATA ip.
I'm still trying to see how it would be possible to set it up with port being tagged on both VLANs.
When i tried that PC connected to the phone was getting ip from the LAN subnet. -
you guys are saying i can merge or delete LAN so i won't be mixing traffic. how would i assign pfsense to DATA VLAN range ?
I'm saying that is the recommended practice but if it's working OK for you then test it for while.
also it seems that LAN has automatically rules created to access all VLANs, another reason to geet rid of LAN ?
LAN has some rules aplied by default, 'Lan to any' and 'anti lockout rule'. You can just delete these rules if they don't fit your firewall setup.
pfsense goes to port28 on managed switch which is tagged with both (66 and 67 VLANS)
port2 is TAGGED on VLAN 67 (voice) and UNTAGGED on VLAN 66 (data) and then PVID is set to 66 (data) on that port.
the above setup works with phone getting VOICE ip and pc getting DATA ip.
I'm unsure how PVID comes into play here but otherwise that's what I would expect.
I'm still trying to see how it would be possible to set it up with port being tagged on both VLANs.
When i tried that PC connected to the phone was getting ip from the LAN subnet.To have the port tagged on both VLANs you phone has to be able to strip the tag from packets going to the PC and replace it on returning packets.
To prevent the PC getting a LAN IP you should set port 2 to exclude the default vlan.Steve
-
I'm unsure how PVID comes into play here but otherwise that's what I would expect.
when i tried UNTAGGED on 66 without PVID set up, the PC was getting IP from the DEFAULT LAN and not DATA VLAN, so PVID of 66 forces it to go to 66 VLAN ?
To have the port tagged on both VLANs you phone has to be able to strip the tag from packets going to the PC and replace it on returning packets.
To prevent the PC getting a LAN IP you should set port 2 to exclude the default vlan.the phones in question are Grandstream GXP2120, they only seem to have setting for Vlan Tagging, nothing else besides that in the config page, so i guess they don't support tag stripping.
-
PVID determines what VLAN any untagged frames coming into that switch port end up on. You'll virtually always want that set the same as whichever VLAN the port is an untagged member of.
-
awesome i found this thread that explains a lot about my setup and even similar hardware
http://forum.pfsense.org/index.php?topic=14918.0
only thing i'm trying to see now is how to delete lan and replace it with vlan and make pfsense and switch accessible from it as per original post and quote
_GruensFroeschli says
Don't mix untagged and tagged traffic on the same parent interface.
Leave WAN on vr1
Delete LAN on vr0
–> Create DATA as vlan on vr0
--> create VOICE as vlan on vr0Then connect the vr0 interface to the switch.
Configure the VLANs on the switch as tagged on the port going to the pfSense._how would i reassign it to a vlan or just simply delete it and only keep vlans. i tried to del lan and it locked me out. everything works ok but i guess i want to stick to the proper setup.
-
btw thanks for all the info guys. i'm learning a lot thanks to You! i hope this thread and any info / links here will help others!
