Trunking & bridging - I'm confused



  • I'm new to pfSense, and I've been reading through "pfSense, the Definitive Guide…" and looking on the web, and I still don't know how to do this.

    My appliance has three ports: re0 (WAN), re1 (which should be a trunk), re2 (which should be the LAN). I've configured several vlans (10, 20, 30...). My desire is to have all of the vlans trunked out of re1, and one of the vlans (10) also needs to be on the lan port, re2.

    First question, if I properly understand the book, QinQ is not typically needed for trunking. Is that correct, or am I not properly understanding something?

    Do I assign the vlans directly to re1, or do I need to create a virtual IF for each vlan?

    How do I assign vlan 10 which should be in both the trunk and on re2? I've been through several iterations. My first attempt (which worked until I rebooted) I had a bridge with both re2 and the virtual IF for vlan 10. But when I rebooted, everything fell apart with an invalid configuration. Now I'm not sure what interfaces I need to create, and what needs to be assigned to which. I've found lots of info with basic setups, but nothing that helps when you try to put it all together.

    Thanks. I know this is really basic, but I just can't get it working.
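The post above is juggling three separate objects: VLAN devices created on a parent NIC, the assignment of those devices as interfaces, and a bridge built from assigned interfaces. Those relationships can be sanity-checked offline against a config backup before rebooting. The script below is an added example written for this thread, not pfSense code. The config.xml element names it parses (`vlans/vlan/if|tag|vlanif`, `interfaces/*/if`, `bridges/bridged/members|bridgeif`) and the rule that bridge members are assignment names such as `lan` or `opt1` rather than raw devices are taken from memory of pfSense backups and should be verified against your own export; the XML excerpt is constructed, and `re0`/`re1`/`re2` are the NICs from the post. It also flags a bridge that contains a VLAN device together with its own untagged parent, because that collapses the boundary the VLAN was supposed to provide.

```python
"""Sanity-check VLAN -> assignment -> bridge consistency in a pfSense config.xml.
Added example for this thread; not pfSense code. Element names are assumed."""
import collections
import xml.etree.ElementTree as ET

# NICs of the three-port appliance described in the post (assumed).
PHYSICAL_NICS = {"re0", "re1", "re2"}

# Constructed excerpt: VLANs 10/20/30 on re1, VLAN 10 and 20 assigned as
# OPT1/OPT2, bridge0 = LAN + OPT1 (the poster's intent), plus a deliberately
# wrong bridge1 that lists the raw device re1.30 instead of an assigned interface.
SAMPLE_CONFIG = """<pfsense>
  <vlans>
    <vlan><if>re1</if><tag>10</tag><vlanif>re1.10</vlanif></vlan>
    <vlan><if>re1</if><tag>20</tag><vlanif>re1.20</vlanif></vlan>
    <vlan><if>re1</if><tag>30</tag><vlanif>re1.30</vlanif></vlan>
  </vlans>
  <interfaces>
    <wan><enable/><if>re0</if></wan>
    <lan><enable/><if>re2</if></lan>
    <opt1><enable/><if>re1.10</if><descr>VLAN10</descr></opt1>
    <opt2><enable/><if>re1.20</if><descr>VLAN20</descr></opt2>
  </interfaces>
  <bridges>
    <bridged><members>lan,opt1</members><bridgeif>bridge0</bridgeif></bridged>
    <bridged><members>lan,re1.30</members><bridgeif>bridge1</bridgeif></bridged>
  </bridges>
</pfsense>"""


def check_config(xml_text, physical=PHYSICAL_NICS):
    """Return a list of problem strings; an empty list means the chain is consistent."""
    root = ET.fromstring(xml_text)
    problems = []

    # 1. VLAN devices: parent must be a real NIC, tag valid and unique per parent.
    vlans = {}          # device name (re1.10) -> parent NIC (re1)
    seen = set()
    for v in root.findall("./vlans/vlan"):
        parent, tag = v.findtext("if"), int(v.findtext("tag"))
        name = v.findtext("vlanif") or f"{parent}.{tag}"
        if parent not in physical:
            problems.append(f"{name}: parent {parent} is not a physical NIC")
        if not 1 <= tag <= 4094:
            problems.append(f"{name}: VLAN tag {tag} out of range")
        if (parent, tag) in seen:
            problems.append(f"{name}: duplicate VLAN {tag} on {parent}")
        seen.add((parent, tag))
        vlans[name] = parent

    # 2. Assignments: each assigned interface maps to a NIC or a defined VLAN,
    #    and no device is assigned twice.
    assigned = {}       # assignment name (lan, opt1) -> device
    for iface in root.findall("./interfaces/*"):
        dev = iface.findtext("if")
        assigned[iface.tag] = dev
        if dev not in physical and dev not in vlans:
            problems.append(f"{iface.tag}: device {dev} is neither a NIC nor a defined VLAN")
    for dev, n in collections.Counter(assigned.values()).items():
        if n > 1:
            problems.append(f"device {dev} is assigned {n} times")

    # 3. Bridges: members must be assignment names, and a VLAN device must not
    #    share a bridge with its own untagged parent (tagged/untagged leak).
    for b in root.findall("./bridges/bridged"):
        bridgeif = b.findtext("bridgeif") or "bridge?"
        members = [m.strip() for m in (b.findtext("members") or "").split(",") if m.strip()]
        if len(members) < 2:
            problems.append(f"{bridgeif}: needs at least two members")
        devs = []
        for m in members:
            if m not in assigned:
                problems.append(f"{bridgeif}: member '{m}' is not an assigned interface "
                                "(use the assignment name, e.g. opt1, not the device)")
            else:
                devs.append(assigned[m])
        for d in devs:
            if d in vlans and vlans[d] in devs:
                problems.append(f"{bridgeif}: {d} and its parent {vlans[d]} are both members")
    return problems


if __name__ == "__main__":
    for line in check_config(SAMPLE_CONFIG) or ["no problems found"]:
        print(line)
```

Run it against a saved backup by replacing `SAMPLE_CONFIG` with the file contents; with the constructed excerpt it reports only the `bridge1` member error, and fixing that member to `opt2` yields an empty list.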



  • @g4jc:

    I'm new to pfSense, and I've been reading through "pfSense, the Definitive Guide…" and looking on the web, and I still don't know how to do this.

    My appliance has three ports: re0 (WAN), re1 (which should be a trunk), re2 (which should be the LAN). I've configured several vlans (10, 20, 30...). My desire is to have all of the vlans trunked out of re1, and one of the vlans (10) also needs to be on the lan port, re2.

    First question, if I properly understand the book, QinQ is not typically needed for trunking. Is that correct, or am I not properly understanding something?

    Do I assign the vlans directly to re1, or do I need to create a virtual IF for each vlan?

    How do I assign vlan 10 which should be in both the trunk and on re2? I've been through several iterations. My first attempt (which worked until I rebooted) I had a bridge with both re2 and the virtual IF for vlan 10. But when I rebooted, everything fell apart with an invalid configuration. Now I'm not sure what interfaces I need to create, and what needs to be assigned to which. I've found lots of info with basic setups, but nothing that helps when you try to put it all together.

    Thanks. I know this is really basic, but I just can't get it working.

    Of course, this answer may not be what you're after, but…

    I would probably let the switch(es) do the "bridging" of the VLANs presented by re1 and re2. The way you're going about it, you're not only fighting the complexity of the setup, but also leaning heavily on the CPU of your pfSense box to do all the data transport across the bridge when the switch should be able to do that effortlessly.

    Now, I don't know what kind of switch you have, so I'll be talking in terms that may not exactly match up to the documentation in or management interface for your switch, but hopefully it'll make sense.

    I would make your single LAN (re2) port go directly to the switch natively, untagged, but internal to the switch you can translate that port to VLAN10 (it may be called a "port-based" VLAN). Your re1 "trunk" port would carry the other tagged VLANs, 20, 30, etc., with the port configured for those tagged VLANs. At this point, once those VLANs are defined in the switch, they can go anywhere, including having all of them tagged on a single port to trunk to another switch, or they can be untagged native ports. If you need that other "LAN" port on VLAN10 for something in particular, you can simply get that off the switch as a native port.



  • Thanks for the reply, matguy. Your answer would be my first choice, if I had a layer 3 switch. The trunk is going directly to VMware ESXi, so there is no physical layer 3 switch anywhere. But I might have to bite the bullet and buy one…

    I did a factory reset and started over. Trunking is still messed up, but at least the lan port is working now. The problem is, I'm not sure if the Trunking issue is with pfSense or ESXi.

    Thanks for your reply.



  • I think I get it now, that's still workable without bridging as long as your ESXi box has multiple interfaces.

    So, if I understand correctly, you're doing a physical pfSense box with 3 interfaces and an ESXi box, maybe with multiple interfaces.

    So, put the WAN on re0, LAN as re2 without VLAN assignment into a standard switch. VLANs 20 and 30 (etc., if applicable) on re1. Cable re1 with VLANs directly into ESXi with their VLAN tags specified in port groups on a single vSwitch in ESXi. Cable from the switch that re2 is connected to back to another port on your ESXi box as another vSwitch. You'll still have your "LAN" and VLANs available in ESXi, and "LAN" as untagged physical access from a standard switch.

    Adding a standard port to your ESXi box, assuming it doesn't have an extra, might be cheaper than a switch that supports VLANs.

    {Edited a typo and added clarifying wording}



  • @g4jc:

    …The problem is, I'm not sure if the Trunking issue is with pfSense or ESXi.

    Thanks for your reply.

    I would wonder, a bit, if the direct cabling isn't working with auto-uplink, or both sides are trying to negotiate uplink states (aka auto MDI-MDIX) and failing. Or, are you using a crossover cable that isn't playing nice? Test the link without VLANs first, to make sure that the physical connection is working, then add VLANs.

