Need help with Configuration of VLAN with Netgear Switch



  • Hello Everyone, Hope you are enjoying your weekend!

    Being the teenager I am, I decided to play with servers today.

    I have run into a problem I just can't seem to solve; I'd like to have my VM lab on its own LAN, but I am not sure how to do it with the hardware I have.

    Currently I have it set up like this: Internet > pfSense box (Dell PE1950) > Netgear managed switch (M4100) > 6 NIC connections to Dell PE2950
    I'd like to have it something similar to the following:

    Internet > pfSense box (nic0) > nic1 to switch for main network
    nic2 to VLAN section of switch for VM network.

    How would I go about setting this up? Would I somehow be able to route it so that hostnames work?
    E.g. blah.example.com goes to an IP in the VLAN.

    Any help would be appreciated.



  • Hi, I would have loved to have such equipment as a teenager when I was one ;D

    There are a couple of steps and considerations to make - get yourself familiar with them, as there are a couple of ways to do it (and they might not be wrong) :)

    In the first step you'll (likely) want to add a VLAN to your internal interface on pfSense (your nic1), bring the interface up and add rules so your other network has access to the internet; for inter-VLAN routing you'll want to add rules from your internal network to the VM network too. That said: by default everything will be blocked on this new interface (possibly first called 'opt1').

    Netgear's a bit messy with naming; the M4100 seems to be the same as the GSM5212, thus it's a fully managed L2(+) switch which has console access over serial, Telnet or SSH - good for you :) Get the Admin and the CLI manual - they are not the best (compared to Cisco or ProCurve), but the admin manual gives some good examples about VLAN configuration while the CLI manual contains all available commands. I'd prefer the CLI over their sluggish Web GUI. Additionally their syntax is very close to Cisco (love it, hate it…).

    In general you will want in this order:

    • Define VLANs

    • Add participation for the particular VLANs on the required port or port range

    • Define which VLAN (if any) is transported tagged on this port (802.1Q)

    • Set the PVID to the VLAN ID that shall be transported untagged - so the switch knows in what VLAN it puts an untagged packet arriving on this port

    I got bitten by the PVID setting a couple of times, since the default PVID for all ports is set to 1.
    On a couple of Netgears I had to 'vlan participation exclude 1' to really get rid of the default VLAN 1 participation.

    You might want to look into port-channels (Netgear) or LAG (FreeBSD/pfsense) to aggregate your physical ports into one larger pipe and do lots of VLAN tagging where your netgear separates back all things.
    I do this with Netgears and pfSense - and it works. For your VM host: depending on your environment, the ports on which the VMs will go out of the box will need to be configured at least on the switch side to be in your VM LAN (likely untagged, with the PVID of your VM LAN).
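    The four steps above, applied to the original poster's layout, as an added example that is not from the forum thread or from Netgear's documentation. It uses the FASTPATH-style CLI the M4100/GSM5212 family exposes (`vlan database`, `vlan participation`, `vlan tagging`, `vlan pvid`); the VLAN number 20, the port assignments (pfSense nic2 on 0/2, a tagged uplink on 0/3, VM host NICs on 0/5-0/8) and the description text are assumptions chosen for the example, and the lines beginning with `!` are annotations, not commands to type.

```text
! --- Step 1: define the VM lab VLAN (assumed VLAN ID 20) ---
vlan database
vlan 20
vlan name 20 "VM-LAB"
exit

configure

! --- Steps 2 and 4: pfSense nic2, VM lab only, untagged ---
! Participation first, then PVID, then drop the default VLAN 1 membership
! (the PVID trap from the post: without the last line the port still
! floods untagged frames into VLAN 1).
interface 0/2
description 'pfSense nic2 - VM lab (assumed)'
vlan participation include 20
vlan pvid 20
vlan participation exclude 1
exit

! --- Same treatment for the VM host NICs (assumed ports 0/5-0/8) ---
! The VMs leave the host untagged, so the switch must classify them into 20.
interface 0/5-0/8
vlan participation include 20
vlan pvid 20
vlan participation exclude 1
exit

! --- Step 3 variant: one uplink carrying VLAN 1 untagged and 20 tagged ---
! Only needed if you tag VLANs on a single pfSense NIC/LAG instead of using nic2.
! PVID stays 1 (default), so untagged frames remain the main LAN.
interface 0/3
vlan participation include 20
vlan tagging 20
exit

exit

! --- Check before saving: 20 should list 0/2, 0/5-0/8 untagged and 0/3 tagged,
! and 'show vlan port all' should show PVID 20 on the untagged ports ---
show vlan 20
show vlan port all
write memory
```

    If a VM port ends up with "Include" on VLAN 1 and VLAN 20 at the same time, a plain (untagged) host on that port lands in whichever VLAN the PVID names; the `show vlan port all` output is the quickest way to spot a port whose PVID was left at 1.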



  • So what rules do you have to set to give vlans internet access, and how would you grant access from one vlan to another.

    I don't mean to hijack this post, but this is exactly what I'm trying to do too.

    I have this right now: internet-pfsense-netgear gs724t-rest of network(data,voice,tv)

    What I would like to do is separate data, voice, and TV out to their own VLANs. I set three VLANs on my pfSense box and generally understand how to configure the switch. But my issue is that I have two devices that need access to two separate VLANs. My servers have the same need, but only because the VMs need a different VLAN, so I will just tag the VM VLAN and leave the host to be tagged by the switch, or is this not the way to do it? How would I access, say, the web GUI for my PBX server if it is on a different VLAN than, say, my workstation? Is this configured through rules? If so, how? Same for all RDP-type services. I would like to be able to manage all my devices from my workstation but not be on all VLANs.
    Thanks



  • @suicidegybe:

    So what rules do you have to set to give vlans internet access, and how would you grant access from one vlan to another.

    I don't mean to hijack this post, but this is exactly what I'm trying to do too.

    I have this right now: internet-pfsense-netgear gs724t-rest of network(data,voice,tv)

    What I would like to do is separate data, voice, and TV out to their own VLANs. I set three VLANs on my pfSense box and generally understand how to configure the switch. But my issue is that I have two devices that need access to two separate VLANs. My servers have the same need, but only because the VMs need a different VLAN, so I will just tag the VM VLAN and leave the host to be tagged by the switch, or is this not the way to do it? How would I access, say, the web GUI for my PBX server if it is on a different VLAN than, say, my workstation? Is this configured through rules? If so, how? Same for all RDP-type services. I would like to be able to manage all my devices from my workstation but not be on all VLANs.
    Thanks

    Determine what network addresses you want to use for each VLAN, create the necessary VLANs on your switch, apply them to the ports for devices you want on each VLAN, set up your trunk port on your switch, then create the VLAN interfaces in pfSense. Once you create the VLANs in pfSense you can go to the (assign) option under the Interfaces tab and create new interfaces for each VLAN. Then just assign an IP address on each new VLAN interface to your pfSense box, using an address from the network you want to use for that VLAN. At this point these new interfaces will be available under your Filters, so you can allow/deny traffic to/from each of your different VLANs from your LAN. It sounds like you want to allow your LAN to access your VLANs but not the other way around. In that case, just create block or reject rules on each new VLAN that prevent those networks from accessing your LAN.

    To access the pfSense web interface from a device on that VLAN just open a browser or SSH session to the IP you assigned to pfSense on that VLAN. By default the filters will allow access to the web interface from each VLAN unless you disabled the anti-lockout option on the Advanced setup screen.

    This page describes most of the setup quite nicely: http://doc.pfsense.org/index.php/Multi-WAN_using_VLANs_with_pfSense

    Just note that site is for using Multi-WAN which isn't what you're after, so ignore the parts about assigning gateways for each VLAN as you're only creating LAN-type VLANs, not WAN-type (you only have a single WAN, so you only want a single gateway in pfSense). Good luck!
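    The "LAN may reach the VLAN, but not the other way round" rule set described above, written out in pf syntax as an added example; it is not from the thread or from the pfSense project, and the interface names (`em1`, `em1.20`), the address ranges and the VLAN number are assumptions constructed for the example. pfSense builds rules of this shape from what you enter on the VM_LAN and LAN tabs; the point it illustrates is the ordering and the role of state.

```text
# Constructed addressing (assumption): main LAN on em1, VM lab VLAN 20 on em1.20
lan_if  = "em1"
vm_if   = "em1.20"
lan_net = "192.168.1.0/24"
vm_net  = "192.168.20.0/24"

# VM_LAN tab. pfSense evaluates the rules top-down and the first match wins
# ("quick"); an interface with no matching rule drops the packet.

# 1) VMs may not open connections into the main LAN ("reject" = block return).
block return in quick on $vm_if inet from $vm_net to $lan_net

# 2) Everything else from the VMs is allowed: Internet, and pfSense's own
#    address on this VLAN (192.168.20.x is not in $lan_net, so rule 1 does
#    not get in the way of reaching the web GUI on that address).
pass in quick on $vm_if inet from $vm_net to any keep state

# LAN tab. The default "LAN to any" rule covers workstation -> VM traffic
# (web GUI, RDP). The state it creates lets the replies back in through the
# VM_LAN tab, so no second rule on that side is required.
pass in quick on $lan_if inet from $lan_net to any keep state
```

    Putting the block rule first matters: if the "to any" pass rule sat above it, every VM-to-LAN connection would match the pass rule and the block rule would never be reached.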

