VLAN Question, complete newbie [updated]



  • So I'm trying to do some segmentation on my network and implement VLANs.

    I have a managed switch that comes default with every port untagged, VLAN ID 1.

    I thought, in theory, if I simply create a VLAN in pfSense and assign it to my LAN interface (attached to the managed switch), everything should still work. What am I missing here?



  • When you configure a VLAN interface in pfSense you are effectively telling the kernel to give to the VLAN interface every packet arriving on the parent interface with a VLAN tag whose ID matches the VLAN ID configured in the VLAN interface. Hence for the VLAN interface to "work" the switch must provide suitable VLAN tags.

    You said you want to segment your network. Suppose you have two segments and assign them VLAN tags 10 and 20. (Keep away from the "default" VLAN tag.) The switch port connected to pfSense needs to be configured as a "trunk" port, expecting VLAN tags on input and providing VLAN tags on output (so pfSense will see the VLAN tags). It also needs to be configured as a member of VLANs 10 and 20 so it will give traffic on those VLANs to pfSense.

    Then you need to configure (probably as "untagged") the ports connecting to the client systems as members of the appropriate VLANs.

    If this doesn't address your issue please provide more detail on what you configured, what you expect to happen and what doesn't happen.



  • Nope. That won't work.

    pfSense VLAN is tagged and the switch port it is connected to must be configured as tagged member of that VLAN.

    As a fairly simple example consider this:

    Switch ports 1-6: PVID 1, Untagged Member VLAN 1 (typical default)

    Switch port 7: PVID 1, Untagged Member VLAN 1, Tagged Member VLAN 99 - Connected to pfSense
    Switch port 8: PVID 99, Untagged Member VLAN 99 - Connected to ISP.

    pfSense WAN configured as VLAN ID 99, LAN (default config, no VLAN) - Connected to switch port 7.
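    The two answers above (tagged vs. untagged membership, PVID, and pfSense only handing a frame to a VLAN interface when the tag matches) can be checked with a small model. This is an added illustration, not code from the thread or from pfSense; the port numbers and VLAN IDs follow the example switch in the post above, while the `Port` class, the `forward`/`pfsense_receives` functions and the assumption that a switch drops a tagged frame for a VLAN the port is not a member of are this example's own.

```python
# Added illustration (not from the thread): a small model of 802.1Q tagging on a
# layer-2 switch and of how pfSense hands frames on a parent NIC to VLAN interfaces.
# Port numbers, VLAN IDs and the switch layout below follow the example in the
# post above; the functions and names are this example's own assumptions.
from dataclasses import dataclass, field


@dataclass
class Port:
    pvid: int                                   # VLAN assigned to untagged ingress frames
    untagged: set = field(default_factory=set)  # VLANs this port emits without a tag
    tagged: set = field(default_factory=set)    # VLANs this port emits with an 802.1Q tag

    def member_of(self, vid: int) -> bool:
        return vid in self.untagged or vid in self.tagged


def ingress(port: Port, tag):
    """Classify a frame arriving on `port`. `tag` is the 802.1Q VID, or None if untagged.
    Untagged frames join the PVID; tagged frames are accepted only if the port is a
    member of that VLAN (this model applies ingress filtering); otherwise dropped."""
    if tag is None:
        return port.pvid
    return tag if port.member_of(tag) else None


def egress(port: Port, vid: int):
    """How a frame in VLAN `vid` leaves `port`: 'untagged', 'tagged', or None (not forwarded)."""
    if vid in port.untagged:
        return "untagged"
    if vid in port.tagged:
        return "tagged"
    return None


def forward(switch: dict, in_port: int, tag, out_port: int):
    """A frame enters `in_port` (with or without a tag) and is offered to `out_port`.
    Returns (vid, egress_mode) or None if the switch drops it."""
    vid = ingress(switch[in_port], tag)
    if vid is None:
        return None
    mode = egress(switch[out_port], vid)
    return None if mode is None else (vid, mode)


def pfsense_receives(frame, vlan_ifaces: set):
    """Which pfSense interface sees a frame arriving on the parent NIC.
    An untagged frame goes to the parent interface (e.g. LAN); a tagged frame goes to
    the VLAN interface whose ID matches, or is dropped when none is configured."""
    if frame is None:
        return None
    vid, mode = frame
    if mode == "untagged":
        return "parent"
    return f"vlan{vid}" if vid in vlan_ifaces else None


# Switch from the post above: ports 1-6 plain access ports on VLAN 1, port 7 the
# pfSense uplink carrying VLAN 1 untagged and VLAN 99 tagged, port 8 the ISP port.
EXAMPLE_SWITCH = {p: Port(pvid=1, untagged={1}) for p in range(1, 7)}
EXAMPLE_SWITCH[7] = Port(pvid=1, untagged={1}, tagged={99})
EXAMPLE_SWITCH[8] = Port(pvid=99, untagged={99})

# The original poster's starting point: every port untagged on VLAN 1, nothing else.
DEFAULT_SWITCH = {p: Port(pvid=1, untagged={1}) for p in range(1, 9)}


def demo():
    results = {
        # ISP frame enters port 8 untagged, leaves port 7 tagged 99 -> pfSense WAN (vlan99)
        "isp_to_pfsense": pfsense_receives(forward(EXAMPLE_SWITCH, 8, None, 7), {99}),
        # LAN client on port 1 reaches pfSense untagged -> parent (LAN) interface
        "client_to_pfsense": pfsense_receives(forward(EXAMPLE_SWITCH, 1, None, 7), {99}),
        # ISP frames never reach client port 1: port 1 is not a member of VLAN 99
        "isp_to_client": forward(EXAMPLE_SWITCH, 8, None, 1),
        # Default switch plus a VLAN 10 interface in pfSense: client traffic still
        # arrives untagged on the parent; the VLAN 10 interface never sees anything
        "default_client": pfsense_receives(forward(DEFAULT_SWITCH, 1, None, 7), {10}),
        # ...and frames pfSense sends tagged 10 into port 7 are dropped by the switch
        "default_tagged_in": ingress(DEFAULT_SWITCH[7], 10),
    }
    for name, value in results.items():
        print(f"{name:20s} -> {value}")
    return results


if __name__ == "__main__":
    demo()
```

Running it shows the original question's failure mode directly: with every port untagged on VLAN 1, the VLAN 10 interface in pfSense never receives a frame, and anything pfSense sends tagged 10 is dropped at the switch. The WAN-on-VLAN-99 layout also shows the isolation you get for free once membership is right: nothing from the ISP port can egress an access port that is not a member of VLAN 99.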



  • Thank you guys very much! Clearly, I had no idea what I was doing, but now my traffic is flowing again. Much appreciated. I'll keep this thread updated if I have any other questions about VLANs.

    Just wanted to make sure that my logic is now correct.

    I am lab testing a UniFi AP on a managed switch and working on trunking several VLANs to the AP to assign them to different SSIDs.

    Here is my basic config.

    Port 1 is connected to pfSense box.
    Port 2 is connected to AP

    VLAN10 = Management Network
    VLAN20 = Public WIFI
    VLAN30 = Secure WIFI

    VLAN ID   Management   Port 1   Port 2   …..
    10        x            T        U
    20                     T        T
    30                     T        T

    SSID1 = VLAN20
    SSID2 = VLAN30

    This seems to work just fine. The AP uses the native VLAN (is this the correct term?) for port 2 as the management interface for the AP. DHCP is enabled on all three VLANs in pfSense, and devices connecting to the different WiFi networks obtain IPs successfully. It appears all is well. Now, my question pertains to inter-VLAN routing. My switch is layer 2, so this will have to be done through my only layer 3 device, my pfSense box. Is this accomplished by firewall rules alone?



  • Provided everything is correctly configured, your inter-VLAN traffic will go to your pfSense box where it will be routed between the VLANs unless blocked on entry to the box by a firewall rule.
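    To make the "routed unless blocked on entry" point concrete for the three VLANs in the question (management, public WiFi, secure WiFi), here is an added model of pfSense's per-interface rule evaluation. It is not a configuration from the thread or from pfSense itself: the subnets, the interface names `vlan10`/`vlan20`/`vlan30`, and the `RULES` table are constructed for illustration. What it does follow is pfSense's actual behaviour: rules on an interface filter traffic entering the firewall on that interface, first match wins, and unmatched traffic is denied.

```python
# Added illustration (not from the thread): a model of how pfSense applies
# per-interface firewall rules to traffic routed between VLANs. Rules are evaluated
# on the interface where the packet ENTERS the firewall, first match wins, and
# anything unmatched is denied (pfSense's default). The subnets, interface names
# and rules are constructed for the three VLANs in the post above.
from ipaddress import ip_address, ip_network

# Constructed addressing: one /24 per VLAN interface on pfSense.
NETS = {
    "vlan10": ip_network("10.0.10.0/24"),  # management
    "vlan20": ip_network("10.0.20.0/24"),  # public WiFi
    "vlan30": ip_network("10.0.30.0/24"),  # secure WiFi
}

# Rules per ingress interface as (action, destination). Each rule's source is
# implicitly "that interface's subnet" (pfSense's "<IFACE> net" macro).
# Public WiFi: internet only. Secure WiFi: everything except management.
# Management: anything. The pass-all entry mirrors pfSense's default LAN rule.
RULES = {
    "vlan20": [("block", NETS["vlan10"]), ("block", NETS["vlan30"]), ("pass", "any")],
    "vlan30": [("block", NETS["vlan10"]), ("pass", "any")],
    "vlan10": [("pass", "any")],
}


def ingress_interface(src):
    """The pfSense interface a packet from `src` arrives on (None if no VLAN owns it)."""
    for name, net in NETS.items():
        if src in net:
            return name
    return None


def egress_interface(dst):
    """Where pfSense would route the packet: a VLAN interface, or WAN for anything else."""
    for name, net in NETS.items():
        if dst in net:
            return name
    return "wan"


def decide(src: str, dst: str):
    """Return (verdict, ingress_iface, egress_iface) for an IPv4 packet src -> dst."""
    src, dst = ip_address(src), ip_address(dst)
    iface = ingress_interface(src)
    if iface is None:
        return ("block", None, None)  # not on any known VLAN: no rule set passes it
    for action, target in RULES.get(iface, []):
        if target == "any" or dst in target:
            return (action, iface, egress_interface(dst))
    return ("block", iface, egress_interface(dst))  # implicit default deny


if __name__ == "__main__":
    samples = [("10.0.20.5", "10.0.10.1"), ("10.0.20.5", "198.51.100.10"),
               ("10.0.30.5", "10.0.10.1"), ("10.0.10.5", "10.0.30.7")]
    for s, d in samples:
        print(f"{s} -> {d}: {decide(s, d)}")
```

Two things the model makes visible that are easy to get wrong in the GUI: the block rules on the public WiFi interface must come before the pass-all rule (first match wins), and blocking the whole management subnet also blocks the firewall's own VLAN 10 address, which is usually what you want for a guest network. Return traffic for a passed connection is handled by state tracking, so no mirror rule is needed on the other interface.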

