What am I doing wrong here with VLANs? - pfSense 2.0.3 and HP 1910 Switch
  • Hi all,

    Sorry to be one of these people who signs up just to ask for some help, but I've been scratching my head over this for the last few days and would really like to get some other people to sanity check what I'm doing.

    What I am trying to achieve is to get multiple VLANs routing through my single LAN interface on my pfSense firewall. I have a HP 1910 switch, and have got a couple of ports on it tagged for VLAN 2. On pfSense I have created a new VLAN (tagged as 2) and assigned it to the LAN interface. I have then created a new interface using this VLAN and assigned it a static IP address of 10.0.2.1/24 (the subnet for the LAN is 10.0.0.0/24). Both have a DHCP scope assigned to them.

    When I plug a laptop into a port with no VLAN assignation it gets an IP in the 10.0.0.0/24 range, as I would expect.

    However, when I plug a laptop into one of the VLAN 2 tagged ports it fails to get any IP address. If I statically set the IP 10.0.2.3/24 with a gateway of 10.0.2.1 and try to ping the gateway I get "Destination host unreachable".

    So I'm rather stumped as to what I have done wrong. Here are some screenshots to show my configuration which will hopefully help to illustrate what I have done. Any help or suggestions are much appreciated. :-)

  • Hi,

    Port 1+2 are displayed as trunk ports. As far as I know, trunk ports accept tagged VLANs.
    A trunk port which has VLAN2 tagged and VLAN1 (default VLAN - better never use it) as untagged.

    On pfsense VLAN1 is always untagged and VLAN2 is tagged (you did that). Then you connect pfsense and HP switch through the trunk port.

    Now you must configure another port on the switch - let's say port 8 - to be an untagged port for VLAN2.

    So I would suggest the following:

    • Never use VLAN1, which is the default VLAN on pfsense and on many switches.
    • If you need two VLANs or more, then create them on pfsense like VLAN 2+3 or 10+20.
    • Assign both newly created VLANs on pfsense an interface on em1.
    • On the HP switch configure port 1 as a tagged member of VLAN2+3 or 10+20.
    • On the HP switch configure port 8 as an UNtagged member of VLAN2 or 10.
    • On the HP switch configure port 9 as an UNtagged member of VLAN3 or 20.
    • Connect pfsense em1 NIC with HP switch port 1.
    • Assign different IP address subnets for the two new VLAN interfaces on pfsense.
    • Enable DHCP server on both new VLAN interfaces.
    • Set allow "any to any" firewall rules on the two new pfsense VLAN interfaces.
    • Connect a computer to the HP switch and test your setup.
    • Connect a computer to the ports on
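    The rules in the reply above (trunk port tagged for every pfSense VLAN, host-facing ports untagged in exactly one VLAN with a matching PVID, distinct subnets per VLAN interface, VLAN 1 left alone) can be checked mechanically. The script below is an added example written for this thread; it is not code from pfSense, HP, or either poster. The `SwitchPort` and `PfInterface` models, the port numbers and the sample plans are constructed from the thread's description, and `original_plan()` deliberately reproduces the opening post's setup, where the laptop ports were tagged for VLAN 2 instead of untagged.

```python
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Dict, List, Optional, Set

# Constructed models of the two devices in the thread (not real device output).


@dataclass
class SwitchPort:
    """One HP 1910 port: native VLAN (PVID) plus its tagged and untagged memberships."""
    number: int
    pvid: int
    untagged: Set[int]
    tagged: Set[int]


@dataclass
class PfInterface:
    """One pfSense interface: parent NIC, 802.1Q tag (None = untagged parent NIC), subnet."""
    name: str
    parent: str
    tag: Optional[int]
    subnet: str


def check_vlan_plan(uplink: int, ports: List[SwitchPort], pf: List[PfInterface],
                    access: Dict[int, int]) -> List[str]:
    """Return the inconsistencies between the pfSense VLANs and the switch config.
    `access` maps a switch port number to the VLAN a plain (untagged) host plugged
    into that port should land in. An empty list means the plan is consistent."""
    problems: List[str] = []
    by_number = {p.number: p for p in ports}
    trunk = by_number[uplink]
    seen = {}

    for iface in pf:
        net = ip_network(iface.subnet, strict=False)
        # Two interfaces with overlapping subnets cannot be routed apart.
        for name, other in seen.items():
            if net.overlaps(other):
                problems.append(f"{iface.name} {net} overlaps {name} {other}")
        seen[iface.name] = net
        if iface.tag is None:
            continue  # the untagged parent NIC rides the trunk port's PVID
        if iface.tag == 1:
            problems.append(f"{iface.name} uses VLAN 1, the default VLAN on most switches")
        # pfSense emits 802.1Q-tagged frames; the trunk must accept that tag.
        if iface.tag not in trunk.tagged:
            problems.append(f"uplink port {uplink} is not a tagged member of VLAN {iface.tag}; "
                            f"{iface.name} traffic never reaches the switch")

    for number, vlan in access.items():
        port = by_number[number]
        if vlan in port.untagged:
            # Egress is untagged; ingress must also map the host's untagged frames here.
            if port.pvid != vlan:
                problems.append(f"port {number}: PVID {port.pvid} != VLAN {vlan}; "
                                f"untagged frames from the host enter VLAN {port.pvid}")
        elif vlan in port.tagged:
            # The fault in the opening post: a laptop does not tag its frames, so a
            # tagged-only port never delivers VLAN traffic to it (DHCP times out).
            problems.append(f"port {number}: VLAN {vlan} is tagged only; an untagged host "
                            f"on this port stays in VLAN {port.pvid}")
        else:
            problems.append(f"port {number}: not a member of VLAN {vlan}")
    return problems


# pfSense side as described in the thread: LAN on em1 untagged, VLAN 2 on em1.
PF = [
    PfInterface("LAN", "em1", None, "10.0.0.1/24"),
    PfInterface("VLAN2", "em1", 2, "10.0.2.1/24"),
]


def original_plan() -> List[str]:
    """The opening post's setup: trunk carries VLAN 2 tagged, but the laptop port
    is also tagged-only for VLAN 2 (port numbers are constructed)."""
    ports = [
        SwitchPort(1, 1, {1}, {2}),   # trunk to pfSense em1
        SwitchPort(3, 1, {1}, {2}),   # "tagged for VLAN 2" laptop port
    ]
    return check_vlan_plan(1, ports, PF, {3: 2})


def suggested_plan() -> List[str]:
    """The reply's suggestion: port 8 untagged in VLAN 2 with PVID 2."""
    ports = [
        SwitchPort(1, 1, {1}, {2}),
        SwitchPort(8, 2, {2}, set()),
    ]
    return check_vlan_plan(1, ports, PF, {8: 2})


if __name__ == "__main__":
    for label, plan in (("original", original_plan), ("suggested", suggested_plan)):
        print(label, plan() or ["OK"])
```

    Run stand-alone it reports the tagged-only port for the original plan and "OK" for the suggested one. The check also catches the other two ways this setup silently fails: a PVID that does not match the untagged VLAN (frames enter one VLAN and leave on another), and a VLAN that pfSense tags but the uplink port does not carry.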


  • @Nachtfalke:

    Hi,

    Port 1+2 are displayed as trunk ports. As far as I know, trunk ports accept tagged VLANs.
    A trunk port which has VLAN2 tagged and VLAN1 (default VLAN - better never use it) as untagged.

    On pfsense VLAN1 is always untagged and VLAN2 is tagged (you did that). Then you connect pfsense and HP switch through the trunk port.

    Now you must configure another port on the switch - let's say port 8 - to be an untagged port for VLAN2.

    So I would suggest the following:

    • Never use VLAN1, which is the default VLAN on pfsense and on many switches.
    • If you need two VLANs or more, then create them on pfsense like VLAN 2+3 or 10+20.
    • Assign both newly created VLANs on pfsense an interface on em1.
    • On the HP switch configure port 1 as a tagged member of VLAN2+3 or 10+20.
    • On the HP switch configure port 8 as an UNtagged member of VLAN2 or 10.
    • On the HP switch configure port 9 as an UNtagged member of VLAN3 or 20.
    • Connect pfsense em1 NIC with HP switch port 1.
    • Assign different IP address subnets for the two new VLAN interfaces on pfsense.
    • Enable DHCP server on both new VLAN interfaces.
    • Set allow "any to any" firewall rules on the two new pfsense VLAN interfaces.
    • Connect a computer to the HP switch and test your setup.
    • Connect a computer to the ports on

    Hey there Nachtfalke,

    I really appreciate that you took time out to reply, using your advice I figured out the problem!  :)
