Routing based on vlan

  • We want to plug some hotspots into our network. Traffic from the hotspots should go over WAN2 because of an accounting router. All traffic comes in on 1 LAN port:

    nfe0 --> LAN
    igb0 --> WAN1 --> internet
    igb1 --> WAN2 --> accounting --> internet

    The hotspot supports vlan, so I decided to give vlan a chance. I tried to set up vlan, but nothing works. Here was my setup:

    I added a vlan (VLAN0) interface with nfe0 (LAN) as parent. Then I activated the new vlan in interfaces and gave this a fixed ip address.

    After that I made a firewall rule. All traffic to VLAN0 should go to gateway WAN2.

    When I set up a test laptop with vlan I am able to ping the ip address from VLAN0, but nothing more. Without the vlan tag on the laptop, I cannot ping VLAN0.

    Is it possible to use LAN for tagged (vlan) and untagged traffic? If yes, should I make an extra rule/config for untagged traffic?

    Does the WAN2 need some extra configuration?

  • Yes, I believe that a mix of tagged and untagged traffic should work. I did this for a short time when learning VLAN setup a while ago, and remember it working (now I just have configs with trunk port on pfSense that does not look for untagged).
    Why do you need a VLAN tag on the laptop? I expected that the hotspot AP device is set up to tag all the packets from devices connected to it.
    What is the real VLAN number you are using? Don't use 0/1.
    Where did you add the firewall rule? Should be to VLAN0 interface, with something like "pass source VLAN0net destination any gateway WAN2"

  • Thanks for the reply.

    I added the firewall rule as you described. I tried to get vlan on my laptop working since the Hotspot didn't work.

    I used VLAN number 20.

    Is there a way to test if any packet arrived at the router?

  • Is there a way to test if any packet arrived at the router?

    Diagnostics->Packet Capture
    Listen on the VLAN0 interface, then go looking on the ordinary LAN untagged interface.

  • Thank you. I will do a capture to see if any packet arrives.

  • I did a lot of testing, and it turned out that I had to leave the ethernet port from the hotspot alone, and switch on vlan on the wifi part of the hotspot.
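
The packet-capture check suggested in the thread comes down to whether frames reaching the parent LAN interface carry an 802.1Q tag with VLAN ID 20. The following is an added example, not part of the original posts: a Python classifier for raw Ethernet frames. It assumes the capture keeps the tag intact, and the frames, MAC addresses and helper names are constructed for illustration.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q VLAN tag

def classify_frame(frame: bytes):
    """Return (vlan_id, ethertype); vlan_id is None for an untagged frame."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != TPID_8021Q:
        return None, ethertype
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, inner = struct.unpack_from("!HH", frame, 14)
    return tci & 0x0FFF, inner  # low 12 bits of the TCI are the VLAN ID

def summarize(frames, expected_vid):
    """Count what actually arrives: expected VLAN, other VLAN, untagged, malformed."""
    counts = {"expected_vlan": 0, "other_vlan": 0, "untagged": 0, "malformed": 0}
    for frame in frames:
        try:
            vid, _ = classify_frame(frame)
        except ValueError:
            counts["malformed"] += 1
            continue
        if vid is None:
            counts["untagged"] += 1
        elif vid == expected_vid:
            counts["expected_vlan"] += 1
        else:
            counts["other_vlan"] += 1
    return counts

def build_frame(vid=None, ethertype=0x0800, pcp=0):
    """Constructed sample frame: dummy MACs, optional 802.1Q tag, zero payload."""
    header = bytes.fromhex("020000000001") + bytes.fromhex("020000000002")
    if vid is not None:
        header += struct.pack("!HH", TPID_8021Q, (pcp << 13) | vid)
    return header + struct.pack("!H", ethertype) + b"\x00" * 46

# Constructed capture: two frames on VLAN 20, one untagged, one on VLAN 30, one runt.
SAMPLE_CAPTURE = [build_frame(20), build_frame(20, pcp=5), build_frame(),
                  build_frame(30), b"\x00" * 10]

if __name__ == "__main__":
    print(summarize(SAMPLE_CAPTURE, expected_vid=20))
```

A capture from the hotspot that shows only untagged frames means the device is not tagging on that port, so the traffic lands on the ordinary LAN rules instead of the VLAN rule that routes to WAN2.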

