PfSense VM & VLAN difficulties



  • I found several topics on this with similar difficulties, but none that quite fit my situation.

    In my home lab, pfSense is running as a VM on VMware ESXi.  The VMware network config is very basic:  1 LAN switch to which all VMs are connected and 1 WAN switch to which only the pfSense VM is connected (each of these correlates to a dedicated port on a 4-port Intel NIC).

    All of my physical devices plug into an HP Procurve 1810-8G v2 switch.  There are two VLANs; the default '1'  (I know, I'll change it later once I get this working) & '20'.  Every device is untagged on VLAN1 except for port 7, which is untagged on VLAN20 & tagged on VLAN1 (this should probably be untagged in the end, but I tagged it for troubleshooting purposes); I have a laptop connected to that port via an Intel i-217-V NIC.  The VMware box (and thus the pfSense VM) is connected to port 1, which is also tagged with VLAN20.

    pfSense has VLAN 20 with a parent interface of the LAN NIC.  An Optional interface is tied to that VLAN.  That Optional interface runs on 192.168.20.1/24.  The main LAN interface is 192.168.1.1/24.  I have created an ANY<–>ANY rule for VLAN20.  I created the same rule for the LAN just in case.  pfSense has a DHCP server set up for VLAN20, though I have tried setting a static IP on the laptop as well in case that wasn't working properly.

    Any machine on VLAN1 (192.168.1.1/24) can ping the default gateway of VLAN20 (192.168.1.1).  However, the laptop plugged into port 7 of the switch receives no network traffic at all (except for the switch's LLDP multicast packets).  Switching the laptop's port (7) to untagged on VLAN1 brings it right back onto the network.

    What am I missing here?  I am happy to supply more information, just let me know what you'd need.

    Edit:  Adding some screenshots of the configs for reference:

    Imgur Album:
    http://imgur.com/a/R9Lyy


  • Netgate Administrator

    You've already said you know but I'm going to say it anyway:  ;)
    Don't ever use '1' as a VLAN tag. The switch uses that internally to represent what would otherwise be untagged traffic. If you use it as a real tag things get unpredictable.
    Try to avoid having tagged and untagged traffic on the same NIC. If you want to use your switch to divide the traffic between two interfaces it's better to have two VLAN interfaces than to have one VLAN and one untagged.

    In your setup port 1 is your 'trunk' port (a Cisco term but almost universally used). It's not configured as such though.
    You should have VLAN_20 tagged on port 1, untagged on port 7 and excluded/unused from all other ports.
    VLAN_1 should be untagged on every port except 7 where it should be excluded.

    You might also consider handling the VLANs in ESXi rather than passing them through to pfSense. Some people have found that to be a better solution.

    Steve



  • If you are trying to use tagged interfaces in a VM you need to have your vSwitch in vSphere set to vLAN 4095.
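    The two points made above (Steve's trunk/access membership rules for the 1810, and Jason's note that the ESXi port group must be set to VLAN 4095 for tags to reach the guest) can be traced with a small model. The block below is an added example written for this thread; it is not code from the original posters, from pfSense or from ESXi. The switch model, the port names `port1`..`port8`, the `ORIGINAL` and `FIXED` membership tables and the frames it traces are constructed to match the situation described in the first post, and the ESXi behaviour is reduced to the three cases a standard port group has (VLAN 0, a VID in 1-4094, and 4095).

```python
"""802.1Q port-based VLAN membership on a small managed switch, plus the
ESXi standard port-group VLAN setting that decides whether a tagged frame
reaches the pfSense guest. Added example for this thread; not the poster's
configuration and not pfSense/ESXi code. Port names, membership tables and
traced frames are constructed to mirror the first post."""
from dataclasses import dataclass, field


@dataclass
class Port:
    # VLANs carried untagged (at most one on an 1810-class switch; that VLAN
    # is also the PVID assigned to untagged frames arriving on the port).
    untagged: set = field(default_factory=set)
    # VLANs carried with an 802.1Q tag.
    tagged: set = field(default_factory=set)

    @property
    def pvid(self):
        if len(self.untagged) > 1:
            raise ValueError("a port can be untagged in only one VLAN")
        return next(iter(self.untagged), None)


def forward(switch, ingress, tag):
    """Egress map {port: vid-or-None} for a frame entering `ingress` with
    802.1Q VID `tag` (None = untagged). Ports that are not members of the
    frame's VLAN do not receive it; a tagged frame whose VID the ingress
    port does not carry is dropped at ingress."""
    src = switch[ingress]
    vid = src.pvid if tag is None else tag
    if vid is None or (tag is not None and tag not in src.tagged):
        return {}
    out = {}
    for name, port in switch.items():
        if name == ingress:
            continue
        if vid in port.untagged:
            out[name] = None          # access side: tag stripped
        elif vid in port.tagged:
            out[name] = vid           # trunk side: tag kept
    return out


def portgroup_delivers(pg_vlan_id, tag):
    """(delivered, tag_seen_by_guest) for an uplink frame carrying `tag`
    arriving at a vSwitch port group with VLAN ID `pg_vlan_id`:
    0      no VLAN handling, untagged frames only
    1-4094 VST: only that VID, handed to the guest untagged
    4095   VGT: everything passes with the tag intact, which is what a
           VLAN sub-interface inside the pfSense VM needs to see."""
    if pg_vlan_id == 4095:
        return True, tag
    if pg_vlan_id == 0:
        return tag is None, None
    return tag == pg_vlan_id, None


def check_trunk_access(switch, trunk, access, vid):
    """Steve's rule for one VLAN: tagged on the trunk, untagged on the access
    port, absent everywhere else, and the access port carries nothing else
    (a plain host NIC silently drops tagged frames). Returns problems found."""
    problems = []
    for name, port in switch.items():
        if name == trunk and vid not in port.tagged:
            problems.append(f"{name}: VLAN {vid} must be tagged on the trunk")
        elif name == access:
            if port.untagged != {vid}:
                problems.append(f"{name}: must be untagged in VLAN {vid} only")
            if port.tagged:
                problems.append(f"{name}: also tagged in {sorted(port.tagged)}; "
                                "a plain host drops those frames")
        elif name != trunk and vid in port.untagged | port.tagged:
            problems.append(f"{name}: VLAN {vid} should be excluded here")
    return problems


def laptop_to_pfsense(switch, pg_vlan_id):
    """Trace the laptop's untagged frame: port7 -> switch -> port1 (trunk)
    -> ESXi port group -> pfSense vNIC."""
    hops = forward(switch, "port7", None)
    if "port1" not in hops:
        return False, None
    return portgroup_delivers(pg_vlan_id, hops["port1"])


# Constructed: the first post's switch (port7 untagged 20 and tagged 1).
ORIGINAL = {
    "port1": Port(untagged={1}, tagged={20}),
    "port7": Port(untagged={20}, tagged={1}),
    **{f"port{n}": Port(untagged={1}) for n in (2, 3, 4, 5, 6, 8)},
}
# Constructed: the membership Steve describes (port7 untagged 20 only).
FIXED = {
    "port1": Port(untagged={1}, tagged={20}),
    "port7": Port(untagged={20}),
    **{f"port{n}": Port(untagged={1}) for n in (2, 3, 4, 5, 6, 8)},
}

if __name__ == "__main__":
    print(check_trunk_access(ORIGINAL, "port1", "port7", 20))
    print(check_trunk_access(FIXED, "port1", "port7", 20))
    for pg in (0, 20, 4095):
        print("port group VLAN", pg, "->", laptop_to_pfsense(FIXED, pg))
```

Tracing `FIXED` shows the laptop's frame leaving the trunk tagged 20 and only reaching the guest intact when the port group is 4095; with VLAN 0 it is dropped, and with VLAN 20 it arrives untagged, which the pfSense LAN interface would see rather than the VLAN 20 sub-interface. Tracing `ORIGINAL` also shows why tagging VLAN 1 on port 7 is unhelpful: VLAN 1 broadcasts reach the laptop carrying a tag that an unconfigured NIC discards.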



  • @stephenw10:

    You've already said you know but I'm going to say it anyway:  ;)
    Don't ever use '1' as a VLAN tag. The switch uses that internally to represent what would otherwise be untagged traffic. If you use it as a real tag things get unpredictable.
    Try to avoid having tagged and untagged traffic on the same NIC. If you want to use your switch to divide the traffic between two interfaces it's better to have two VLAN interfaces than to have one VLAN and one untagged.

    In your setup port 1 is your 'trunk' port (a Cisco term but almost universally used). It's not configured as such though.
    You should have VLAN_20 tagged on port 1, untagged on port 7 and excluded/unused from all other ports.
    VLAN_1 should be untagged on every port except 7 where it should be excluded.

    You might also consider handling the VLANs in ESXi rather than passing them through to pfSense. Some people have found that to be a better solution.

    Steve

    Yeah, I know.  I've never set up VLANs on an HP switch nor on pfSense, so I figured I'd try to change as little as possible at first until I get it working.  My goal here is to be able to restrict traffic based on the port it's plugged into on the switch, then control that flow/access with pfSense.  I have a project coming up where some A/V equipment will be plugged into the same switch as servers/workstations; I'll want to separate that traffic out onto its own VLAN.  That's what I'm trying to simulate here.

    I will set port 7 to be untagged on VLAN20 and excluded from the other VLAN.  All other ports are excluded from VLAN20 and untagged on VLAN1.  As you advised, port 1 is untagged on VLAN1 and tagged on VLAN20.

    I will definitely be breaking up the switches in VMware to VLAN that traffic as well.  I figured that baby steps are best for now.  Once I see this working with this basic scenario, I'll have the confidence to start carving up my traffic elsewhere.

    Thanks again, I'll report back once I get to spend some time with this on Monday.



  • @Jason:

    If you are trying to use tagged interfaces in a VM you need to have your vSwitch in vSphere set to vLAN 4095.

    Sounds like that was the little something I was missing.  I figured it had something to do with pfSense as a VM guest, just couldn't seem to find what it was.  I was planning on standing up pfSense as a physical box if I didn't have any progress by Monday, just to see if taking it out of VMware sorted out the issues; figured it would help point me in the right direction.

    I'll set the LAN switch in VMware to vLAN 4095 & see what happens.  Will report back Monday when I get to give it a shot.



  • You gentlemen are geniuses, thank you very much.  This is working as-intended now.

    Both of you, please PM me an email address or something so I can send you some beer money.


  • Netgate Administrator

    No problem, your thanks is enough.  :)
    I think Jason's catch was probably the showstopper anyway.
    Enjoy playing with pfSense!

    Steve