VLANS, Cisco, configuring oh my!
I have been running pfsense 2.1.4-RELEASE on a Watchguard Firebox for awhile and have now run into the wall of my lack of knowledge. I have 4 interfaces active which is my LAN, Wifi (connected to Ubiquiti equipment), Phone (courtesy of Asterisk), and recently cameras. All of the end devices have been connected to individual unmanaged switches with a connect from the switch connected to the pfsense interface. This is getting a little too unwieldy, so I thought I would connect all of the devices to my cisco catalyst 2950. This has been very unsuccessful.
I created VLANS on the Cisco called VLAN 5 (LAN), VLAN 10 (DMZ, although not used at this time), VLAN 120 (Wifi), VLAN 130 (Phones) and VLAN 140 (cameras). Of course there is the default VLAN 1. I assigned the various ports (4 to a VLAN group) and thought I was ready for prime-time. Needless to say, one I started things, nothing was going through the internet, and I was lucky that I hadn't written the configuration or else I wouldn't be able to post.
If someone is will willing, can you show the correct way to setup this Cisco switch. I am thinking that every thing failed because I didn't set up VLANs on the pfsense side, but I could be wrong. My thought was that I was suppose to set up the Cisco with the various VLANS, then come and create VLANS on the pfsense side, and everything would mesh properly. I use Cisco stuff infrequently, and the last time I really used any cisco eq was about 10 years ago.
Any pointers would be greatly appreciated!
you don't have to tag if you don't want too, just set vlan access
switchport access vlan 20
for the vlans you want to use. Now if they go down a trunk you would tag.
But sure if you tag, then you would have to setup the vlans on pfsense. Can you post your config you did on your ports.
Since I posted, I have made a couple of changes that seem to be working, but I am sure that I am going about this the wrong way.
LAN (re1) 192.168.5.1/24 VLAN 5
DMZ (re5) 192.168.110.1/24 VLAN 110
PBX (re3) 192.168.130.1/24 VLAN 130
CAMS (re4) 192.168.140.1/24 VLAN 140
On the Cisco side, I added the VLANs to the database
TNALsw01# vlan database
TNALsw01# vlan 5 name "LAN"
TNALsw01# vlan 110 name "DMZ"
TNALsw01# vlan 130 name "PBX"
TNALsw01# vlan 140 name "Cameras"
Then added ports to the respective VLANs
TNALsw01# conf term
TNALsw01(config)# interface FastEthernet 0/5
TNALsw01(config-if)#switchport mode access
TNALsw01(config-if)#switchport access vlan 5
and processed to do that for all ports and all vlans, so it looks like this:
VLAN Name Status Ports
–-- -------------------------------- --------- -------------------------------
1 default active Fa0/1, Fa0/2, Fa0/3, Fa0/4, Fa0/21, Fa0/22, Fa0/23, Fa0/24
5 LAN active Fa0/5, Fa0/6, Fa0/7, Fa0/8
110 DMZ active Fa0/9, Fa0/10, Fa0/11, Fa0/12
120 Wifi active
130 Phones active Fa0/13, Fa0/14, Fa0/15, Fa0/16
140 Cameras active Fa0/17, Fa0/18, Fa0/19, Fa0/20
At this point, on the pfsense side, I went to INTERFACES|(assign)|VLAN and created VLAN interfaces that reflected the above. So when I plugged my server into port 6 on the switch, lo and behold I was connected to the net (I also plugged the re1 interface into port 5 on the switch). I did notice that I am not able to connect with VLAN 1 from my VLAN 5, and for that matter don't really know to access VLAN 1 since there is nothing plugged into any port. That is somewhat problematic since I am not able to ssh into the console interface on the cisco. I got around that by just pulling out my cable from my VLAN 5 (server and interface) and plugging them into ports 1 and 2.
Cisco VLAN 1
ip address 192.168.5.2 255.255.255.0
no ip route-cache
ip default-gateway 192.168.5.1
ip http server
Does that clear up the configuration or was that TMI!
well your IP is in vlan 1 - so you would need a port that has vlan 1 access to access it yes. But if your not tagging the vlans and they are native there is no need to create the vlans in pfsense. That would only be required if you have more than 1 vlan going to a physical interface and or tagged, etc.
I would have thought at I needed the separation. Each interface is assigned on the watchguard box. For instance, the PBX is connected to the pfsense box (re3) with an IP address of 192.168.130.1. I have the PBX box with an IP address of 192.168.130.250, the analog gateway at 192.168.130.254 and a sip phone 192.168.130.251. Besides trying to consolidate all the devices on one switch, I would have thought that I would have started to do some tagging especially when I jump into doing QoS. Or am I over doing what needs to be done. I know for instance that I need to have the cameras detached because I am not trying to have all of my users trying to access and view the cameras. I further thought that the purpose of tagging was help with the prioritizing traffic. First and formost I want to consolidate all of the devices on switch (I am not doing any trunking or anything that advanced). I do need to separate the various areas, hence the DMZ, Wifi, Camera segments. But I need to make sure that I am not over complicating things!
Does pfsense have an interface for each segment, or are you using just 1 physical interface for all of these segments?
I took it from
I have 4 interfaces active which is my LAN, Wifi (connected to Ubiquiti equipment)
That you you had a different physical interface for each segment - if that is the case you can use native vlan for your ports and do not really have to tag. If your using just 1 physical interface then yeah you would tag.
As to QoS - what trunk are you running. You make no mention of a trunk where you would want to pri traffic over that trunk and need tagging, etc.
Either way is fine tag or untagged native, etc. Just it makes is cleaner and easier - atleast to me if you not having to worry about the tagging on pfsense, etc. I like physical segments over vlans personally.
I have a sim sort of setup where I have multiple segments, and I wanted to put some stuff on a different segment and didn't want to run a new run and new switch, etc. so I replaced the dumb switch I had there and trunked the 2 vlans I needed at the location and then just setup the ports on that switch as untagged for the vlans they were in - the switch tags the traffic when it goes down the trunk and then when gets to other switch tags are removed as they access the ports in those vlans, etc.
Pfsense has 2 physical interfaces connected to that switch, each interface in its own native vlan without tagging.
There are always multiple ways to skin the cat ;)
I agree with Jon here.
You are using the Cisco switch to replace four unmanaged switches. You are using VLANs internally in the switch to separate it into what is effectively four discrete switches. This should mean that there are no tagged packets entering or exiting the switch and there is no VLAN setup required in pfSense. This has the advantage that you can move ports on the switch between subnets just using a config change and that it's easy to add VLAN interfaces in pfSense if you ever need more than 6. The disadvantages of such a setup are that everything has to be in one physical location (probably not a problem for you) and that it's very easy to get the switch config wrong resulting in ports on the wrong group or communication between the subnets.