VLAN



  • Dear all !!!

    I have been running pfSense 2.1.4-RELEASE. I want to create VLANs for use in my school, but it doesn't work. First I have
    LAN IP = 192.168.1.2/24
    VLAN 1 = 172.16.1.254/24
    VLAN 2 = 172.16.2.254/24
    VLAN 3 = 172.16.3.254/24

    On the Cisco switch I have configured
    port 24 = switchport mode trunk
    port 1= switchport access vlan 1
    port 2= switchport access vlan 2
    port 3= switchport access vlan 3

    but it is not working. Please help, how can I do it?
    :-\ :-\ :-\ :-\ :-\ :-\ :-\



  • You have DHCP setup for each of your VLAN interfaces right?



  • You have to consider your interfaces.

    On your PF… Did you dedicate one physical interface for each subnet, or did you bind all your VLAN interfaces to the LAN interface?

    If the first choice, you should use an access untagged configuration on the switch for each connected port and no VLAN on PF.
    If the second choice, you should use Trunk mode (but you'd better use General mode and define all your VLANs for the connected port) on the switch port to which you connect your PF LAN interface, i.e. the VLANs are carried through the same physical interface (generally the LAN interface).

    It looks like you didn't understand how VLANs work and what they are used for... Have a look at white papers or at the Definitive pfSense Guide.

    good luck



  • Thanks for your answer, but I use the LAN interface as the parent of the VLAN interfaces, I use trunk mode on the Cisco 2960G switch, and I assign ports to the VLANs that I created in PF… but it doesn't work. I don't know why. For the DHCP server on the VLANs, I already enabled it on all VLANs; it still seems not to work, the same as before.



  • Switch from Trunk to General.

    Don't use tagged AND untagged VLANs on the same interface: pfSense doesn't like it and you might end up with poor throughput between VLANs. No VLAN or fully tagged VLANs.



  • @AIMS-Informatique:

    Switch from Trunk to General.

    Don't use tagged AND untagged VLANs on the same interface: pfSense doesn't like it and you might end up with poor throughput between VLANs. No VLAN or fully tagged VLANs.

    I have one question about this. What if I have an unmanaged switch? Then wouldn't an untagged VLAN be necessary if I want somebody to easily connect to my switch?



  • It's nonsense to configure VLANs on a PF that connects to a switch that doesn't support them…
    Anyway, if you configured any VLAN on the PF interface, you have to set them all to tagged. Otherwise you will find very poor throughput performance when communicating inter-VLAN.

    Concerning unmanaged switches, know that some keep the VLAN tagging in IP headers, but some just drop the packet. It depends on the features your small switch handles. Test with Wireshark to figure it out.

    But no, do not mix tag and untagged VLAN on the same PF interface !
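    The "test with Wireshark" suggestion above comes down to one question: does a frame arriving at the far side still carry its 802.1Q tag, or not? As an added example (not code from this thread or from pfSense), the script below builds constructed tagged and untagged Ethernet frames and parses the tag fields (TPID, PCP, DEI, VID) exactly as they sit on the wire, so you can see what "tagged" versus "untagged" means byte for byte, and reuse `parse_frame` on raw frames pulled from a capture. The addresses and payload are made up; the field layout follows IEEE 802.1Q and 802.1ad (outer QinQ tag), and a chain of tags is walked in order.

```python
import struct

# Ethertype / TPID values from IEEE 802.1Q and 802.1ad.
TPID_8021Q = 0x8100     # customer (C-) tag
TPID_8021AD = 0x88A8    # service (S-) tag, the outer tag in QinQ
ETHERTYPE_IPV4 = 0x0800

# Constructed sample addresses (not taken from any real capture).
DST = bytes.fromhex("001122334455")
SRC = bytes.fromhex("00aabbccddee")


def build_frame(vlan_id=None, pcp=0, ethertype=ETHERTYPE_IPV4,
                payload=b"\x45" + b"\x00" * 19):
    """Build a constructed Ethernet frame; insert an 802.1Q tag when vlan_id is given."""
    header = DST + SRC
    if vlan_id is not None:
        if not 0 <= vlan_id <= 4094:
            raise ValueError("VID must be 0..4094 (4095 is reserved)")
        tci = ((pcp & 0x7) << 13) | (vlan_id & 0x0FFF)   # PCP(3) | DEI(1) | VID(12)
        header += struct.pack("!HH", TPID_8021Q, tci)
    return header + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Walk the Ethernet header and collect every 802.1Q/802.1ad tag in order.

    Returns the addresses, the list of tags (empty when the frame is untagged),
    the inner ethertype and the offset at which the payload starts.
    """
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    offset, tags = 12, []
    while True:
        if len(frame) < offset + 2:
            raise ValueError("truncated frame: missing ethertype")
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        if ethertype not in (TPID_8021Q, TPID_8021AD):
            break                      # reached the real payload ethertype
        if len(frame) < offset + 4:
            raise ValueError("truncated frame: missing TCI")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        tags.append({
            "tpid": ethertype,
            "pcp": tci >> 13,          # 3-bit priority code point
            "dei": (tci >> 12) & 0x1,  # drop eligible indicator
            "vid": tci & 0x0FFF,       # 0 means priority-tagged, no VLAN membership
        })
        offset += 4
    return {"dst": dst.hex(":"), "src": src.hex(":"), "tags": tags,
            "ethertype": ethertype, "payload_offset": offset + 2}


def vlan_of(frame):
    """Return the outermost VID, or None when the frame carries no VLAN tag."""
    tags = parse_frame(frame)["tags"]
    return tags[0]["vid"] if tags else None


if __name__ == "__main__":
    for f in (build_frame(), build_frame(100, pcp=5)):
        info = parse_frame(f)
        label = "untagged" if not info["tags"] else f"tagged VID {info['tags'][0]['vid']}"
        print(label, hex(info["ethertype"]), "payload at byte", info["payload_offset"])
```

A frame whose `tags` list is empty is what an access port (or a tag-stripping unmanaged switch) delivers; a tagged frame on a port that expects untagged traffic is the mismatch the thread is warning about.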


  • Netgate

    @AIMS-Informatique:

    Switch from Trunk to General.

    Don't use tagged AND untagged VLANs on the same interface: pfSense doesn't like it and you might end up with poor throughput between VLANs. No VLAN or fully tagged VLANs.

    Why are you telling him to switch from trunk to general then not mix tagged and untagged traffic?

    IIRC, general mode ports are Cisco's way of mixing tagged and untagged. Trunk ports are strictly tagged.

    You want to get away from using VLAN1.  That's probably causing all your problems.  VLAN1 cannot be trunked/tagged with any expectation of reasonable, consistent behavior across platforms.

    Change your VLANS to 2,3,4 or 100,200,300, or 101,102,103, or ?? - VLANs between 2 and 4094.

    Explicitly tag the traffic out of the cisco with something like

    switchport trunk allowed vlan add 100,200,300

    If your pfsense physical interface is em0, don't assign pfSense interfaces to it.  Only assign them to VLAN interfaces like em0_vlan100.



  • Why are you telling him to switch from trunk to general

    This is due to the way some switches understand and handle this specific Trunk mode. And no, Trunk isn't like General, as a Trunk would assume to carry and forward all VLANs, even those not configured. So the behavior of a Trunk is slightly different. Generally a Trunk config will be necessary if you plan to enable GVRP.
    Plus, from my point of view, it is better to know your network and set up only what is needed.

    For instance, we had throughput and weird bugs (VLAN passed then blocked, then passed, then…) with Dell & HP & TP-Link L2 manageable switches, with Trunk configs on PF. Gone with General configuration.

    But maybe Cisco handles it good ? Not keen on Cisco...

    then not mix tagged and untagged traffic.

    Because you will end up with poor performance routing between VLANs (that's the case on ALIX PF + HP switch and APU PF + HP switch).

    If your pfsense physical interface is em0, don't assign pfSense interfaces to it.  Only assign them to VLAN interfaces like em0_vlan100.

    Very Very Very True !

    You want to get away from using VLAN1

    Yes Yes Yes and YES! VLAN 1 is very specific in the Cisco world. Your VLAN 1 is considered by Cisco as a default (or can be Management) VLAN and you can't play much with it (delete it, for example)…
    Consider building another VLAN for your regular "DATA interface".


  • Netgate

    @AIMS-Informatique:

    Why are you telling him to switch from trunk to general

    This is due to the way some switches understand and handle this specific Trunk mode. And no, Trunk isn't like General, as a Trunk would assume to carry and forward all VLANs, even those not configured. So the behavior of a Trunk is slightly different. Generally a Trunk config will be necessary if you plan to enable GVRP.
    Plus, from my point of view, it is better to know your network and set up only what is needed.

    It is true that Cisco's switchports in trunk mode can carry all VLANs, but you can also limit them to specific VLANs with "switchport trunk allowed vlan add XXX,YYY,ZZZ" like I described. This has the effect of making the trunk port only forward traffic for the allowed VLANs and discarding any received frames tagged for unconfigured VLANs.
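    The advice in the two Netgate posts above (avoid VLAN 1, use IDs between 2 and 4094, assign pfSense interfaces only to the VLAN children and never to the bare parent NIC, and restrict the trunk with "switchport trunk allowed vlan add ...") is easy to check mechanically. The script below is an added example, not something from the thread or from pfSense: `parse_allowed_vlans` reads the Cisco-style allowed list (single IDs and ranges), and `check_vlan_plan` cross-checks a hypothetical pfSense plan (a dict of VLAN interface names to VIDs on a parent such as `em0`, plus whether `em0` itself is assigned) against that list and reports every deviation from the thread's recommendations. The sample plans in the `__main__` block are constructed to mirror the original post (VLANs 1, 2, 3 with LAN on the same NIC) and the corrected layout (100, 200, 300).

```python
import re

USABLE_VLANS = range(2, 4095)   # 2..4094; VLAN 1 is Cisco's default/management VLAN


def parse_allowed_vlans(spec):
    """Parse the list syntax of 'switchport trunk allowed vlan ...', e.g. '100,200,300' or '10-20,30'."""
    allowed = set()
    for part in spec.replace(" ", "").split(","):
        if not part:
            continue
        m = re.fullmatch(r"(\d+)(?:-(\d+))?", part)
        if not m:
            raise ValueError(f"bad VLAN list element: {part!r}")
        lo = int(m.group(1))
        hi = int(m.group(2) or lo)
        if not 1 <= lo <= hi <= 4094:
            raise ValueError(f"VLAN range out of bounds: {part!r}")
        allowed.update(range(lo, hi + 1))
    return allowed


def check_vlan_plan(pf_vlans, parent_assigned, switch_allowed, parent="em0"):
    """Cross-check a pfSense VLAN plan against the switch trunk port facing it.

    pf_vlans:        {interface name: VID} for the 802.1Q children of `parent`
    parent_assigned: True if the bare parent NIC is itself assigned (e.g. as LAN)
    switch_allowed:  set of VIDs allowed on the trunk port toward pfSense
    Returns a list of findings; an empty list means the plan follows the thread's advice.
    """
    findings = []
    if parent_assigned:
        findings.append(f"{parent} is assigned as an interface itself; move that network into "
                        f"its own VLAN so {parent} carries tagged frames only")
    seen = {}
    for name, vid in pf_vlans.items():
        if vid == 1:
            findings.append(f"{name}: VLAN 1 is the default/management VLAN on Cisco; "
                            f"pick an ID between 2 and 4094")
            continue
        if vid not in USABLE_VLANS:
            findings.append(f"{name}: VLAN {vid} is outside 2-4094")
            continue
        if vid in seen:
            findings.append(f"{name}: VLAN {vid} is already used by {seen[vid]}")
        seen[vid] = name
        if vid not in switch_allowed:
            findings.append(f"{name}: VLAN {vid} is not allowed on the trunk; add it with "
                            f"'switchport trunk allowed vlan add {vid}'")
    # "Set up only what is needed": flag allowed VLANs that nothing on pfSense uses.
    for vid in sorted(switch_allowed - set(pf_vlans.values())):
        findings.append(f"VLAN {vid} is allowed on the trunk but has no pfSense VLAN interface")
    return findings


if __name__ == "__main__":
    # Constructed plan resembling the original post: LAN on em0 plus VLANs 1, 2, 3.
    original = {"VLAN1": 1, "VLAN2": 2, "VLAN3": 3}
    for line in check_vlan_plan(original, parent_assigned=True, switch_allowed={1, 2, 3}):
        print("original plan:", line)
    # Corrected plan: nothing on bare em0, VLANs 100/200/300 matching the trunk's allowed list.
    fixed = {"DATA": 100, "LAB": 200, "GUEST": 300}
    print("fixed plan findings:",
          check_vlan_plan(fixed, parent_assigned=False,
                          switch_allowed=parse_allowed_vlans("100,200,300")))
```

The check is deliberately strict in the direction the thread argues: a plan passes only when the parent NIC carries nothing but tagged VLAN children, every VID is in 2..4094, and the pfSense VLAN set and the trunk's allowed list match exactly.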