Netgate Discussion Forum

    PfSense and Netgear GS724Tv4 VLAN

    General pfSense Questions
elliotcater

      Hi

I've been using pfSense on an ALIX board to handle our multi WAN setup for quite a while now but we have expanded and taken over another part of our building that has its own network and DSL connection with DHCP server (10.0.1.0/24).  We have managed to drop a cat6 cable to this new part of the building in the hope we can join our networks together and reach each other's hosts.

      This new network has a Netgear GS724Tv4 switch with VLAN capability - I was hoping to use this along with our pfSense box to connect the two subnets.

      I have created a static "VLAN 10" on the netgear switch and assigned port 24 (Tagged). Ports 1-23 are untagged and assigned only to the default "VLAN 1".

      On pfSense I have created the VLAN (using vr0 which is the same as my LAN) and created an interface assignment for this (OPT2) with IP address 10.0.1.254/24.  I've also added a firewall rule to pass TCP/UDP from OPT2 net to LAN net. The original pfSense LAN subnet is 10.0.0.0/24.

      So in theory should a host on the original network (10.0.0.0/24) now be able to ping a host on the (10.0.1.0/24) and vice/versa - or is there something else I need to configure?

      Please forgive the remedial topology diagram I've attached…
[attached: top.gif]

stephenw10 (Netgate Administrator)

        You have no route setup.
A host on 10.0.0.0/24 will be able to ping a host on 10.0.1.0/24 because pfSense will route the packets onto its VLAN interface which is in that subnet. However the reply will not come back from host2 because it has no route back to the 10.0.0.0/24 subnet. Because it's not on the .0.0 subnet it will send its replies to its gateway which will also not know where to send them.
        You would need to add a route to host2 so that it knows it can access the .0.0 subnet via 10.0.1.254

        Also you probably need to add ports 1-23 as untagged on VLAN10 so that all traffic on the switch is tagged as 10 and able to reach the pfSense box. That's a bit switch dependent though and I don't have one of those.

Also you need to make sure the Netgear switch is ignoring untagged packets arriving at port 24 otherwise you might get both subnets everywhere leading to all sorts of fun and games!

        This is not really the right way to do this. Can the DSL router handle VLANs?

        Steve

Derelict (LAYER 8 Netgate)

          I don't think that'll work for you.

          You probably want that Tagged 10 port going to the unmanaged switch to be untagged.  I wouldn't count on that tag making it through any unmanaged gear and coming out the other side unscathed.  If you want to rely on dot1q, get a dot1q switch.

          Unmanaged switches will do nothing but bite you.  Get a managed switch.  If you can't do that, put the managed switch next to pfSense and put an untagged port out to the unmanaged switch in the other area.

          I would completely ditch the DSL at the other part of the building and, if anything, get another WAN installed to pfSense.  You are not going to have a way for your clients to fail over anyway without a router doing the failing over.

          I would completely eliminate any use of VLAN 1 now.  Just pretend it doesn't exist.  Even if all your ports are untagged on VLAN2, even if you're putting an untagged VLAN2 port into an unmanaged switch, at least you can reliably tag it through to other switches and devices with other VLANs 100% of the time.

          You have decisions to make as to where you want your layer 3 boundaries, if any at all.  Things like SMB networks, DHCP, PXE, etc. need help getting across layer 3 boundaries, but one BIG segment sucks too.  It doesn't look like you're doing anything that can't be on one switched segment, unless there are security concerns you haven't told us about.

          Chattanooga, Tennessee, USA
          A comprehensive network diagram is worth 10,000 words and 15 conference calls.
          DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
          Do Not Chat For Help! NO_WAN_EGRESS(TM)

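Added example (written for this page; not code from any poster, nor anything shipped by Netgear or pfSense): a small Python model of 802.1Q tagging and per-port VLAN membership that plays through the switch points raised in the two replies above. With ports 1-23 untagged in VLAN 1 only, a host frame never reaches port 24; with ports 1-23 untagged in VLAN 10 and port 24 a tagged-only member of VLAN 10, frames leave port 24 carrying tag 10 and untagged frames arriving on port 24 are dropped; and an unmanaged switch floods every frame out every port regardless of tag. The port numbers and VLAN IDs are the thread's. The MAC addresses, payloads and the `accept_untagged` setting name are constructed for the example and stand in for whatever the real switch exposes for ingress filtering.

```python
"""Toy 802.1Q switch: builds tagged/untagged Ethernet II frames and applies per-port
PVID, VLAN membership and ingress filtering. Constructed example, not vendor code."""
import struct

TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800


def build_frame(dst, src, payload, vid=None, pcp=0):
    """Ethernet II frame; inserts a 4-byte 802.1Q tag (TPID + TCI) when vid is given."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    if vid is not None:
        tci = (pcp << 13) | (vid & 0x0FFF)          # PCP(3) DEI(1) VID(12)
        hdr += struct.pack("!HH", TPID_8021Q, tci)
    return hdr + struct.pack("!H", ETHERTYPE_IPV4) + payload


def parse_vid(frame):
    """VLAN ID if the frame carries an 802.1Q tag after the MAC addresses, else None."""
    if struct.unpack("!H", frame[12:14])[0] == TPID_8021Q:
        return struct.unpack("!H", frame[14:16])[0] & 0x0FFF
    return None


def add_tag(frame, vid):
    return frame[:12] + struct.pack("!HH", TPID_8021Q, vid) + frame[12:]


def strip_tag(frame):
    return frame[:12] + frame[16:]


def port(pvid, untagged=(), tagged=(), accept_untagged=True):
    """Per-port config: PVID for untagged ingress, untagged/tagged membership sets,
    and whether untagged frames are admitted at all (constructed setting name)."""
    return {"pvid": pvid, "untagged": set(untagged), "tagged": set(tagged),
            "accept_untagged": accept_untagged}


class ManagedSwitch:
    def __init__(self, ports):
        self.ports = ports

    def ingress(self, in_port, frame):
        cfg = self.ports[in_port]
        vid = parse_vid(frame)
        if vid is None:
            if not cfg["accept_untagged"]:
                return None, "dropped: untagged frame on tagged-only port"
            vid = cfg["pvid"]                        # classify untagged frame by PVID
            frame = add_tag(frame, vid)
        if vid not in cfg["untagged"] | cfg["tagged"]:
            return None, f"dropped: port not member of VLAN {vid}"
        return (vid, frame), "accepted"

    def egress(self, in_port, tagged_frame):
        """Flood to every other member port of the VLAN (no MAC learning in this toy);
        the tag is stripped on untagged members and kept on tagged members."""
        vid = parse_vid(tagged_frame)
        out = {}
        for p, cfg in self.ports.items():
            if p == in_port:
                continue
            if vid in cfg["untagged"]:
                out[p] = strip_tag(tagged_frame)
            elif vid in cfg["tagged"]:
                out[p] = tagged_frame
        return out


def forward(switch, in_port, frame):
    """Returns ({out_port: frame}, reason)."""
    accepted, reason = switch.ingress(in_port, frame)
    if accepted is None:
        return {}, reason
    return switch.egress(in_port, accepted[1]), reason


def unmanaged_flood(num_ports, in_port, frame):
    """Unmanaged switch as Derelict describes it: every frame, tagged or not, is
    repeated unchanged out every other port. Real unmanaged gear varies (some strips
    or drops tagged frames), which is why relying on it for dot1q is a gamble."""
    return {p: frame for p in range(1, num_ports + 1) if p != in_port}


# Constructed sample traffic: a host frame and a pfSense frame already tagged VLAN 10.
HOST_FRAME = build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55", b"host payload")
PFSENSE_FRAME = build_frame("00:11:22:33:44:55", "00:0d:b9:aa:bb:cc", b"pfsense payload", vid=10)
STRAY_FRAME = build_frame("00:11:22:33:44:55", "00:0d:b9:aa:bb:cc", b"wrong vlan", vid=20)

# GS724T as described in the first post: 1-23 untagged in VLAN 1, 24 tagged in VLAN 10.
OP_SWITCH = ManagedSwitch({**{p: port(1, untagged=[1]) for p in range(1, 24)},
                           24: port(1, tagged=[10])})
# As suggested in the replies: 1-23 untagged in VLAN 10, 24 tagged-only and ignoring untagged.
FIXED_SWITCH = ManagedSwitch({**{p: port(10, untagged=[10]) for p in range(1, 24)},
                              24: port(10, tagged=[10], accept_untagged=False)})

if __name__ == "__main__":
    for label, sw in (("as posted", OP_SWITCH), ("as suggested", FIXED_SWITCH)):
        out, why = forward(sw, 5, HOST_FRAME)
        print(f"{label}: host frame on port 5 -> {why}, reaches port 24: {24 in out}")
    print("untagged frame at port 24:", forward(FIXED_SWITCH, 24, HOST_FRAME)[1])
    print("VLAN 20 frame at port 24:", forward(FIXED_SWITCH, 24, STRAY_FRAME)[1])
```

Run it and the "as posted" configuration shows the host frame classified into VLAN 1 and never offered to port 24, which is the symptom behind "ports 1-23 need to be untagged on VLAN 10"; the suggested configuration hands pfSense a frame tagged 10 and refuses untagged frames on the uplink.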
stephenw10 (Netgate Administrator)

            Yeah this looks like a big headache.
            It would almost be easier to setup a VPN via the WANs.  ::)

            @Derelict:

            I wouldn't count on that tag making it through any unmanaged gear and coming out the other side unscathed.

            This is a very good point and it's something I'm always forgetting about. I guess I've just been lucky on a number of occasions.

            Steve

Derelict (LAYER 8 Netgate)

              It can work.  I pass multiple VLANs over MoCA here at the house.  I could swear I had some powerline bridges that would eat VLAN tags.  Found some free time a little later and tested specifically for that and they seemed to work fine so ???

              Biggest problem with it is all your traffic, regardless of VLAN, egresses every port.

              Switches are so cheap it really makes no sense to put up with unmanaged gear in the workplace.  Use the expansion as an excuse to get them to cut loose with about $600 and you'll be able to get a nice set of matching, managed switches - you might even be able to get 48-port gig for that.  Or get another netgear.  I'm not a fan but they'll work well enough.


elliotcater

Thanks for the replies, the DSL comes into a completely different part of the building and I'd really like to keep it as it's a good connection.  The trouble is it's a cable router/modem (Virgin Media in the UK) and as such has no functionality for static routes or pretty much anything useful.

                I can however put this router in Modem only mode so if it's possible I may just buy one of the new gigabit Alix boards and set up static routes instead of messing around with VLANs which all seem overly complex to me for what I want to achieve.

I'd like to keep the new part of the building and the old part on separate subnets so they are using their own WANs and have their own subnets but be able to share files between hosts on the different subnets at Gigabit speed.

The original Alix board is a 2c3 (3x 10/100 NICs) will that act as a bottleneck between the two hosts if I change the topology like attached?

                Many thanks for all the help.

[attached: newtop.gif]

phil.davis

                  I guess these days you will buy an APU, not an Alix. So you will get a bunch more throughput.
                  Since you are going to be routing through a pfSense somewhere to connect the 2 networks, the throughput of the pfSense will be the limiting factor for transferring data between the 2 subnets. If there is an Alix in the path anywhere then the physical limit will definitely be 100Mbps, since Alix does not have Gb ethernet.

                  On the network topology side, it will be much cleaner and easier to control if you connect the 2 pfSense with a cable and separate little subnet. Then add a gateway on each pointing to the other and a static route to get to the network attached at the other end. Then all the clients on each subnet have a single pfSense as their gateway - no trying to mess about having 2 gateways on 1 of the subnets.

Also with a bit of thought you should be able to failover from the WAN on a pfSense to redirect across the little subnet to the other pfSense to get emergency internet if one of the WAN ISPs goes down.

                  As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
                  If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

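Added example (not from any poster in the thread): a Python longest-prefix-match forwarding model that traces a ping in both directions through the original design (pfSense OPT2 at 10.0.1.254 inside the DSL router's subnet, hosts there still defaulting to the DSL router) and through the transit-subnet design phil.davis describes. It shows the asymmetry stephenw10 pointed out in the first reply (the request arrives, the reply leaves via the DSL default route and is lost), the static route on host2 that repairs it, and that with a dedicated /30 between two pfSense boxes each host needs only its one default gateway. The 10.0.0.0/24 and 10.0.1.0/24 subnets and 10.0.1.254 are the thread's; the 10.0.2.0/30 transit link, the 203.0.113.0/30 DSL uplink and the individual host and router addresses are constructed for the example.

```python
"""Hop-by-hop longest-prefix-match forwarding model for the two designs discussed in
this thread. Constructed example; the addresses beyond the thread's two /24s are made up."""
from ipaddress import ip_address, ip_network


class Node:
    """A host or router: its interface addresses plus a static routing table."""

    def __init__(self, name, addrs, connected, static=(), default=None):
        self.name = name
        self.addrs = {ip_address(a) for a in addrs}
        # Connected networks deliver directly (next hop None); static entries go via a gateway.
        self.table = [(ip_network(n), None) for n in connected]
        self.table += [(ip_network(n), ip_address(gw)) for n, gw in static]
        self.default = ip_address(default) if default else None

    def lookup(self, dst):
        """Longest-prefix match; returns (found, next_hop). next_hop None = directly connected."""
        matches = [(net, gw) for net, gw in self.table if dst in net]
        if matches:
            return True, max(matches, key=lambda e: e[0].prefixlen)[1]
        if self.default is not None:
            return True, self.default
        return False, None


def trace(nodes, src, dst, max_hops=8):
    """Forward one packet from src to dst; returns (path of node names, delivered)."""
    by_addr = {a: n for n in nodes for a in n.addrs}
    dst = ip_address(dst)
    node = by_addr[ip_address(src)]
    path = [node.name]
    for _ in range(max_hops):
        if dst in node.addrs:
            return path, True
        found, nh = node.lookup(dst)
        if not found:
            return path, False                  # no route: dropped at this node
        node = by_addr.get(dst if nh is None else nh)
        if node is None:
            return path, False                  # next hop or destination does not exist
        path.append(node.name)
    return path, False                          # hop limit: routing loop


def original_topology(host2_static_route=False):
    """First post's design: pfSense OPT2 (10.0.1.254) lives in the DSL router's subnet,
    but hosts in 10.0.1.0/24 still default to the DSL router at 10.0.1.1 (constructed)."""
    host2_static = [("10.0.0.0/24", "10.0.1.254")] if host2_static_route else []
    return [
        Node("host1", ["10.0.0.10"], ["10.0.0.0/24"], default="10.0.0.1"),
        Node("pfsense", ["10.0.0.1", "10.0.1.254"], ["10.0.0.0/24", "10.0.1.0/24"]),
        Node("host2", ["10.0.1.20"], ["10.0.1.0/24"], host2_static, default="10.0.1.1"),
        Node("dsl_router", ["10.0.1.1", "203.0.113.2"], ["10.0.1.0/24", "203.0.113.0/30"],
             default="203.0.113.1"),
        Node("isp", ["203.0.113.1"], ["203.0.113.0/30"]),  # no route back to RFC 1918 space
    ]


def transit_topology():
    """phil.davis's design: one pfSense per subnet as the only gateway, a transit /30
    between them, and a static route on each for the other's LAN."""
    return [
        Node("host1", ["10.0.0.10"], ["10.0.0.0/24"], default="10.0.0.1"),
        Node("pf1", ["10.0.0.1", "10.0.2.1"], ["10.0.0.0/24", "10.0.2.0/30"],
             [("10.0.1.0/24", "10.0.2.2")]),
        Node("pf2", ["10.0.1.1", "10.0.2.2"], ["10.0.1.0/24", "10.0.2.0/30"],
             [("10.0.0.0/24", "10.0.2.1")]),
        Node("host2", ["10.0.1.20"], ["10.0.1.0/24"], default="10.0.1.1"),
    ]


def round_trip(nodes, a, b):
    """A ping needs both directions to deliver; returns (forward, back, works)."""
    fwd = trace(nodes, a, b)
    back = trace(nodes, b, a)
    return fwd, back, fwd[1] and back[1]


if __name__ == "__main__":
    for label, nodes in (("original", original_topology()),
                         ("original + host2 route", original_topology(True)),
                         ("transit subnet", transit_topology())):
        fwd, back, ok = round_trip(nodes, "10.0.0.10", "10.0.1.20")
        print(f"{label:24} -> {fwd[0]}  <- {back[0]}  ping works: {ok}")
```

The first run ends with the reply at `isp`: host2 has no entry for 10.0.0.0/24, so it hands the reply to the DSL router, whose only remaining match is its default route upstream. Adding the route on host2 works but has to be repeated on every host in that subnet; the transit design keeps the routing knowledge on the two pfSense boxes.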
stephenw10 (Netgate Administrator)

                    Yep, that ^. A separate connection that isn't in either subnet is what you really want. However that would mean you route through the ALIX box and are then limited to 100Mbps. Also since you are already using all the NICs on it you need to use VLANs to get the additional interface and hence need a VLAN switch (or luck!).

                    Can you swap the unmanaged and managed switches to give you VLANs where you need them?

                    Also as a note the APU will route at ~350-400Mbps not 1Gbps.

                    Steve

elliotcater

                      I'm now thinking of replacing the original unmanaged switch with one of the same Netgear L2+ switches (GS724Tv4) - apparently because they're both 802.1q aware the hosts on either VLAN/subnet will be able to communicate with each other…

stephenw10 (Netgate Administrator)

                        Yep with that configuration you could easily setup a VLAN that only terminates at each pfSense box and use that as a dedicated connection to route the traffic.

                        Steve

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.