Adding VLAN to LAN adapter breaks management port?
x64v2.1.1 I'm new to understanding how to implement VLAN's. As I begin to define my goal, topology, and hardware implementation limits, I'm hung up on a post I read that stated if a VLAN is added to the Pfsense LAN adapter it will lock you out of the managment PfSense. Is this true or was I misinterpreting a special application?
phil.davis last edited by
If you leave your ordinary LAN as it is, and also add VLANs on that physical interface, then LAN continues to work fine as untagged traffic on that [interface|device|port].
When you plug in your VLAN switch to the port, it needs to then have a trunk port up to pfSense that handles all the VLAN tags you put in pfSense plus allowing untagged traffic (your LAN), and put the untagged traffic to some real VLAN switch port where you can see it.
Then if you want to switch pfSense LAN to be on a VLAN you should first make sure you can manage pfSense through some other VLAN/OPTn that is working fine, and mess with Interfaces->Assign of LAN while logged into the webGUI from OPTn.
I probably made that clear as mud :-\
It can be done - you just have to understand whay VLANs are where (physically and logically) at every step and convince yourself that the next thing you click will not mess up access to the webGUI.
Phil, I guess I am a bit confused. You say VLAN can be added to LAN without impacting untagged LAN traffic. You also suggest managing through a 2nd LAN as though it does or could impact. And that all untagged traffic should be put on another VLAN so I can see it. Do I need to see it? I was hoping I could add a VLAN to the LAN and all untagged and tagged traffic would go out the tagged switch port whereby only the tagged traffic would get peeled off by the switch on the other end of the trunk and route it to the appropriate edge device. Is this not how VLAN's work? I prefer the tagged and untagged would migrate the PfSense rules, shaper and limiter guessing that if putting tagged traffic on a 2nd LAN adapter it would require adding or editing more rules and limiters.
What I'm trying to do is a PfSense 1:1 Nat to an edge device having a WLAN on the same subnet as the PfSense LAN, then DMZ the WLAN adapter to an internal IP (natted). And on the PfSense end, direct the 1:1 Nat to use a public VIP as it's gateway. This is to provide game boxes with a dedicated public IP separate from all other traffic and so all ports are available to the game box negating the need to port forward the game box. The edge device is VLAN capable so, in summary, I was hoping a VLAN would carry the 2nd public IP to the edge device's DMZ without impacting other traffic.
I was hoping I could add a VLAN to the LAN and all untagged and tagged traffic would go out the tagged switch port whereby only the tagged traffic would get peeled off by the switch on the other end of the trunk and route it to the appropriate edge device. Is this not how VLAN's work?
Yes. The untagged and tagged traffic will all be sent/received on the same interface. If we're talking about em0, the pfSense interfaces would be assigned to em0 and em0_vlanX.
What your SWITCH does with the traffic is up to the switch. Typically in consumer, "web smart" switches, the untagged traffic is placed on the switch port's PVID, or Primary VLAN ID. Tagged traffic is placed on the proper VLAN.
When you start mixing tagged and untagged traffic you have to understand that practically all vendors deal with it differently.
Personally, I avoid mixing tagged and untagged traffic. Even if I only have one VLAN on an interface, I almost always set it up as tagged so, in the future, I can just tag another VLAN through without changing the port from untagged to tagged. I let the switch deal with VLAN-unaware devices using access/untagged ports.
Also, when you start tagging traffic, pretend VLAN 1 does not exist.
phil.davis last edited by
Like Derelict recommends, I would only mix tagged and untagged on the interface that pfSense is using to the VLAN switch as a transition during setup.
If physically possible, I like to have a "spare" real interface on pfSense that is setup as LAN-style (some OPTn), gives DHCP and has rule/s that allow access to the webGUI. Then I can always plug in a laptop to that physical port and manage pfSense settings. If the VLAN switch is misconfigured or broken it is embarrassing not to be able to access pfSense webGUI!
Or at least configure one of my interfaces as an ordinary non-VLAN interface, even if it has some users/clients on it.
Thanks guys for your suggestions. I'll enable the em0 adapter just in case the VLAN switch goes weird and setup igb2 for VLAN.
I'm just not having much luck getting a VLAN to work with my network. I added a VLAN10 assignment to the LAN adapter and added a VLAN10net source rule to any. I also added an x.x.15.1 gateway and route to x.x.2.5. Can someone advise where tagged and untagged VLAN's should be placed? Are they only needed at PfSense and the WiFi Station or are they also needed at the managed switches A & B and the WiFi AP? Presume the VLAN10 IP needs to be unique to all other adapter IP's. Trying to get the GameBox broke out from all other edge devices so I can ultimately route the GameBox out a PfSense Wan VIP so all ports are available to the GameBox.
I was successful using no gateway/route and a 1:1 Nat to the WiFi Station WLAN0. Was simple but it put both the PC and GameBox on the Wan VIP which exposes the PC unnecessarily. And I don't think this solution will work with multiple GameBox's at different Stations without eating up more VIP's and public IP's.
Any suggestions that help focus my test are appreciated…
PFSENSE---| ------------| ------------
|--VLAN10(x.x.10.1)--P1-| |-P2--BRIDGE(x.x.2.2)--P1-| MANAGED L2 |
| | | SWITCH B |-P2--
|---LAN(x.x.2.1)-----P1-| MANAGED L2 |-P3--DEVICE(x.x.2.3) ------------ |
| SWITCH A | |
| |-P4--DEVICE(x.x.2.4) |
-------- --------- -------- --(x.x.2.5)- WLAN0
-------- --------- --------
It looks to me like you're thinking of tagging VLAN 10 all the way to the Gamebox.
VLAN tags are layer 2. It looks like you have two layer 3 devices between pfSense and the Gamebox (The Wi-Fi gear). VLAN tags won't pass through those.
If you were to make a wireless bridge (No AP/STATION, but a bridge) it might be possible to pass VLAN tags over it. MIGHT be possible. They might not pass the tags properly.
That last "LAYER2 SWITCH" will have to be managed as well to break the tags to the different VLANs.
OR you might be able to 1:1 NAT at x.x.2.5 and x.x.15.1. In that case there would be no real need for VLANs at all. Do a 1:1 NAT from a pfSense VIP to, say, x.x.2.6, which would be 1:1 NAT on WIFI AP to an address on WIFI STATION, which would be 1:1 NAT to x.x.10.2. But there couldn't be two separate networks there.
All pretty convoluted.
Yes I was a trying to tag to Gamebox. Thought since the layer-3 devices have VIP, VLAN and the bridging of the VLAN to the LAN or WLAN they might relay VLAN packets. If I go back to the 1:1 Nat solution from PfSense VIP to AP, then DMZ the Station to reach Gamebox, I believe I would need to use 1 VIP for every Gamebox. I only have four VIP's left and don't really want to use them up for this purpose. If I could get all Gamebox's onto one VIP that would be good but I don't believe 1:1 Nat works that way.