Simple vlan help



  • My setup
    pfsense on Alix embedded with wan and two lans
    wan-dhcp
    lan1 192.168.1.1 dhcp enabled
    lan2 opt1 192.168.3.1 dhcp enabled -- vlan3 to vlan 3 untagged port 3 on
    Nortel 450t 24 port switch.
    vlan 3 is the only port in the vlan.
    I cannot get lan 2 dhcp on vlan 3.
    I cannot ping 192.168.3.1, I cannot even ping the router ip which is 192.168.1.9.
    If I add vlan 2 to vlan 1, then I can get dhcp.
    I prefer to have this separate from the rest of the ports.
    Since I am new to vlans I am sure that I missed something simple.
    Any help would be appreciated.
    CaT



  • Did you assign the vlan that you created as an interface (Interfaces > Assign, bump the + button at the bottom of the list)? You should get a new interface for that vlan. After that you can set up firewall rules, a separate dhcp server and so on for that vlan (it will just appear like any other interface as a tab everywhere).



  • hoba,
    I set up the vlan3 on opt1. Opt1 has a dhcp server running at 192.168.3.1.
    It does have to be associated to a physical nic.
    I don't remember having the option to set up the dhcp for the vlan specifically.
    I am at work now, but will check that option after work.
    I assume that option is in Services > DHCP server.

    I actually thought the dhcp server I set up for opt1, which the vlan 3 is assigned to, would serve the vlan.

    Still learning!
    Thanks for the response

    CaT



  • You have to assign the VLAN like a REAL interface.
    So go to Interfaces > Assign and click the small "+" on the right side below the list of the interfaces.
    Now you add the VLAN as if it were a real interface.

    (Of course you first have to add the VLAN to the interface on the VLANs tab under Assign.)



  • I'll check it out tonight.
    About the time you think you know something, you find out you don't.

    Thanks for the response
    CaT



  • After a couple of days of rebuilding. Seems that I corrupted the config xml file. Anyway, back to my vlan problem.
    I made a couple of ip changes and I do have the interfaces set up.
    I have opt1 (physical port) with a dhcp server running at 192.168.2.1. I have vlan 3 (with dhcp server at 192.168.4.1) bound to opt1.
    Another physical interface is lan serving 192.168.1.1.
    I can ping all of the interfaces including the vlans from 192.168.1.1. I can get on the internet from lan and opt1.
    I cannot get out on any of the vlans.
    I guess my question is: with opt1 serving 192.168.2.1/24 and vlan 3 serving 192.168.4.1/24, will they interfere with each other?
    On the dhcp page for vlan3 (opt3) should the gateway be set to the gateway for vlan 3, which is 192.168.4.1?
    If these assumptions are correct then I have a problem in the switch settings.

    I will try to clarify with a drawing.

    wan
                          l   
                          l
                pfsense gateway
                l                    l
                l                    l
              lan                opt1
    192.168.1.1              192.168.2.1
                                            l
                                            l
                                          opt3 (vlan3)
                                          192.168.4.1

    Thanks
    CaT



  • That's not the right way to do it. You don't want to use the real interface for anything if vlans are on it. The correct way would be to not assign the real interface at all but create 2 vlans on that opt1 and only assign these as interfaces. Then create 2 vlans on the switchport that you hook up your opt1 interface to. Then break out the vlans to different ports on your switch.



  • Sorry for not knowing. Still learning! So I won't have an ip number or dhcp server on opt1, then bind the vlans to opt1. How do the vlans know the route to get out of opt1?
    Thanks for helping
    CaT



  • You don't even have the physical interface as an OPT1.
    Go to Interfaces > Assign and remove your OPT1 (click on the small x on the right side).
    The OPT1 had in brackets a small text like sis2 or so. This is the NIC identifier.
    On the second tab create the two VLANs on this identifier. And then add the two VLANs on the first tab.

    It would look like this:

    wan
                          l 
                          l
                pfsense gateway
                l                    l
                l                    l
              lan(sis0)            (sis1)
    192.168.1.1                  /        \     
                                  OPT1      OPT2
                              VLANx          VLANy
                        192.168.2.1      192.168.4.1



  • It would be good if someone wrote a step by step guide for the newbies like me for vlanning. Thanks for the info, I will try it after I get off of work.
    Thanks again.
    CaT



  • @cat1947:

    It would be good if someone wrote a step by step guide for the newbies like me for vlanning. Thanks for the info, I will try it after I get off of work.
    Thanks again.
    CaT

    Well, that's pretty much beyond the scope of this type of community.
    That's the way it is with most open source solutions though: you get it for free, have a community to use as a sounding board, but you must possess the know-how and put in the work to get it to do what you need. ;)

    That said, here's a good article about VLANs:
    http://blog.internetworkexpert.com/2008/01/31/understanding-private-vlans/



  • @cat1947:

    It would be good if someone wrote a step by step guide for the newbies like me for vlanning. Thanks for the info, I will try it after I get off of work.
    Thanks again.
    CaT

    As you are solving a VLAN problem right now, why don't you write this step-by-step guide for newbies and add it to the docs?
    (since you feel that one is needed) ;)



  • It's always better if someone with newbie status writes such a tutorial (after understanding the setup), as a more experienced user might forget some basic things or will explain it in a way a newbie might not understand.



  • Well, I cannot say that I have this problem solved yet. I guess I just spoke out of turn.
    To my question.
    I have removed the opt1 interface and created my vlans and bound them to the nic. You said your vlans were named sis1 and so on; mine start with vr1, vr2 and so on.
    I have set up the firewall rules to pass all protocols. I set the source to any and the destination to any.
    I set up the dhcp servers on each vlan.

    I have switched out the baystack switch for an hp procurve 1700.

    I can only get vlan2 and vlan 3 to receive their dhcp. The rest of my vlans will not.

    I connect my network cable from port1 on the switch to pfsense.
    I have single port vlans configured on the switch.
    I do have port one included in each vlan.
    Should I have port 1 set as a trunking port?

    It just seems funny that I do have two vlans that work and the rest don't. I have checked the configurations and they are all the same.

    Again thanks for your help!
    CaT



  • @cat1947:

    --snip--
    It just seems funny that I do have two vlans that work and the rest don't. I have checked the configurations and they are all the same.

    Again thanks for your help!
    CaT

    Ok, let us assume that your pfsense computer has 3 eth (Intel) cards: fxp0, fxp1 and fxp2.
    fxp0 is the LAN port,
    fxp1 is the WAN port and
    fxp2 is the eth where you will attach your VLANs.

    You have created VLAN1 with id 10, VLAN2 with id 20 and VLAN3 with id 30. Now you need to assign IPs to those VLANs.
    VLAN1 - 192.168.10.254/24
    VLAN2 - 192.168.20.254/24
    VLAN3 - 192.168.30.254/24
    And activate the DHCP server for these 3 VLANs.

    Add a pass rule for these 3 VLANs (just for test): pass any protocol from all networks to all networks.

    Then let us say that you have a 24 port layer 2 switch and for this exercise you are connected with a serial cable to this switch and you configure this switch through a menu.

    First add 3 VLANs with IDs 10, 20 and 30, then assign ports 1-7 to VLAN 10, ports 8-15 to VLAN 20, 16-23 to VLAN 30. All these ports should be untagged. Port 24 needs to be assigned to all 3 VLANs as tagged (trunk). Connect port 24 with fxp2 on your comp and it must work.

    This kind of setup I have used with AlliedTelesyn, Netgear and HP Procurve switches and it works. Some switches automatically add tags to ports according to membership, some need to be told about the tag (Netgear).

    You can add an IP to the switch and assign it to one of the VLANs so you can admin it by web or telnet, but that depends on you.

    Sasa



  • Thanks for the help.
    I just seem to have this problem getting these vlans going. I usually won't give up though,

    so bear with me if I ask more questions. I will work on this this weekend and see if I can make some progress.
    Thanks
    CaT



  • Maybe just the "same" VLAN problem that the ALIX board with pfsense might have:
    http://forum.pfsense.org/index.php/topic,8736.0.html

    You could try m0n0wall 1.3b11 just to see if your problem gets solved. In my case it's working with m0n0wall, but I would like to have this problem fixed in pfsense.



  • Thanks for the reply. I'll try what Sasa wrote and if it still doesn't work, I'll give monowall a try.
    That's all I need: a driver problem mixed in with my inexperience.
    Thanks for the help to everyone.
    CaT



  • @cat1947:

    Thanks for the reply. I'll try what Sasa wrote and if it still doesn't work, I'll give monowall a try.
    That's all I need: a driver problem mixed in with my inexperience.
    Thanks for the help to everyone.
    CaT

    Hmm? I don't know about a driver problem. I have tried this with all pfSense versions and with Intel, RTL, 3Com, D-link ... chipsets on eth cards and no problems emerged.
    I have tried this also with m0n0wall on Lucent brick platforms and it worked. So ...

    My only problem was my experience (inexperience, to say the truth) with VLAN switches. Different switch - different story.

    Sasa



  • I just want to give everyone a big thanks. Without your generous help I would not have gotten this resolved. I went back and switched out the procurve switch with the older baystack 450 switch and I was able to make all of my vlans work. I was never able to make it work with the Hp procurve switch. So if anyone knows anything about the Procurve 1700 switch, I could use some help with it. It is web managed, but the instructions for their vlans are not very clear. I would just prefer to use it over the baystack because of the small form factor and fanless operation.

    Thanks again for all of your help.
    CaT



  • @cat1947:

    So if anyone knows anything about the Procurve 1700 switch, I could use some help with it. It is web managed, but the instructions for their vlans are not very clear. I would just prefer to use it over the baystack because of the small form factor and fanless operation.
    Thanks again for all of your help.
    CaT

    I can only try, because I don't have an HP PC 1700 and the interface is (as I can see from the manual) totally different from "bigger" models.

    So your VLAN is UP and operational now?

    Sasa



  • Sasa,
    Yes, the vlan is up with the Nortel switch. Actually I have 13 of them running. I would like to get it going with the Hp, but it's not entirely necessary.
    When I originally tried the nortel switch I had a problem in my settings on the interfaces on the pfsense box.
    I thought the switch was bad, had this new HP procurve and couldn't get it to work either. Fixed the interface problem with everyone's help, got the Nortel working but cannot get the procurve to do vlans.
    I know it is something simple.
    Thanks again for your help.
    CaT



  • I have a procurve 1800-24g and a procurve 1800-8g. Maybe the webgui is similar. I have vlans running on them with pfSense and could post some screenshots if needed.



  • Hoba,
    First, how many vlans can you configure the 1700/1800 to output to one port? After reading the book a little closer I think you can only configure 8 vlans to one trunk. Since I am outputting 14 vlans to one port I am not sure that I can use the Procurve anyway. Unless you can see how to do it. In fact I wasn't able to get it working at all with the vlans.
    I'll give you a run down of a typical vlan that I tried to set up. This was after I was sure that pfsense was set up right.
    First I set up the vlans 10, 20 ...
    then I added the ports to the vlan,
    selected the correct vlan number in the drop down box.
    I then added the ports to trunk 1.
    I never could see which port was the trunk port (the one to connect to the opt1 side of pfsense).
    I am sure that the mistake was a simple one.
    The steps above are from memory so could be a little off.
    Thanks for the help.
    CaT



  • I hope the webguis are similar between the 1700 and the 1800.

    You don't work with the trunks menu at all, at least I didn't in my scenario. I only use 2 vlans on this switch (it's just for our conference room) but as you can see on img1 you could add up to 64 vlans.

    • Start at vlans > vlan setup and add the needed vlans there (img1)
    • on adding it will ask you which ports should belong to that vlan (img2), just tick all the ports that should be members of this vlan. Note that port1, which is my uplink port, is a member of vlan1 AND vlan30, so to become your "trunk port" make it a member of all the vlans that you create.
    • next go to vlan > vlan port config and configure the ports as needed (img3)

    On my switch the first port is the port that has the uplink to the pfSense, so I only allow tagged vlan traffic on that one. All other ports use non-tagged traffic, so depending on which port you hook up a client it will be part of the one or the other vlan.

    I hope this helps to get you started.

    EDIT: Added img4 from the overview screen as it sums up the complete configuration quite nicely.
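    A plan checker for the layout Sasa describes above (untagged access ports per VLAN, one tagged trunk to pfSense, one subnet per VLAN) and for hoba's note that the uplink port must be a tagged member of every vlan. This is an added example, not code from the thread, pfSense or any switch vendor; the port layout, the addresses and the check_plan function are constructed for illustration, and the uplink port number is a parameter so any port can play the role.

```python
from ipaddress import ip_interface

# Constructed plan following Sasa's post: VLAN id -> pfSense VLAN interface address.
VLAN_SUBNETS = {10: "192.168.10.254/24", 20: "192.168.20.254/24", 30: "192.168.30.254/24"}

def switch_ports(uplink=24):
    """Constructed 24-port switch: untagged access blocks plus one tagged trunk port."""
    ports = {}
    for p in range(1, 25):
        if p == uplink:
            ports[p] = {"tagged": set(VLAN_SUBNETS), "untagged": set()}
        elif p <= 7:
            ports[p] = {"tagged": set(), "untagged": {10}}
        elif p <= 15:
            ports[p] = {"tagged": set(), "untagged": {20}}
        else:
            ports[p] = {"tagged": set(), "untagged": {30}}
    return ports

def check_plan(vlans, ports, uplink):
    """Return a list of findings; an empty list means the plan passes every check."""
    problems = []
    nets = {vid: ip_interface(addr).network for vid, addr in vlans.items()}
    ids = sorted(nets)
    # Two VLAN subnets that overlap would make routing between them ambiguous.
    for i, a in enumerate(ids):
        for b in ids[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"subnets of vlan {a} and vlan {b} overlap")
    for vid in vlans:
        # pfSense sends tagged frames on a VLAN interface, so the trunk must be tagged in it.
        if vid not in ports[uplink]["tagged"]:
            problems.append(f"uplink port {uplink} is not a tagged member of vlan {vid}")
        # A VLAN without an access port can never have a client to serve DHCP to.
        if not any(vid in m["untagged"] for p, m in ports.items() if p != uplink):
            problems.append(f"vlan {vid} has no untagged access port")
    for p, m in ports.items():
        # An untagged frame can belong to only one VLAN, so one untagged membership per port.
        if len(m["untagged"]) > 1:
            problems.append(f"port {p} is untagged in more than one vlan")
        if m["tagged"] & m["untagged"]:
            problems.append(f"port {p} is both tagged and untagged in the same vlan")
    return problems

if __name__ == "__main__":
    print(check_plan(VLAN_SUBNETS, switch_ports(24), 24) or "plan ok")
```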










  • hoba,
    I'll check it out tonight. I believe that the error I made was to leave "vlan aware" checked for all of the ports.

    I assume that the uplink port can be any port as long as it is in all of the vlans and is tagged.
    CaT



  • Correct, you could make any port an uplink port. I just picked the first one for my config.



  • Well, I got the vlans working on the procurve. I am still not quite sure what I had done wrong. Doesn't matter now. I only have one problem left. I changed the management vlan to my vlan 150 and changed the ip address to an address within that subnet outside of the dhcp. When I saved it I lost all connections of my vlans and couldn't access the web gui. I am going to try and recreate the problem tomorrow.
    Any ideas?
    Thanks
    CaT



  • Not really, maybe a typo or whatever when applying the ip address, or the port that you try to access it from is not a member of that vlan. I hope you at least have a port being a member of the management vlan ;)



  • I've tried that too. To avoid it I try not to use the default / fallback port. The management vlan I set to a vlan that has no port assigned to it. ;)



  • That's called out-of-band management. With in-band management/signalling stuff like blueboxing was possible…



  • The management vlan that I assigned the management to has 5 ports in it and I set the ip address to the same subnet. I am going to try it again tonight. I may have just made a typo. At least I have the configuration backup this time so I don't have to re-input everything again.
    At the moment I am running 15 vlans with pfsense on an Alix wrap box with everyone in their own subnet.
    It is a cheap alternative for a small assisted living center that has thirteen apartments.
    I believe I got this done for a total of $350 US dollars, not counting labor.
    Second thought: does the management vlan need to be the same as the one the upload port is in?
    Again thanks for everyone's help. The next time I do this it will be a lot easier.
    CaT

