Are VLANS needed in the firewall setup if handled on a managed switch?



  • I have set up a pfSense firewall with a WAN interface and a LAN interface. The WAN interface is connected to a cable modem and the LAN interface is connected to a Dell PowerConnect that is managing 5 VLANs.

    100 (10.10.0.0)
    101 (10.10.1.0)
    102 (10.10.2.0)
    103 (10.10.3.0)
    200 (192.168.0.0)

    Just for thoroughness, I have added all of the VLAN tags in the pfSense server but have not configured any as interfaces.

    I can traceroute from the LAN interface to addresses on all of the VLANs except 200. When I try to run the traceroute on it (192.168.0.1), the firewall shows the first hop as the cable modem gateway address, then all *** after that, eventually timing out.

    I have confirmed that the port on the switch is set up with access to the VLAN by plugging in a Windows PC and pinging the address successfully; however, the pfSense firewall cannot ping or traceroute.

    I have confirmed that "Block private networks" and "Block bogon networks" are not set on the LAN interface.

    I have created firewall rules for the LAN adapter to allow traffic from any source/port directed to any source/port.

    What am I missing here?
    Thanks
    -Luke


  • Banned

    You need the interfaces set up to handle their own IP range and use the designated GWs.



  • Assign the VLANs in pfSense and enable the interfaces with the respective addresses, then set up the DHCP server on each of those interfaces. You'll need to make sure the port that is connected to the router is configured as a trunk on each VLAN on the switch.


  • Banned

    You don't need the trunk. Just assign the same ports to different VLAN tags. Then the switch can handle it easily.


  • LAYER 8 Netgate

    If you are dealing with interface eth0:

    Interfaces > (assign)

    Traffic to/from a pfSense interface assigned to eth0 will be untagged to and from the switch

    Traffic to/from a pfSense interface assigned to VLAN X on eth0 will be tagged with VLAN X to and from the switch



  • Thanks for the input! I need to clarify: I inherited the network and am not a network guy!!! The VLANs are already built on the switch and handled by a Windows server with DHCP scopes for all but 200 (the one that I'm having trouble with).

    Are the VLAN adapters required in pfSense to connect to the VLANs (for tagging?), or are they only required if you need DHCP or special routing in place?

    Again, thanks for all the input. I've read almost every doc page but haven't found a simple explanation (other than the router-on-a-stick document). Is there anything that you could point me to for a better understanding of the VLAN settings in pfSense (is this outlined in better detail in the pfSense Definitive Guide included with the Gold subscription?)

    Thanks again,
    -Luke


  • LAYER 8 Netgate

    Inherited a network and you're not a network guy, huh.  Must not be very important to TPTB that their network actually work.

    If you need layer 3 connectivity to pfSense on VLAN 200, then you need a pfSense interface assigned to VLAN 200 on eth0 with the proper layer 3 config (IP address, netmask, firewall rules, etc.).

    If you just need connectivity from hosts on VLAN 200 to your AD DHCP on VLAN 200, then look in the layer 2 (switch) config.



  • The principle is that in pfSense you have a separate virtual network port for each VLAN. It is just as if you had as many separate network cards in pfSense, each plugged directly into those LANs with separate cables. But with VLANs, you have them all in the same cable.



  • See this screen pic.




  • @Derelict:

    Inherited a network and you're not a network guy, huh.  Must not be very important to TPTB that their network actually work.

    Artecs, don't worry. You don't need to be a network guy to set up pfSense, but it helps if you are willing to learn what you do need to know.

    VLANs are far easier to conceptualize if you understand why they exist.

    To expand on robi's comments…

    You have 5 LANs. In the old days, you would need 5 physical ethernet interfaces in your firewall to service them.
    VLANs enable you to collapse 5 physical networks into just 1 physical network so that only 1 physical interface is required to service them all. This cuts down on cabling and hardware and can make remote moves and changes much easier.

    VLANs do this by tagging packets with the label that you assigned to them so that they can be identified and separated later.

    If you have a physical cable plugged into a pfSense ethernet interface that is running one or more tagged VLANs, the other end of the cable should be plugged into a tagged port on a VLAN switch. It is usual to make this port a member of each VLAN that it is servicing.

    If you have a physical cable plugged into a pfSense ethernet interface that is not declared as a VLAN, the other end of the cable should be plugged into an UNtagged port on a VLAN switch. This port only needs to be a member of the one LAN that it services. Alternatively you could just use a regular Non-VLAN capable switch or even a hub!

    I hope this helps.
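To make the tagged/untagged distinction described in this thread concrete, here is a constructed Python example (added here; it is not code from the thread or from pfSense): it builds Ethernet frames with and without an 802.1Q tag, pulls the VLAN ID back out, and mimics a switch port's ingress decision. The MAC addresses and the port's PVID/tagged membership are assumptions chosen to mirror the setup in the question.

```python
"""802.1Q tagging walkthrough (constructed example, not pfSense code)."""
import struct

TPID_8021Q = 0x8100      # EtherType value that announces an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800

# Constructed sample MAC addresses, not taken from the thread
SWITCH_MAC = bytes.fromhex("001122334455")
PFSENSE_MAC = bytes.fromhex("66778899aabb")


def build_frame(dst, src, payload, vlan_id=None, pcp=0):
    """Build an Ethernet II frame; insert an 802.1Q tag when vlan_id is given."""
    if vlan_id is None:
        # Untagged frame: header is just dst, src, EtherType
        return dst + src + struct.pack("!H", ETHERTYPE_IPV4) + payload
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be 1..4094")
    tci = (pcp << 13) | vlan_id  # TCI = PCP(3 bits) | DEI(1 bit, zero) | VID(12 bits)
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, ETHERTYPE_IPV4) + payload


def parse_frame(frame):
    """Return (vlan_id or None, ethertype, payload) for a frame."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == TPID_8021Q:
        tci, inner_type = struct.unpack("!HH", frame[14:18])
        return tci & 0x0FFF, inner_type, frame[18:]
    return None, ethertype, frame[14:]


def ingress_vlan(frame, pvid, tagged_members):
    """VLAN a frame entering a switch port lands in, or None if the switch drops it.
    Untagged frames go to the port's PVID (its untagged VLAN); tagged frames are
    accepted only for VLANs the port is a tagged member of."""
    vid, _, _ = parse_frame(frame)
    if vid is None:
        return pvid
    return vid if vid in tagged_members else None


# Assumed switch port facing pfSense eth0: untagged in VLAN 100, tagged for the rest
PFSENSE_PORT = {"pvid": 100, "tagged": {101, 102, 103, 200}}


def reach_vlan(vlan_id=None):
    """Simulate pfSense sending on eth0 (untagged) or on a VLAN sub-interface."""
    frame = build_frame(SWITCH_MAC, PFSENSE_MAC, b"icmp echo", vlan_id=vlan_id)
    return ingress_vlan(frame, PFSENSE_PORT["pvid"], PFSENSE_PORT["tagged"])
```

With this port layout, traffic from the plain LAN interface lands only in VLAN 100, while VLAN 200 is reachable only once a pfSense interface assigned to VLAN 200 sends tagged frames.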

