Can't get VLAN's to work under VMWare



  • Hi!

    I have tried everything that has come to my mind, but I've been unable to make VLAN's to work. I'm using a Procurve 2900 switch and I have set port 25 as tagged for VLANs ID 1 and 4. Then, I setup a FreeBSD VM with two virtual NICS, one bridged to my LAN and the other one to the NIC connected to Procurve's port 25. In the VM I'm using ethernet1.virtualDev = "e1000" to support VLAN's.

    The real NIC's are Broadcom 5715 (onboard) and Intel 1000MT… I've tried both.

    I can access the WebUI and use it to setup two VLANs, one with ID 1 and a second one with ID 4 (vlan0 and vlan1 within pfSense). Then, I create an interface for each one and give an IP address for them (10.x.x.x/24 with different subnets each one).

    BUT... it doesn't work: I can't ping any hosts on those subnets. What am I doing wrong?

    Many thanks in advance! :)



  • Did you create rules on these "new" interfaces?

    What exactly are you trying to ping?
    Could you draw a diagram of your "logic" network?
    Does your ping destination know the route back to you?
    –> Per default pfSense doesnt NAT to OPTx interfaces, but routes.



  • Hello!

    Ok, here's more detail:

    VLAN0: VlanID1, IP subnet 10.1.20.0/24
    VLAN1: VlanID4, IP subnet 10.4.20.0/24

    To simplify, let's use only VLAN0. In that subnet I have more hosts, connected to the switch as untagged ports which belong to VLAN ID1. So, basically, they're on the same segment and you don't need routing to reach them. Then, I give IP 10.1.20.252 to pfSense VLAN0 iface and try to ping that IP from any other host within the same subnet, with no success. It seems as if the VLAN tag was ignored somewhere and pfSense was unable to identify those packets… but I don't know how to verify that point.

    Thanks!



  • dont use vid1

    @802.1Q:

    Table 9-2—Reserved VID values

    VID value(hexadecimal) Meaning/Use
    0 The null VLAN ID. Indicates that the tag header contains only priority
    information; no VLAN identifier is present in the frame. This VID value shall not
    be configured as a PVID or a member of a VID Set, or configured in any Filtering
    Database entry, or used in any Management operation.

    1 The default PVID value used for classifying frames on ingress through a Bridge
    Port. The PVID value of a Port can be changed by management.

    FFF Reserved for implementation use. This VID value shall not be configured as a
    PVID or a member of a VID Set, or transmitted in a tag header. This VID value
    may be used to indicate a wildcard match for the VID in management operations
    or Filtering Database entries.

    Buuut….
    I still dont get what you are trying to achieve.

    Could you draw a diagram of your "logic" network?



  • Hello!

    Sorry for my late reply… I thougt I was a better ascii sketcher! This has taken me some time... ;)

    The idea is to get this working using just 3 real Nics, which are virtualized in bridge mode by VMWare Server from the real hardware NICs. They don't have VLAN's defined in the host OS (Win2k3):

    Wan1        Wan2      Wan3
      |                |              |
      |    VLAN11 |              |
      |________  |  _|
        VLAN10 |  |  | VLAN12
              ManagedSwitch
          |        |
        | NIC1            NIC1 |
    pfsenseA  ---------  pfSenseB
          |    NIC3    NIC3    |
    NIC2|
          ______|NIC2
                      |    |
              ManagedSwitch
        |      |    |
      |VLAN20      |      VLAN22|
      |                |                |
      |      VLAN21|                |
      |                |                |
    DMZ1          DMZ2          LAN

    So, for NIC1 and NIC2 I must define the VLANs with the same IDs as for the rest of the hosts on each VLAN. I don't mind the ID itself, as I can use almost anyone. NIC3 will be used for pfsync and cluster heartbeat.

    The problem is that after defining the VLAN's in pfSense and in the switch i get no comunication among the firewall and the hosts on any VLAN. pfSense is unable to get the MAC for any IP on those VLAN's.

    Thank you!



  • I think you'll have to define the VLANs on the host OS, then bridge virtual network interfaces in VMware to those VLANs. I have had pfSense working that way in VMware Workstation 6.0.3 on Windows XP Professional SP2 once I'd defined the VLAN network interfaces using Intel PROset (no native VLAN support in Windows XP) and set up the bridging in VMware to those network interfaces.

    It may be possible to deal with the tagging in VMware, but I doubt that the VMware virtual network interfaces have tagging support.

    It's really a VMware question at heart - can you bridge to a tagged network and have the guest OS deal with the tagging, or not. I suspect the answer might be that you can't.



  • Hi!

    Yes, I could use VLANs directly in the host OS… but that I way I would have a 4 NIC limit in the VM and I would like to use at least 5 of them... That's why I need to use VLAN's directly inside the pfSense VM.

    Obviously, the VMWare Virtual Network layer has to be able to pass ethetnet packets unmodified to the VM, so it can deal with them. I'm going to set a Windows VM with an Intel virtual NIC and install Intel ProSet in it, so I would be able to define VLAN's directly on the guest OS.

    I'll update the thread later...
    Thanks!



  • Hi!!

    I've been reading a lot but couldn't solve this problem yet, because aparently VLAN tagging passthrough from the NIC to the vNIC is an unsupported feature in VMWare GSX/Server: http://communities.vmware.com/message/297176#297176

    So I've ended up setting up the VLANS directly on the host and connecting 4 vNICs to them. I'm limited, but I've found a way to overcome those limitations by changing my setup and using Port Forwarding from Inet to my servers…

    Regards!



  • Kinda late I know…but if you are using ESX...you just use VGT to allow VLAN Tagging through to the guest OS (pfSense). To do this, you setup a Virtual Switch with a VLAN ID number of 4095 - this means that all VLAN info will bypass the standard VMware and be passed right through to the guest.

    I use this instead of Virtual IPs because these IPs are pingable (the Virtual IP ones are not because of the way that ESX handles the CARP stuff from pfsense)

    I am doing this here with great success.

    Also, I would recommend changing your NIC to use the e1000 adapter instead of the standard one.

    Jim


Log in to reply