VLAN Help
-
Hello, I am configuring a VLAN and have been following tutorials I found in order to configure it. I will try to be as clear as possible about what my setup is:
PFsense 2.2 (virtualized on ESXI 5.5)
Dlink Smart Switch DGS-1100-24P
VLAN ID 10
Here is what I have done:
I created a VLAN Interface and assigned it to the same adaptor as the LAN. I enabled the VLAN Interface and assigned it a 10.10.10.1/24 IP.
I enabled DHCP for VLAN 10 with a range of 10.10.10.100-10.10.10.200.
I created VLAN 10 in ESXI and it is on the same adaptor as the LAN in ESXI.
I created VLAN 10 on the Dlink DGS-1100-24p.
PFsense is plugged into port 1 on the dlink. I tagged port 1 in VLAN 10.
My Laptop is plugged into Port 24 of the Dlink. I untagged port 24 in VLAN 10.
I created a Firewall rule.
I am providing screen shots of my setup.
I am able to get a DHCP address from PFsense for VLAN 10. I get 10.10.10.100 with a default gateway of 10.10.10.1.
Problem: I do not have Internet.
I cannot ping the VLAN default gateway of 10.10.10.1
From PFsense I cannot ping 10.10.10.100
I appreciate any help you can provide.
Bill
Attachments: VLAN Interface First.png, VLAN Interface.png, VLAN DHCP Setup.png, VLAN Firewall Rule.png, DLINK Port 1.png, Dlink Port 24.png
-
PFsense is plugged into port 1 on the dlink.
How is pfSense plugged into anything if it's virtual?
-
My apologies for the miscommunication.
ESXi is plugged into port 1 of the Dlink.
PFsense is attached to the network adaptor that is plugged into port 1 of the dlink.
Bill
-
You have not given any description about how you configured your WAN. Only your LAN.
You should be able to ping 10.10.10.1. What firewall rule did you create on LAN?
You do not need to tag the interface in pfSense if you are just adding an interface to the vSwitch that is tagged on VLAN 10 to the switch.
The only time you would need to tag the port in pfSense is if you were sending VLAN 4095 (All VLANs tagged in ESXi) to pfSense.
What I don't understand is how you are getting DHCP. That indicates Layer 2 is OK. Are you sure there's not another DHCP server available to VLAN 10?
I also don't know WTF all those VLAN options are in your switch. What is a "Hybrid untagged VLAN" etc.
You want to tag VLAN 10 to ESXi, nothing more, nothing less.
-
So currently I have the WAN configured and working without a VLAN involved.
I am in the beginning stages of creating VLANs.
I have not created any additional rules under the LAN for VLAN 10.
That is pretty much all I did: tag the port going to PFsense/ESXI. I had to untag the port that my laptop is plugged into to get DHCP.
I don't think I conveyed that I tagged a port in PFsense, if I did I am sorry for the miscommunication.
-
"I created VLAN 10 in ESXI and it is on the same adaptor as the LAN in ESXI."
Huh?? So create your VLAN on the pfSense interface that VLAN is going to be on. What did you do with your vSwitch in ESXi? Did you change it to trunk mode? You have to allow for the VLAN or VLANs you want in 2 switches, since you really have this with ESXi:
pfsense - vnic – vswitch -- esxihostnic -- realswitch - realdevice
So both your vSwitch and your real switch have to allow for whatever VLANs you're going to be using.
Curious where you created VLAN 10 in ESXi??
-
I don't think I conveyed that I tagged a port in PFsense, if I did I am sorry for the miscommunication.
Right here you did. Interface Perk is tagged to the vSwitch:
-
You do not need to tag the interface in pfSense if you are just adding an interface to the vSwitch that is tagged on VLAN 10 to the switch.
I am a little confused by this statement. I had to create the VLAN in pfSense. In order to set up a DHCP server for that VLAN, it had to be assigned to an interface. The tutorials I have followed in order to set this up told me to assign the VLAN to the same interface as the LAN. I appreciate your time looking at this.
I attached a screenshot for what I have done in ESXI
-
vmnic2 is connected to a switch port. What VLANs are on that switch port?
vmnic3 is connected to a switch port. What VLANs are on that switch port?
I would not be using untagged interfaces (em0, em1) in the pfSense VM. I would tag everything. That would mean new VLANs for WAN and LAN.
-
vmnic2=ISP modem (provides internet)
vmnic3=port 1 of the dlink switch. VLAN 10 is tagged, vlan 1 (default vlan that is created by the factory) is untagged.
Thanks for taking the time
Bill
-
What is the point of the port group with VLAN 10 with nothing in it??
Why would you set 4095 on your WAN? You're not running multiple VLANs over that, are you?
This is not rocket science..
I showed you the vSwitch and port group that the pfSense WLAN vNIC is attached to; it is set with 4095. Yes, there are multiple VLANs on this with their own IDs - see pfSense interfaces. Then the switch port that is connected to the physical NIC in the ESXi host is trunked.. It is that simple.. Then ports that are in those specific VLANs on the switch are in those VLANs..
interface gigabitethernet3
description "esxi wlan"
switchport trunk allowed vlan add 100,200,300
switchport trunk native vlan 20
-
I understand this is not "Rocket Science".
That was a change I made after I saw your screen shot. I thought what the hell, nothing else I am trying seems to make a difference. Nothing has changed. I was hoping some people might have a few ideas as to why I can get DHCP from VLAN 10 but I cannot ping the default gateway. Nor do I have internet on VLAN 10.
I have attempted several different firewall rules. I just thought that people that have a lot of experience and have setup vlans before would provide some suggestions to help me out. Maybe even help me troubleshoot the issue to help me determine if I did something incorrect in PFsense.
This is my setup:
pfsense - vnic – vswitch -- esxihostnic -- realswitch - realdevice
It has been that way since I first posted the problem.
I currently have a 192.168.2.0/24 network that can access the internet fine through PFsense. The switch still has the default vlan "1". I am currently attempting to transition to vlans. My end goal will be to have a minimum of 2 vlans:
vlan 10 w a subnet of 10.10.10.0/24
vlan 20 w a subnet of 10.10.20.0/24
Right now I am only concentrating on vlan 10.
-
Exactly, that is how pretty much every single setup would be using ESXi:
pfsense - vnic – vswitch -- esxihostnic -- realswitch - realdevice
So what is your configuration of the real switch port that is connected to the ESXi host NIC? What is the configuration of the real switch port that is connected to the client you want to be in VLAN 10?
I posted my config for my trunk port that connects the ESXi host to the switch. Here is the config for, for example, the port connected to my son's PS3 that I have in its own VLAN:
interface gigabitethernet7
description "ps3 powerline"
switchport mode access
switchport access vlan 100
!
So let's follow the packet.. The device sends a broadcast DHCP discover -- hey DHCP server, can I have an IP. So that hits the real switch port. That is in access mode VLAN 100 in my setup. Now these packets that go down a trunk will be TAGGED with 100.. And since it's broadcast it will go to every other port that is in VLAN 100.
So it goes down the trunk that allows VLAN 100, this hits the ESXi NIC, then the vSwitch.. A vSwitch that is set for 4095 is like a trunk and does not strip the tag.. So now it hits the pfSense vNIC with tag 100.. So this goes to the VLAN 100 interface. The DHCP server sees this and sends back an offer that goes back the same path.
So we need to know what the settings are on your real switch for the port connected to your ESXi NIC and the port connected to your device. If you don't allow the trunk to your ESXi, or don't have the VLAN set up on the port connected to your device, then no, your DHCP discover will never get to your DHCP on your VLAN, or it would go to, say, the DHCP server running on the native or physical network without any tagging, etc.
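The "follow the packet" walk above can be made concrete. The following is an added example, not code from the thread or from pfSense, ESXi or D-Link: it builds an 802.1Q-tagged or untagged Ethernet frame by hand (constructed sample data, not a capture), parses the tag back out, and models each hop of the path laptop -> D-Link access port (PVID) -> D-Link uplink port (tagged/untagged membership) -> ESXi port group (4095 pass-through, or a single VLAN that strips the tag) -> pfSense vNIC, reporting which pfSense interface would receive the frame (the untagged parent `em1`, a child `em1_vlanN`, or nothing). The switch and vSwitch rules are a simplified model of standard 802.1Q behaviour, not a model of any vendor's firmware; interface names and MAC addresses are made up.

```python
"""Follow a DHCP discover from an access port to a pfSense VLAN interface.

Added example (constructed frames); models 802.1Q PVID/tagging rules and the
ESXi port-group VLAN setting, not any specific vendor implementation.
"""
import struct

TPID_8021Q = 0x8100
VLAN_ALL = 4095  # ESXi port group set to 4095 passes tags through to the VM


def build_frame(dst, src, ethertype, payload, vid=None, pcp=0):
    """Ethernet II frame; an 802.1Q tag is inserted after the MACs if vid is set."""
    hdr = bytes.fromhex(dst) + bytes.fromhex(src)
    if vid is not None:
        if not 0 <= vid <= 4094:  # 4095 is reserved and never appears on the wire
            raise ValueError("VID must be 0..4094")
        hdr += struct.pack("!HH", TPID_8021Q, (pcp & 7) << 13 | vid)
    return hdr + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return (dst, src, vid or None, ethertype, payload) for a raw frame."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst, src = frame[0:6].hex(":"), frame[6:12].hex(":")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vid, off = None, 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q header")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vid, off = tci & 0x0FFF, 18  # low 12 bits of the TCI are the VLAN ID
    return dst, src, vid, ethertype, frame[off:]


def retag(frame, vid):
    """Copy of frame with its tag replaced; vid=None strips the tag."""
    dst, src, _, ethertype, payload = parse_frame(frame)
    return build_frame(dst.replace(":", ""), src.replace(":", ""), ethertype, payload, vid)


def switch_ingress(frame, pvid):
    """Access-side classification: untagged frames fall into the port's PVID."""
    vid = parse_frame(frame)[2]
    return pvid if vid is None else vid


def switch_egress(frame, vid, tagged, untagged):
    """Uplink egress: send tagged, send untagged, or drop if not a member."""
    if vid in tagged:
        return retag(frame, vid)
    if vid in untagged:
        return retag(frame, None)
    return None


def portgroup(frame, pg_vlan):
    """ESXi port group: 4095 passes tags; 0 accepts untagged only;
    N accepts only VID N and strips the tag before the VM sees it."""
    if frame is None:
        return None
    vid = parse_frame(frame)[2]
    if pg_vlan == VLAN_ALL:
        return frame
    if pg_vlan == 0:
        return frame if vid is None else None
    return retag(frame, None) if vid == pg_vlan else None


def pfsense_ingress(frame, parent, vlan_ifaces):
    """Which pfSense interface gets the frame: parent, parent_vlanN, or None."""
    if frame is None:
        return None
    vid = parse_frame(frame)[2]
    if vid is None:
        return parent
    return f"{parent}_vlan{vid}" if vid in vlan_ifaces else None


def trace(laptop_pvid, uplink_tagged, uplink_untagged, pg_vlan, pfsense_vlans=(10,)):
    """Laptop port -> uplink port -> ESXi port group -> pfSense interface name."""
    discover = build_frame("ffffffffffff", "001122334455", 0x0800, b"dhcp-discover")
    vid = switch_ingress(discover, laptop_pvid)
    on_wire = switch_egress(discover, vid, uplink_tagged, uplink_untagged)
    return pfsense_ingress(portgroup(on_wire, pg_vlan), "em1", pfsense_vlans)


if __name__ == "__main__":
    # Laptop port PVID 10, uplink tagged in 10, port group 4095: reaches em1_vlan10.
    print(trace(10, {10}, {1}, VLAN_ALL))
    # Laptop port left at PVID 1: leaves the uplink untagged and lands on LAN (em1).
    print(trace(1, {10}, {1}, VLAN_ALL))
    # Port group set to VLAN 10 instead of 4095: tag stripped, VLAN interface never sees it.
    print(trace(10, {10}, {1}, 10))
    # Uplink not a member of VLAN 10 at all: dropped at the switch.
    print(trace(10, set(), {1}, VLAN_ALL))
```

The two failure cases are the ones debated in this thread: an access port whose PVID is still 1 sends the laptop's frames out the uplink untagged, so pfSense receives them on the parent (LAN) interface rather than on the VLAN 10 child; and a port group pinned to a single VLAN strips the tag, which is why a VLAN interface inside pfSense only makes sense behind a 4095 port group.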
-
My first post included 2 screenshots that show the config of the 2 physical ports being used.
Dlink Port 1 is the port my esxi host is connected to. The screenshot shows that the port is "tagged" in vlan 10 and untagged in vlan 1 (default vlan). The post and screen shots also show the vlan interface I created and enabled in PFsense (including settings).
Dlink port 24 is the port my laptop is connected to. This screenshot shows that the port is "untagged" in vlan 10 and 1.
Both screenshots show the "native" vlan for the port.
I provided a screenshot of the firewall rule I created. The firewall rule was created on interface vlan 10.
I did not add any additional firewall rules under the following interfaces:
"WAN"
"LAN"
"Floating"
Bill
-
Yeah, and those are not correct.. So you have the port connected to ESXi not tagged at all.. And in a native VLAN 1.. Not sure what hybrid VLAN is? So if that packet leaves the port going to the vSwitch without a tag, how would pfSense know to pick it up on its VLAN interface?? Would have to look up the manual for that switch..
And then the port for your laptop is native VLAN 10, but there is no tagging.. So where does it get tagged 10 so that the switch sends it down the port to ESXi tagged? You could probably tag it on the interface in your laptop.
-
To tell you the truth I am not sure what the Dlink "Hybrid" vlan is. Their documentation is pretty sparse. I did look at the other modes but they did not work. They also offer access mode and trunk mode. Access mode seemed to offer either tagged or untagged (not both). Trunk mode (in Dlink terminology) does not have the same meaning as in Cisco. From what I read I should "tag" a port when another switch/router is connected to the port. When a laptop/device is connected to a port then it needs to be untagged. This setup was the only way I could get a DHCP address in vlan 10.
Let me clarify:
Doesn't traffic get tagged on Port 1? Port 1 is tagged in vlan 10. Due to different manufacturers using terms that mean different things this can get confusing. Don't you think the traffic going to PFSense from vlan 10 is being seen as "tagged" in vlan 10, since I get a dhcp address in the range defined for vlan 10? My laptop receives a dhcp address of 10.10.10.100.
Here is a screen shot of my vswitches in esxi
So I can ping 10.10.10.1 when I am connected to the 192.168.2.0/24 network.
but
When I am connected to and receive the vlan 10 dhcp address of 10.10.10.100, I cannot ping 10.10.10.1, the default gateway.
-
So you get a DHCP address in VLAN 10?? Well, what are your rules on your VLAN interface? When you create new interfaces there are NO rules created.. Other than when you enable DHCP it creates some hidden rules that allow access to the DHCP server.. But until you create rules you're not doing anything else.
So example I allow anything on ps3 network to talk to any port on pfsense ps3 address. So ping, UPnP, dns, etc.. And as long as not trying to talk to other local networks it can go there..
But your eth 1 setup is native 1 and untagged 1.. Why do you have it in there if you want it to tag 10 for traffic it sees? Shouldn't that be native 10 and tagged 10, so that traffic it sees that is untagged will get tagged as 10? That is the way I read the hybrid setup from the Dlink docs I just looked at. Not sure why you have 1 listed in there at all if this is an access port you want in VLAN 10??
I agree other makers call things different.. I have an older netgear in the living room. So the uplink to my cisco is on port 4.. So that is tagged 1 and 20.. Then ports are in untagged 1 and untagged 10.. So traffic it sees from untagged ports in the vlans with the pvid being set to the ports as 1 or 20.. Yeah yeah I know bad idea to use vlan 1… But this is home setup and not real worried about it - makes it easier for setup.
Normally vlan 1 should not be used and all ports should be removed from it, etc. Use some other vlan as your native vlan, etc.
-
I posted a screenshot of the firewall rule in the first post called "Firewall rule.png". I was trying to be as thorough as possible when explaining what I have done and what the problem is.
I have also added a rule similar to your first rule with no change. I still could not ping 10.10.10.1 nor access the internet.
Bill
-
So I changed Port 1 to be native to vlan 10.
Same results. I get DHCP from vlan 10 but cannot ping 10.10.10.1 nor can I access the internet.
-
Well, what I would suggest then is sniff on pfSense for these pings.. Do you see them?