VLAN network



  • I've got two pfSense boxes configured with 3 NICs each.  One NIC is for the WAN, another for LAN, and another is for an Intranet connection that Brighthouse is providing that routes via VLAN.  On the NIC for the intranet the card supports VLAN.  I've configured the interface (10.0.7.x) and added a VLAN interface for it (10.0.8.x).

    As for rules, I add a "pass all" for the VLAN.  I've tried this setup with a "pass all" rule for 10.0.7.x and without, and it doesn't seem to make a difference.

    Then I add a static route to each pfSense.  For example, 192.168.10.0/24 -> 10.0.8.2 on one and 192.168.11.0/24 -> 10.0.8.3 on the other.

    Routing is working well.  Pings work fine.  I can ssh in to the pfSense units across the intranet connection.  It doesn't pass data if I try to connect into the GUI interface or do anything under ssh that is going to send a large amount of data.  It seems like an MTU problem.

    Brighthouse has their MTU set at 1536.  I tried setting the pfSense to that, but it refuses to go higher than 1500.

    Also, using tcpdump on either the parent interface or on the VLAN interface (-s 0 -vvv -n) indicated that there are no VLAN tags on the packets.  So, one question is: if I route a packet to go over a VLAN interface, won't the NIC add the VLAN tag?

    The reason for the VLAN over the Brighthouse intranet connection is because we'll be adding more locations that will be connecting to the main site.

    Thanks for the help.



  • Hmm, to me it looks like the VLAN part has nothing to do with pfSense. Post a diagram; it says a thousand words.



  • pfSense 1
    LAN re0 192.168.10.1/24
    WAN fxp0 private
    Intranet (via BrightHouse) re1 10.0.7.1
    VLAN1 (parent re1) 10.0.8.2
    static route 192.168.11.0/24 -> 10.0.8.130
    Rules: pass all on LAN, pass all on VLAN1

    pfSense 2
    LAN re0 192.168.11.1/24
    WAN fxp0 private
    Intranet (via BrightHouse) re1 10.0.7.2
    VLAN1 (parent re1) 10.0.8.130
    static route 192.168.10.0/24 -> 10.0.8.2
    Rules: pass all on LAN, pass all on VLAN1

    The idea is for all 192.168.11.0 traffic at location 1 to go across the VLAN1 (10.0.8.x) network and vice versa for the 192.168.10.0 at location 2.  The routing is working because I can ping from one side to the other and even ssh from one side to the other.  It fails to work if I try to bring up the pfSense WebGUI across the intranet or do something that would dump a lot of data across an ssh connection.  Doing a tcpdump on the VLAN1 or the Intranet interfaces from either side doesn't show any VLAN tags on the packets either.
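    The post above hinges on two things a capture can settle: whether an 802.1Q tag (EtherType 0x8100 followed by a 4-byte tag) is actually present in the frames leaving the parent interface, and whether the IP packets involved are larger than the 1500-byte MTU pfSense accepts. The following is an added example (not code from the thread or from pfSense) that builds sample tagged and untagged IPv4 frames and parses them the way a capture tool would, reporting the VLAN ID and flagging packets that exceed a chosen MTU. The MAC addresses are made up; the IP addresses reuse the 10.0.8.2 and 10.0.8.130 values from the diagram above.

```python
"""Parse Ethernet frames with or without an 802.1Q tag and flag IP packets
that are too large for a given link MTU.  Added example; the frames built
here are constructed, not captured from the poster's network."""
import struct
from typing import Optional

ETHERTYPE_VLAN = 0x8100   # TPID that marks an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800
IP_FLAG_DF = 0x4000       # "don't fragment" bit in the IPv4 flags field


def parse_frame(raw: bytes) -> dict:
    """Return the outer header fields of an Ethernet frame.

    'vlan' is None for an untagged frame; otherwise it holds the priority
    (PCP), drop-eligible bit (DEI) and VLAN ID (VID) from the tag control
    information that follows the 0x8100 TPID.
    """
    if len(raw) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", raw[:14])
    offset = 14
    vlan = None
    if ethertype == ETHERTYPE_VLAN:
        if len(raw) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", raw[14:18])
        vlan = {"pcp": tci >> 13, "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF}
        offset = 18
    info = {
        "dst": dst.hex(":"), "src": src.hex(":"),
        "vlan": vlan, "ethertype": ethertype,
        "ip_total_length": None, "df": None,
    }
    if ethertype == ETHERTYPE_IPV4 and len(raw) >= offset + 20:
        # IPv4: bytes 2-3 total length, 4-5 identification, 6-7 flags+offset
        total_length, _ident, flags_frag = struct.unpack(
            "!HHH", raw[offset + 2:offset + 8])
        info["ip_total_length"] = total_length
        info["df"] = bool(flags_frag & IP_FLAG_DF)
    return info


def exceeds_mtu(info: dict, mtu: int) -> bool:
    """True if the IP packet is larger than the link MTU.  MTU counts the IP
    packet only; the 14-byte Ethernet header and the 4-byte tag are on top."""
    length = info["ip_total_length"]
    return length is not None and length > mtu


def build_frame(payload_len: int, vid: Optional[int] = None,
                df: bool = True) -> bytes:
    """Construct a sample IPv4-over-Ethernet frame, 802.1Q tagged when a VID
    is given.  MAC addresses are invented for the example."""
    dst = bytes.fromhex("001122334455")
    src = bytes.fromhex("66778899aabb")
    total_length = 20 + payload_len
    flags_frag = IP_FLAG_DF if df else 0
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_length, 1, flags_frag,
                         64, 1, 0, bytes([10, 0, 8, 2]), bytes([10, 0, 8, 130]))
    eth = dst + src
    if vid is not None:
        eth += struct.pack("!HH", ETHERTYPE_VLAN, vid & 0x0FFF)  # PCP 0, DEI 0
    eth += struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip_hdr + b"\x00" * payload_len


if __name__ == "__main__":
    for label, frame in (("tagged, 1500-byte packet", build_frame(1480, vid=100)),
                         ("untagged, 1536-byte packet", build_frame(1516))):
        info = parse_frame(frame)
        print(label, "->", info["vlan"], "DF" if info["df"] else "",
              "too big for MTU 1500" if exceeds_mtu(info, 1500) else "fits")
```

If a capture on the parent interface never shows EtherType 0x8100, the tag is being stripped or never added before the frame reaches the capture point; if it does, the second check explains why small exchanges (ping, an ssh login) work while bulk transfers stall: a full-size packet with DF set that is larger than the smallest MTU on the path is dropped rather than fragmented.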



  • I guess there's one question that needs to be answered first: does (can) pfSense add VLAN tags to packets sent (routed) across a VLAN interface, or does it only route packets based on their existing VLAN tags?

    Thanks.



  • Yes, it can.

