Routing Traffic Between Two vLANS

whosmatt

Ok, I had a quick look at the TP-LINK config and it looks pretty simple. But you need to start with pfsense. On the physical interface connected to the switch, define your vlans with that as the parent interface. Then, set up new interfaces with those vlans (see my example above with vlan 10). Give each of those interfaces an IP address in a different subnet. It would make sense to have the vlan ID match the subnet in some way. For vlan 2 and 3, for example, maybe 192.168.2.0/24 and 192.168.3.0/24 respectively, but the actual mechanism is arbitrary; the vlan ID is just an integer between 1 and 4094.

Define the same vlans in the switch, under the 802.1Q config. Then, set the port that pfsense is connected to to carry all (both) of those vlans tagged. Other ports connected to vlan unaware devices will be untagged, and you'll generally have just one vlan assigned to those. So, a device that needs to be on 192.168.3.0/24 will be connected to a port that is in vlan 3 untagged, etc. It's pretty much as simple as that.

In pfsense, of course, you'll need to set up firewall rules on each of your vlan interfaces to allow traffic. Could be as simple as allowing any to any, or you can get really granular if you wish. Just remember that without any rules at all, no traffic will flow between subnets or to the internet.

This will help with things on the switch side: http://www.tp-link.com/resources/document/TL-SG1024DE_V1_User_Guide_Easy_Smart_Configuration_Utility.pdf

eliteassassin07

Here is what I did to correct everything…

So I configured the VLANs on the switch as follows:

Using 802.1Q I configured a total of 4 VLANs…
VLAN 1 >> This is the default VLAN on the switch and is not being used at this time
VLAN 100 >> Used for all local devices that are not included in the following two VLANs
VLAN 200 >> Used for iSCSI traffic
VLAN 300 >> Used as part of an “isolated” network

VLAN 300,
For this VLAN I “tagged” ports 1 and 9…
Member Ports >> 1 and 9
Tagged Ports >> 1 and 9
Untagged Ports >> NONE

VLAN 200,
For this VLAN I “untagged” ports 8 and 12…
Member Ports >> 8 and 12
Tagged Ports >> NONE
Untagged Ports >> 8 and 12
Note, I could not use “tagged” ports here as it appears that one of the NICs in my server is not VLAN aware. However since this VLAN is only used internally and does NOT need to communicate with the firewall this is really not an issue. I also changed the PVID settings for ports 8 and 12 to 200.

VLAN 100,
For this VLAN I “untagged” ports 1-7, 9-11, and 13-16
Member Ports >> 1-7, 9-11, and 13-16
Tagged Ports >> NONE
Untagged Ports >> 1-7, 9-11, and 13-16
Note, I changed the PVID settings for ports 1-7, 9-11, and 13-16 to 100.

Note port 1 is the uplink/trunk port on the switch that goes back to pfSense

pfSense configuration:

Since VLAN 100 is now where all of my local traffic (for desktops , laptops, and mobile devices) is located and the traffic is all untagged and using PVID 100 I did not need to change anything on pfSense as it just all routed through the default LAN interface. Only thing that I did do here is on the LAN interface under rules I created a rule that blocked all traffic from LAN to OPT1(VLAN 300).

Since VLAN 200 does not need to communicate with the firewall or internet there was nothing that needed to be configured on pfSense.

Since VLAN 300 needed to be able to communicate with the firewall and the internet I went ahead and created a VLAN on pfSense so that this could take place. I then created a rule for the OPT1 (VLAN 300) interface that blacked all traffic from OPT1 to LAN.

The above configuration appears to have effectively separated all of the network traffic like I wanted and allows me to create rules to only allow certain traffic to pass between VLAN 100 and VLAN 300.

Thanks everyone for the information!

johnpoz

your not getting it are you??

you only need tagged on the port going to pfsense.. All of the vlans would be tagged here other than the native vlan, ie your physical interface. be this 1 or 100, or 200 whatever.

All your other ports would be in the 1 vlan you want on that port as untagged.

"VLAN 300,
For this VLAN I “tagged” ports 1 and 9…"

if port 1 is connected then that is fine.. But why do you have it tagged on port 9?? Is that an uplink to another switch?

How is vlan 200 getting to pfsense if its not tagged on port 1??

Derelict

This would be:

em1_vlan100 LAN
em1_vlan200 WAN
em1_vlan300 GUEST, DMZ, etc.

VLAN-pfSense.png_thumb

eliteassassin07

@johnpoz:

your not getting it are you??

you only need tagged on the port going to pfsense.. All of the vlans would be tagged here other than the native vlan, ie your physical interface. be this 1 or 100, or 200 whatever.

All your other ports would be in the 1 vlan you want on that port as untagged.

"VLAN 300,
For this VLAN I “tagged” ports 1 and 9…"

if port 1 is connected then that is fine.. But why do you have it tagged on port 9?? Is that an uplink to another switch?

How is vlan 200 getting to pfsense if its not tagged on port 1??

I feel like something is getting lost in translation here…

For VLAN 300 I tagged port 1 which is the uplink port on the switch and tagged port 9 which is connected to my ESXi host. Port 1 has to be tagged so that pfSenese VLAN Interface can see the traffic correctly. Then on the ESXi host I have configured the virtual switch to VLAN 300 as well... So yes in a since port 9 is connected to another switch.. Probably should not have left that information out.. Sorry

As far s VLAN 200 goes... That VLAN does not need to communicate with pfSense (really I dont want it to communicate with pfSense). The only thing on that VLAN is iSCSI traffic from a FreeNAS Server to an ESXi Host, both of which are connected to the same switch and use statically assigned IPs.

johnpoz

"which is connected to my ESXi host"

Where did this esxi host come from?? Is pfsense running on your esxi host? There was no mention of any esxi host in your first post or 2nd or 3rd..

tagged ports are only used for uplink ports.. Like another switch, a router wth vlans on that interface, an AP that will have vlans on different SSIDs, sure an esxi host that will have vms that will use different tags connect to that same vswitch that physical nic is on..

You only need to tag on ports that are going to carry more than 1 vlan. Because those tags will be used on the device that is uplink to determine where that traffic should flow.

Derelict

Tag ports to devices that need to see the tag. It's that simple. That would be pfSense and ESXi.

If you put an untagged port on VLAN 100 (LAN) and connect a device to it and it gets DHCP, can query DNS, etc your VLAN and switch and pfSense are configured fine and you can concentrate on your ESXi setup.

eliteassassin07

pfSense is running on its own hardware…

"Port 9" is connected to my ESXi Host...

So I think that what you are saying is finally settling in... been ridding the struggle bus here...

I now have it configured as follows...

VLAN 100,
Untagged Ports >> 1-7, 10-11, 13-16 (PVID for these ports set to 100)
Tagged Ports >> NONE

VLAN 200,
Untagged Ports >> 8 and 12 (PVID for these ports set to 200)
Tagged Ports >> NONE, Remember though I dont want this VLAN to connect to pfSense

VLAN 300,
Untagged Port >> 9 (PVID for this port set to 300)
Tagged Port >> 1

So with this set up the only thing that is tagged is Port 1 which is the uplink port.

I believe that this is now correct...

eliteassassin07

@Derelict:

Tag ports to devices that need to see the tag. It's that simple. That would be pfSense and ESXi.

If you put an untagged port on VLAN 100 (LAN) and connect a device to it and it gets DHCP, can query DNS, etc your VLAN and switch and pfSense are configured fine and you can concentrate on your ESXi setup.

Thanks…

Yes... currently anything that I connect to ports 1-7, 10-11, and 13-16 on the switch is receiving DHCP as it should from pfSense.. iSCSI traffic on ports 8 and 12 is working as it should... And the servers connected to port 9 on ESXi are also working.

I made some changes to the way the virtual switch was configured in ESXi so that port tagging was no longer needed except for on the up link port on the switch.

johnpoz

esxi only needs tag if your going to use vms on different vlans, they your going to need multiple tags on that port.. If all your vms are going to be on the same vlan then you don't need tags.. Where is your vmkern is that he same physical nic.

Keep in mind if you want to use vlans on your vms you have to set the vswitch to 4095 so it will pass the tags on to your vms on that vswitch.

eliteassassin07

All of the VMs will be on the same VLAN. :)

VMKern/Management is on its own NIC

Thank you for all of your help…. I am sure this has been as frustrating for you as it has been for me... lol

whosmatt

Hey, off topic i know, but does that 16 port TP-LINK switch have fans?

eliteassassin07

@whosmatt:

Hey, off topic i know, but does that 16 port TP-LINK switch have fans?

No, it is fan-less.

Although it really does not appear to get all of that hot and I am using almost all of the 16 ports on there.

jahonix

@eliteassassin07:

I am sure this has been as frustrating for you as it has been for me…

Is it working now?

eliteassassin07

Yes, it is now working.

Thanks everyone!