Routing between VLANS



  • Hi Guys,
    I am using pfSense on ESXi 6.0.
    I've created VLAN 20 for the guest network.
    I've bought a Cisco Meraki cloud AP MX18, created an SSID for guests and tagged it to use VLAN 20.
    On the vSwitch I've created a trunk port VLAN 4095 and VLAN 20.
    Between the ESXi and the AP there is a Cisco switch, also Meraki cloud managed.
    I've configured all the ports on the switch as trunk, including the uplink on the switch and the port where the AP is connected.
    When a user is trying to connect using the guest SSID for VLAN 20, it doesn't receive an IP for VLAN 20 from the pfSense.

    When I configure my AD to provide DHCP, it works over the LAN and provides a DHCP IP.
    When I disable my AD DHCP and enable the pfSense DHCP, clients are not receiving an IP from the pfSense DHCP.
    Any suggestions why?

    Thank you


  • LAYER 8 Global Moderator

    So on your vSwitch in ESXi, I'm a bit confused about this statement

    "on the Vswitch I've created a Trunk port VLAN 4095 and VLAN 20."

    You would set the vSwitch to 4095..  You would then have a vNIC interface in pfSense that is used with VLAN 20 on it..  How did you also create a VLAN 20 on this vSwitch, guessing that is another port group..  Can you paste a screenshot of your ESXi setup?

    Example here is a vSwitch where I have SSID VLANs coming in to pfSense






  • Thank you for your answer John,
    attached are the screenshots of the vSwitch and VLAN on the pfSense.
    thank you

    ![Screen Shot 2016-01-09 at 7.42.39 PM.png](/public/imported_attachments/1/Screen Shot 2016-01-09 at 7.42.39 PM.png)
    ![Screen Shot 2016-01-10 at 11.44.58 AM.png](/public/imported_attachments/1/Screen Shot 2016-01-10 at 11.44.58 AM.png)


  • LAYER 8 Global Moderator

    What is the other port group?  Do you have a pfSense interface in it?

    And you have 2 physical NICs, what are the switch configurations for them?

    So this trunk port group is the VLAN vSwitch that pfSense has its LAN interface in.



  • @johnpoz:

    What is the other port group?  Do you have a pfSense interface in it?

    And you have 2 physical NICs, what are the switch configurations for them?

    So this trunk port group is the VLAN vSwitch that pfSense has its LAN interface in.

    So this trunk port group is the VLAN vSwitch that pfSense has its LAN interface in.
    Correct.
    And you have 2 physical NICs, what are the switch configurations for them?
    Yes, I have two physical NICs on the pfSense, one on the management side and one on the trunk port on the.
    Both of them are attached to a physical NIC.

    thank you


  • LAYER 8 Global Moderator

    You have 2 physical NICs connected to that vSwitch… How do you have those configured in ESXi.. And how do you have them configured in the switch.. Are they a lagg, etherchannel, port group... And again you have multiple port groups on that vSwitch - what is in that port group?  That is not a vmkern group..



  • @johnpoz:

    You have 2 physical NICs connected to that vSwitch… How do you have those configured in ESXi.. And how do you have them configured in the switch.. Are they a lagg, etherchannel, port group... And again you have multiple port groups on that vSwitch - what is in that port group?  That is not a vmkern group..

    Hi John,
    please find the attached.
    The trunk port has the firewall LAN attached to it;
    on the LAN I've created VLAN 20.
    Attachment 2 is the configuration of vSwitch 2 where the LAN and VLAN are attached to.
    thank you



    [Screen Shot 2016-01-11 at 9.07.13 PM.png](/public/imported_attachments/1/Screen Shot 2016-01-11 at 9.07.13 PM.png)


  • LAYER 8 Global Moderator

    dude HOW are your physical NICs connected…. You have 2 of them connected to your vSwitch that has multiple port groups on it.. And you're also sharing vmkern..  So you have 1 switch port that is 4095, and then others that are just 0?..  And then you're connecting that with 2 physical NICs... Are they load sharing, port channel - what??

    Why don't you move that other NIC to your vmkern and put it on its own vSwitch.

    What is the native VLAN.. so your production port group has what set, 4095, 0, a specific tag?

    You have 2 physical NICs connected.. So how is pfSense treating them?  Load sharing, failover - what, and then how do you have those 2 NICs configured on your switch??



  • @johnpoz:

    dude HOW are your physical NICs connected…. You have 2 of them connected to your vSwitch that has multiple port groups on it.. And you're also sharing vmkern..  So you have 1 switch port that is 4095, and then others that are just 0?..  And then you're connecting that with 2 physical NICs... Are they load sharing, port channel - what??

    Why don't you move that other NIC to your vmkern and put it on its own vSwitch.

    What is the native VLAN.. so your production port group has what set, 4095, 0, a specific tag?

    You have 2 physical NICs connected.. So how is pfSense treating them?  Load sharing, failover - what, and then how do you have those 2 NICs configured on your switch??

    Hi John,
    The two physical NICs are used as a team failover, like shown in the attachment.
    On both vSwitches I've created a vmkern so I can reach the host if the first vSwitch goes down.
    I don't have a VLAN for production but a LAN NIC 192.168.4.0/24; the idea is to send all the traffic to the switch, and the switch will manage which VLAN's traffic goes where.
    pfSense doesn't have any load sharing or failover, just a simple configuration: 1 NIC on the WAN side and 1 on the LAN side.
    Do you mean I have to create a port group for each VLAN?

    thank you for your answer


  • LAYER 8 Global Moderator

    "On both vSwitches I've created a vmkern so I can reach the host if the first vSwitch goes down"

    If your vSwitch goes down???  Never heard of such a thing..

    "Do you mean I have to create a port group for each VLAN?"

    Dude, you need to create your VLANs on pfSense, assign those VLANs to the vNIC that is connected to the vSwitch that is connected to your physical NIC that is in trunk or tagging mode so that the VLAN information is kept, and you need to set your vSwitch to 4095.

    This takes all of 2 seconds to setup..  Not sure what you're doing wrong - but the fact that you created multiple vmkerns seems like your setup is a mess..  As to your NICs in team mode - what attached? You never show anything about how your NICs are setup.  And how are the switch ports configured that connect to those - are they in a lagg, port group, etherchannel??  What is the switch you're dealing with?

    I don't understand why you're creating more than 1 port group on the vSwitch either..  Is that port group set to 4095?  Since you have tagged physical NICs connected to it??
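As an added illustration that is not from the thread or from any of its participants, the Python below models the tag path the moderator describes: the AP tags the guest SSID, the switch trunk carries the tag, the vSwitch port group either passes it (4095), strips it (port group set to the same VLAN) or refuses it (0 or another VLAN), and pfSense needs a VLAN interface on that vNIC. The ESXi tagging rules (EST/VST/VGT) are real; the dataclass, function and sample configurations are assumptions constructed for the example.

```python
# Added example (not from the thread): where does the guest SSID's 802.1Q tag
# end up, given the AP, the switch trunk, the ESXi port group and pfSense?
from __future__ import annotations
from dataclasses import dataclass, field

VGT_ALL_VLANS = 4095   # ESXi port group VLAN ID that passes tags through to the VM
UNTAGGED = 0           # ESXi port group VLAN ID for an untagged (access-style) port group


@dataclass
class TagPath:
    ssid_vlan: int                          # VLAN the AP tags the guest SSID with
    switch_trunk_allowed: set[int]          # VLANs the Cisco switch trunk ports carry
    portgroup_vlan: int                     # VLAN ID of the port group holding pfSense's LAN vNIC
    pfsense_vlan_ifaces: set[int] = field(default_factory=set)  # VLAN interfaces on that vNIC


def trace_guest_dhcp(path: TagPath) -> str:
    """Follow a tagged DHCP Discover from a guest client and report where it lands.

    dropped_at_switch   - the trunk ports do not carry the SSID VLAN
    dropped_at_vswitch  - the port group (0 or a different VLAN) will not deliver this tag
    untagged_at_parent  - VST stripped the tag: pfSense's parent LAN interface sees the
                          request, its VLAN interface (and that DHCP scope) does not
    no_vlan_iface       - tag reached pfSense but no VLAN interface is defined for it
    dhcp_on_vlan_iface  - frame arrives tagged on pfSense's VLAN interface (working)
    """
    if path.ssid_vlan not in path.switch_trunk_allowed:
        return "dropped_at_switch"
    if path.portgroup_vlan == VGT_ALL_VLANS:
        # Virtual Guest Tagging: the tag survives into the VM, pfSense must own it.
        if path.ssid_vlan in path.pfsense_vlan_ifaces:
            return "dhcp_on_vlan_iface"
        return "no_vlan_iface"
    if path.portgroup_vlan == path.ssid_vlan:
        # Virtual Switch Tagging: ESXi removes the tag before the VM sees the frame.
        return "untagged_at_parent"
    # External Switch Tagging (0) or a foreign VLAN ID: tagged frame is not delivered.
    return "dropped_at_vswitch"


# Constructed configurations mirroring the thread's setup (guest VLAN 20).
WORKING = TagPath(20, {1, 20}, VGT_ALL_VLANS, {20})
PORTGROUP_VLAN_20 = TagPath(20, {1, 20}, 20, {20})
PORTGROUP_UNTAGGED = TagPath(20, {1, 20}, UNTAGGED, {20})

if __name__ == "__main__":
    for name, cfg in (("4095", WORKING), ("pg=20", PORTGROUP_VLAN_20), ("pg=0", PORTGROUP_UNTAGGED)):
        print(f"port group {name:>5}: {trace_guest_dhcp(cfg)}")
```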



  • @johnpoz:

    "On both vSwitches I've created a vmkern so I can reach the host if the first vSwitch goes down"

    If your vSwitch goes down???  Never heard of such a thing..

    – I've heard of such things, and I don't see what could be wrong with it if the ESXi has two management interfaces on two different vSwitches.
    This is the way we configured the ESXi.
    "Do you mean I have to create a port group for each VLAN?"

    Dude, you need to create your VLANs on pfSense, assign those VLANs to the vNIC that is connected to the vSwitch that is connected to your physical NIC that is in trunk or tagging mode so that the VLAN information is kept, and you need to set your vSwitch to 4095.

    --- This is exactly what I did, as shown in the previous screenshots; have you seen them?

    This takes all of 2 seconds to setup..  Not sure what you're doing wrong - but the fact that you created multiple vmkerns seems like your setup is a mess..  As to your NICs in team mode - what attached? You never show anything about how your NICs are setup.  And how are the switch ports configured that connect to those - are they in a lagg, port group, etherchannel??  What is the switch you're dealing with?
    -- I showed in the previous post screenshots of how the NICs are attached. Probably you didn't look at the post. I'll upload it again (see attached).

    I don't understand why you're creating more than 1 port group on the vSwitch either..  Is that port group set to 4095?  Since you have tagged physical NICs connected to it??

    --- See attached, thank you

    [Screen Shot 2016-01-20 at 5.55.43 PM.png](/public/imported_attachments/1/Screen Shot 2016-01-20 at 5.55.43 PM.png)
    [Screen Shot 2016-01-20 at 5.55.57 PM.png](/public/imported_attachments/1/Screen Shot 2016-01-20 at 5.55.57 PM.png)

