    SG-2220 and Cisco 2960G - Virtual interfaces on pfSense not working?

      vodkagenius last edited by

      Hi guys, running into an issue that I can't seem to figure out, because this should be so simple.  This is my first foray into pfSense though, so fair warning that it might be something stupid I've overlooked!

      Going to try to put it as simply as possible:

      Relevant switch VLAN config:

      vlan internal allocation policy ascending
      !
      vlan 10
      name VLAN10
      !
      vlan 20
      name VLAN20

      interface GigabitEthernet0/7
      description pfSense-LAN
      switchport trunk native vlan 20
      switchport trunk allowed vlan 10,20
      switchport mode trunk
      !

      The "native VLAN" is so I can still hit the pfSense GUI even though I'm using the LAN port as a trunk, as the IP configured on that port is on VLAN 20.

      The switch is currently doing basic inter-VLAN routing until I get the pf running so I've defined some virtual interfaces…boxes use them as gateways and everything is hunky dory:

      interface Vlan10
      ip address 192.168.1.254 255.255.255.0
      !
      interface Vlan20
      ip address 10.0.1.1 255.255.255.0
      !

      On the pfSense side, I have VLAN 10 + 20 defined (not much to say here, pretty much just a name and a tag number).

      I added them to Interfaces and configured static IPv4 addresses, and for testing purposes I set any/any/all rules on all VLANs, the LAN, WAN, and Floating rulesets.

      But I can't ping either of the IPs I configured on the VLAN interfaces!  Not from the switch, or any box on any VLAN.  What am I missing here?  This seems like it should be simple.

        coxhaus last edited by

        If you are using a trunk port to pfSense, then the switch is not doing intervlan routing.  To keep the switch doing the intervlan routing, connect to pfSense using an access data port, not a trunked port.  If you use a trunked port to pfSense, then pfSense will do the intervlan routing.

          vodkagenius last edited by

          Just thought I'd respond to this thread to let everyone know my solution:

          For some reason, if you have an IP on a physical interface that is on the same subnet as its virtual child-interface, neither IP is reachable.  I killed the VIP on the same network as my physical interface and all was well.  Weird.  I might try removing the IP from my LAN interface and just allowing it to exist as a trunk, and then checking to see if I can ping the VIP on the subinterface.  That just feels "cleaner" to me than having one VLAN exist on a physical and one on a virtual…

            cmb last edited by

            You can't put the same IP subnet on multiple interfaces.
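
            The rule in the last reply can be checked before a config is applied. The script below is an added example, not part of any post in this thread: it flags every pair of interfaces whose subnets overlap, which also covers partial overlaps, not only identical subnets. The interface names and addresses are constructed, since the thread does not give the pfSense-side IPs.

```python
import ipaddress
from itertools import combinations

# Constructed sample (assumption): a parent LAN port addressed in the
# VLAN 20 subnet plus tagged VLAN 10 and VLAN 20 child interfaces.
SAMPLE_INTERFACES = {
    "LAN (parent, untagged)": "10.0.1.2/24",
    "VLAN10 (tag 10)": "192.168.1.1/24",
    "VLAN20 (tag 20)": "10.0.1.3/24",
}


def find_subnet_conflicts(interfaces):
    """Return (name_a, name_b, net_a, net_b) for each overlapping pair.

    `interfaces` maps an interface name to an address in CIDR form.
    """
    parsed = []
    for name, cidr in interfaces.items():
        # ip_interface keeps the host address and derives the network.
        parsed.append((name, ipaddress.ip_interface(cidr).network))

    conflicts = []
    for (name_a, net_a), (name_b, net_b) in combinations(parsed, 2):
        if net_a.version != net_b.version:
            continue  # an IPv4 and an IPv6 subnet cannot collide
        if net_a.overlaps(net_b):
            conflicts.append((name_a, name_b, str(net_a), str(net_b)))
    return conflicts


def without_address(interfaces, name):
    """Copy of the config with one interface left unaddressed."""
    return {k: v for k, v in interfaces.items() if k != name}


if __name__ == "__main__":
    for a, b, net_a, net_b in find_subnet_conflicts(SAMPLE_INTERFACES):
        print(f"CONFLICT: {a} ({net_a}) overlaps {b} ({net_b})")
    # Leaving the parent as a bare trunk removes the conflict.
    fixed = without_address(SAMPLE_INTERFACES, "LAN (parent, untagged)")
    print("after fix:", find_subnet_conflicts(fixed) or "no conflicts")
```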