Help with VLANs for Tomato Router



  • New here, taking a dive into understanding and planning my configurations before I completely disconnect and re-route my configurations to validate function. I'll give you the current layout and hardware, configuration details, and problems. Then I'll lay out the intended plan of migration. I'm really hoping I can get a sanity check from some others on my plan. I'm new to VLANs as well; I believe I understand the necessary requirements well enough, but again I'm looking for that validation.

    Current Setup:

    • ESXi Server - 4 physical NICs available, 1 necessary for local connectivity to the LAN, 3 available but hoping to only use 2. Various VMs running for work, home, and learning.

    • Netgear 16 port unmanaged 10/100/1000 switch

    • Asus RT-N66U running as my main wifi and router

    • ASUS is flashed with Tomato-Shibby firmware allowing much expanded features, specifically of importance: QoS, OpenVPN, Basic Firewall rulesets, Port Forwards for some external services, 3 Wifi networks with 1 being a guest network segregated from rest of internal LAN (direct to internet, deny all internal)

    • Moto Surfboard Cable Modem

    |SurfBoard Modem|--------|ASUS RT|---------|Netgear16P|-------LAN Devices/ESXi
                              /  |  \
                            SS1 SS2  SS3 (Isolated)

    Planned Setup:

    • ESXi Server - 1 NIC for local LAN connectivity, 1 NIC plugged directly to Surfboard Cable Modem and mapped to a vSwitch1(WAN), 1 NIC plugged directly to WAN port of ASUS (WAN as LAN setting enabled, so acts like a LAN port) and mapped to a vSwitch2(LAN), along with a vSwitch3(DMZ) connected virtually to VM's needing to be DMZ'd

    • ASUS RT - Configured with 1 or 2 VLANs (VLAN10/30) - depending if there is an ability on pfSense to treat all UNTAGGED traffic as a "default" VLAN id and all TAGGED traffic as is (or maybe it's better to tag it all if I can?) - Will plan to turn off DNS/DHCP, convert WAN to LAN port as described, tagged same as other LAN ports - set up 3 SSIDs (2.4g/5g/Guest2.4) with 2.4/5 on VLAN 10, Guest2.4 on VLAN 30 - Lastly a few devices plugged directly in to LAN ports (XBOX/Stereo) and a switch with all other devices (assuming I tag all LAN traffic through physical ports with VLAN10)

    • pfSense VM running on ESXi box, connected with 3 vNICs plugged to each vSwitch (WAN, LAN, DMZ) - Serving up DHCP/DNS on both LAN/DMZ and VLAN20 as well as OVPN Server and OVPN Client to secondary location (OVPN client setup is a learning experience in some specialized routing for convenience, not a first phase requirement) - Traffic Shaping to be configured afterward aimed at LAN/DMZ networks, probably guest later on

    • LAN(VLAN10) 192.168.10.x

    • OVPNS 192.168.20.x

    • GUEST(VLAN30) 192.168.30.x

    • DMZ 192.168.40.x

    • OVPNC 192.168.50.x

                                 |pfSenseVM|
                                /     |     \
                             WAN     DMZ     LAN
                                \     |     /
    |SurfBoard Modem|-----------|ESXi|-----------|ASUS RT|---------|Netgear16P|-------LAN Devices
                                                  /  |  \ (VLAN10)             (VLAN10)
                                                SS1  SS2  SS3
                                            (VLAN10)(VLAN10)(VLAN30)

    (Best visual I could supply)



  • I'm just getting started with pfSense as well and used Tomato Shibby on a Netgear R7000.

    I can report the VLAN part works very well. In my scenario, I'm keeping the R7000 solely for wifi, and I have 5 SSIDs, split between the two radios.

    I used just one uplink to a port on my pfSense. On the Tomato default VLAN (1 usually), I configured my untagged SSIDs. I use two tagged VLANs, which are set up as VLAN and bridges (to hook up with the Wifi config). In the VLAN setup, I associated each one with the same port I'm using to uplink, set the VLAN ID to whatever I plan to use on pfSense, and marked it 'tagged'.

    On the pfSense side, I configured the basic interface for the uplink port to associate with the default/untagged VLAN (and subnet). Then I defined two VLANs to match up with the VLAN ID I put in my tagged VLANs in Tomato. These are then added as interfaces and similar configuration for the subnets is completed.

    This all worked very well! I ran into issues with the DHCP Server not serving on all interfaces, which at first led me to wonder if the VLANs were the problem. A bit of troubleshooting proved the VLANs were fine. Hope this helps!
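Added example, not part of the thread: a small consistency check for the trunk the two posts describe (Tomato carrying an untagged default VLAN plus tagged VLAN10/VLAN30 to one pfSense port, each with its own subnet), plus a check that the pfSense rules on the guest VLAN actually keep guests off the other internal subnets. The rule layout, the 192.168.1.0/24 subnet for the default VLAN and the interface model are constructed assumptions; the VLAN IDs and /24s come from the plan above.

```python
from ipaddress import ip_address, ip_network

# Tomato side: the single uplink port to pfSense. VLAN 1 is the default (untagged)
# VLAN carrying the untagged SSIDs; 10 and 30 are tagged, as in the plan above.
TOMATO_UPLINK = {"untagged": 1, "tagged": {10, 30}}

# pfSense side (VLAN 1 subnet is an assumption): untagged frames land on the parent
# NIC, tagged ones on the VLAN interfaces defined to match Tomato's IDs.
PFSENSE_VLANS = {1: "192.168.1.0/24", 10: "192.168.10.0/24", 30: "192.168.30.0/24"}

# Rules on the GUEST (VLAN 30) interface, first match wins as in pfSense. A separate
# VLAN alone does not isolate guests; the 'block' rule is what keeps them off the LAN.
GUEST_RULES = [
    ("pass",  "192.168.30.0/24", "192.168.30.1/32"),  # DNS/DHCP to the gateway only
    ("block", "192.168.30.0/24", "192.168.0.0/16"),   # everything else internal
    ("pass",  "192.168.30.0/24", "0.0.0.0/0"),        # then out to the internet
]

def check_vlans(uplink, pf_vlans):
    """Trunk mismatches (a VLAN present on one side only) and overlapping subnets."""
    problems = []
    carried = {uplink["untagged"]} | set(uplink["tagged"])
    for vid in uplink["tagged"]:
        if vid not in pf_vlans:
            problems.append(f"VLAN {vid} tagged on Tomato but not defined on pfSense")
    for vid in pf_vlans:
        if vid not in carried:
            problems.append(f"pfSense VLAN {vid} is never sent by Tomato")
    nets = [ip_network(s) for s in pf_vlans.values()]
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"subnets {a} and {b} overlap")
    return problems

def guest_can_reach(rules, dst_ip, guest_net="192.168.30.0/24"):
    """First-match evaluation of the guest rules for a packet from a guest to dst_ip."""
    for action, src, dst in rules:
        if ip_network(src) == ip_network(guest_net) and ip_address(dst_ip) in ip_network(dst):
            return action == "pass"
    return False  # pfSense default deny

def check_isolation(rules, pf_vlans, guest_vid=30):
    """Report every non-guest subnet a guest client could reach through the rules."""
    leaks = []
    for vid, subnet in pf_vlans.items():
        if vid != guest_vid:
            probe = str(list(ip_network(subnet).hosts())[1])  # an arbitrary host there
            if guest_can_reach(rules, probe):
                leaks.append(f"guest VLAN can reach {subnet}")
    return leaks
```

Reordering GUEST_RULES so the catch-all pass comes first is enough to make check_isolation report both the default and the VLAN10 subnets, which is the mistake the guest SSID's isolation depends on avoiding.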