    Help with VLANs for Tomato Router

    Wireless
    2 Posts 2 Posters 4.1k Views
    • 1activegeek

      New here, taking a dive into understanding and planning my configurations before I completely disconnect and re-route my configurations to validate function. I'll give you the current layout and hardware, configuration details, and problems. Then I'll lay out the intended plan of migration. I'm really hoping I can get a sanity check from some others on my plan. I'm new to VLANs as well; I believe I understand the necessary requirements well enough, but again I'm looking for that validation.

      Current Setup:

      • ESXi Server - 4 physical NICs available, 1 necessary for local connectivity to the LAN, 3 available but hoping to only use 2. Various VMs running for work, home, and learning.

      • Netgear 16 port unmanaged 10/100/1000 switch

      • Asus RT-N66U running as my main wifi and router

      • ASUS is flashed with Tomato-Shibby firmware allowing much expanded features, specifically of importance: QoS, OpenVPN, basic firewall rulesets, port forwards for some external services, 3 Wifi networks with 1 being a guest network segregated from the rest of the internal LAN (direct to internet, deny all internal)

      • Moto Surfboard Cable Modem

      |SurfBoard Modem|--------|ASUS RT|---------|Netgear16P|------- LAN Devices/ESXi
                               /  |  \
                            SS1  SS2  SS3 (Isolated)

      Planned Setup:

      • ESXi Server - 1 NIC for local LAN connectivity, 1 NIC plugged directly to Surfboard Cable Modem and mapped to a vSwitch1(WAN), 1 NIC plugged directly to WAN port of ASUS (WAN as LAN setting enabled, so acts like a LAN port) and mapped to a vSwitch2(LAN), along with a vSwitch3(DMZ) connected virtually to VM's needing to be DMZ'd

      • ASUS RT - Configured with 1 or 2 VLANs (VLAN10/30) - depending if there is an ability on pfSense to treat all UNTAGGED traffic as a "default" VLAN id and all TAGGED traffic as is (or maybe it's better to tag it all if I can?) - Will plan to turn off DNS/DHCP, convert WAN to LAN port as described, tagged same as other LAN ports - setup 3 SSIDs (2.4g/5g/Guest2.4) with 2.4/5 on VLAN 10, Guest2.4 on VLAN 30 - Lastly a few devices plugged directly in to LAN ports (XBOX/Stereo) and a switch with all other devices (assuming I tag all LAN traffic through physical ports with VLAN10)

      • pfSense VM running on ESXi box, connected with 3 vNICs plugged to each vSwitch (WAN, LAN, DMZ) - Serving up DHCP/DNS on both LAN/DMZ and VLAN20 as well as OVPN Server and OVPN Client to secondary location (OVPN client setup is a learning experience in some specialized routing for convenience, not a first phase requirement) - Traffic shaping to be configured afterward aimed at LAN/DMZ networks, probably guest later on

      • LAN(VLAN10) 192.168.10.x

      • OVPNS 192.168.20.x

      • GUEST(VLAN30) 192.168.30.x

      • DMZ 192.168.40.x

      • OVPNC 192.168.50.x

                                  |pfSense VM|
                                 /     |      \
                              WAN     DMZ      LAN (VLAN10)
                               |       |         \
      |SurfBoard Modem|--------|ESXi|-------------|ASUS RT|---------|Netgear16P|------- LAN Devices (VLAN10)
                                                   /  |  \
                                                SS1  SS2  SS3
                                            (VLAN10)(VLAN10)(VLAN30)

      (Best visual I could supply)

      • btaroli

        I'm just getting started with pfSense as well and used Tomato Shibby on a Netgear R7000.

        I can report the VLAN part works very well. In my scenario, I'm keeping the R7000 solely for wifi, and I have 5 SSIDs, split between the two radios.

        I used just one uplink to a port on my pfSense. On the Tomato default VLAN (1 usually), I configured my untagged SSIDs. I use two tagged VLANs, which are set up as VLAN and bridges (to hook up with the Wifi config). In the VLAN setup, I associated each one with the same port I'm using to uplink, set the VLAN ID to whatever I plan to use on pfSense, and marked it "tagged".

        On the pfSense side, I configured the basic interface for the uplink port to associate with the default/untagged VLAN (and subnet). Then I defined two VLANs to match up with the VLAN IDs I put in my tagged VLANs in Tomato. These are then added as interfaces and similar configuration for the subnets is completed.

        This all worked very well! I ran into issues with the DHCP server not serving on all interfaces, which at first led me to wonder if the VLANs were the problem. A bit of troubleshooting proved the VLANs were fine. Hope this helps!

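Both posts rely on the same 802.1Q behaviour: on the single uplink between the Tomato box and pfSense, untagged frames belong to the parent (default VLAN) interface and tagged frames belong to the pfSense VLAN interface whose ID matches. The following is an added example, not code from either poster or from pfSense or Tomato; it builds 802.1Q frames and classifies them the way that uplink would, using the first post's LAN/VLAN10 and GUEST/VLAN30 subnets as an assumed interface table. Interface names, MAC addresses and the sample frames are all constructed for the example.

```python
# Added example (not from the thread or from pfSense/Tomato code): a model of
# how a pfSense uplink port classifies frames by 802.1Q tag. Untagged frames
# land on the parent interface; tagged frames land on the VLAN interface with
# the matching VID; a VID with no interface is not forwarded.
import struct
from typing import Optional

TPID_8021Q = 0x8100      # EtherType value that announces an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800

# Assumed interface table from the first post's plan: the untagged/default VLAN
# is LAN (VLAN10 on the Tomato side), VLAN30 is the tagged guest network.
UPLINK_TABLE = {
    None: ("LAN", "192.168.10.0/24"),
    30: ("GUEST", "192.168.30.0/24"),
}


def build_frame(dst: bytes, src: bytes, payload: bytes,
                vid: Optional[int] = None, pcp: int = 0) -> bytes:
    """Build an Ethernet II frame, inserting an 802.1Q tag when vid is given."""
    if len(dst) != 6 or len(src) != 6:
        raise ValueError("MAC addresses must be 6 bytes")
    if vid is None:
        return dst + src + struct.pack("!H", ETHERTYPE_IPV4) + payload
    if not 0 <= vid <= 4094:          # 4095 is reserved by 802.1Q
        raise ValueError("VID out of range")
    tci = ((pcp & 0x7) << 13) | (vid & 0x0FFF)   # PCP(3) | DEI(1)=0 | VID(12)
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, ETHERTYPE_IPV4) + payload


def parse_frame(frame: bytes):
    """Return (vid, inner_ethertype, payload); vid is None for untagged frames."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != TPID_8021Q:
        return None, ethertype, frame[14:]
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q header")
    tci, inner = struct.unpack("!HH", frame[14:18])
    vid = tci & 0x0FFF
    # VID 0 is "priority-tagged": it carries a PCP but no VLAN membership, so
    # the receiving port treats it like an untagged frame on its native VLAN.
    if vid == 0:
        vid = None
    return vid, inner, frame[18:]


def classify(frame: bytes, table=UPLINK_TABLE):
    """Map a frame arriving on the uplink to the interface that owns it."""
    vid, _, _ = parse_frame(frame)
    return table.get(vid, ("DROP", None))   # no interface for that VID: not forwarded


# Constructed sample traffic (not captured from anyone's network).
MAC_CLIENT = bytes.fromhex("0200aabbcc01")
MAC_GATEWAY = bytes.fromhex("0200aabbcc02")
DUMMY_IP = bytes(20)     # placeholder IPv4-header-sized payload

SAMPLE_FRAMES = {
    "wired_lan": build_frame(MAC_GATEWAY, MAC_CLIENT, DUMMY_IP),              # untagged
    "guest_wifi": build_frame(MAC_GATEWAY, MAC_CLIENT, DUMMY_IP, vid=30),     # tagged 30
    "priority_only": build_frame(MAC_GATEWAY, MAC_CLIENT, DUMMY_IP, vid=0, pcp=5),
    "unconfigured": build_frame(MAC_GATEWAY, MAC_CLIENT, DUMMY_IP, vid=20),   # no interface
}


def classify_samples() -> dict:
    """Classify every sample frame; returns {name: (interface, subnet)}."""
    return {name: classify(f) for name, f in SAMPLE_FRAMES.items()}


if __name__ == "__main__":
    for name, (iface, subnet) in classify_samples().items():
        print(f"{name:14s} -> {iface} {subnet or ''}")
```

The practical caveat this makes visible: anything that reaches the uplink without a tag (including a priority-tagged frame with VID 0) is placed in the untagged LAN network, so the guest SSID's isolation depends on the Tomato bridge really tagging every guest frame with VLAN 30, and the GUEST interface on pfSense still needs its own firewall rules blocking the private LAN/DMZ ranges rather than relying on the tag alone.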