Help with VLANs for Tomato Router

New here taking a dive into understanding and planning my configurations before I completely disconnect and re-route my configurations to validate function. I'll give you the current layout and hardware, configuration details, and problems. Then I'll lay out the intended plan of migration. I'm really hoping I can get a sanity check from some others on my plan. I'm new to VLANs as well; I believe I understand the necessary requirements well enough, but again I'm looking for that validation.
Current Setup:
- ESXi Server - 4 physical NICs available, 1 necessary for local connectivity to the LAN, 3 available but hoping to only use 2. Various VMs running for work, home, and learning.
- Netgear 16 port unmanaged 10/100/1000 switch
- Asus RT-N66U running as my main wifi and router
- ASUS is flashed with Tomato-Shibby firmware allowing much expanded features, specifically of importance: QoS, OpenVPN, basic firewall rulesets, port forwards for some external services, 3 wifi networks with 1 being a guest network segregated from the rest of the internal LAN (direct to internet, deny all internal)
- Moto Surfboard Cable Modem
|SurfBoard Modem|---------|ASUS RT|---------|Netgear16P|-------LAN Devices/ESXi
                            / |
                           /  |
                    SS1  SS2  SS3(Isolated)

Planned Setup:
- ESXi Server - 1 NIC for local LAN connectivity, 1 NIC plugged directly to the Surfboard Cable Modem and mapped to vSwitch1 (WAN), 1 NIC plugged directly to the WAN port of the ASUS (WAN-as-LAN setting enabled, so it acts like a LAN port) and mapped to vSwitch2 (LAN), along with a vSwitch3 (DMZ) connected virtually to VMs needing to be DMZ'd
- ASUS RT - Configured with 1 or 2 VLANs (VLAN10/30) - depending on whether pfSense can treat all UNTAGGED traffic as a "default" VLAN id and all TAGGED traffic as is (or maybe it's better to tag it all if I can?) - Will plan to turn off DNS/DHCP, convert WAN to LAN port as described, tagged the same as the other LAN ports - set up 3 SSIDs (2.4g/5g/Guest2.4) with 2.4/5 on VLAN 10, Guest2.4 on VLAN 30 - Lastly a few devices plugged directly into LAN ports (XBOX/Stereo) and a switch with all other devices (assuming I tag all LAN traffic through physical ports with VLAN10)
- pfSense VM running on the ESXi box, connected with 3 vNICs plugged into each vSwitch (WAN, LAN, DMZ) - Serving up DHCP/DNS on both LAN/DMZ and VLAN20 as well as OVPN Server and OVPN Client to a secondary location (OVPN client setup is a learning experience in some specialized routing for convenience, not a first phase requirement) - Traffic shaping to be configured afterward aimed at LAN/DMZ networks, probably guest later on
- LAN (VLAN10) 192.168.10.x
- OVPNS 192.168.20.x
- GUEST (VLAN30) 192.168.30.x
- DMZ 192.168.40.x
- OVPNC 192.168.50.x
                           |pfSenseVM|
                            /  |  \
                         WAN  DMZ  LAN (VLAN10)
                           \   |   /  /
|SurfBoard Modem|-----------|ESXi|-----------|ASUS RT|---------|Netgear16P|-------LAN Devices
                                                 / |
                                                /  |
                                               /   |
                                   (VLAN10)SS1  SS2  SS3(VLAN30)
                                          (VLAN10)
(Best visual I could supply)
I'm just getting started with pfSense as well and used Tomato Shibby on a Netgear R7000.
I can report the VLAN part works very well. In my scenario, I'm keeping the R7000 solely for wifi, and I have 5 SSIDs, split between the two radios.
I used just one uplink to a port on my pfSense. On the Tomato default VLAN (1 usually), I configured my untagged SSIDs. I use two tagged VLANs, which are set up as VLANs and bridges (to hook up with the wifi config). In the VLAN setup, I associated each one with the same port I'm using to uplink, set the VLAN ID to whatever I plan to use on pfSense, and marked it 'tagged'.
On the pfSense side, I configured the basic interface for the uplink port to associate with the default/untagged VLAN (and subnet). Then I defined two VLANs to match up with the VLAN IDs I put in my tagged VLANs in Tomato. These are then added as interfaces and similar configuration for the subnets is completed.
This all worked very well! I ran into issues with the DHCP Server not serving on all interfaces, which at first led me to wonder if the VLANs were the problem. A bit of troubleshooting proved the VLANs were fine. Hope this helps!
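The sanity check the original post asks for, and the Tomato-to-pfSense mapping the reply describes, can both be written down and checked mechanically. The script below is an added example, not code from either poster: it models the Tomato VLAN page (which VLAN IDs sit on the uplink port, tagged or untagged), the pfSense side (the parent interface carries the untagged frames, each VLAN interface carries one tagged ID), the subnet plan from the post, and a first-match guest rule set, then reports mismatches. Port names such as "port4", the pfSense parent "em1", and the rule lists are assumptions; the VLAN IDs and subnets come from the thread.

```python
"""Plan checker for a Tomato AP trunked into pfSense (added example).

Port names, interface names and firewall rules below are assumptions made
for illustration; VLAN IDs 1/30 and the 192.168.x.0/24 subnets follow the
plan discussed in the thread.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class TomatoVlan:
    vid: int            # VLAN ID on Tomato's VLAN page
    ports: tuple        # physical ports that are members (assumed names)
    tagged: bool        # tagged on those ports; untagged = Tomato default VLAN


@dataclass
class PfIface:
    name: str
    parent: str         # physical/parent interface on pfSense (assumed name)
    vid: Optional[int]  # None = the parent itself, i.e. untagged frames
    subnet: str


@dataclass
class Rule:
    iface: str          # pfSense interface tab the rule lives on
    action: str         # "pass" or "block"
    dest: str           # "any" or a CIDR


def check_trunk(uplink_port, tomato_vlans, pf_ifaces, pf_parent):
    """Every VLAN Tomato puts on the uplink must have one pfSense interface."""
    problems = []
    pf_by_vid = {}
    for i in pf_ifaces:
        if i.parent != pf_parent:
            continue
        if i.vid in pf_by_vid:
            problems.append(f"pfSense: VLAN {i.vid} defined twice on {pf_parent}")
        pf_by_vid[i.vid] = i
    untagged = [v for v in tomato_vlans if uplink_port in v.ports and not v.tagged]
    if len(untagged) > 1:
        problems.append(f"Tomato: {len(untagged)} untagged VLANs on {uplink_port}; only one is allowed")
    for v in tomato_vlans:
        if uplink_port not in v.ports:
            continue
        key = v.vid if v.tagged else None   # untagged frames land on the parent
        if key not in pf_by_vid:
            kind = "tagged" if v.tagged else "untagged"
            problems.append(f"Tomato {kind} VLAN {v.vid} on {uplink_port} has no pfSense interface on {pf_parent}")
    return problems


def check_subnets(pf_ifaces):
    """Interfaces that route between each other must use disjoint subnets."""
    problems = []
    nets = [(i.name, ip_network(i.subnet, strict=False)) for i in pf_ifaces]
    for a in range(len(nets)):
        for b in range(a + 1, len(nets)):
            if nets[a][1].overlaps(nets[b][1]):
                problems.append(f"subnets overlap: {nets[a][0]} {nets[a][1]} and {nets[b][0]} {nets[b][1]}")
    return problems


def first_match(rules, iface, dest_ip):
    """pfSense evaluates an interface's rules top-down, first match wins,
    and anything unmatched is dropped by the implicit default deny."""
    dest = ip_address(dest_ip) if isinstance(dest_ip, str) else dest_ip
    for r in rules:
        if r.iface != iface:
            continue
        if r.dest == "any" or dest in ip_network(r.dest, strict=False):
            return r.action
    return "block"


def check_guest_isolation(rules, guest_iface, pf_ifaces):
    """'Direct to internet, deny all internal': probe the first host (the
    usual gateway address) of every other subnet from the guest interface."""
    problems = []
    for i in pf_ifaces:
        if i.name == guest_iface:
            continue
        probe = ip_network(i.subnet, strict=False)[1]
        if first_match(rules, guest_iface, probe) == "pass":
            problems.append(f"{guest_iface} can reach {i.name} ({probe}); add a block rule above the pass-to-any")
    return problems


# Constructed plan: default VLAN 1 untagged for the LAN SSIDs, VLAN 30 tagged
# on the uplink only for the guest SSID bridge (assumed port names).
UPLINK = "port4"
TOMATO = [
    TomatoVlan(vid=1, ports=("port1", "port2", "port3", "port4"), tagged=False),
    TomatoVlan(vid=30, ports=("port4",), tagged=True),
]
PF = [
    PfIface("LAN", "em1", None, "192.168.10.0/24"),   # parent = untagged
    PfIface("GUEST", "em1", 30, "192.168.30.0/24"),   # em1 VLAN 30
    PfIface("DMZ", "em2", None, "192.168.40.0/24"),
]
RULES_BAD = [Rule("GUEST", "pass", "any")]
RULES_GOOD = [
    Rule("GUEST", "pass", "192.168.30.1/32"),    # guest gateway for DNS/DHCP
    Rule("GUEST", "block", "192.168.0.0/16"),    # everything else internal
    Rule("GUEST", "pass", "any"),                # then the internet
]

if __name__ == "__main__":
    for label, found in [("trunk", check_trunk(UPLINK, TOMATO, PF, "em1")),
                         ("subnets", check_subnets(PF)),
                         ("guest (bad rules)", check_guest_isolation(RULES_BAD, "GUEST", PF)),
                         ("guest (good rules)", check_guest_isolation(RULES_GOOD, "GUEST", PF))]:
        print(f"{label}: {'ok' if not found else found}")
```

The guest rule ordering is the part people most often get wrong: a single pass-to-any on the guest tab also passes traffic to LAN and DMZ, so the block for the private ranges has to sit above it, and the gateway address needs its own pass above the block if pfSense is the guest network's DNS and DHCP server. The trunk check also shows why the untagged default VLAN is enough for one network: its frames arrive on the pfSense parent interface, and only additional networks need tagged IDs.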