pfSense and VLANs - Can you tell me what I'm doing wrong?

Ounelly70 (n00b; joined Apr 19, 2012; 6 messages)
Hi all,

First time poster, long time lurker (I love this forum :) )

I recently got an eeebox b202 with a single JMicron onboard NIC. I installed pfSense to the eeebox and I picked up a Netgear GS108E with vlan support. This is my first go at vlans and I would really appreciate some help.

Time Warner is my ISP and I have an Ubee modem in bridge mode - if that matters.


I have 3 vlans
1 - MGMT
10 - WAN
100- LAN ( DHCP enabled)

I have vlans on the switch configured like this (hopefully this table makes sense)


                 Port number
          1     2     3     4     5     6     7     8
VLAN 1    U     -     -     -     -     -     U     -
VLAN 10   -     -     -     -     -     -     T     U
VLAN 100  -     U     U     U     U     U     T     -
PVID      1    100   100   100   100   100    1    10

(U = untagged member, T = tagged member, - = not a member)

VLAN 1   - Untagged on ports: 1, 7
VLAN 10  - Untagged on port: 8 | Tagged on port: 7
VLAN 100 - Untagged on ports: 2, 3, 4, 5, 6 | Tagged on port: 7

PVID 1:   Ports 1, 7
PVID 10:  Port 8
PVID 100: Ports 2, 3, 4, 5, 6
============================================

The pfSense box is plugged into port 7
My modem is plugged into port 8

On the pfSense box I have:

LAN: Vlan 100 on jme0
WAN: Vlan 10 on jme0
MGMT: Vlan 1 on jme0



Lan clients get DHCP and I can get to the pfsense box and everything on my internal network without an issue. My problem is that the WAN interface will not get an IP address.

I tested the VLAN 10 setup (WAN) by taking my laptop and plugging it into port 7 in place of the pfsense box and configuring my nic to use vlan 10. I get an external ip address from my modem without issue. I assume this means that my vlan setup is right on the switch.

I just don't get where I'm going wrong. I took an Apple USB Ethernet adapter and plugged that into the pfSense box, assigned it to the WAN interface and plugged the modem directly into the Apple USB adapter, and the pfSense box gets an IP address without issue.

I would greatly appreciate any help.
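As an added illustration (not code from the thread or from pfSense), here is a small IEEE 802.1Q membership/PVID model of the switch table in the post above. The port-to-VLAN table, the PVIDs, port 7 as the pfSense port, port 8 as the modem port and the three VLAN interfaces on jme0 are transcribed from the post; the forwarding rules are the standard 802.1Q ingress (PVID classification, ingress filtering) and egress (tagged, untagged or not a member) rules. Running it confirms that the modem's untagged frames on port 8 reach port 7 tagged VLAN 10, that LAN access ports cannot reach the modem port directly, and flags one mismatch visible in the post itself: VLAN 1 leaves port 7 untagged, while MGMT is defined as a VLAN 1 sub-interface on jme0 and so only sees tagged frames.

```python
# Added example, not from the thread: 802.1Q model of the switch table above.
# vlan -> {port: "T" (tagged) | "U" (untagged)}, transcribed from the post.
MEMBERSHIP = {
    1:   {1: "U", 7: "U"},
    10:  {7: "T", 8: "U"},
    100: {2: "U", 3: "U", 4: "U", 5: "U", 6: "U", 7: "T"},
}
# port -> PVID (VLAN assigned to untagged ingress frames), from the post.
PVID = {1: 1, 2: 100, 3: 100, 4: 100, 5: 100, 6: 100, 7: 1, 8: 10}

# pfSense is on port 7 and, per the post, every interface is a VLAN
# sub-interface of jme0, so each one only receives *tagged* frames.
PFSENSE_PORT = 7
MODEM_PORT = 8
PFSENSE_IFACES = {1: "MGMT", 10: "WAN", 100: "LAN"}
LAN_ACCESS_PORTS = (2, 3, 4, 5, 6)


def classify(in_port, tag):
    """802.1Q ingress: a tagged frame keeps its VID, an untagged frame
    gets the port's PVID; a frame in a VLAN the port is not a member of
    is dropped (ingress filtering). Returns the VID or None."""
    vid = PVID[in_port] if tag is None else tag
    return vid if in_port in MEMBERSHIP.get(vid, {}) else None


def forward(in_port, tag, out_port):
    """Send a frame in on in_port (tag=None for untagged) and report how
    it leaves out_port: (vid, "T") tagged, (vid, "U") untagged, or None
    if the switch will not forward it there."""
    vid = classify(in_port, tag)
    if vid is None or out_port == in_port:
        return None
    mode = MEMBERSHIP[vid].get(out_port)
    return None if mode is None else (vid, mode)


def seen_by_pfsense(in_port, tag):
    """Which pfSense interface receives a frame sent from in_port: the
    VLAN sub-interface for tagged egress, the bare parent jme0 for
    untagged egress (no VLAN sub-interface claims it), or None."""
    result = forward(in_port, tag, PFSENSE_PORT)
    if result is None:
        return None
    vid, mode = result
    if mode == "T":
        return PFSENSE_IFACES.get(vid, f"jme0 vlan {vid} (unassigned)")
    return "jme0 (untagged, no VLAN interface)"


def audit():
    """Cross-check the switch table against the pfSense assignment: every
    VLAN pfSense expects on jme0 must leave port 7 tagged, and no LAN
    access port may reach the modem port directly."""
    problems = []
    for vid, name in PFSENSE_IFACES.items():
        mode = MEMBERSHIP.get(vid, {}).get(PFSENSE_PORT)
        if mode != "T":
            how = "untagged" if mode == "U" else "not at all"
            problems.append(f"{name}: VLAN {vid} leaves port {PFSENSE_PORT} "
                            f"{how}, but pfSense expects it tagged on jme0")
    for port in LAN_ACCESS_PORTS:
        if forward(port, None, MODEM_PORT) is not None:
            problems.append(f"LAN port {port} reaches modem port {MODEM_PORT}")
    return problems


if __name__ == "__main__":
    print("modem -> pfSense:", seen_by_pfsense(MODEM_PORT, None))
    print("pfSense tag 10 -> modem:", forward(PFSENSE_PORT, 10, MODEM_PORT))
    print("LAN client -> pfSense:", seen_by_pfsense(2, None))
    print("port 1 -> pfSense:", seen_by_pfsense(1, None))
    for problem in audit():
        print("PROBLEM:", problem)
```

The `audit()` function is the part worth keeping around: transcribe any switch's membership/PVID table into `MEMBERSHIP` and `PVID`, and it tells you whether each VLAN the firewall expects on its trunk port actually leaves that port tagged, and whether an access VLAN can reach the WAN port without going through the firewall.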
 
Um, why is your modem plugged into your switch? Why isn't it plugged into your pfSense box?
 
Sorry, guess I should have clarified: the pfSense box only has one NIC, and that's why I have been trying to use VLANs.
 
Maybe try switching vlan 10 to untagged on 7 and vlan 1 to tagged, maybe the pfsense box just doesn't like the WAN traffic tagged.
 
Thanks for the suggestion Dragon, I'll give that a try.

DIStreamnet: the box is a nettop; the only NICs I can add are USB-to-Ethernet adapters, and so far the Apple one I have is a little flaky.
 
There's absolutely positively no reason you can't or shouldn't route your modem over a VLAN. It's great for situations like yours where you have limited NICs to work with and situations like mine where you have multiple VM hosts and you want to be able to switch which host the firewall is running on without having to move wires around.
 
Hi guys, untagging the WAN VLAN didn't work. (I also tagged the MGMT VLAN.) I double-checked my new untagged WAN connection through the switch by plugging my laptop directly into port 7 again (this time with no VLAN specification) and I was able to get an external IP without a hitch. pfSense just refuses to get an IP. I tried statically setting it to the last IP/subnet/gateway that my laptop pulled from a direct connection with the modem, but the pfSense box just hung when I tried to add in the gateway.

Maybe the jmicron nic just isn't able to handle vlans very well? Has anybody else been able to get this to work with this type of a setup?

Here's some more detail about the modem just in case it helps: it's one of those modem/router all-in-ones from Time Warner. It's the only modem they'll let anyone use for a DOCSIS 3.0 connection. It's set up in bridged mode and works correctly. What I find strange, though, is that if I connect a PC directly to it and power cycle it, the PC will first grab a private IP (192.168.100.x), then after a few moments it will pull the proper external IP. It's almost as if it takes a minute for it to switch over to bridged mode.

Do you think that this behavior might be keeping my pfsense box from getting the external ip? I did try unchecking the "block private networks" option on the wan interface, but that didn't do any good. I know that this wouldn't explain what's going on after it's already in bridged mode, but I just thought I'd throw this info out there.

Can someone tell me if my vlan setup looks correct? I have a grasp on vlans, but I'm still a newb.

Thanks again for all the help guys.
 
You probably want to do some research on the NIC to see what its capabilities really are. Maybe get rid of the management vlan completely and manage thru the LAN just to test, maybe that NIC can only do 2 vlans or something and pfsense is trying to bind the WAN last. The whole 192.168.100.x thing might be something your modem does, I've never been a fan of ubee modems, my experience with them is they suck, so that could be part of it too.
 
See if the switch has the port mode option such as "general" instead of the default "access." Also something about the switch and multicast you should research but that shouldn't be affecting it too much.
 
The setup is sound. Is the modem maybe set to a specific MAC address that it hands out addresses to? Can you change the MAC to the one of your laptop?
 
Thanks for the suggestions. I'm going out of town tomorrow for work, so I'll pick back up on Tuesday. Along with your suggestions, I think I'm going to try to assign all the VLAN interfaces to the Apple USB NIC I have, to rule out the JMicron NIC. I googled the JMicron and all I could find was spec sheets stating that it supports VLANs; I didn't really see anything about limitations. I'll dig deeper in the next few days.

I hope this works out, I'm having a really hard time trying to find a purpose for this eeebox, haha. If anyone has any ideas there, please feel free to share.

I already have a file server, separate nas, and an htpc. I originally wanted to use it as an htpc, but just haven't been convinced that it would do a good job- even if I added the crystal hd mini-pcie card.
 
Cable modems are horrible, retarded pieces of hardware that lock onto the first MAC they see and cling to it no matter what, even if it never requests DHCP and some other MAC does. That's just one brand of network stupid they have; the other dumb things they do vary from brand to brand. In my cable experience Ubee modems are garbage; them and RCA modems should just be thrown out the nearest window and replaced with anything else (or are Ubee and RCA the same thing? I forget...).

The only other thing that hasn't been suggested that might be on your end is some setting on your switch related to some sort of management or other inter-switch protocol (for me it was CDP) on the modem port catching the modem's attention before the pfSense box can. If possible, set it to access mode on VLAN 10 with as many extra switch features as possible disabled on port 8.

If none of that works you may have to try a different brand of modem.
 
Hi guys, so tonight I was trying to assign all the VLANs to the Apple USB Ethernet adapter. This didn't work out; even though the adapter is capable (in Windows and Mac OS X), apparently VLANs on it aren't supported in pfSense.

Unfortunately, the switch is very, very low end, and although it supports VLANs, it has very few features for me to mess with or disable (really just VLAN, QoS, and port mirroring). There's not even a proper web interface or SSH; you have to use this application that will only function with Adobe AIR. I'll get a real switch eventually.

I tried my WAN VLAN with another machine and was still able to pull an external IP from the modem, so I don't think I can attribute it to the modem (even though I completely agree that Ubee is garbage).

So, just from thinking this over again, I think it has to be a limitation with the JMicron NIC. My VLAN setup is okay; the LAN and MGMT VLANs all work great, as does the WAN VLAN. I feel confident that the issue is the NIC.

I think as a last resort I am going to put pfSense on an old laptop and see if I can get it to work.

Again, I really appreciate the help, all.
 
Like I said, try getting rid of the management VLAN. If it doesn't work you're not really out anything for trying, and if it does work then you're not really out anything not having the management VLAN. A management VLAN is a sound idea in theory and in practice in a larger environment, but other than doing it just because you can do it, it doesn't really serve much of a practical purpose in a home lab environment, especially if it's causing problems with some equipment.
 
pfSense requires VLANs to be trunked to the pfSense interface(s). Some switches, especially low-end ones, support VLANs but do not support trunks. My guess is this is where your issue lies.
 
I agree with TCM that the original setup is designed fine.

While cable modems are almost always configured with the equivalent of port security and only allow the first MAC they see, being on a VLAN, that should only be the server. Seeing as it works with a laptop, I don't believe it is a switch or a cable modem issue. Do perhaps confirm though that you don't have an IP set on VLAN 10 for your switch.

I'm more inclined to point the finger at pfSense -- I've had weird experiences before with pfSense trying to use LAN and WAN on a single interface.

Agree with -Dragon-. Try ditching your management VLAN, or make it tagged. Try using untagged for the WAN + cable modem, and the rest tagged.
 
Unfortunately, the switch is very, very low end, and although it supports VLANs, it has very few features for me to mess with or disable (really just VLAN, QoS, and port mirroring). There's not even a proper web interface or SSH; you have to use this application that will only function with Adobe AIR. I'll get a real switch eventually.

The GS***E series switches are high-reliability, inexpensive, barely managed switches.

Basically it's a dumb switch with broadcast storm protection and some VLAN capability. For $10 over the plain GS*** models and having 10x the reliability, who cares?

If you want to step up and do more, look at the HP ProCurve 1810 series, Dell 28XX series or Cisco SG200 series stuff.

Those switches are the next step up.
 
There's absolutely positively no reason you can't or shouldn't route your modem over a VLAN. It's great for situations like yours where you have limited NICs to work with and situations like mine where you have multiple VM hosts and you want to be able to switch which host the firewall is running on without having to move wires around.

I am trying to set up a test environment for my pfSense system. Can this be done through a Ubiquiti "ToughSwitch Pro" running a port to my pfSense box's WAN port, instead of coming straight from the gateway/modem?

I really had a bunch of problems trying to launch it and adjust it as a deployed router. It would be great to be able to have the WAN port coming from the switch and set it up slowly and carefully and run tests on it before trying to deploy it again.

Any guidance would be great, thanks.
 