%$@%&^! V-LANs how do they work?

Deimos

I just finished building my first pfsense router, but I only have 2 NICs. I was thinking about setting up a DMZ for this one box that is dedicated to downloading keyboard drivers, and my idea was to use V-LANs because
a) my pfsense box only has 2 NICs
b) my DL box is a VM

After a little bit of messing around, I'm completely confused.

Is anyone willing to help?

I've got an SMC L2 managed switch (V-LAN aware), and as far as I can tell all the NICs I'm using support V-LANs.

The main reason I want to set this up is that I want to put an IP Filter on the DMZ for that one box, if there is another way I can IP Filter (using the IP Filter plugin in pfsense) to just one machine, I'm all ears.

TIA
 
No need, if your nics support vlan tagging, and you have a managed switch, then you've got as many interfaces as you have switch ports...

When you configure pfsense from the console, it asks if you want to configure vlans. Say yes, assign your WAN to a dedicated nic, and vlan the second nic: create a vlan id for your LAN (vlan 1 in my case) and at least one other vlan id. This will create multiple interfaces on pfsense which behave just like a physical nic would.

Now log in to your switch, and assign the port number of that pfsense nic to be a member of both/all of the vlans that you assigned in the config. To keep things simple for now, take one other port, assign it to vlan2 and disable vlan awareness, so that port will act like it's physically connected to a separate network from the rest of the switch.

Throw some IPs on the interfaces in pfsense, enable DHCP for both networks, and plug something into that vlan2 port, it should get an IP.
 
I followed your instructions.

I didn't set up vlans from the terminal, I set one up from the web gui just to test it.

I created 2 vlan interfaces, I then enabled one of them, named it DMZ, gave it an IP and turned on DHCP, put some allow rules in the firewall, all good so far.

Then I went to my switch and created 2 vlans under the vlan membership option in the web gui. I made sure that the port (port one in my case) belonged to both vlans (every other port is a member of vlan 1 by default), and then I set up one port for vlan 2 (and made sure that it didn't belong to vlan1) to test the DMZ.

Then I went back to pfsense and assigned my LAN interface to vlan1.

That is when the shit hit the fan: I lost access to pfsense, and I can't get an IP from the DMZ interface either...

I tried messing about with the vlan port config, but the only result I got was when I changed the option for packet type from "tagged only" to "all": about 2 packets would ping, then 100% packet loss. The default option is "all".
 
Here's a question: if I set up a VLAN interface, do all connections to the physical port have to be tagged? i.e. can I set up just one vlan for the DMZ and have the LAN interface connected directly to the physical port? I'm thinking that I may need to reboot pfsense after setting up the vlans for it to work properly, because at one stage I couldn't get it back up after reconfiguring the interfaces on the console; I had to reboot.
 
I tried rebooting after assigning the interfaces to vlan 1 and 2, but it refuses to work. I can ping the assigned IP from the console, but I can't ping the switch.
 
Just to be clear, do I need to untick vlan aware on the router port? That's how it looks in the help on the switch...
 
I would recommend setting them up from the console. I didn't have any luck when trying to use an existing interface and adding a vlan virtual interface to the same nic; you have to split it up and use vlan1 as lan, vlan2 as dmz, and not use eth0 or whatever your root nic is called.

No, the firewall port should be vlan aware, as there are two different tags running across it.
 
What switch are you using? I recommend against using vlan 1 for setting up tagged interfaces, simply because it's sometimes treated differently from every other vlan (pretty much all of the 'management' traffic like CDP for Cisco, spanning tree, etc., is automatically assumed to be in vlan 1, and you typically can't disable it). Anyway, just a recommendation.

Basically, you need to have it set up like this:

On the pfsense, you set up 2 virtual interfaces: 1 for lan (vlan 2), 1 for dmz (vlan 3). (The vlan ids are just an example.)

On the switch, you MUST tag vlans 2 and 3 on your interface to the pfsense. Then, whatever system you want in the dmz, you give it a vlan 2 interface (non-tagged). Whatever you want in the lan, you give it a vlan 3 interface (again, non-tagged). The only tagged interface should be between the switch and the pfsense.

Also, do NOT assign an IP to vlan 2 AND vlan 3 on the switch at the same time. You would essentially be bridging the dmz to the lan and bypassing all of your security. Keep the vlans as layer 2 (no IP address), and if you want an IP on it, give it an IP out of whatever you are using as your management vlan.
 
No, the firewall port should be vlan aware, as there are two different tags running across it.

OK, but according to the switch help, if I set the port to vlan aware that means it will tag all packets:

VLAN Awareness

VLAN aware ports will strip the VLAN tag from received frames and insert the tag in transmitted frames (except PVID). VLAN unaware ports will not strip the tag from received frames or insert the tag in transmitted frames.

For QinQ application, customer port should be VLAN unaware and network port (trunk port) should be VLAN aware.

The default PVID for all ports is one, should I be changing this to another number or "none"?

The switch is an SMC8024L2. It only supports layer 2 management, so as far as I can tell I can't assign more than one IP (which is automatically on VLAN1).
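The switch help quoted above, together with the tagged-trunk/untagged-access layout recommended earlier in the thread, as a runnable model. This is an added example for this page, not code from pfSense, SMC or anyone in the thread; the port names, MAC addresses, VLAN ids and sample frame are made up for the illustration.

```python
"""Model of 802.1Q tag handling on a VLAN-aware switch port versus a
VLAN-unaware (access) port, following the SMC help text quoted in the
thread: an aware port strips the tag on ingress and inserts it on egress
except for frames in its PVID; an unaware port does neither.
Added example for this thread, not pfSense or SMC code; port names,
MAC addresses and VLAN ids are made up."""
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

TPID_8021Q = 0x8100


@dataclass(frozen=True)
class Port:
    name: str
    pvid: int              # VLAN given to frames that arrive untagged
    members: frozenset     # VLANs this port may carry
    vlan_aware: bool       # "VLAN aware" in the SMC sense (see module docstring)


def tag_frame(frame: bytes, vid: int, pcp: int = 0) -> bytes:
    """Insert a 4-byte 802.1Q header between the source MAC and the EtherType."""
    if not 1 <= vid <= 4094:
        raise ValueError("VID must be in 1..4094")
    tci = (pcp << 13) | vid
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def parse_tag(frame: bytes) -> Tuple[Optional[int], bytes]:
    """Return (vid, frame_without_tag), or (None, frame) if there is no tag."""
    if len(frame) >= 16 and struct.unpack("!H", frame[12:14])[0] == TPID_8021Q:
        tci = struct.unpack("!H", frame[14:16])[0]
        return tci & 0x0FFF, frame[:12] + frame[16:]
    return None, frame


def ingress(port: Port, frame: bytes) -> Optional[Tuple[int, bytes]]:
    """Classify a received frame into a VLAN; None means the switch drops it."""
    vid, bare = parse_tag(frame)
    if vid is None:
        vid = port.pvid                       # untagged -> PVID
    elif not port.vlan_aware:
        vid, bare = port.pvid, frame          # unaware: tag kept as payload (QinQ customer side)
    return (vid, bare) if vid in port.members else None


def egress(port: Port, vid: int, frame: bytes) -> Optional[bytes]:
    """Transmit on port for VLAN vid; tag only if aware and vid is not the PVID."""
    if vid not in port.members:
        return None
    if port.vlan_aware and vid != port.pvid:
        return tag_frame(frame, vid)
    return frame


def forward(src: Port, frame: bytes, dst: Port) -> Optional[bytes]:
    """One frame through the switch: ingress on src, egress on dst."""
    hit = ingress(src, frame)
    return None if hit is None else egress(dst, *hit)


# Constructed sample frame: broadcast dst, made-up src, IPv4 EtherType, dummy payload.
SAMPLE = bytes.fromhex("ffffffffffff" "021122334455" "0800") + b"\x45" + b"\x00" * 19

# Layout recommended in the thread: trunk to pfSense tagged for 2 and 3,
# access ports untagged in exactly one VLAN, PVID left at the switch default of 1.
TRUNK = Port("pfsense", pvid=1, members=frozenset({1, 2, 3}), vlan_aware=True)
DMZ_ACCESS = Port("dmz-host", pvid=2, members=frozenset({2}), vlan_aware=False)
LAN_ACCESS = Port("lan-host", pvid=3, members=frozenset({3}), vlan_aware=False)
# The original poster's layout: LAN left in VLAN 1, which is also the trunk's PVID.
LAN_VLAN1 = Port("lan-on-vlan1", pvid=1, members=frozenset({1}), vlan_aware=False)


def walk_through() -> dict:
    """What the far side sees in each case (a VLAN id, None for untagged, or a bool)."""
    return {
        "dmz_to_pfsense": parse_tag(forward(DMZ_ACCESS, SAMPLE, TRUNK))[0],   # 2
        "lan_to_pfsense": parse_tag(forward(LAN_ACCESS, SAMPLE, TRUNK))[0],   # 3
        # VLAN 1 == PVID, so the switch sends it untagged: a pfSense 'vlan1'
        # interface, which expects a tag, never sees it.
        "vlan1_to_pfsense": parse_tag(forward(LAN_VLAN1, SAMPLE, TRUNK))[0],  # None
        # A reply from pfSense tagged 2 leaves the DMZ access port bare.
        "pfsense_to_dmz_untagged": forward(TRUNK, tag_frame(SAMPLE, 2), DMZ_ACCESS) == SAMPLE,
        # Access ports in different VLANs cannot reach each other at layer 2.
        "dmz_to_lan_dropped": forward(DMZ_ACCESS, SAMPLE, LAN_ACCESS) is None,
    }


if __name__ == "__main__":
    for case, result in walk_through().items():
        print(f"{case}: {result}")
```

The `vlan1_to_pfsense` case is the one to notice: with the trunk port's PVID left at the default of 1, frames in VLAN 1 leave that port untagged, exactly as the quoted help text says, so a tagged VLAN 1 interface on the router side has nothing to match. That is the same reason the earlier reply suggests keeping the tagged VLANs off VLAN 1.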
 