Topic: Virtual Interfaces

LIDHosting
Virtual Interfaces
« on: October 23, 2017, 12:02:04 pm »
Hello pfSense world,

I'm very new to this and have been having trouble understanding how to make this happen.

I have two NIC cards, one for WAN, the other for LAN. I have a DD-WRT wireless router that I set to AP. All working fine.

I want to set up a virtual interface for my guests at the house on a different subnet. I use 192.168.1...... for which the pfSense router sets the DHCP. So I want the guests to be like 192.168.2........ whatever.

I want to be able to control their BW so they're not hogging it all up. At the same time I want to be able to have my personal wireless also, on the 192.168.1.....

Could someone guide me in the right path to get this done?

Thanks


V3lcr0
Re: Virtual Interfaces
« Reply #1 on: October 23, 2017, 04:04:38 pm »
I am not familiar with DD-WRT but you need to make sure it is VLAN capable...do some research on this.

Assuming you have a VLAN capable AP, you need to follow these steps:

1) Go to "Interfaces -> Assignment -> VLANs" -> "Add" button, pick the parent (aka trunk) interface (your LAN interface), give your VLANs tags...say VLAN 10, VLAN 20, VLAN 30, etc...put descriptions for each VLAN.
2) Go to "Interfaces -> Assignment -> Interface Assignments"...you should now see "Add" buttons for each VLAN created. Add each VLAN...
3) Go to "Interfaces" -> you should see each new interface in the drop-down...configure each VLAN with a new IP
4) Go to "Services -> DHCP Server"...enable each VLAN with a new IP and range...assuming you want each VLAN to be configured similarly to LAN
5) Treat each VLAN like a separate interface, i.e. add rules to each VLAN interface, fixed leases, possible aliases, etc...

Those VLAN Tag# you gave in step 1 are added to your VLAN capable AP so they can direct the traffic accordingly.

I haven't done BW management in pfSense but I believe this is relatively easy. I would suggest you set up the separate interfaces first, then dive into BW management.

I hope that helps and good luck...not too hard.

V

(Updated with edits)
« Last Edit: October 23, 2017, 07:41:23 pm by V3lcr0 »

LIDHosting
Re: Virtual Interfaces
« Reply #2 on: October 24, 2017, 10:00:12 am »
Thank you for your help..

So I got up to Steps 1-3..

When I got to step 4 I got lost. I do not see the VLANs I created in the DHCP Server tab.

Am I supposed to add something there as well...

Thanks

V3lcr0
Re: Virtual Interfaces
« Reply #3 on: October 24, 2017, 03:30:25 pm »
Did you check the "Enable interface" at the top?

For "IPv4 Configuration Type" did you choose "Static IPv4"?

Under "Static IPv4 Configuration" did you enter the new IPv4 Address (different to your LAN) and did you choose the "/24" from the drop down box to the right of your new IPv4?


*updates made*
« Last Edit: October 24, 2017, 03:57:13 pm by V3lcr0 »

LIDHosting
Re: Virtual Interfaces
« Reply #4 on: October 24, 2017, 06:28:41 pm »
I used a static IP and I used /32 because it said something else using /24

I also checked the enable box..
I'm using 2.3.4_1 pfSense also..

gjaltemba
Re: Virtual Interfaces
« Reply #5 on: October 24, 2017, 07:16:03 pm »
- Using an incorrect subnet mask, such as /32, will prevent other hosts in VLAN from finding the VLAN to use as a gateway and vice versa

https://doc.pfsense.org/index.php/Connectivity_Troubleshooting

"I used a static IP and I used /32 because it said something else using /24"

It would help if you better define "it said something else using /24". If you are able to, I would suggest posting screen shots from steps 1-3.



V3lcr0
Re: Virtual Interfaces
« Reply #6 on: October 24, 2017, 08:32:40 pm »
Ditto, post screen shots...I'll bet it's a simple setting.

LIDHosting
Re: Virtual Interfaces
« Reply #7 on: October 25, 2017, 09:59:34 am »
First, thanks guys for all your help and input... So here are some screen shots of the pfSense and also the DD-WRT AP.

I got all the steps from 1-4.
I can see what you guys said now.

So here's what's next.  Im not able to get internet service from the to different  as

Physical Interface wl0 - SSID 192.168.1....  then I have a Virtual Interface wl0.1 - SSID 192.168.0.......

I gave both of these interfaces static IPs in pfSense according to their MAC addresses given in DD-WRT...

Thanks

V3lcr0
Re: Virtual Interfaces
« Reply #8 on: October 25, 2017, 03:26:28 pm »
I don't know DD-WRT (I use a Unifi AP Pro, which had a super simple setup of VLAN SSIDs)...I simply created new SSIDs and entered the VLAN Tag, Name, Password and that was it.

Not sure what "Im not able to get internet service from the to different  as" means but have you added rules to each VLAN interface?

Go to Firewall -> Rules -> LAN. Assuming you haven't changed your default rule, copy that rule into each of your VLAN interfaces (use the "copy" icon on the far right of the default LAN rule). That will allow connectivity and internet access.

Keep in mind this default rule will need to be hardened in order to keep your VLANs isolated...I posted my rules in an earlier post if you want to see how I have my network set up: https://forum.pfsense.org/index.php?topic=138623.msg757814#msg757814




LIDHosting
Re: Virtual Interfaces
« Reply #9 on: October 30, 2017, 12:49:21 pm »
I'm still trying and trying to get this to work, no luck whatsoever. The DHCP is just not giving out an IP for the different subnets.....

Do I have to create a VLAN for the AP that I want to have on my same network also? I know I need one for the guests...

V3lcr0
Re: Virtual Interfaces
« Reply #10 on: October 30, 2017, 09:07:51 pm »
I am starting to get out of my realm of expertise but I'll share how my setup is and maybe suggest a similar setup...open to feedback if others have a different recommendation:

My setup is as follows:

WAN - Nic1
LAN - Nic2 - connected to my AP

VLAN - 10 (LAN as the parent interface I believe this is also called the "trunk") - SSID called "Cat1" - used for IOT devices
VLAN - 20 (LAN as the parent interface) - SSID called "FBI2" - used for wife devices
VLAN - 30 (LAN as the parent interface) - SSID called "Racecar3" - used for "admin" device to access pfSense
VLAN - 40 (LAN as the parent interface) - SSID called "Horse4" - used for "work"

As you can see my devices (clients) never really access the LAN directly (except for the AP, which shows up as a lease in my)....the separate interfaces allow for simpler rule setup...

Maybe share a screen shot of one of your VLAN interface rules in pfSense? Did you make sure that the LAN is the parent interface for your VLANs in pfSense (it defaults to WAN which won't work for your setup)? I have screwed up these 2 things before...

Some good things to check in pfSense are:
Status -> DHCP Leases....do you see your leases for any devices? Your AP clients? I assume you are looking for DHCP leases on pfSense?
Interfaces -> VLANs -> click on the pencil icon for one of your VLANs -> Parent interface: is the LAN the "Parent Interface"?
Services -> DHCP Server - "Enable"(Is there a check mark in this box?)

I can help with pfSense but I suspect it's a configuration in DD-WRT...
« Last Edit: October 30, 2017, 09:28:48 pm by V3lcr0 »

LIDHosting
Re: Virtual Interfaces
« Reply #11 on: October 31, 2017, 01:00:29 pm »
Thanks for the info.. For some reason when I create the VLANs and I enable them it's not showing up in the DHCP service section..

Derelict
Re: Virtual Interfaces
« Reply #12 on: October 31, 2017, 07:07:25 pm »
You have to actually assign the VLAN to a pfSense interface in Interfaces > Assignments.

You then have to edit the interface, enable it, and assign the layer 3 address/netmask to it.

You will then be able to create firewall rules, DHCP servers, etc.
Las Vegas, Nevada, USA
Use this diagram to describe your issue.
The pfSense Book is now available for just $24.70!
Do Not PM For Help! NO_WAN_EGRESSTM

LIDHosting
Re: Virtual Interfaces
« Reply #13 on: October 31, 2017, 09:04:37 pm »
Thank you. I did the steps you guys said but it's not there. Here are some screen shots..


Derelict
Re: Virtual Interfaces
« Reply #14 on: November 01, 2017, 12:11:42 am »
Put something other than /32 on the OPT1 interface. There is no reason to run a DHCP server on a /32 interface. Try /24.
« Last Edit: November 01, 2017, 12:16:08 am by Derelict »
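
The /32 netmask problem raised in replies #5 and #14, as an added example (not code from any poster or from pfSense): a Python check of a planned interface layout that flags a prefix too small to hold DHCP clients, a pool that does not fit its subnet, and subnets that overlap each other. The function name `check_plan`, the addresses and the pool ranges are constructed for illustration; the check models subnet arithmetic only, not pfSense's own validation.

```python
import ipaddress

def check_plan(plan):
    """Return {name: [problems]} for (name, "addr/prefix", pool_first, pool_last) rows."""
    rows = [(n, ipaddress.ip_interface(c), ipaddress.ip_address(a), ipaddress.ip_address(b))
            for n, c, a, b in plan]
    report = {}
    for name, iface, first, last in rows:
        net, problems = iface.network, []
        if net.prefixlen >= 31:
            # A /32 contains only the firewall's own address: nothing to lease,
            # and no client can share a subnet with the gateway.
            problems.append(f"/{net.prefixlen} leaves no addresses for DHCP clients")
        elif first > last:
            problems.append("pool start is above pool end")
        elif first not in net or last not in net:
            problems.append(f"pool is outside {net}")
        elif first <= iface.ip <= last:
            problems.append("pool contains the interface's own address")
        elif first == net.network_address or last == net.broadcast_address:
            problems.append("pool includes the network or broadcast address")
        # Two interfaces must not claim the same address space.
        for other_name, other, _, _ in rows:
            if other_name != name and net.overlaps(other.network):
                problems.append(f"subnet overlaps {other_name} ({other.network})")
        report[name] = problems
    return report

# Constructed plans: sample addresses and pool ranges, not values from the thread.
WITH_SLASH_32 = [("LAN", "192.168.1.1/24", "192.168.1.100", "192.168.1.200"),
                 ("OPT1", "192.168.2.1/32", "192.168.2.100", "192.168.2.200")]
CORRECTED = [("LAN", "192.168.1.1/24", "192.168.1.100", "192.168.1.200"),
             ("OPT1", "192.168.2.1/24", "192.168.2.100", "192.168.2.200")]
OVERLAP = [("LAN", "192.168.1.1/24", "192.168.1.100", "192.168.1.200"),
           ("OPT1", "192.168.1.2/24", "192.168.1.210", "192.168.1.220")]

if __name__ == "__main__":
    for label, plan in (("with /32", WITH_SLASH_32), ("corrected", CORRECTED),
                        ("overlap", OVERLAP)):
        print(label, check_plan(plan))
```
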