
Topic: PFsense and VLAN's


0x3g3n
PFsense and VLAN's
« on: May 30, 2011, 07:13:21 am »
I am trying to set up PFsense and VLANs using Cisco APs and a Cisco switch here at work for a guest network setup. I can get an IP, but I can't do anything else (ping/login to pfsense etc.). I have created the VLANs inside PFsense. We currently have a Nomadix that is dying and it passes the traffic just fine. Ports are tagged as 802.1Q. The SSID is set up for each VLAN, and we use VLAN1 as a mgmt VLAN to access the APs remotely. Internet comes into re0 and the switch trunk port is plugged into re2. There are more APs plugged in, just too lazy to type them all in.

Setup:

      Internet
         |
         |(re0)
      Pfsense(2.0 RC2)
         |(re2)
         |
      Cisco 2950(port 1 trunks all vlan's to PFsense)
           |                  |                  |
           |                  |                  |
           |                  |                  |
        (AP1,vlan200)  (AP2,vlan201) (AP3,vlan202)


----

interface FastEthernet0/1
 description To Nomadix Gateway
 switchport mode trunk
 no ip address
!
interface FastEthernet0/2
 description AP 10.59.19.253 lobby
 switchport trunk allowed vlan 1,200
 switchport mode trunk
 no ip address
!
interface FastEthernet0/3
 description AP 10.59.19.252 meeting
 switchport trunk allowed vlan 1,201
 switchport mode trunk
 no ip address
!
interface FastEthernet0/4
 description AP 10.59.19.251 meeting2
 switchport trunk allowed vlan 1,202
 switchport mode trunk
 no ip address
!
GruensFroeschli
Re: PFsense and VLAN's
« Reply #1 on: May 30, 2011, 07:52:36 am »
Did you also create firewall rules allowing traffic?
If yes: please show screenshots of your rules.
We do what we must, because we can.

Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

0x3g3n
Re: PFsense and VLAN's
« Reply #2 on: May 30, 2011, 08:32:01 am »
I did create rules. I created the VLANs as OPT interfaces, and set the rules to allow any to any.

Edit: to specify, the VLANs are in the tab they are supposed to be in under Assign, and I created OPT interfaces with re2_vlan201.
« Last Edit: May 30, 2011, 08:47:19 am by 0x3g3n »

GruensFroeschli
Re: PFsense and VLAN's
« Reply #3 on: May 30, 2011, 08:45:10 am »
When you say you get an IP:
Do you actually get the IP from the DHCP server configured on the VLAN or do you get it from the DHCP server on the LAN interface?

Is the re2 interface assigned as LAN interface?
You should not mix tagged and untagged traffic on the same physical interface.

I'm not really familiar with the Cisco syntax, but it looks like you add vlan1 to all the used ports and allow traffic for this vlan 1.
Is that your intention? Otherwise just simply disable vlan1 and only allow the VLAN you're actually using.

0x3g3n
Re: PFsense and VLAN's
« Reply #4 on: May 30, 2011, 08:57:00 am »
re2 is the LAN interface, with DHCP being handed out from it. I do get an IP from it when connecting from the AP with vlan 201, and when I check PFsense it shows that it handed it to me. All the traffic is tagged with a VLAN. With the APs, we create a non-broadcast SSID with an IP for management purposes.

On the AP

mgmt = vlan1
guest = vlan201

On the switch (see the show run above)

GruensFroeschli
Re: PFsense and VLAN's
« Reply #5 on: May 30, 2011, 10:06:32 am »
You should not use vlan1.

If you're getting an IP from the DHCP server on the LAN interface then traffic is not going to the right vlan.


How I'd do it:
re0: WAN
re2: don't assign it.
vlan99 on re2: LAN
vlan200 on re2: APx (OPT1)
vlan201 on re2: APy (OPT2)
vlan202 on re2: APz (OPT3)
etc.

vlan99 for management.

Basically stop using VLAN1 and don't use untagged traffic at all.
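As an added example (not code from the thread or from pfSense), a small Python check that parses Cisco IOS interface stanzas out of a 'show run' and flags the two things this reply warns about: trunk ports whose native (untagged) VLAN is still 1, and trunk ports that carry VLAN 1 at all. The sample config embeds the thread's FastEthernet0/2 stanza next to a hypothetical FastEthernet0/5 configured the way the reply advises; the port name and native VLAN 999 are assumptions.

```python
import re

# Constructed sample: FastEthernet0/2 is copied from the thread's 'show run';
# FastEthernet0/5 is a hypothetical port configured the way the reply advises.
SAMPLE_CONFIG = """\
interface FastEthernet0/2
 description AP 10.59.19.253 lobby
 switchport trunk allowed vlan 1,200
 switchport mode trunk
 no ip address
!
interface FastEthernet0/5
 description hypothetical AP port: tagged only, VLAN 1 pruned
 switchport trunk native vlan 999
 switchport trunk allowed vlan 200
 switchport mode trunk
!
"""

# An IOS interface stanza: the 'interface' line followed by its indented lines.
STANZA = re.compile(r"^interface (\S+)\n((?: .*\n)+)", re.MULTILINE)

def expand_vlan_list(spec):
    """Expand an IOS VLAN list such as '1,200-202' into a set of ints."""
    parts = [p.partition("-") for p in spec.split(",")]
    return {v for lo, _, hi in parts for v in range(int(lo), int(hi or lo) + 1)}

def audit_trunks(config):
    """Flag trunk ports that carry VLAN 1 or leave the native (untagged) VLAN at 1."""
    findings = {}
    for name, body in STANZA.findall(config):
        lines = [ln.strip() for ln in body.splitlines()]
        if "switchport mode trunk" not in lines:
            continue  # access ports are out of scope for this check
        native, allowed = 1, None  # IOS defaults: native VLAN 1, every VLAN allowed
        for line in lines:
            if m := re.fullmatch(r"switchport trunk native vlan (\d+)", line):
                native = int(m.group(1))
            elif m := re.fullmatch(r"switchport trunk allowed vlan ([\d,-]+)", line):
                allowed = expand_vlan_list(m.group(1))
        issues = []
        if native == 1:
            issues.append("native VLAN is 1: untagged frames are put into VLAN 1")
        if allowed is None or 1 in allowed:
            issues.append("VLAN 1 crosses this trunk (unpruned or listed explicitly)")
        if issues:
            findings[name] = issues
    return findings
```

Running audit_trunks(SAMPLE_CONFIG) reports only FastEthernet0/2, with both findings; the hypothetical port comes back clean.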

0x3g3n
Re: PFsense and VLAN's
« Reply #6 on: May 30, 2011, 10:11:13 am »
Alright, I'll give it a shot. Thanks! :)

0x3g3n
Re: PFsense and VLAN's
« Reply #7 on: May 31, 2011, 03:11:24 am »
I fixed it all with a simple change...

Made the AP VLAN the native VLAN (for example, vlan200) instead of vlan1. Everything works like a charm now.

Thank you very much for your help :)