
Author Topic: Virtual IP Setup for multiple subnets on one Interface  (Read 5019 times)


Offline dmitche

Virtual IP Setup for multiple subnets on one Interface
« on: December 23, 2011, 11:26:02 am »
I am attempting to put an Untangle device between pfSense and our Layer 3 HP Switch. I have multiple VLANs that are controlled by the switch.

As you know, Untangle drops all VLAN tags so I cannot simply add VLANs to pfSense and have them pass through to the switch on a tagged port. I have one port from the pfSense device going to Untangle, then one port from Untangle going to our Layer 3 Switch

Here is the setup:
pfSense: 10.10.19.1/24 with DHCP
Virtual IP Address Alias on the same interface: 10.10.20.1/24
Virtual IP Address Alias on the same interface: 10.10.30.1/24

Untangle: 10.10.19.2/24
Added ARP Route: 10.10.20.3 to MAC Address of Switch
Added ARP Route: 10.10.30.3 to MAC Address of Switch
Added Static Route: 10.10.20.0/24 to route to 10.10.19.3
Added Static Route: 10.10.30.0/24 to route to 10.10.19.3

Switch-HP ProCurve 2910al (Layer 3)
VLAN 19: 10.10.19.3
VLAN 20: 10.10.20.3
VLAN 30: 10.10.30.3
IP Routing Enabled
IP Route 0.0.0.0/0 10.10.19.1

I have enabled IP Routing on the switch so that each VLAN is routed back to the pfSense over VLAN 19.

The Good:
Untangle is able to access the internet completely (but it is on the 10.10.19.x subnet)
I can ping from 10.10.20.x to 10.10.19.3 (Switch-VLAN-19)
I can ping from 10.10.20.x to 10.10.19.2 (Untangle)
So my Layer 3 routing seems to be working correctly.

The Bad:
I cannot ping from 10.10.20.x to 10.10.19.1 (pfSense)
I cannot ping from 10.10.20.x to external address (web)

I believe this comes down to a Firewall rule or NAT rule but I am stuck. Any help is appreciated.
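An added example, not from this thread: a longest-prefix-match lookup over the routing tables the post above describes, to check where the reply hop for a 10.10.20.x host lands on each device. It assumes a pfSense IP-alias VIP makes that subnet look directly connected on the shared interface; the "static routes" table is an alternative modelled for comparison, not something the thread proposes.

```python
import ipaddress

ON_LINK = "on-link"  # destination treated as directly attached: device ARPs for it


def lookup(table, dst):
    """Longest-prefix match. table: list of (prefix, gateway); gateway None means
    connected. Returns ON_LINK, a gateway address string, or None if no route."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, gw in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    if best is None:
        return None
    return ON_LINK if best[1] is None else best[1]


# Tables as posted. VLAN 19 is the only wire pfSense and Untangle share.
SWITCH = [("10.10.19.0/24", None), ("10.10.20.0/24", None),
          ("10.10.30.0/24", None), ("0.0.0.0/0", "10.10.19.1")]
UNTANGLE = [("10.10.19.0/24", None), ("10.10.20.0/24", "10.10.19.3"),
            ("10.10.30.0/24", "10.10.19.3")]
# pfSense: 10.10.19.1/24 plus IP-alias VIPs 10.10.20.1/24 and 10.10.30.1/24,
# so all three subnets appear connected (the assumption stated in the lead-in).
PFSENSE_AS_POSTED = [("10.10.19.0/24", None), ("10.10.20.0/24", None),
                     ("10.10.30.0/24", None)]
# Alternative for comparison (assumption, not from the thread): static routes
# towards the switch's VLAN 19 address instead of VIP aliases.
PFSENSE_STATIC = [("10.10.19.0/24", None), ("10.10.20.0/24", "10.10.19.3"),
                  ("10.10.30.0/24", "10.10.19.3")]


def round_trip(reply_table, host, target):
    """(hop the switch uses for host->target, hop the target uses for the reply).
    A reply hop of ON_LINK means the target ARPs on VLAN 19 for a host that
    actually lives in another VLAN, so the reply never reaches it."""
    return lookup(SWITCH, target), lookup(reply_table, host)


if __name__ == "__main__":
    host = "10.10.20.50"  # constructed workstation address in VLAN 20
    for name, tbl, target in (("Untangle", UNTANGLE, "10.10.19.2"),
                              ("pfSense as posted", PFSENSE_AS_POSTED, "10.10.19.1"),
                              ("pfSense static", PFSENSE_STATIC, "10.10.19.1")):
        fwd, rep = round_trip(tbl, host, target)
        print(f"{name}: switch forwards {host}->{target} via {fwd}; reply via {rep}")
```

Untangle answers the ping because its reply goes back through the switch's gateway, while pfSense as posted tries to reach the host on-link; that matches the working and failing cases in the post.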

Offline marcelloc

Re: Virtual IP Setup for multiple subnets on one Interface
« Reply #1 on: December 30, 2011, 10:06:09 am »
It looks confusing to me.

try this setup:

switch port1 Untangle: tag VLANs 100,119,120,130
switch port2 pfSense: tag VLANs 119,120,130

On Untangle, bridge the networks in VLANs 100 and 119, so everything on VLAN 100 that needs access to VLAN 119 must go via Untangle.

On pfSense, configure VLANs to fit each network (10.10.19.1/24, 10.10.20.1/24, 10.10.30.1/24) on its own interface.


It may be easier to route, and you could set up VLANs to pfSense without losing the Untangle bridge.

Offline dmitche

Re: Virtual IP Setup for multiple subnets on one Interface
« Reply #2 on: January 02, 2012, 09:24:18 am »
Sorry Marcelloc, I am not understanding what you mean.
Quote
switch port1 Untangle: tag VLANs 100,119,120,130
switch port2 pfSense: tag VLANs 119,120,130
Perhaps we can stick with 19, 20, & 30 to keep things clear. Are you saying don't place Untangle between pfSense and the switch, but rather connect both Untangle and pfSense to the switch?

Quote
It may be easier to route, and you could set up VLANs to pfSense without losing the Untangle bridge.
Would this only use Untangle to filter traffic on VLAN 100?

Quote
On pfSense, configure VLANs to fit each network (10.10.19.1/24, 10.10.20.1/24, 10.10.30.1/24) on its own interface.
I have successfully used one interface with multiple VLANs and DHCP from pfSense to the switch. This works very well. The client would also like to use Untangle, but it seems it may not be worth the trouble.

Offline marcelloc

Re: Virtual IP Setup for multiple subnets on one Interface
« Reply #3 on: January 02, 2012, 10:52:14 am »
Perhaps we can stick with 19, 20, & 30 to keep things clear. Are you saying don't place Untangle between pfSense and the switch, but rather connect both Untangle and pfSense to the switch?
Yes, tag the VLANs users must see on Untangle, and tag the VLANs pfSense and Untangle use in your bridge setup.

Quote
On pfSense, configure VLANs to fit each network (10.10.19.1/24, 10.10.20.1/24, 10.10.30.1/24) on its own interface.
I have successfully used one interface with multiple VLANs and DHCP from pfSense to the switch. This works very well. The client would also like to use Untangle, but it seems it may not be worth the trouble.
Do you want to use Untangle between all VLANs or just for WAN?

Can you draw this setup for a better understanding?


Offline dmitche

Re: Virtual IP Setup for multiple subnets on one Interface
« Reply #4 on: January 02, 2012, 12:02:14 pm »
Quote
Do you want to use Untangle between all VLANs or just for WAN?

Can you draw this setup for a better understanding?
I would like to use Untangle for all VLANs when they access external addresses. So internal traffic doesn't need to use Untangle, but I would like all traffic from all VLANs to go out through Untangle and then the WAN of pfSense.

Here is my picture: https://docs.google.com/a/fumcwired.com/drawings/d/1Y5QJwNvJjNwoA4GwgDuUDmpx11qcZkckQXluSB0_YxM/edit?hl=en_US

Quote
Quote from: dmitche on Today at 10:24:18 am
Yes, tag the VLANs users must see on Untangle, and tag the VLANs pfSense and Untangle use in your bridge setup.
Untangle drops all VLAN tags when it rebuilds the packet, so I cannot pass any tags to/through it :(

Thanks for your help.

Offline marcelloc

Re: Virtual IP Setup for multiple subnets on one Interface
« Reply #5 on: January 02, 2012, 12:30:42 pm »
Untangle drops all VLAN tags when it rebuilds the packet, so I cannot pass any tags to/through it :(

Create three new VLANs and apply them on the pfSense and Untangle ports.

Then you can set up this:

workstation ----- vlan19 ------ Untangle bridge ----- vlan119 pfSense
workstation ----- vlan20 ------ Untangle bridge ----- vlan120 pfSense
workstation ----- vlan30 ------ Untangle bridge ----- vlan130 pfSense

Assign 10.10.30.1/24 on VLAN 130 at pfSense.
Assign 10.10.20.1/24 on VLAN 120 at pfSense.
Assign 10.10.19.1/24 on VLAN 119 at pfSense.