(sorry for top-replying, but I have gotten it to work and share my 5
cents here)
Thank you for your hints.
The problem with my setup was that the pfSense GUI defaults to a /32 netmask
when setting a VLAN IP address. I did not notice this at first and the
packets did not get routed as I wanted.
Once I got that sorted out, the switch through which our office gets Internet
access probably does some VLAN tagging too, which messed up my setup. This
was remedied with switchport mode access.
A recap (and nano howto) of how to set up VLANs with pfSense and Cisco:
1. Set the port connected to pfSense to trunk
interface FastEthernet 0/1
switchport trunk encapsulation dot1q
switchport mode trunk
2. Optionally, you can set it to not negotiate and only allow a fixed set
of VLANs for heightened security
switchport trunk allowed vlan 1,<YOUR VLANs HERE>,1002-1005
switchport nonegotiate
3. Assign VLANs to the other ports as you wish
interface FastEthernet0/6
switchport access vlan 10
switchport mode access
4. Add the VLAN to pfSense (bge0 was attached to the trunk in my setup)
Interfaces->(assign)->VLANs
[+]
Set parent interface (bge0 in my case)
Enter VLAN tag (10 in my case)
And a description (Internet in my case)
[Save]
I assigned the WAN interface to this new one in Interfaces->(assign). For
the rest of the VLANs I created, I created interfaces for them:
5. Create an interface for the VLAN
Interfaces->(assign)->Interface assignments
[+]
Choose correct interface and VLAN in the new OPT interface
[Save]
6. Configure the new interface
Interfaces->OPT<n>
[x] Enable Optional <n> interface
IP address: 10.150.<vlanid>.1 / 24
Do remember to set /24 here or the thing won't route.
This works for me.
Xavier Beaudouin wrote:
Hi,
On 15 Oct 08 at 14:20, Paul Mansfield wrote:
Fredrik Rambris wrote:
Hello
Searched through the list and found many posts on VLAN. To my knowledge
I have done what I think is correct, but packets won't go through. I can
see in the pfSense logs that packets do get in on the right VLAN
interface, but that's about it.
bge0 is WAN
bge1 is LAN
I have defined two VLANs (201 and 202) and added them as interfaces
VLAN201 10.150.1.1
VLAN202 10.150.2.1
! This is where bge0 is connected
interface FastEthernet0/1
switchport trunk encapsulation dot1q
switchport mode trunk
no ip address
!
pfSense numbers VLAN interfaces sequentially, unlike Linux's eth0.X
notation, so vlan0 might be tag 202. This caught me out when I first
installed pfSense - take a closer look at "ifconfig -a" to check
settings.
It's definitely wise to put "nonegotiate" on all server switch ports to
prevent hosts turning on .1q and thereby breaking security.
Hum... Also the 3550 (and later) seems to be nasty sometimes... you should
do:
interface FastEthernet 0/1
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,201,202,1002-1005
switchport mode trunk
switchport nonegotiate
The switchport nonegotiate tells the Cisco to work in dot1q only and stop
trying to negotiate special stuff.
VLAN 1 and 1002-1005 are more or less mandatory to make the Cisco work...
(change VLAN 1 to something else if you have changed your default VLAN to
something else).
/Xavier
--
Fredrik Rambris <[EMAIL PROTECTED]>
Advanced Systems Specialist
CDON.COM Nelly.com LinusLotta.com Gymgrossisten.com
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
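An added example, not from the thread: a small Python audit that checks a Cisco IOS config for the trunk hardening Xavier and Paul recommend (switchport nonegotiate and an explicit allowed-VLAN list on every trunk) and tests a pfSense VLAN address for the /32 netmask pitfall Fredrik hit. The sample config and addresses are constructed.

```python
import re
from ipaddress import ip_interface
# Constructed sample (not from the thread): Fa0/1 is the pfSense trunk as the
# thread recommends, Fa0/6 a plain access port, Fa0/7 a trunk missing both
# 'switchport nonegotiate' and an allowed-VLAN list.
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,10,201,202,1002-1005
 switchport mode trunk
 switchport nonegotiate
!
interface FastEthernet0/6
 switchport access vlan 10
 switchport mode access
!
interface FastEthernet0/7
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
"""

def parse_interfaces(config):
    """Map each 'interface X' stanza to the switchport lines under it."""
    ifaces, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^interface\s+(\S+)", line)
        if m:
            current = m.group(1)
            ifaces[current] = []
        elif current and line.strip().startswith("switchport"):
            ifaces[current].append(line.strip())
    return ifaces

def audit_switch(config):
    """Flag trunks that still run DTP (no 'nonegotiate') or carry every VLAN."""
    findings = []
    for name, lines in parse_interfaces(config).items():
        if "switchport mode trunk" not in lines:
            continue
        if "switchport nonegotiate" not in lines:
            findings.append(f"{name}: trunk without switchport nonegotiate")
        if not any(l.startswith("switchport trunk allowed vlan") for l in lines):
            findings.append(f"{name}: trunk allows all VLANs")
    return findings

def vlan_address_routes(addr, expected_prefix=24):
    """pfSense's GUI defaults a VLAN address to /32; a /32 will not route the subnet."""
    return ip_interface(addr).network.prefixlen == expected_prefix
```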