VLAN Help

demoso

So I have a slight problem with my VLAN. Let me break down my network first. I have a Comcast cable modem acting as the DHCP server for my network. The Comcast modem gets plugged into the WAN nic of a pfSense box (that's bridged so all traffic flows right through it). The LAN nic on the pfSense box gets plugged into a Cisco SLM248G switch. Finally I have three LAPAC1200 Linksys access points. I created a VLAN (VLAN 2) on the pfSense box and put it on the LAN nic and enabled DHCP server on it. I created a VLAN on the switch (VLAN 2) and I created the same VLAN on my APs. All ports on the switch are set to VLAN1 untagged default VLAN. The ports that I plug the pfSense box into and the APs are set to VLAN1 untagged and VLAN2 tagged. My APs are configured with VLAN enabled, untagged default VLAN1 enabled. Then I have 2 SSIDs. SSID 1 internal wireless set to default VLAN1 and SSID2 external wireless set to VLAN2.

So when anyone connects to the external wireless they get an IP from the pfSense box. If they connect to internal they get an IP from Comcast. This works most of the time. For some reason my iPhone, iPad, and a laptop that I have sometimes get an IP from the Comcast modem even though I connect them to the external wireless. If I click on renew IP it switches and gets an IP from pfSense like it should. But maybe after a week or two they will switch back to getting IPs from the Comcast modem.

Any ideas would be greatly appreciated!
 
It sounds like you pretty much just have two DHCP servers on your network. I would create sub interfaces on the LAN NIC, each as their own default gateway, DHCP, etc and set one for VLAN2. Then your routing rules will determine who gets to talk to what on each VLAN.
 
Agree with CL...bridge the Comcast gateway and use PFSense as your router. Use multiple internal interfaces so you can have separate internal networks, or use VLAN tagging to nest a VLAN on the single LAN NIC....lots of flexibility. but bridging a PFSense box is so limiting.
 
Early in the morning...tail end of a trip I'm tired didn't even see CLC in the bottom, just the Central Lakes jumping out at my eyes..so I did a quick abbreviation missing the CLC in member name below. :(
 
I work on larger networks for a living and to be honest am not clear exactly what you did or what you are trying to do.

You say you have a Comcast modem acting as a DHCP server for your network. Presumably this would provide Internet routable IPs and is usually limited to one (1), which you would need to NAT everything to that IP behind a firewall. Certainly the ISP could provide DHCP and provide more IPs, but I never really see this. Clients who have multiple Internet IPs usually get a small CIDR block like a /29 to a /24 advertised to them. Typically, in these implementations they have a separate /30 for point-to-point connectivity to the ISP itself. The rest is just routing tables to make larger blocks usable.

At any rate, we know you have a modem and the ISP is providing connectivity. What do you mean "the WAN nic is bridged so all the traffic flows right through it?" Is it acting like a virtual-wire? Similar to this: https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/networking/virtual-wire-deployments

Typically, what I do and see is that blokes usually run their firewalls with the interfaces provisioned as Layer-3 interfaces whereby they have an IP address assigned to them. By virtue of being assigned an IP and mask, an interface's subnet becomes a directly connected route in the VRF or Virtual Router process to which it is assigned. At any rate, the firewall runs the routing process (usually static only though some run an IGR). Often in larger networks there is a head-end router where after the firewall there is another /30 point-to-point network connecting the firewall to a network core as best practice, but in your case, you would want to directly put LAN subnet(s) on the firewall. In fact, of this I am certain. Your SLM248G is a Layer-2 switch only, so it does not do routing (https://www.cisco.com/c/en/us/produ...-smart-switch-sfps/data_sheet_c78-504112.html). Provided you have multiple VLANs going over one (1) interface, you would then create sub-interfaces running Dot1q (802.1q) and assign them to whatever VLANs you are going to use to cross that trunk. Again, that switchport would need to be configured as a trunk to carry those VLANs. ... OR if you have multiple physical interfaces on the firewall you could bring each into different physical ports assigned to different VLANs on the switch.

This is how you would create a trunk on the Cisco:

interface TenGigabitEthernet0/2
description trunk Uplink to Firewall
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 38,39
switchport mode trunk
!

I don't understand your statement: "I created a VLAN on the switch (VLAN 2) <redacted>. All ports on the switch are set to VLAN1 untagged default VLAN."

My reading of this is that you instantiated VLAN 2 in the switch by defining it but not a single interface is assigned to it; instead, you left all interfaces as access-ports (untagged) in VLAN 1.

Then I read this that is contradictory:
"The ports that I plug the pfsense box into and the AP's are set to VLAN1 untagged and VLAN2 tagged."

To me that shouts:
interface TenGigabitEthernet0/2
description trunk Uplink to Firewall
switchport trunk encapsulation dot1q
switchport trunk native vlan 1
switchport trunk allowed vlan 2
switchport mode trunk
!


Overall, I do not see any reason why this wouldn't work. My presumption is that the problem is with the APs. You want both SSIDs to be completely separate putting all traffic into only one VLAN.


I doubt you can force this being you have Linksys APs, but I do my best to avoid carrying a native (untagged) VLAN on a trunk for security reasons of VLAN hopping.

I usually instead add:
vlan dot1q tag native


All this would do is explicitly tag VLAN 1 across the trunks and drop any untagged traffic.
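The native-VLAN point above can be checked mechanically. The following is an added example, not code from the thread or from any of the vendors mentioned: it parses IOS-style interface stanzas (constructed sample config, hypothetical interface names) and flags trunks whose native VLAN would cross the link untagged because the global `vlan dot1q tag native` is absent.

```python
"""Audit IOS-style switch config for trunks carrying an untagged native VLAN."""
import re

# Constructed sample in the style of the thread's snippets (hypothetical device).
SAMPLE_CONFIG = """\
!
interface TenGigabitEthernet0/2
 description trunk Uplink to Firewall
 switchport trunk native vlan 1
 switchport trunk allowed vlan 1,2
 switchport mode trunk
!
interface GigabitEthernet0/5
 description AP uplink
 switchport trunk native vlan 1
 switchport trunk allowed vlan 2
 switchport mode trunk
!
"""

def parse_config(config):
    """Return (top-level lines, {interface name: [indented stanza lines]})."""
    top, interfaces, current = [], {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:                       # '!' or any other top-level line ends the stanza
            current = None
            top.append(line.strip())
    return top, interfaces

def allowed_vlans(stanza):
    """VLAN ids allowed on the trunk as a set, or None for 'all' (the IOS default)."""
    for line in stanza:
        m = re.match(r"switchport trunk allowed vlan (.+)", line)
        if m and m.group(1).strip() != "all":
            ids = set()
            for part in m.group(1).split(","):  # handles '38,39' and ranges '1-10'
                lo, _, hi = part.strip().partition("-")
                ids.update(range(int(lo), int(hi or lo) + 1))
            return ids
    return None

def audit_trunks(config):
    """List (interface, native vlan) for trunks whose native VLAN goes untagged."""
    top, interfaces = parse_config(config)
    tag_native = "vlan dot1q tag native" in top  # global knob from the reply above
    findings = []
    for name, stanza in interfaces.items():
        if "switchport mode trunk" not in stanza:
            continue
        native = 1                                  # IOS default native VLAN
        for line in stanza:
            m = re.match(r"switchport trunk native vlan (\d+)", line)
            if m:
                native = int(m.group(1))
        allowed = allowed_vlans(stanza)
        carried = allowed is None or native in allowed
        if carried and not tag_native:
            findings.append((name, native))
    return findings
```

The AP uplink is not reported because its native VLAN 1 is not in the allowed list, so nothing rides that trunk untagged; the firewall uplink is reported until `vlan dot1q tag native` is added globally.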
 