All HowTo's pfSense & Netgate

Netgate 2100 VLAN Configuration

This article discussed the Netgate 2100 VLAN capabilities. We’re not trunking in this article, we’re simply spinning of a single switch-port as a discrete port. Ie, we’ll have one of the 4 switch-ports on a different VLAN.

This article “https://docs.netgate.com/pfsense/en/latest/solutions/netgate-2100/switch-overview.html” from Netgate is correct, but:

  1. VLAN 1 (the default) seems to need to exists (can’t be removed) and seems to require at least one switch-port assigned to it. I need to verify this but in hindsight this seems to be the case.
  2. I highly recommend not creating and assigning (tagging) more than 2 VLANs on this device.
  3. Having more than 2 VLANs seems to have caused issues with DHCP. Ie, I had a very strange case where DHCP settings were not matching the switch-ports that I was connecting to. This could have been a tagging issue or my workstations (tried two), but it’s unclear.

But having said all that, no one else is complaining about this so it could be just me. I’ve experienced similar on the Netgate 3100. Both devices come with 802.1q disabled. So there’s a good chance that I’m treating these devices like the upper-end models which may be incorrect.

My objective was to have the Netgate 2100 configured with 1 WAN connection, 1 LAN connection (192.168.1.0/24) and 1 OPT connection (192.168.5.0/24). The OPT was to be used for a segment of the local network that was for a different use case.

I ended up with:

  • Switch-port WAN as the WAN interface (obviously).
  • Switch-ports 1, 3 & 4 on the LAN VLAN.
  • Switch-port 2 on the new VLAN.

The remainder of this article are a reflection of my settings.

IMPORTANT: I’m keeping switch-port 1 on the default VLAN and therefore using it as my connection between my workstation and the Netgate 2100. This is important because otherwise there’s a good chance I’ll kick myself off the Netgate 2100.

Note: I’ve configured pfBlockerNG as you can see in the firewall settings. You can ignore that.

 

Start the configuration

Create the new VLAN. Here I’m using VLAN ID 4085. I chose that number because the third octet in the IP address will be a 5 for my new VLAN. This number scheme isn’t important.

Assign the new VLAN. Here I’ve already renamed it to something other than OPT1. I’ve called the new VLAN interface “LAN_5” because it will be on the “192.168.5.0/24” network.

Enable 802.1q VLAN support. Then add the new tag. Notice the “Members” column and pay attention to the numbers (and “t”) I’ve used. In this case, we’re using switch-port 2 as the new VLAN (network 192.168.5.0/24), and all other switch-ports (1, 3 & 4) remain on the default VLAN.

Set the un-tagged inbound frame assignments. Here we’re saying that anything not assigned to a VLAN coming inon switch-port 2 will be assigned to the “4085” VLAN.

Now make sure the firewall rules are correct. Here we are allowing everything through.

This is the first (default VLAN 1) VLAN interface.

This is the new (VLAN 4085) VLAN interface.

Now make sure the interfaces have the correct IP addresses.

This is the default VLAN (VLAN 1).

This is the new VLAN (VLAN 4085).

Now make sure DHCP is enabled (or not).

This is the first VLAN (VLAN 1).

This is the new VLAN (VLAN 4085).

At this point we’re done. You should be able to connect a computer to switch-port 2 and get an address on the range “192.168.5.0/25” while connecting to any other switch-port (1,3,4) will assign you an address on the “192.168.1.0/24” network. Inter-VLAN communication (routing) is enabled through the firewall rules.

Leave a Reply

Your email address will not be published. Required fields are marked *