pfSense and Cisco SG350 managed switch - help needed on setup. Especially VLAN's

[+BudMan MVC]

Im online we can TV.. I will hit you up via PM

[sc302 Veteran]

so you can see context.

 

4 hours ago, The Dark Knight said:

*snip*

 

True, but for you guys this is like second nature as these are your fields of work. I am just a creative guy who also happens to like all this stuff, so keep experimenting with things. And since I'm creative, I also prefer GUI's. 

 

3 hours ago, sc302 said:

It takes a logical mind to do any of this.  It takes a creative mind to figure things out.  A truly creative mind isn't limited by interface, but simply challenged by it.  To do what I do it takes not only a logical mind but a creative mind where the limit is only my capability of understanding.

3 hours ago, c.grz said:

I'd say it takes a logical mind to understand CLI and that the creative types prefer the GUI.

and finally to answer your rebuttal, with a relative example of a type of person or field that is truly creative followed by an example of what one would follow that is a very scripted outcome based on a predefined picture. 

3 hours ago, sc302 said:

it is a bit closed minded don't you think, that the only way to be creative is to point and click around in a predefined environment?

 

artists are creative, they start with blank canvases.  They usually don't start with connect the dots when they are creating art.

 

 

I wasn't discussing art, I was still on the creative path...your mind lead to art, I never said anything about art, only referring to a person who would be considered an artist, the tools that they would use, and the end result (and that doesn't have to be a professional artist, it could be a amateur...it is just an artist in general).   not really concentrating on the art part of it (you went there, not me), just their ability to think.   I don't mean for this to be negative, but you need to open your mind a bit more and step outside of that box.

[The Dark Knight]

12 minutes ago, BudMan said:

Im online we can TV.. I will hit you up via PM

Sent via PM.

[+BudMan MVC]

@sc302 hey so this pfsense is on hyperV... Which I do not use - how to do you make sure it doesn't strip tags and allows them?

 

DarkNight can fill you in more on the config.. But pfsense and switch are correctly setup..

[sc302 Veteran]

What is being allowed on the vm virtual adapter?

 

get-vmnetworkadaptervlan -vmname whateveritis | fl

 

 

command to set:

 

set-vmnetworkadaptervlan -vmname whateveritis -Trunk -AllowedVlanIdList 0-100  -NativeVlanID 0

 

not sure if you need the nativevlanid or not, but that is the example I have.  supposedly 0 is for untagged...

 

 

I have one or two hyper-v servers....but no trunks to them.  I am uncertain if you can do it in the gui, where I know for sure you can do it in the gui with vmware.

 

 

If you want to be sure if you are passing traffic,  give the vlan on the switch an ip on the subnet. 

 

ping gatewayip source ipofvlan

 

so lets say my vlan 30 on pfsense has an ip of 10.10.10.1

 

I would assign vlan 30 on my sg350 with 10.10.10.2

 

at an enable prompt on the switch I would do the following

 

ping 10.10.10.1 source 10.10.10.2

 

or in switch ios commands

 

ping 10.10.10.1 source vlan30

 

This will test that you can ping from the vlan on the switch to the gateway, testing basic communications on that vlan provided that icmp is turned on within the firewall.  Then you can go one step further and ping out...

 

ping 8.8.8.8 source 10.10.10.2

which essentially tests your route tables or acls

 

or in ios command

 

ping 8.8.8.8 source vlan30

 

if you are in a configure prompt vs enable type "do" in front of the command, do allows you to run enable commands from a configure prompt but tab doesn't work if you like to utilize tab to cycle commands.

 

do ping 8.8.8.8 source vlan30

 

*edit* for anyone paying attention, hyper-v is both gui and cli.  not all things are available though the gui, windows server is hybrid in that sense where you need both to accomplish certain tasks.

 

 

[+BudMan MVC]

Yeah I sent him to docs on using that cmdlet... I pretty sure its blocking stuff, because the vlan setup is dead simple here.. And wasn't seeing any dhcp discover even on the native vlan..  But yeah simple test would be to generate traffic and validate its tagged, etc..

 

No wonder he was having so many problems.. As soon as I hit the pfsense gui and saw 10ge on the lan interface... I was like ok this is really some screaming hardware or this is running VM

 

And yes I get your point about gui and client with windows hehehe  I was going to bring up the same thing... Gui is fine for some stuff, but power is always at the command line..

[The Dark Knight]

Thanks a lot sc302 for your detailed reply! Yes, BudMan also found out that this has to be done via CLI and pointed me to a couple of articles online. No issues, will implement this later today. Windows CLI is fine for me, used it for years! 

 

Thanks again BudMan for all your help! Will post results here once done.

[+BudMan MVC]

Yeah let us know... If you need me to TV in again, just let me know.. Sorry about the disruption during our session but my Boss came by discussing project working on hehehe

[The Dark Knight]

Ok, so I've been trying and trying, and failing every time with this. I used the Trunk command that sc302 gave, and while the command was accepted, it locked me out of my network completely on all ports! I altered the command slightly to suit my setup - basically gave 1 to 100 in allowed VLAN's bit and gave the native ID as 1, since my switch default is 1.

 

With Trunk on Hyper-V, I was able to get an IP from the 192.168.3.1 DHCP server and was also unable to access any other devices. So that bit was working as intended. But another machine which was on the primary 192.168.1.1 network lost connection and got an auto config IP. 

 

I have finally got it working though, by creating a new virtual adapter for pfSense in Hyper-V, and then specifying VLAN30 in it. No Trunks on Hyper-V. Cisco switch is set to how you did it BudMan, I just added more VLAN's on the Switch, using the same settings you put in for the one you created. And added those tags to the Trunk port under Port VLAN membership like you had done. So now all is good. However I think I foresee a headache with this setup, as the more VLAN's I add, the more messy it is going to get, with me having to create a virtual adapter for each one. And all those showing up in pfSense.

[The Dark Knight]

1 hour ago, BudMan said:

Yeah let us know... If you need me to TV in again, just let me know.. Sorry about the disruption during our session but my Boss came by discussing project working on hehehe

Thanks! I wouldn't mind you logging in. Maybe we can figure out Trunks on Hyper-V? Or should I just stick to the way I've got now - an additional adapter in Hyper-V for the pfSense VM? Also wondering, any performance or security implications with this way, as opposed to Trunk method?

 

I'm still plugged in physically to my server running pfSense for now, so no worries of getting locked out! 

[+BudMan MVC]

So I installed hyper-v on my win 10 PC... I enabled an external hyper-v switch and wow did it kill my networking performance.. I updated my nic drivers to current from realtek vs the default window 10 ones that were dated 2015

 

I always see 550ish Mbps down from internet, after I installed that hyper-v switch on my nic... I was only seeing 300ish.. As soon as turned off the switch, back to my full internet speed.. I didn't bother to test actual speeds with iperf locally, etc.  But when get time will test that.. Hopefully the driver update fixed whatever was going on.. That is some serious hit to performance.

 

But have not had chance to turn the hyper-v switch back on, just got back from my morning walk..

 

Even if take that performance hit, I will plan on duplicating your setup with pfsense on hyper-V and getting tagged vlans to work.. Or atleast attempt too..

 

But your work around should work with multiple vswitches on the same physical nic and mapping vlans.. But then you would create just new virtual nics in pfsense and not have to do any vlans or tagging in pfsense.  Just connecting the new virtual nics in pfsense to your hyper-v vswitches with those vlans you have defined in your cisco switch.

[grunger106]

Interesting thread.....

 

I'm really vaguely remembering some of this when I set up a nested Hypervisor scenario for testing, (ESXI host, with a Hyper-V VM, itself spawning VDI instances)

I can't quite remember the detail at the moment as it was 18 months back, I think I still have the setup on one of my not often esxi hosts though, I'll fire it up and have a look later.

 

Out of interest what is the rationale for using pfsense to do the intervlan work rather than using the switch (Not familiar with this specific model, I'm HPe biased, but it's L3 capable isn't it?)
I tend to run my lab VLANs back to a 'core switch' (loosely termed here of course - 1920-24G is certainly not a real core switch ) and then pass traffic destined for the outside world up to my firewall (virtualised Sophos XG) rather than having the firewall handle everything.

I know that most of the L3 lite equiemnt only supports a limited number of static routes, but generally enough for a small setup

 

[DaveLegg Developer]

If you're using Hyper-V, you might find it easier to setup a a switch for each vlan, with the appropriate vlan tag set, and connect them to the pfsense VM as individual interfaces, rather than using a single interface and trying to pass the vlans through.

[+BudMan MVC]

^ yeah that is what he is currently doing with the interfaces and specific vlan tags on each vswitch

 

As to doing the routing on the L3 switch he has - yes that is an option.  But firewall on the L3 is going to be a PITA.. Has to be done with ACLs and ACEs - real PITA!!  Especially for someone new to the concepts in general.

 

Using pfsense as his router/firewall between his segments is going to make doing everything much easier via simple straightforward gui.

 

The use of the downstream L3 is also going to create complexity for outbound nat to the internet.. And doing all of this via VM also makes it more complex if he went the downstream L3 method.  He is going to need to do transit network to the downstream from his edge router or he will run into asymmetrical issues, etc. etc.

 

If he needed routing at wire speed, and firewalling between the segments was of secondary or no concern then yeah routing at the L3 would be option..  He might want to do it as a learning experience once he gets more comfortable with his skills.

[The Dark Knight]

Wow! That really is a massive drop in performance!! Must test my network tomorrow. Although my internet is 125 up and down, so as long as I get that, I'm ok with it. Will also test local LAN speeds. Again, if I get full gig like earlier, I'm good. If not, well....☹️

 

Wow, ok! Look forward to your experience with duplicating my setup! 😎👍

 

Not going to have too many VLAN's for quite some time most likely. Testing one restricted network just now with all wireless devices.  This will finally become my IoT and Guest network with no LAN access. And I'm planning to put one more just now completely isolated for a test VM.

 

Any suggestions on what else I can have on VLAN? Not going to be hosting a website because of the security risks, otherwise that would have been one more.

[The Dark Knight]

I was planning to ask you about Layer 3 routing, but you already answered that for me. That is way beyond me! 😂

[The Dark Knight]

I actually moved from Windows 10 over to Server 2019. Got tired of the frequent updates and restarts. I know, they can be stopped, but Server OS is just cleaner and more stable. Not sure what is the difference between Hyper-V on Windows Server vs on 10.

[+BudMan MVC]

Im not sure either... But I don't currently have anything running Server 2019 that I could play with.. I thought you said you were running hyper-v on 10?  Maybe I misread our conv on TV?

 

If you wanted to do yourself a huge bump would be to move your vm host to esxi hehehe  So much cleaner and easier to run VMs on IMHO..

 

I hope to do some testing tonight on performance with hyper-v switch connected to my physical nic.. But yeah it really killed my connection.. The other thing that ticked me off, was it re enabled IPv6 on my interfaces when I did it.. Which had disabled, since I only use it when testing.. Maybe that was the performance hit to the internet?  Since I run through a HE tunnel? I will validate that as well.  But I doubt it since I don't believe speedtest.net supports IPv6?  Have to look into that as well

 

But as long as your working the way you are your fine.. Nothing wrong with the way your doing it with different vswitches for each vlan.. You can do it that way in esxi as well with portgroup for each vlan on your vswitch.

 

As to what else you would segment out, would depend on your devices.. If you have different types of iot devices, breaking them out into their own vlans prob a good idea vs all on the same one.  But if they are wireless devices since your AP doesn't support vlans your going to have a hard time doing that.  Unless you use different AP for each vlan.

[sc302 Veteran]

FWIW, VMware is a much more mature product and it is very easy to setup vswitches.   But it is a headless system, can’t use it as a desktop...it would be managed via a web based GUI. 

[The Dark Knight]

Yeah, I was running 10 initially, but moved to Server OS a couple weeks back.

 

I looked at ESXi and Proxmox as well when I first setup my server, but those are a problem in my scenario. I have a hard drive on the box that has all my work backups. I've got Syncthing running, which immediately copies my work files from my desktop or laptop over to this server. It's also serving music to my Pi based music player, Kodi and other Windows machines via SMB. I had just moved this over from an external case. So that's formatted as NTFS, which Windows takes up easily of course and has no issues. If I run any bare metal OS, I would have to move all that data to another drive, which I don't have, and then format it.

 

I'm looking into alternative firmware for routers, but that's another nightmare. DD-Wrt is popular, but not so compatible, especially with low-end devices. Open-Wrt is more compatible, but more difficult to install on many devices. Similar story with Tomato. Was actually wondering, how do VLAN's work on these? Doesn't the hardware need to support 802.1q traffic? From my limited research, when people have asked about VLAN's on wireless, the responses have either been to get Ubiquiti hardware or flash custom firmware. Ubiquiti does support all this of course, but others on custom firmware?

 

Would have loved to go in for Ubiquiti, but no official presence here in India, so they cost a dear sum! $150 for a Lite AP!

[The Dark Knight]

Update: Tested network for performance, full speed ahead! 

 

 

[Mindovermaster Moderator]

27 minutes ago, The Dark Knight said:

Update: Tested network for performance, full speed ahead! 

 

Ahoy, matey!  

 

Glad you got it sorted  

[The Dark Knight]

Yup, all thanks to BudMan and sc302! And DaveLegg. Adding additional adapters in pfSense VM directly was definitely far easier! 

[+BudMan MVC]

Well I just did a test, and while it does show a bit of a hit... Its not what I was seeing yesterday...

 

 

Prob is I never did a local test yesterday.. But I did update the nic drivers - don't have the motivation to rollback drivers and repeat testing, etc..

 

But still will take a look at doing the vlan stuff when get a chance..

 

Top is before creating external switch in hyper-v, bottom is after.. After removing vswitch back to full speed locally, etc.

 

Will have to spend some time trying to figure out why the internet hit though..

 

Top is without switch, bottom is with.. Seems ODD??? Since don't see much of a hit locally.

[The Dark Knight]

Yeah, your LAN speed difference is negligible. But the question still remains though, why it is slower. But yes, big difference in internet speed!

 

Look forward to your experience with Hyper-V VLAN's!