Tuesday, January 21, 2014

Set up VLAN on pfSense and Cisco Layer Two Switch

Internet --- (ext) Router (int) --- (port 1) Layer 2 Switch

VLAN setting on pfSense
Step 1: Determine whether your LAN network card driver supports 802.1Q VLAN tagging by looking for the VLAN_MTU and VLAN_HWTAGGING options in the ifconfig output:
 - ifconfig
 - output: em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
   options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>

Step 2: Interfaces > (assign) > VLANs tab > Add VLAN:
 - Parent interface: em0 (your LAN network card).
 - VLAN tag: 2
 - Description: IT
 - Repeat the steps for VLAN3.

Step 3: Interfaces > Select OPT1
 - check "Enable Interface".
 - Description: VLAN2
 - IPv4 Configuration Type: Static IPv4
 - IPv4 Address: 192.168.2.2 / 24
 - Gateway: none
 - Click on "Save" Button
 - Repeat the steps for VLAN3.

Step 4: Firewall > NAT > Outbound tab > Add new mapping:
 - Interface: WAN
 - Protocol: any
 - Source Type: Network
 - Source Address: 192.168.2.0 / 24
 - Source port: (leave blank for any)
 - Destination Type: any
 - Destination Port: (leave blank for any)
 - Description: VLAN2 IT
 - Click on "Save" button
 - Repeat the steps for VLAN3

Step 5: Firewall > Rules > VLAN2 tab > Add new rule:
 - Action: pass
 - Interface: VLAN2
 - TCP/IP version: IPv4
 - Protocol: any
 - Source Type: VLAN2 subnet
 - Destination Type: any
 - Description: VLAN2 to any
 - Repeat the steps for VLAN3

VLAN Plan on Cisco Layer Two Switch
Port 1       // VLAN1 (the default VLAN).
Port 2, 3, 4 // VLAN2
Port 5, 6, 7 // VLAN3

Interface Settings
Port 1: Interface VLAN Mode: Trunk
Port 2, 3, 4: Interface VLAN Mode: Access
Port 5, 6, 7: Interface VLAN Mode: Access

Port VLAN Membership

Port 1: Join VLAN:
 - Add VLAN1 UP (Untagged member, PVID).
 - Add VLAN2 T (Tagged member).
 - Add VLAN3 T (Tagged member).

Note: A safer configuration for Port 1 is:
 - Remove VLAN 1
 - Add VLAN99 UP (Untagged member, PVID).
 - Add VLAN2 T (Tagged member).
 - Add VLAN3 T (Tagged member).
 - Note: With this setup, ports that have not been added to a user-defined VLAN cannot see Port 1 (that is, the external gateway), which guards against anyone plugging a cable into an undefined port without permission.

Port 2, 3, 4: Join VLAN:
 - Remove VLAN1.
 - Add VLAN2 UP (Untagged member, PVID).

Port 5, 6, 7: Join VLAN:
 - Remove VLAN1.
 - Add VLAN3 UP (Untagged member, PVID).
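As an added example (not part of the original post), the following Python script models 802.1Q membership for the port plan above and compares the two Port 1 variants. The VLAN numbers and port assignments are the ones on the page; port 8 is a constructed port left at factory defaults (untagged member of VLAN 1), which the post does not mention, and the forwarding model is a simplified flooding model, not a specific switch's implementation.

```python
"""Model 802.1Q forwarding on the switch plan above and compare the two
Port 1 configurations (native VLAN 1 versus native VLAN 99)."""
from dataclasses import dataclass


@dataclass
class Port:
    pvid: int                         # VLAN for untagged ingress; sent untagged on egress
    tagged: frozenset = frozenset()   # VLANs carried with an 802.1Q tag on this port

    def member(self, vid):
        return vid == self.pvid or vid in self.tagged


def classify(port, tag):
    """VLAN an ingress frame lands in, or None if the port drops it.
    tag=None means the frame arrived untagged (the access-port case)."""
    if tag is None:
        return port.pvid
    return tag if tag in port.tagged else None   # untagged-only ports drop tagged frames


def egress_ports(switch, ingress, tag=None):
    """Ports that can receive a frame entering 'ingress' (simplified flooding model)."""
    vid = classify(switch[ingress], tag)
    if vid is None:
        return set()
    return {p for p, cfg in switch.items() if p != ingress and cfg.member(vid)}


def reaches_gateway(switch, port, tag=None):
    """True if traffic entering 'port' can reach Port 1, the uplink to pfSense."""
    return 1 in egress_ports(switch, port, tag)


def build_switch(port1_native):
    sw = {1: Port(pvid=port1_native, tagged=frozenset({2, 3}))}   # trunk to pfSense
    for p in (2, 3, 4):
        sw[p] = Port(pvid=2)       # access ports, VLAN2 untagged, PVID 2
    for p in (5, 6, 7):
        sw[p] = Port(pvid=3)       # access ports, VLAN3 untagged, PVID 3
    sw[8] = Port(pvid=1)           # constructed: never configured, factory-default VLAN 1
    return sw


ORIGINAL = build_switch(port1_native=1)    # Port 1 keeps VLAN1 as its untagged VLAN
SAFER = build_switch(port1_native=99)      # Port 1 uses VLAN99 as its untagged VLAN

if __name__ == "__main__":
    for name, sw in (("VLAN1 native", ORIGINAL), ("VLAN99 native", SAFER)):
        print(name, {p: sorted(egress_ports(sw, p)) for p in sw})
```

Running it shows that the unconfigured port 8 reaches the gateway under the original plan but is isolated once Port 1's untagged VLAN is moved to 99, while the VLAN2 and VLAN3 access ports still reach Port 1 through their tagged membership.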
