VLANs pfSense and ESXi

VLANs are a very common technology in our computer networks. In this post I will outline the steps I took to create and configure 2 VLANs on my ESXi machine, using a Dell PowerConnect 5324 switch and a pfSense firewall appliance.

In this example we will create 2 VLANs: VLAN 100, which we will call internal, with the network 10.0.100.0/24, and VLAN 200, which we will call clients, with the network 10.0.200.0/24.

First a little background. Cisco defines a VLAN as

a group of devices on one or more LANs that are configured to communicate as if they were attached to the same wire, when in fact they are located on a number of different LAN segments.

This allows them to be quite flexible; for example, network devices in different geographical locations can be part of the same local network.

The details of the hardware and software used are as follows:

  • Dell PowerConnect 5324 Gigabit Layer-2 switch
  • pfSense 2.2-RELEASE (i386)
  • VMware vSphere 5 (ESXi 5.5.0)
  • vSphere C# Client 5.5.0

1. Create VLANs in pfSense

  1. Go to Interfaces –> Assign and take note of the name of the interface you will use as the parent for the VLAN traffic; in my case it is the LAN interface, re1.
  2. Now go to Interfaces –> VLANs and click on the + to create our 2 VLANs, 100 and 200, which we call internal and clients. Set the parent interface to the LAN interface noted in step 1 (re1). (Screenshots: Interfaces - VLANs; VLANs - Add)
  3. Now go back to Interfaces –> Assign and add these 2 interfaces to your list with the + at the bottom, next to the Available network ports line. After refreshing, they will show up in the list as OPT(X).
  4. Now we need to configure these interfaces: go to Interfaces –> OPT6, enable the interface, name it, give it a static IPv4 configuration, and give it the network address. (Screenshot: Interface - Configuration) Repeat this for the second VLAN interface, OPT7.
  5. We will want a DHCP service to assign addresses on our 2 VLANs. Go to Services –> DHCP server; the 2 interfaces will show up in this panel. Select internal, enable the DHCP server, and set your address pool. (Screenshot: DHCP server - Configuration) Repeat for the clients VLAN interface.
  6. Newly created interfaces don’t have any firewall rules, and pfSense denies traffic by default, so we will add firewall rules to allow traffic on these interfaces. Go to Firewall –> Rules and click on the internal (vlan100) tab. Add a new rule: pass traffic on the internal (vlan100) interface, protocol any, source internal (vlan100) network, destination any. (Screenshot: Add Firewall Rule) Repeat for the clients (vlan200) interface.

To recap, we now have 2 virtual interfaces on our re1 interface that correspond to vlan100 and vlan200, DHCP servers to assign addresses to devices on them, and firewall rules that allow traffic to pass in on these interfaces. Note that the firewall rules we created allow traffic to any destination, including your other VLAN and the LAN; if you intended to block that traffic you would have to adjust the firewall rules accordingly (pfSense evaluates the rules on a tab top to bottom, so a block rule has to sit above the pass rule).
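To make the recap's caveat concrete, here is an added example (my own code, not pfSense's and not from the original post) that models pfSense's first-match rule evaluation on an interface tab and runs a few flows through the rule set from step 6 and through an isolated variant. The address book and the LAN subnet (192.168.1.0/24, which the post never states) are constructed assumptions, and 203.0.113.10 is a TEST-NET-3 address standing in for an Internet host.

```python
import ipaddress

# Constructed address book for the post's networks (example code, not pfSense's own).
# The post never states the LAN subnet, so 192.168.1.0/24 is an assumption.
NETS = {
    "LAN net": ipaddress.ip_network("192.168.1.0/24"),
    "internal net": ipaddress.ip_network("10.0.100.0/24"),
    "clients net": ipaddress.ip_network("10.0.200.0/24"),
}


def _matches(field, addr):
    """A rule field is 'any', one of the alias names above, or a literal CIDR."""
    if field == "any":
        return True
    net = NETS[field] if field in NETS else ipaddress.ip_network(field)
    return ipaddress.ip_address(addr) in net


def evaluate(rules, src, dst):
    """Rules on a pfSense interface tab are read top to bottom and the first match
    wins; a packet that matches nothing falls through to the implicit default deny."""
    for rule in rules:
        if _matches(rule["src"], src) and _matches(rule["dst"], dst):
            return rule["action"]
    return "block"


# The single rule created in step 6 of the post for the internal (vlan100) tab.
AS_POSTED = [
    {"action": "pass", "src": "internal net", "dst": "any"},
]

# Isolated variant: block the other local networks first, then let the rest out.
ISOLATED = [
    {"action": "block", "src": "internal net", "dst": "clients net"},
    {"action": "block", "src": "internal net", "dst": "LAN net"},
    {"action": "pass", "src": "internal net", "dst": "any"},
]


def audit(rules):
    """Run a few representative flows through a rule set and report the verdicts."""
    cases = {
        "internal->clients": ("10.0.100.20", "10.0.200.20"),
        "internal->LAN": ("10.0.100.20", "192.168.1.10"),
        "internal->internet": ("10.0.100.20", "203.0.113.10"),  # TEST-NET-3, stands in for a public host
    }
    return {name: evaluate(rules, s, d) for name, (s, d) in cases.items()}


if __name__ == "__main__":
    for label, rules in (("as posted", AS_POSTED), ("isolated", ISOLATED)):
        print(label, audit(rules))
```

The model only looks at source and destination addresses; real pfSense rules also match protocol and ports, and replies to allowed connections are handled by state rather than by rules, so the block rules above only stop connections that internal hosts initiate.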

2. Configure switch ports

Next we are going to need to configure our switch ports to accept VLAN-tagged traffic. This is where things got confusing, at least for me. The terminology and settings vary from product to product, making the basics of tagged/untagged frames and switch port modes quite confusing for the uninitiated. I will try to elaborate on this at the end of the article and give an overview of my understanding of a few of the details.

  1. Go to Switch –> VLAN –> VLAN Membership and click Add to create the new VLAN. (Screenshot: VLAN - Create) Repeat for clients (vlan200).
  2. In my case port 11 is connected to the ESXi machine's vSwitch, and port 1 is connected to the pfSense device's LAN interface (re1). Both of these ports need to be configured to carry tagged traffic from multiple VLANs. Go to Switch –> VLAN –> Port Settings, select port g1, set the port VLAN mode to Trunk and apply the changes; repeat for the second port, g11. (Screenshot: VLAN Port Settings)
  3. The last step is to make these 2 ports members of our new VLANs, with the ports set to Tagged. Go to Switch –> VLAN –> VLAN Membership, show VLAN 100, click the Static row box for our 2 ports, 1 and 11, and set them to T for Tagged, then apply the changes. (Screenshot: VLAN Membership)

Lastly don’t forget to copy your running configuration to the startup configuration! System –> File Management –> Copy Files, running-config to startup-config

3. ESXi Configuration

That takes care of the physical networking configuration: we have our layer-3 device to route between our 2 VLANs, and our switch ports are set to carry VLAN-tagged traffic. Now we need to configure the virtual ESXi switch to tag the traffic with the correct VLAN ID.

  1. We need to create 2 new port groups on our vSwitch0 and set their VLAN IDs. In your vSphere Client, go to the Configuration –> Networking tab, click Add Networking, select Virtual Machine and click Next. We will use vSwitch0, which has the physical adapter vmnic0; click Next. (Screenshot: VMware Networking Configuration)
  2. Set a network label for the port group, internal, set the VLAN ID to 100 and finish the wizard; repeat for clients with VLAN ID 200. (Screenshot: VMware - Add Port Group)
  3. Lastly we need to set the virtual machine's network adapter to use the new port group: right-click the VM –> Edit Settings –> Network Adapter and change the Network Label to one of the new port groups. (Screenshot: VMware Port Group association)

That’s it: you should now have 2 VLANs, internal and clients, each with a virtual machine associated with it. Each VM should be assigned an IP address from the DHCP server for its VLAN.
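The three sections above each touch a different box, and a VM that gets no DHCP lease is usually a sign that one of the three disagrees with the others. The following added example (my own code, not part of the post and not an ESXi or PowerConnect API) models the switch ports from section 2 and the port groups from section 3 and checks that every port group's VLAN ID is carried tagged on both trunk ports and has a matching pfSense VLAN interface. The "missed step" configurations are constructed to show what the check reports when step 2 or step 3 of the switch configuration was skipped for port g11.

```python
from dataclasses import dataclass, field


@dataclass
class SwitchPort:
    """One PowerConnect port as set in section 2: mode, PVID (untagged/native VLAN), tagged VLANs."""
    mode: str                      # "access", "trunk" or "general"
    pvid: int = 1
    tagged: set = field(default_factory=set)


@dataclass
class PortGroup:
    """One vSwitch port group as set in section 3."""
    label: str
    vlan_id: int


def carries_tagged(port, vlan):
    """True if the switch port forwards frames of `vlan` as tagged frames."""
    return port.mode != "access" and vlan in port.tagged


def check_vlan_path(pf_vlan_tags, ports, port_groups, esxi_port, pfsense_port):
    """Return a list of findings; an empty list means every port group has a tagged
    path across the switch to a pfSense VLAN interface. Assumes one physical switch
    between the ESXi uplink and the pfSense LAN interface, as in the post."""
    findings = []
    for pg in port_groups:
        if pg.vlan_id not in pf_vlan_tags:
            findings.append(f"{pg.label}: no pfSense VLAN interface for tag {pg.vlan_id} (no gateway or DHCP)")
        for role, name in (("ESXi-facing", esxi_port), ("pfSense-facing", pfsense_port)):
            port = ports[name]
            if not carries_tagged(port, pg.vlan_id):
                findings.append(
                    f"{pg.label}: port {name} ({role}, mode={port.mode}) does not carry VLAN {pg.vlan_id} tagged"
                )
    return findings


# VLAN tags that have an enabled pfSense interface on re1 (section 1).
PF_VLAN_TAGS = {100, 200}

# Port groups created on vSwitch0 (section 3).
PORT_GROUPS = [PortGroup("internal", 100), PortGroup("clients", 200)]

# Switch as left at the end of section 2.
PORTS_OK = {
    "g1": SwitchPort("trunk", tagged={100, 200}),    # to pfSense re1
    "g11": SwitchPort("trunk", tagged={100, 200}),   # to ESXi vmnic0
}

# Constructed mistake: step 3 applied to VLAN 100 only, so g11 never got T for VLAN 200.
PORTS_MISSED_STEP3 = {
    "g1": SwitchPort("trunk", tagged={100, 200}),
    "g11": SwitchPort("trunk", tagged={100}),
}

# Constructed mistake: step 2 skipped on g11, which is still in its default access mode.
PORTS_MISSED_STEP2 = {
    "g1": SwitchPort("trunk", tagged={100, 200}),
    "g11": SwitchPort("access", pvid=1),
}


def run(ports):
    """Check the post's topology: ESXi on g11, pfSense on g1."""
    return check_vlan_path(PF_VLAN_TAGS, ports, PORT_GROUPS, esxi_port="g11", pfsense_port="g1")


if __name__ == "__main__":
    for label, ports in (("ok", PORTS_OK), ("missed step 3", PORTS_MISSED_STEP3), ("missed step 2", PORTS_MISSED_STEP2)):
        print(label, run(ports) or "no findings")
```

The check is deliberately one-directional: it says nothing about whether a VLAN is carried untagged on a port's native VLAN, which is exactly the case the comment at the end of the article warns about, so an empty finding list means the tagged path exists, not that the native VLAN is safe.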

VLAN Configuration Overview

One of the most confusing parts of this process for me was understanding the various port settings in the PowerConnect switch interface. I will summarize what I have learnt (hopefully it is correct) for anyone who may have the same questions as I did.

In general there are 3 different port modes: Access, Trunk and General.

Access:

This is the default mode for all ports on this switch. Frames that enter access ports are untagged. The switch adds the port's VLAN tag to received frames and removes tags from transmitted frames. Access ports can be associated with only 1 VLAN; by default they are assigned the default VLAN (vlan1). Typically used when connecting VLAN-unaware devices to a switch.

Trunk:

In this mode frames are transmitted tagged and, in general, all received traffic must be tagged; the exception is untagged traffic on the native VLAN (vlan1), which the port also accepts. This mode is most often used when connecting 2 VLAN-aware devices together.

General:

This mode combines Access and Trunk: with general mode you can specify any native VLAN and you can have multiple untagged VLANs.
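The three modes are easier to reason about at the frame level, so here is an added example (my own code, written for this post rather than taken from it or from Dell's documentation) that parses and builds 802.1Q tags and emulates what the switch does on ingress and egress for the access and trunk ports from section 2. Ports g1 and g11 are the post's trunks; g5, the MAC addresses and the payload are constructed, and one policy choice is mine: a frame arriving with more than one tag is refused at ingress and reported by has_nested_tags, which is stricter than a real switch and is there so the check is visible.

```python
import struct

TPID_8021Q = 0x8100   # EtherType value announcing that an 802.1Q tag follows


def parse_frame(frame):
    """Peel every 802.1Q tag off an Ethernet frame.
    Returns (dst, src, vids, ethertype, payload); vids is [] for an untagged frame."""
    dst, src = frame[:6], frame[6:12]
    off, vids = 12, []
    while struct.unpack_from("!H", frame, off)[0] == TPID_8021Q:
        tci = struct.unpack_from("!H", frame, off + 2)[0]
        vids.append(tci & 0x0FFF)        # low 12 bits: VLAN ID (upper 3: priority, 1: DEI)
        off += 4
    ethertype = struct.unpack_from("!H", frame, off)[0]
    return dst, src, vids, ethertype, frame[off + 2:]


def build_frame(dst, src, ethertype, payload, vids=()):
    """Assemble a frame, inserting one priority-0 802.1Q tag per VLAN ID in `vids`."""
    hdr = dst + src
    for vid in vids:
        hdr += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)
    return hdr + struct.pack("!H", ethertype) + payload


def has_nested_tags(frame):
    """Defender's check: a frame carrying more than one 802.1Q tag is not something a
    host or VM on these ports should ever emit, so it is worth alerting on at a span port."""
    return len(parse_frame(frame)[2]) > 1


def ingress_vlan(port, frame):
    """Classify a frame arriving on `port` into a VLAN ID, or None if the port refuses it.
    Port dict: {"mode": access|trunk|general, "pvid": untagged/native VLAN, "tagged": set}."""
    vids = parse_frame(frame)[2]
    if not vids:
        return port["pvid"]                 # untagged: access PVID, or trunk/general native VLAN
    if port["mode"] == "access" or has_nested_tags(frame):
        return None                         # access takes untagged only; nested tags refused (policy of this emulation)
    return vids[0] if vids[0] in port["tagged"] else None


def egress_frame(port, vlan, frame):
    """Rewrite a frame already classified into `vlan` for transmission out of `port`:
    untagged on the port's PVID/native VLAN, tagged on a tagged member VLAN, None otherwise."""
    dst, src, _, ethertype, payload = parse_frame(frame)
    if vlan == port["pvid"]:
        return build_frame(dst, src, ethertype, payload)
    if port["mode"] != "access" and vlan in port["tagged"]:
        return build_frame(dst, src, ethertype, payload, [vlan])
    return None


def switch(in_port, out_port, frame):
    """Ingress classification followed by egress rewrite; None means the frame is not forwarded."""
    vlan = ingress_vlan(in_port, frame)
    return None if vlan is None else egress_frame(out_port, vlan, frame)


# Constructed ports mirroring section 2; g5 is an assumed access port for a VLAN-unaware host.
PORTS = {
    "g1": {"mode": "trunk", "pvid": 1, "tagged": {100, 200}},    # to pfSense re1
    "g11": {"mode": "trunk", "pvid": 1, "tagged": {100, 200}},   # to ESXi vmnic0
    "g5": {"mode": "access", "pvid": 100, "tagged": set()},
}

# Constructed sample MAC addresses and payload.
HOST = bytes.fromhex("020000000005")
PF = bytes.fromhex("020000000001")
IPV4 = 0x0800
PAYLOAD = b"constructed payload"


def demo():
    """Return the VLAN IDs seen on the wire (or None for a drop) for a few representative paths."""
    untagged = build_frame(PF, HOST, IPV4, PAYLOAD)
    tagged200 = build_frame(PF, HOST, IPV4, PAYLOAD, [200])
    return {
        "access g5 -> trunk g1": parse_frame(switch(PORTS["g5"], PORTS["g1"], untagged))[2],
        "trunk g11 -> trunk g1 (vlan 200)": parse_frame(switch(PORTS["g11"], PORTS["g1"], tagged200))[2],
        "trunk g11 -> access g5 (vlan 200)": switch(PORTS["g11"], PORTS["g5"], tagged200),
        "native untagged g11 -> g1": parse_frame(switch(PORTS["g11"], PORTS["g1"], untagged))[2],
    }


if __name__ == "__main__":
    for path, result in demo().items():
        print(f"{path}: {result}")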

One thought on “VLANs pfSense and ESXi”

  1. In general you never want to send an untagged VLAN down a trunk — it’s bad security practice. Someone with malicious intent on the trunk side could craft a packet to escape their VLAN and start moving around the network. In general, if possible, I always set the native VLAN to 999 and then disallow it on the trunk. That means no untagged traffic will flow down the link, and thus mitigates the possibility of escaping the tagged network.

    http://en.wikipedia.org/wiki/VLAN_hopping
