I have a pfsense (version 1.2.3) server PC, mainly for loadbalancing purposes because of internet-pricing issues. It runs without problems. However, I’ve run out of PCI ports on the pfsense PC, but need more WANs. I assume utilizing VLANs is the next step. For this I’ve acquired a Mikrotik RouterBoard RB750.
The process of creating VLANs in pfsense looks pretty straightforward, but I’ve been trying all sorts of configs and reading hundreds of forums, and for the life of me, I cannot get it to work. Most people that use VLANs this way have done so with a Netgear smart switch (port-trunking), but I’m almost sure that the RouterBoard (5 ethernet ports) should be sufficient.
Has anyone ever set this up with a Mikrotik RB? Ideas?
In the Mikrotik, create all of the VLANs that you want. After the VLANs are created, bridge one VLAN with a different physical port. So the config will look something like this:
Assuming that I understood you correctly, I created 4 VLANs (attached to port5). Then I created 4 bridges (RSTP), each with 2 ports: 1 VLAN + 1 physical ethernet port.
I can’t ping from/to port 5 from/to any other port (hooked up 2 laptops for config). Even added IP addresses (in the same range as the laptops) to bridge, VLAN, port5 and ethernet port.
When creating the virtual interfaces, whether it be a bridge or a VLAN in Mikrotik, it treats each one as its own separate physical interface. Unless the traffic is tagged for the right VLAN going into ether5, it will not reach any of the other ports because they are not on the same bridge. Also, any traffic coming in on say ether1 will leave ether5 with that VLAN tag, so if something cannot read that tag, it will not “see” the traffic. Also, anything coming in with a VLAN tag of 10 will leave ether1 without a tag.
Do you have the switch chip turned off on the 750? I’ve never used that model, but I believe that will bind ports 2-5 together, which is something you don’t want it to do with this configuration.
Edit: RSTP is enabled to prevent it from making loops on the network/within itself, so that it can pass traffic normally.
Not quite there yet...
First of all, if I watch the virtual interface in pfsense I get a small amount of outgoing data (max: 100kb on a 512kb line), and no incoming, while the actual WAN interface it is linked to does show normal incoming and outgoing traffic (in pfsense). Note that the actual interface isn’t in the loadbalancing table. Somehow it seems to let data through, but the data visible is all wrong.
One more fact is that in the RB750 (no visible switch-chip btw), having the VLAN and the ethernet port on a bridge without port5 (pfsense) is not working. When I add port5 to the bridge, I get the above-mentioned situation.
So I have to have VLAN10 + Ethernet1 + Ethernet5 on the same bridge, which doesn’t sound right according to what you described to me.
Should there be tags coming from the ADSL modem as well?
If you are hooking a laptop directly to Ether5, you are not going to be able to ping the other devices because the traffic from the laptop is not being tagged.
Try plugging ether5 into your firewall, and try pinging from the firewall. If the routing in your firewall is set up correctly, the firewall should tag the traffic for the VLAN of the device and you should get a reply.
If this doesn’t work, are you doing DHCP, and are the networks associated with the VLANs on your firewall?
On port 5 of the Mikrotik I have the pfsense firewall, in which I’ve configured vlan10.
On port 1 of the Mikrotik is an ADSL modem. Not using DHCP, but added IP addresses to port5, port1, VLAN and bridge in the same range as vlan10 and the modem.
Run Torch on ether5 and have VLANs selected so it will display them. Then try having your pfsense box ping out or pass traffic; this way you will be able to see if any tagged traffic is coming into the box. On the 750, I’m not sure if the switch chip is something you have to physically disable or if it can be done from the software.
Also, do not have ether5 part of the bridge, just the VLAN and the other ethernet port you want it tied to. By having the physical port the VLAN is on tied to the bridge, you break it; this is a Linux router, not a switch, and the way they handle VLANs is completely different. You do not need to assign IPs to the bridge or any other interface; a bridge is just that, it will forward the traffic on through the interfaces. It’s not doing any routing at that point, so it doesn’t require any IP addresses.
Another thing you can try is to set up the pfsense box with a VLAN and an IP on that VLAN, then have the corresponding VLAN on the Mikrotik on one of the interfaces and assign an IP within the same range. Then see if they can ping each other.
Torch watches all incoming traffic on an interface, and you can filter it down based off of Source IP, Destination IP, Port, Protocol, or VLAN. One of the most handy tools as it will tell you how traffic is flowing on through a Mikrotik.
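The layout the reply above describes, written out as an added RouterOS CLI example (not from the thread or from Mikrotik's docs; RB750-era RouterOS syntax, the interface names, the four-WAN layout and the torch filter are assumptions). The point to check is that ether5 carries only tagged sub-interfaces and never appears as a bridge port itself, so each modem's untagged traffic stays confined to its own bridge.

```routeros
# Added example (assumed RB750-era RouterOS v4/v5 syntax), not from the thread.
# Assumed topology: ether5 = trunk to pfSense (tagged frames only),
#                   ether1..ether4 = one ADSL modem each.

# Make sure no port is slaved to another through the switch chip,
# so every port behaves as an independent interface.
/interface ethernet
set ether2 master-port=none
set ether3 master-port=none
set ether4 master-port=none
set ether5 master-port=none

# One VLAN per WAN; all of them are children of the trunk port ether5.
/interface vlan
add name=vlan10 vlan-id=10 interface=ether5
add name=vlan20 vlan-id=20 interface=ether5
add name=vlan30 vlan-id=30 interface=ether5
add name=vlan40 vlan-id=40 interface=ether5

# One bridge per WAN, RSTP on to stop accidental loops.
/interface bridge
add name=br-wan1 protocol-mode=rstp
add name=br-wan2 protocol-mode=rstp
add name=br-wan3 protocol-mode=rstp
add name=br-wan4 protocol-mode=rstp

# Each bridge holds exactly two ports: the VLAN and the modem port.
# ether5 itself is deliberately NOT a bridge port anywhere.
/interface bridge port
add bridge=br-wan1 interface=vlan10
add bridge=br-wan1 interface=ether1
add bridge=br-wan2 interface=vlan20
add bridge=br-wan2 interface=ether2
add bridge=br-wan3 interface=vlan30
add bridge=br-wan3 interface=ether3
add bridge=br-wan4 interface=vlan40
add bridge=br-wan4 interface=ether4

# No IP addresses are needed on the bridges or ports for pure L2 forwarding.
# Check: ether5 must not show up in this list, and each bridge has two ports.
/interface bridge port print

# Watch the trunk while pfSense pings through vlan10; tagged frames should
# appear with their VLAN id (vlan-id filter assumed to exist on this version).
/tool torch interface=ether5 vlan-id=any
```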
Don’t know what I did wrong or right, but after switching vlan10 around between the pfsense NICs (thought that maybe the NICs on pfsense were a problem), while torching port5 on the RB (while it was “again” on the bridge) I suddenly saw traffic on vlan10, so I quickly removed port5 from the bridge and voilà! It worked for about 20 minutes, in which bandwidth flowed freely between vlan10 on the RB and vlan10 on pfsense, then out of the blue it just quit again. Zero traffic.
This time it worked a little longer, about 25 min, and then all traffic ceased on the VLAN and its master interface. One thing I noticed is that the master interface in pfsense showed exactly the same bandwidth pattern as the vlan10 that is attached to it. The whole thing worked perfectly while it did... and then it stopped.