VLAN Use on Home UTM

Greetings Folks,

  I recently delved into adding two layer-2 switches to my home network, getting rid of my un-managed units.  I am trying to set up separate VLANs for private vs guest networks.  

  Can the UTM handle multiple VLANs on one physical NIC?  

  I modified my Internal interface to be of type "Ethernet VLAN" and set the VLAN to 1 for initial setup.  I then added two additional interfaces on that same NIC of type "Ethernet VLAN".  I set up Private on VLAN 10 and Public on VLAN 20, 192.168.10.1/24 and 192.168.20.1/24 respectively.

  In essence all on eth0, I have:

VLAN 1  -  192.168.254.1/24

VLAN 10  -  192.168.10.1/24

VLAN 20  -  192.168.20.1/24

  My layer-2 switch is connected to the UTM on port 1, and set as a trunk port allowing VLAN 1,10,20 to it.

  When I add ports to VLAN 10 or 20, I am getting a fair amount of packet-loss when pinging those Interfaces from machines plugged into these tagged ports.  I have tried to set the PVID of the switchport to the matching VLAN and that isn't helping the problem either.

  So in addition to the initial question above, I'm trying to diagnose if this is a misconfiguration of my switch, or if I am setting up the UTM incorrectly.

  Any thoughts or comments would be greatly appreciated! :)



  • To add some additional notes to my issue...

    I have the three interfaces set up now, and working! :) Management "Ethernet", guest "vlan 10", private "vlan 20"
    DHCP is working for the two VLANs and I have both of my switches and their ports configured correctly for all.

    To address the packet loss problem I referenced before.. I found out that this was due to a misconfiguration on my part with regard to my Unifi APs. The management network "VLAN 20" needed to be an UNTAGGED port, with the PVID set to 20. Then I needed to add it to VLAN 10 as TAGGED.

    That threw me off for a while, and apparently with the wireless network set for VLAN 20, and the port tagged, the APs more or less caused what I can only presume was a glorified broadcast storm that was crippling the switches. As soon as I ran to both switches and unplugged the APs, the network calmed down and there was no more packet loss.

    The last thing I wanted to inquire about was what the best way would be to restrict access from one VLAN to another. Currently I have a firewall rule at the top that DROPS all traffic from Guest (vlan 10) to private (vlan 20). So while I cannot access resources (http, ssh, cifs) from guest to private, I still can ping devices on VLAN 20 from VLAN 10...

    Is there something I am missing to disallow pings from one VLAN to another? Didn't know if anyone has thoughts on this.

    Also, I would very much like to thank Ian and Jaime for their comments and help, they helped me get my head straight to get the configs working. :)
  • Hi Mike, would you be able to take a look at your DHCP log on UTM and check if you're seeing the same symptoms as me? My log is below.

    You can see how the DHCP request comes in on 2 interfaces, the physical and the VLAN, and they both respond.

    2015:12:04-10:03:55 host dhcpd: DHCPDISCOVER from 34:12:98:XX:XX:XX via eth0
    2015:12:04-10:03:55 host dhcpd: DHCPOFFER on 192.168.1.123 to 34:12:98:XX:XX:XX via eth0
    2015:12:04-10:03:55 host dhcpd: DHCPDISCOVER from 34:12:98:XX:XX:XX via eth0.99
    2015:12:04-10:03:56 host dhcpd: DHCPOFFER on 192.168.99.100 to 34:12:98:XX:XX:XX (phone) via eth0.99
    2015:12:04-10:03:57 host dhcpd: DHCPREQUEST for 192.168.99.100 (192.168.99.1) from 34:12:98:XX:XX:XX (phone) via eth0: wrong network.
    2015:12:04-10:03:57 host dhcpd: DHCPNAK on 192.168.99.100 to 34:12:98:XX:XX:XX via eth0
    2015:12:04-10:03:57 host dhcpd: DHCPREQUEST for 192.168.99.100 (192.168.99.1) from 34:12:98:XX:XX:XX (phone) via eth0.99
    2015:12:04-10:03:57 host dhcpd: DHCPACK on 192.168.99.100 to 34:12:98:XX:XX:XX (phone) via eth0.99
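
The check dmitripr asks Mike to do by eye (does the same client get offers from both the physical interface and the VLAN sub-interface, and then a "wrong network" NAK?) can be automated over a dhcpd log. The script below is an added example written for this thread, not code from the thread or from Sophos; the log lines embedded in it are constructed to mirror the ones quoted above, plus one healthy client on a tagged VLAN for contrast. The function names and the assumption that every interesting line has the shape `timestamp host dhcpd: MESSAGE ... via IFACE[: note]` are mine.

```python
import re
from collections import defaultdict

# Constructed sample log, modelled on the dhcpd lines quoted in the thread.
# The last two lines are an added, healthy client on a tagged VLAN for contrast.
SAMPLE_LOG = """\
2015:12:04-10:03:55 host dhcpd: DHCPDISCOVER from 34:12:98:XX:XX:XX via eth0
2015:12:04-10:03:55 host dhcpd: DHCPOFFER on 192.168.1.123 to 34:12:98:XX:XX:XX via eth0
2015:12:04-10:03:55 host dhcpd: DHCPDISCOVER from 34:12:98:XX:XX:XX via eth0.99
2015:12:04-10:03:56 host dhcpd: DHCPOFFER on 192.168.99.100 to 34:12:98:XX:XX:XX (phone) via eth0.99
2015:12:04-10:03:57 host dhcpd: DHCPREQUEST for 192.168.99.100 (192.168.99.1) from 34:12:98:XX:XX:XX (phone) via eth0: wrong network.
2015:12:04-10:03:57 host dhcpd: DHCPNAK on 192.168.99.100 to 34:12:98:XX:XX:XX via eth0
2015:12:04-10:03:57 host dhcpd: DHCPREQUEST for 192.168.99.100 (192.168.99.1) from 34:12:98:XX:XX:XX (phone) via eth0.99
2015:12:04-10:03:57 host dhcpd: DHCPACK on 192.168.99.100 to 34:12:98:XX:XX:XX (phone) via eth0.99
2015:12:04-10:05:10 host dhcpd: DHCPDISCOVER from aa:bb:cc:dd:ee:ff via eth0.10
2015:12:04-10:05:10 host dhcpd: DHCPOFFER on 192.168.10.50 to aa:bb:cc:dd:ee:ff via eth0.10
"""

# Assumed line shape: "<ts> <host> dhcpd: DHCPxxx <body> via <iface>[: <note>]"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) dhcpd: (?P<msg>DHCP[A-Z]+) "
    r"(?P<body>.*?) via (?P<iface>[\w.]+)(?::\s*(?P<note>.*))?$"
)
MAC_RE = re.compile(r"\b(?:from|to) (\S+)")          # client MAC follows from/to
IP_RE = re.compile(r"\b(?:on|for) (\d+\.\d+\.\d+\.\d+)")  # offered/requested address


def parse_dhcpd_log(text):
    """Turn dhcpd log lines into dicts; lines that don't match the shape are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        body = m.group("body")
        mac = MAC_RE.search(body)
        ip = IP_RE.search(body)
        events.append({
            "ts": m.group("ts"),
            "msg": m.group("msg"),
            "mac": mac.group(1) if mac else None,
            "ip": ip.group(1) if ip else None,
            "iface": m.group("iface"),
            "note": (m.group("note") or "").rstrip("."),
        })
    return events


def find_dual_interface_offers(events):
    """Map MAC -> sorted interfaces for clients offered a lease on more than one interface."""
    offers = defaultdict(set)
    for e in events:
        if e["msg"] == "DHCPOFFER" and e["mac"]:
            offers[e["mac"]].add(e["iface"])
    return {mac: sorted(ifs) for mac, ifs in offers.items() if len(ifs) > 1}


def shares_parent(ifaces):
    """True if one interface is the untagged parent of another (eth0 vs eth0.99)."""
    names = set(ifaces)
    return any(i.split(".", 1)[0] in names for i in names if "." in i)


def wrong_network_requests(events):
    """(mac, iface, requested ip) for DHCPREQUESTs dhcpd rejected as 'wrong network'."""
    return [(e["mac"], e["iface"], e["ip"])
            for e in events
            if e["msg"] == "DHCPREQUEST" and "wrong network" in e["note"]]


def diagnose(text):
    """Human-readable findings for the two symptoms described in the thread."""
    events = parse_dhcpd_log(text)
    findings = []
    for mac, ifaces in find_dual_interface_offers(events).items():
        kind = ("untagged parent and its VLAN sub-interface" if shares_parent(ifaces)
                else "multiple interfaces")
        findings.append(f"{mac}: offered leases on {kind}: {', '.join(ifaces)}")
    for mac, iface, ip in wrong_network_requests(events):
        findings.append(f"{mac}: request for {ip} rejected on {iface} (wrong network)")
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_LOG):
        print(finding)
```

Run it against the real file (read the UTM's dhcpd log into `diagnose`) and any client listed under both `eth0` and `eth0.N` is one whose DHCPDISCOVER reached the server untagged as well as tagged, which is exactly the symptom the thread goes on to discuss.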

  • dmitripr said:

    You can see how the DHCP request comes in on 2 interfaces, the physical and the VLAN, and they both respond.

    I tried this configuration and had the same problem.

    On the old forum, others stated that they also saw the same issue.  It was suggested that you cannot have DHCP running on the native VLAN (physical interface).  You need to use all tagged VLANs.   I never tried it to confirm.

  • I converted everything to VLAN type of interface on internal physical port, and can confirm that it did solve the problem. Thanks for the inputs!