Modem > asus-wrt > xcp-ng host > pfSense vm firewall

Ok… I’ve been beating my head against a wall the last week trying to set up what should be a fairly simple setup. I have a single NIC on my xcp-ng host, which means the pfSense firewall VM I want to run on it needs to be set up with VLANs and virtual NICs.

Should be simple, right? I have a 4+1 port router running asus-wrt that I’m trying to set up with the necessary VLANs. Right now, I’m trying to put the pfSense VM between the modem and asus-wrt using only VLANs.

What’s the simplest way to set up this kind of system?

I don’t know anything about the asus-wrt modem, but by your description it sounds like it’s a VLAN-compatible router.

You need to define all the VLANs on Asus and within XCP-NG. Tom just made a video on how to do this, and this page is a reference for defining VLANs within xcp-ng: https://github.com/xcp-ng/xcp/wiki/VLAN-Trunking-in-a-VM. If pfSense is virtualized within xcp-ng, then each VLAN is going to be presented to pfSense as a network adapter. You would configure each adapter as if it were its own separate network with a DHCP server and DNS resolver. (You don’t define the VLANs within pfSense when it is virtualized within xcp-ng – see Tom’s video if you don’t understand what this means.)

Everything should work as long as all the tags are defined on the router and xcp-ng host. If you have any switches in the mix, you’d have to define the VLANs on the switches as well.

At least the Asus routers I have are not VLAN capable via the GUI. In another thread it looks like it might be possible via the CLI.

I can’t believe what you are trying to do has any hope of working; your kit is too limited.

If your asus-wrt is not VLAN capable, then what you want to do won’t work. Inter-VLAN routing requires a router or Level 2 switch. If your Asus router isn’t VLAN capable, you could still virtualize pfSense as you were planning and just have pfSense act as the router for your network. Some people don’t like to virtualize their router since if the xcp-ng host fails/needs updates/etc., it’s going to take your router down during the process. If you are running this as a lab or home setup, however, then I wouldn’t think of this as a major limitation. I’m running a virtualized pfSense installation and it runs quite well. When I upgraded from xcp-ng 8.0 to 8.1 last week, I had to reboot the system and I lost internet services for about 5 minutes during the installation and reboot process. Honestly not too big of a deal.

The asuswrt router is VLAN capable. Here is the output of robocfg from asuswrt.

https://pastebin.com/raw/JUPXz5az

This is the output of iptables-save: https://pastebin.com/raw/nK8vTq0p

What I’m confused about is what the robocfg output should look like in order to trunk the necessary VLANs over port 4.

I can only put 2 links in a post. So, I’m going to repost right after this with the other links…

This is what I see in the pfSense VM: https://i.imgur.com/PdZPnWj.jpg
…where vlan15 is intended to be WAN and vlan4 is intended to be LAN to pfSense.

How do I get the router to send its WAN to vlan 15 for pfSense and to accept pfSense’s LAN (on vlan4) as LAN for asuswrt?

If it helps, this is a sketch I drew of the intended set up (vlan numbers are changed): https://i.imgur.com/WJNNpwp.jpg

Drawing looks good. Is port 4 on your ASUS a trunk port? Are all the port groups (virtual VLANs) assigned to the same virtual switch? Is your physical port assigned to the same virtual switch?

Port 4 is intended to be a trunk port, yes.

As for the other questions, I don’t know how to tell based on the output of robocfg: https://pastebin.com/raw/JUPXz5az

I’m assuming that I have to change the last output to:
1: vlan1: 1 2 3 5 8t
2: vlan2:
3: vlan4: 4t 8t
4: vlan15: 0 4t 8t

does this look right?

Shot in the dark here - since I have no idea.

I’m assuming the “t” designation is for tagging.
So, for example:
vlan1 will be untagged on ports 1, 2, 3, 5 but tagged on port 8
vlan4 will be tagged on ports 4, 8
vlan15: not tagged on port 0 but tagged on ports 4/8.

So if your port 4 is your trunk port, you’re passing tagged vlan4 and vlan15. Do you not want to pass vlan1 untagged on this port?

You need port 4 to allow VLANs 100 and 500 based on your drawing.

This was my thinking. Something that confuses me is the first lines that start with Port # in the robocfg output.

The reason is that each port appears to carry only a single VLAN. So, then, what is the map at the bottom doing?

When I look at this output, I only see two VLANs configured, VLAN 1 and 2. Based on the drawing, I see 100 and 500 also referenced. Also, port 4 is down. As far as trunking, it looks like port 8 is configured for that since it is the only port listed under both VLANs and has a “t” next to it. Probably stands for trunking.

Switch: enabled
Port 0: 1000FD enabled stp: none vlan: 2 jumbo: off mac: 00:01:5c:96:b8:46
Port 1: 1000FD enabled stp: none vlan: 1 jumbo: off mac: c8:f7:50:af:f7:11
Port 2: DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
Port 3: 100FD enabled stp: none vlan: 1 jumbo: off mac: 9c:20:7b:e3:9a:98
Port 4: DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
Port 5: 1000FD enabled stp: none vlan: 1 jumbo: off mac: 14:dd:a9:ca:48:b4
Port 7: 1000FD enabled stp: none vlan: 1 jumbo: off mac: 14:dd:a9:ca:48:b0
Port 8: 1000FD enabled stp: none vlan: 1 jumbo: off mac: 14:dd:a9:ca:48:b0
VLANs: BCM5301x enabled mac_check mac_hash
1: vlan1: 1 2 3 5 8t
2: vlan2: 0 8t