Modem > asus-wrt > xcp-ng host > pfSense vm firewall

Ok… I’ve been beating my head against a wall the last week trying to set up what should be a fairly simple setup. I have a single NIC on my xcp-ng host, which means the pfSense firewall vm I want to run on it needs to be set up with vlans and virtual NIC’s.

Should be simple, right? I have an 4+1 port router running asus-wrt that I’m trying to set up with the necessary vlans. Right now, I’m trying to put the pfsense vm between the modem and asus-wrt using only vlans.

What’s the simplest way to set up this kind of system?

I don’t know anything about the asus-wrt modem but by your description it sounds like its a VLAN compatible router.

You need to define all the VLANs on Asus and within XCP-NG. Tom just made a video on how to do this and this page is a reference for defining VLANs within xcp-ng: If pfsense is virtualized within xcp-ng, then each VLAN is going to be presented to pfSense as a network adapter. You would configure each adapter as if it were it’s own separate network with a dhcp server and dns resolver. (You don’t define the VLANs within pfsense which is virtualized within xcp-ng – see Tom’s video if you don’t understand what this means).

Everything should work as long as all the tags are defined on the rounter and xcp-ng host. If you have any switches in the mix you’d have to define the VLANs on the switches as well.

At least the Asus routers I have are not vLan capable via the GUI. In another thread it looks like it might be possible via the CLI.

I can’t believe what you are trying to do has any hope of working, your kit is too limited.

Is your asus-wrt is not VLAN capable then what you want to do wont work. Intervlan routing requires a router or Level2 switch. If you Asus router isn’t VLAN capable, you could still virtualize pfsense as you were planning and just have pfsense act as the router for your network. Some people don’t like to virtualize their router since if the xcp-host fails/needs updates/etc its going to take your router down during the process. If you are running this as a lab or home setup however, then I wouldn’t think of this a major limitation. I’m running a virtualized pfsense installation and it runs quite well. When I upgraded from xcp-ng 8.0 to 8.1 last week, I had to reboot the system and I lost internet services for about 5 minutes during the installation and reboot process. Honestly not too big of deal.

The asuswrt router is vlan capable. Here is the output of robocfg from asuswrt.

This is the output of iptables-save:

Where I’m confused about is what the robocfg output should look like in order to trunk the necessary vlan’s over port 4.

I can only put 2 links in a post. So, I’m going to repost right after this with the other links…

This is what I see in the pfSense VM:
…where vlan15 is intended to be WAN and vlan4 is intended to be LAN to pfSense.

How do I get the router to send its WAN to vlan 15 for pfSense and to accept pfSense’s LAN (on vlan4) as LAN for asuswrt?

If it helps, this is a sketch I drew of the intended set up (vlan numbers are changed):

Drawing looks good. Is port 4 on your ASUS a trunk port? Are all the port-groups (virtual VLANs) assign on the same virtual switch? Is your physical port assigned to the same virtual switch?

Port 4 is intended to be a trunk port, yes.

As for the other questions, I don’t know how to tell based on the output of robocfg:

I’m assuming that I have to change the last output to:
1: vlan1: 1 2 3 5 8t
2: vlan2:
3: vlan4: 4t 8t
4: vlan15: 0 4t 8t

does this look right?

Shot in the dark here - since I have no idea.

I’m assuming the “t” designation is for tagging
So for example
vlan1 will be untagged on ports 1,2,3,5 but tagged on port 8
vlan4 will be taggged on ports 4,8
vlan15: not tagged on port 0 but tagged on ports 4/8.

So if your port 4 is your trunk port - your passing tagged vlan4 and vlan15. Do you not want to pass vlan1 untagged on this port?

You need port 4 to allow VLANs 100 and 500 based on your drawing.

This was my thinking. Something that confuses me are the first lines that start with Port # in the robocfg output.

The reason is each port appears to carry only a single vlan. So, then what is the map at the bottom doing?

When I look at this output, I only see two vlans configured, VLAN 1 and 2. Based on the drawing I see 100 and 500 also referenced. Also, port 4 is down. As far as trunking, it looks it port 8 is configured for that since it is the only port listed under both VLANS and as a “t” next to it. Probably stands for trunking.

Switch: enabled
Port 0: 1000FD enabled stp: none vlan: 2 jumbo: off mac: 00:01:5c:96:b8:46
Port 1: 1000FD enabled stp: none vlan: 1 jumbo: off mac: c8:f7:50:af:f7:11
Port 2: DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
Port 3: 100FD enabled stp: none vlan: 1 jumbo: off mac: 9c:20:7b:e3:9a:98
Port 4: DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
Port 5: 1000FD enabled stp: none vlan: 1 jumbo: off mac: 14:dd:a9:ca:48:b4
Port 7: 1000FD enabled stp: none vlan: 1 jumbo: off mac: 14:dd:a9:ca:48:b0
Port 8: 1000FD enabled stp: none vlan: 1 jumbo: off mac: 14:dd:a9:ca:48:b0
VLANs: BCM5301x enabled mac_check mac_hash
1: vlan1: 1 2 3 5 8t
2: vlan2: 0 8t