VLANs, UniFi, FreeNAS and ESXi in homelab

Networking & Firewalls
1

After reading a bunch on VLANs and networking and supposing I understood something (apparently I was wrong) I am attemping to set up the (for now) basic system:

  • VLAN10 → management network on 10.1.1.1/24
  • VLAN100 → servers network on 10.0.10.1/24.

ESXi ìis running a FreeNAS VM and I want to expose the web interface on the management on VLAN10 and the storage services (for now SMB) on VLAN100.

The Network is run by an USG 3P and UniFi 24ports PoE+ managed switch.

The VLANs are configured as follows on the router:
link

The switch port that is connected to the server is set to pass all vlans and networks, and the ESXi port group is using the 4095 VLAN ID to forward all VLANs.

699×332 16.6 KB

With default FreeNAS settings I am able to access the FreeNAS box on the LAN network (10.0.1.1/24) for initial setup, and I can successfully add in the FreeNAS network interfaces the VLANs (with em0 as parent) for VLAN100 and VLAN10.

Then, if I change the port profile on the UniFi switch from “All” to the following profile I lose all access, until I reset the configuration on the FreeNAS from the CLI.

link

Next up, I tried to first set the switch port profile and then run the configuration, which connects the FreeNAS server on the 10.1.1.1/24 subnet (on the VLAN10 but showing as LAN on the freenas, as its the “native” VLAN) but not on the 10.0.10.60 ip address I set up on the VLAN100.

If then I try to invert in the setting the interface that uses the DHCP (In FreeNAS it can only be one) the only interface that works is the one with the DHCP connected.

On the other hand, if I allow “all” profile on the switch port I can access everything (but firewall rules blocking inter VLAN connectivity dont work).

Currently there are no firewall rules preventing inter vlan traffic, and all are set up as corporate, which should allow traffic by default, and a traceroute from my workstation to the non working interface stops at the gateway.

Do you have any suggestions or am I going at thist the wrong way?

2

Can you post a pic of the ACLs on your router please?

3

Hi, what do you mean by ACL?

I have all inter VLAN traffic enabled, and I can reach the server on both VLANs (not at the same time) as long as they are the one on the interface set as DHCP.

I even tried creating two port groups in ESXi, one with the VLAN100 and the other with VLAN10 and adding a second NIC to the VM. The IPs are assigned on the correct subnets but I can reach only one from my workstation.

4

Hello welcome to the pro world of network. :wink:

I would sugged to setup the vlan 10 and vlan100 so that the thid occted matches the vlan id. This makes it easy to keep track of ip to vlan assignment ;).

Nerver the lesse. What you need to do:

  • Make the USG Port Carry one or both VLAN as Tagged.
  • Make the Switchport the ESXi and the USG is attech to transport all vlan or better specifily make a port profile in the unifi controller and assgin the vlan as native and tagged there. This profile you bind to the esxi port and the usg.
  • Then on the ESXi you create two portgroups with the vlan IDs that you choose. (10 and 100 from your description).
  • You create two virtual nics at the freenas and assign each one to the portgroup.
  • In freenas you need to specify which nic to use for management and the other nix for the service like smb.

that are be basics.

After that you should check if you host on managment can ping the server on vlan 10 with it’s ip. Make shoure it only has this connection. Later connect vlan 100 to the host if this is working.

Also you need to make shure the usg is not blocking the traffic. I would sugged get rid of the usg and get a edgerouter x.

5

Look at the setup for option 3 and implement that ACL (access control list) or firewall rule. Sorry, I’m used to the Cisco terms :slight_smile:

https://help.ui.com/hc/en-us/articles/115010254227-UniFi-USG-Firewall-How-to-Disable-InterVLAN-Routing

6

Thanks for the reply. I have done all the steps you posted, but still I can get only one interface to work at a time. I even tried using a new ubuntu VM and connecting two interfaces on the two port groups (obviously since the vlan tagging is managed in the virtual switch the OS is not aware) but I can only ping (or trace route) an interface at a time, alternatively. I have no firewall issues as with no modification to the rules both interfaces work.

I really have no more clues.

7

Thanks. The firewall rules are all set to allow every vlan and the LAN to talk to each other. But still I can only get one interface to work at a time. If one works the other doesn’t.