01-09-2024 03:55 PM
I am a networking novice and trying to set up a router on a stick but unable to get it to work. I want pfSense to handle all the routing. Here is my simple configuration:
ISP---pfsense---cisco 3650 switch (IOS version 16.12 with ipbase services)
pfSense is a VM on a computer with a two-port NIC. One port is connected to the WAN interface. The other port is connected to the LAN interface. The LAN port on pfSense is wired to port 24 on the switch. LAN is assigned 192.168.1.1/24 and DHCP is enabled. Now, when I connect a host to any port on the switch everything works great... DHCP on the pfSense LAN interface automatically assigns an IP address and I am able to access the internet.
Then I created VLAN10 on the LAN interface in pfSense with address 192.168.10.1/24 and enabled DHCP. I also created a firewall rule in pfSense to allow all traffic.
On the switch I configured the following:
interface GigabitEthernet1/0/21
switchport access vlan 10
switchport mode access
interface GigabitEthernet1/0/24
switchport mode trunk
interface Vlan1
ip address 192.168.1.22 255.255.255.0
!
interface Vlan10
ip address 192.168.10.2 255.255.255.0
ip helper-address 192.168.10.1
!
ip default-gateway 192.168.1.1
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
Now, if I connect my host to port 21 (which is for vlan10) there is no DHCP, no internet.
Please help. I appreciate any comments/suggestions with specific commands I can use to help fix the issue.
01-10-2024 02:23 PM
You have your pfSense in a VM. If you configured pfSense to handle VLAN tagging, as most people do, you need to make sure that your hypervisor passes VLAN tags between pfSense and the switch. There isn't much to do on the switch side except for setting up a trunk port.
01-09-2024 05:39 PM - edited 01-09-2024 05:39 PM
If the pfSense FW is acting as router on a stick, you do not need any configuration on the switch.
You already have a trunk configuration which allows all the VLANs on that trunk (I am hoping that this interface is connected to pfSense - interface GigabitEthernet1/0/24).
On the switch just create VLAN 10:
config t
vlan 10
end
and add that access port to VLAN 10 - which you did already (interface GigabitEthernet1/0/21).
Remove the configuration below from the switch; it's not needed (if the switch is acting as layer 2):
no interface Vlan10
For the rest, follow the configuration on pfSense as the video below guides you:
01-10-2024 12:47 PM
Hi Balaji - Thanks for your comments. I followed your instructions to reconfigure the switch... but no luck getting it to work. The host connected to port 21 still does not get an IP assignment and no internet.
I also tried deleting all the config on the switch, deleted vlan.dat and reloaded the switch to start with a clean slate. I then created the trunk port (24), created vlan 10 as you suggested, and assigned port 21 to vlan10. Still the same result: the host connected to port 21 does not get an IP assignment and no internet.
I have another computer connected to another port on the switch, which is on the default vlan 1, and everything works fine on that computer. From this computer I am also able to ping 192.168.10.1, which is the vlan 10 interface on pfSense.
01-10-2024 04:59 PM
As per the code, the default should be dot1q on the switch side.
interface GigabitEthernet1/0/24
switchport mode trunk
switchport trunk encapsulation dot1q
Can you post the information below from the switch:
show run (removing all passwords)
show interface trunk
show vlan brief
show interface status
show ip interface brief
I have another computer connected to another port on the switch, which is on the default vlan 1, and everything works fine on that computer.
From this computer, are you able to ping the VLAN 10 IP address of pfSense?
192.168.10.1 - Yes, that means the pfSense setup is OK. If not, you need to refer to the video I suggested again and configure,
or check the other video walkthrough below on pfSense configuration.
https://www.youtube.com/watch?v=X6dFu7t6Y58
Note: depending on which pfSense version you are using, some pfSense versions do not work with VLAN 1,
so move to VLANs like 10 and 20 on pfSense, with the same configuration on the switch side as well, and see if that makes any difference.
01-11-2024 06:56 AM
Hi Balaji - Here are my responses (IN CAPS) to your questions:
- Q:From this computer are you able to ping vlan 10 IP address of pfsense ? YES.
- Q:PFsense does not work vlan 1---AGREED. I HAVE ONLY SET UP VLAN10 ON PFSENSE AND THE SWITCH. THERE IS NO OTHER VLAN.
Switch#show interface trunk
Port Mode Encapsulation Status Native vlan
Gi1/0/24 on 802.1q trunking 1
Port Vlans allowed on trunk
Gi1/0/24 1-4094
Port Vlans allowed and active in management domain
Gi1/0/24 1,10
Port Vlans in spanning tree forwarding state and not pruned
Gi1/0/24 1,10
Switch#show vlan brief
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Gi1/0/1, Gi1/0/2, Gi1/0/3
Gi1/0/4, Gi1/0/5, Gi1/0/6
Gi1/0/7, Gi1/0/8, Gi1/0/9
Gi1/0/10, Gi1/0/11, Gi1/0/12
Gi1/0/13, Gi1/0/14, Gi1/0/15
Gi1/0/16, Gi1/0/17, Gi1/0/18
Gi1/0/19, Gi1/0/20, Gi1/0/22
Gi1/0/23, Gi1/1/1, Gi1/1/2
Gi1/1/3, Gi1/1/4
10 Computers_and_Phones active Gi1/0/21
1002 fddi-default act/unsup
1003 token-ring-default act/unsup
1004 fddinet-default act/unsup
1005 trnet-default act/unsup
Switch# show interface status
Port Name Status Vlan Duplex Speed Type
Gi1/0/1 notconnect 1 auto auto 10/100/1000BaseTX
Gi1/0/2 notconnect 1 auto auto 10/100/1000BaseTX
Gi1/0/3 notconnect 1 auto auto 10/100/1000BaseTX
Gi1/0/4 notconnect 1 auto auto 10/100/1000BaseTX
Gi1/0/5 notconnect 1 auto auto 10/100/1000BaseTX
Gi1/0/6 notconnect 1 auto auto 10/100/1000BaseTX
Gi1/0/7 notconnect 1 auto auto 10/100/1000BaseTX
Gi1/0/8 notconnect 1 auto auto 10/100/1000BaseTX
Gi1/0/9 notconnect 1 auto auto 10/100/1000BaseTX
Gi1/0/10 notconnect 1 auto auto 10/100/1000BaseTX
Gi1/0/11 notconnect 1 auto auto 10/100/1000BaseTX
Port Name Status Vlan Duplex Speed Type
Gi1/0/12 notconnect 1 auto auto 10/100/1000BaseTX
Gi1/0/13 notconnect 1 auto auto 10/100/1000BaseTX
Gi1/0/14 notconnect 1 auto auto 10/100/1000BaseTX
Gi1/0/15 notconnect 1 auto auto 10/100/1000BaseTX
Gi1/0/16 notconnect 1 auto auto 10/100/1000BaseTX
Gi1/0/17 notconnect 1 auto auto 10/100/1000BaseTX
Gi1/0/18 notconnect 1 auto auto 10/100/1000BaseTX
Gi1/0/19 notconnect 1 auto auto 10/100/1000BaseTX
Gi1/0/20 notconnect 1 auto auto 10/100/1000BaseTX
Gi1/0/21 connected 10 a-full a-1000 10/100/1000BaseTX
Gi1/0/22 notconnect 1 auto auto 10/100/1000BaseTX
Gi1/0/23 connected 1 a-full a-1000 10/100/1000BaseTX
Port Name Status Vlan Duplex Speed Type
Gi1/0/24 connected trunk a-full a-1000 10/100/1000BaseTX
Gi1/1/1 notconnect 1 auto auto unknown
Gi1/1/2 notconnect 1 auto auto unknown
Gi1/1/3 notconnect 1 auto auto unknown
Gi1/1/4 notconnect 1 auto auto unknown
Switch#show ip interface brief
Interface IP-Address OK? Method Status Protocol
Vlan1 192.168.1.102 YES DHCP up up
GigabitEthernet0/0 unassigned YES unset down down
GigabitEthernet1/0/1 unassigned YES unset down down
GigabitEthernet1/0/2 unassigned YES unset down down
GigabitEthernet1/0/3 unassigned YES unset down down
GigabitEthernet1/0/4 unassigned YES unset down down
GigabitEthernet1/0/5 unassigned YES unset down down
GigabitEthernet1/0/6 unassigned YES unset down down
GigabitEthernet1/0/7 unassigned YES unset down down
GigabitEthernet1/0/8 unassigned YES unset down down
GigabitEthernet1/0/9 unassigned YES unset down down
GigabitEthernet1/0/10 unassigned YES unset down down
GigabitEthernet1/0/11 unassigned YES unset down down
GigabitEthernet1/0/12 unassigned YES unset down down
GigabitEthernet1/0/13 unassigned YES unset down down
GigabitEthernet1/0/14 unassigned YES unset down down
GigabitEthernet1/0/15 unassigned YES unset down down
GigabitEthernet1/0/16 unassigned YES unset down down
GigabitEthernet1/0/17 unassigned YES unset down down
GigabitEthernet1/0/18 unassigned YES unset down down
GigabitEthernet1/0/19 unassigned YES unset down down
GigabitEthernet1/0/20 unassigned YES unset down down
GigabitEthernet1/0/21 unassigned YES unset up up
GigabitEthernet1/0/22 unassigned YES unset down down
GigabitEthernet1/0/23 unassigned YES unset up up
GigabitEthernet1/0/24 unassigned YES unset up up
GigabitEthernet1/1/1 unassigned YES unset down down
GigabitEthernet1/1/2 unassigned YES unset down down
GigabitEthernet1/1/3 unassigned YES unset down down
GigabitEthernet1/1/4 unassigned YES unset down down
Switch#show run
Building configuration...
Current configuration : 8639 bytes
!
! Last configuration change at 20:44:56 UTC Wed Jan 10 2024
!
version 16.12
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
! Call-home is enabled by Smart-Licensing.
service call-home
platform punt-keepalive disable-kernel-core
platform management port rate-limt-enabled
!
hostname Switch
!
!
vrf definition Mgmt-vrf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
!
no aaa new-model
switch 1 provision ws-c3650-24ps
!
!
!
!
call-home
! If contact email address in call-home is configured as sch-smart-licensing@cisco.com
! the email address configured in Cisco Smart License Portal will be used as contact email address to send SCH notifications.
contact-email-addr sch-smart-licensing@cisco.com
profile "CiscoTAC-1"
active
destination transport-method http
no destination transport-method email
!
!
!
!
!
!
!
!
login on-success log
!
!
!
!
!
no device-tracking logging theft
!
license boot level ipbasek9
!
!
diagnostic bootup level minimal
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
memory free low-watermark processor 79468
!
!
redundancy
mode sso
!
!
!
!
!
transceiver type all
monitoring
!
!
class-map match-any system-cpp-police-topology-control
description Topology control
class-map match-any system-cpp-police-sw-forward
description Sw forwarding, L2 LVX data, LOGGING
class-map match-any system-cpp-default
description EWLC control, EWLC data, Inter FED
class-map match-any system-cpp-police-sys-data
description Learning cache ovfl, High Rate App, Exception, EGR Exception, NFL SAMPLED DATA, RPF Failed
class-map match-any system-cpp-police-punt-webauth
description Punt Webauth
class-map match-any system-cpp-police-l2lvx-control
description L2 LVX control packets
class-map match-any system-cpp-police-forus
description Forus Address resolution and Forus traffic
class-map match-any system-cpp-police-multicast-end-station
description MCAST END STATION
class-map match-any system-cpp-police-multicast
description Transit Traffic and MCAST Data
class-map match-any system-cpp-police-l2-control
description L2 control
class-map match-any system-cpp-police-dot1x-auth
description DOT1X Auth
class-map match-any system-cpp-police-data
description ICMP redirect, ICMP_GEN and BROADCAST
class-map match-any system-cpp-police-stackwise-virt-control
description Stackwise Virtual
class-map match-any non-client-nrt-class
class-map match-any system-cpp-police-routing-control
description Routing control and Low Latency
class-map match-any system-cpp-police-protocol-snooping
description Protocol snooping
class-map match-any system-cpp-police-dhcp-snooping
description DHCP snooping
class-map match-any system-cpp-police-system-critical
description System Critical and Gold Pkt
!
policy-map system-cpp-policy
!
interface GigabitEthernet0/0
vrf forwarding Mgmt-vrf
no ip address
negotiation auto
!
interface GigabitEthernet1/0/1
!
interface GigabitEthernet1/0/2
!
interface GigabitEthernet1/0/3
!
interface GigabitEthernet1/0/4
!
interface GigabitEthernet1/0/5
!
interface GigabitEthernet1/0/6
!
interface GigabitEthernet1/0/7
!
interface GigabitEthernet1/0/8
!
interface GigabitEthernet1/0/9
!
interface GigabitEthernet1/0/10
!
interface GigabitEthernet1/0/11
!
interface GigabitEthernet1/0/12
!
interface GigabitEthernet1/0/13
!
interface GigabitEthernet1/0/14
!
interface GigabitEthernet1/0/15
!
interface GigabitEthernet1/0/16
!
interface GigabitEthernet1/0/17
!
interface GigabitEthernet1/0/18
!
interface GigabitEthernet1/0/19
!
interface GigabitEthernet1/0/20
!
interface GigabitEthernet1/0/21
switchport access vlan 10
switchport mode access
!
interface GigabitEthernet1/0/22
!
interface GigabitEthernet1/0/23
!
interface GigabitEthernet1/0/24
switchport mode trunk
!
interface GigabitEthernet1/1/1
!
interface GigabitEthernet1/1/2
!
interface GigabitEthernet1/1/3
!
interface GigabitEthernet1/1/4
!
interface Vlan1
ip dhcp client client-id ascii cisco-*********
ip address dhcp
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http client source-interface Vlan1
!
!
!
!
!
control-plane
service-policy input system-cpp-policy
!
!
line con 0
stopbits 1
line aux 0
stopbits 1
line vty 0 4
login
line vty 5 15
login
!
!
!
!
!
!
!
end
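The following script is an added example and not something posted in the thread: it parses the 'show interface trunk' output above (copied into the script as a constructed sample) and reports whether the switch side can deliver tagged frames for the VLANs pfSense expects, including the native-VLAN caveat raised elsewhere in this thread. The set of pfSense VLANs passed in is an assumption for illustration.

```python
# Constructed sample: the 'show interface trunk' output posted in the thread.
SHOW_TRUNK = """\
Port Mode Encapsulation Status Native vlan
Gi1/0/24 on 802.1q trunking 1
Port Vlans allowed on trunk
Gi1/0/24 1-4094
Port Vlans allowed and active in management domain
Gi1/0/24 1,10
Port Vlans in spanning tree forwarding state and not pruned
Gi1/0/24 1,10
"""

def expand_vlans(spec):
    # Expand an IOS VLAN list ('1-4094', '1,10', 'none') into a set of ids.
    vlans = set()
    for part in spec.split(","):
        if part.strip().lower() != "none":
            lo, _, hi = part.strip().partition("-")
            vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def parse_show_trunk(text):
    # Return {port: {status, native, allowed, active, forwarding}}.
    ports, column = {}, None
    for line in filter(None, text.splitlines()):
        fields = line.split()
        if fields[0] == "Port":  # table header: which VLAN column follows it?
            column = next((k for k in ("forwarding", "active", "allowed") if k in line), None)
            continue
        if column is None:  # Mode / Encapsulation / Status / Native vlan table
            ports[fields[0]] = {"status": fields[3], "native": int(fields[4])}
        else:
            ports[fields[0]][column] = expand_vlans(fields[1])
    return ports

def trunk_problems(ports, port, pfsense_vlans):
    # Reasons tagged traffic for pfsense_vlans fails on port; [] means the switch side is fine.
    info = ports.get(port)
    if info is None or info["status"] != "trunking":
        return [f"{port} is not trunking"]
    found = []
    for vid in sorted(pfsense_vlans):
        if vid == info["native"]:  # sent untagged; a pfSense VLAN interface expects a tag
            found.append(f"VLAN {vid} is the native VLAN and leaves {port} untagged")
        elif vid not in info["allowed"]:
            found.append(f"VLAN {vid} is not allowed on {port}")
        elif vid not in info["active"]:
            found.append(f"VLAN {vid} is allowed but not created on the switch")
        elif vid not in info["forwarding"]:
            found.append(f"VLAN {vid} is blocked or pruned on {port}")
    return found
```

For the output posted above and pfSense VLAN 10, the checker returns no problems, which is consistent with the thread's conclusion that the remaining fault was on the hypervisor side rather than the switch.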
01-10-2024 01:03 PM
ISP---pfsense---cisco 3650 switch
Only the Cisco device knows the untagged VLAN frame.
Here you configured a trunk between the SW and pfSense and configured two VLANs in pfSense.
The SW sends untagged for VLAN 1 and tagged for VLAN 10 (I assume VLAN 1 is native on this SW).
That makes an issue in pfSense.
You need instead to use any VLAN in pfSense except the native VLAN of the SW.
MHM
01-10-2024 04:33 PM
Hi MHM - I have only one vlan10 configured on pfSense and the switch. You are correct that the switch has native vlan 1. I have not configured vlan 1 in pfSense.
My issue is that when I connect a host to port 21 on the switch, which is configured as an access port tagged to vlan10, I am not getting DHCP or internet.
Apologies if I am not understanding your recommendation.
01-10-2024 08:32 PM - edited 01-11-2024 06:58 AM
If pfSense only needs VLAN 10,
configure the port connected to pfSense as a trunk and allow VLANs 10,1.
This makes sure that pfSense receives the tagged frames.
MHM
01-16-2024 07:25 AM
After weeks of struggling with this I found my solution... As KJK99 suggested, I needed to make sure in my hypervisor (ESXi) that the virtual port VLAN ID was set to 4095 on the LAN network to make it act as a trunk.
Thanks everyone for the help.
01-16-2024 07:57 AM
I already suggested that.
Anyway,
glad your issue is solved.
Happy end,
have a nice day.
MHM