Home Lab | Proxmox and Pfsense with Cisco SG300-10

How-to guide, written for my own reference, for configuring VLANs across Pfsense and a Cisco SG300-10 switch.

Pfsense (VLAN interfaces on one uplink) –> Cisco SG300-10 (802.1Q trunk ports) –> Proxmox (vmbr0)

After a factory reset the switch answers on 192.168.1.254 with every port in VLAN 1. Log in to the web UI, change the factory default credentials, and enable the SSH service.

Security --> TCP/UDP services --> Check SSH and apply.

SSH into the Cisco SG300-10. Its SSH server needs the legacy diffie-hellman-group1-sha1 key exchange (1024-bit group, SHA-1), which modern OpenSSH clients disable by default, so re-enable it for this connection only rather than globally (a Host block for the switch in ~/.ssh/config keeps it scoped).

$ ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 user@192.168.1.254

Show running configuration.

# show running-config

VLAN table before creating the VLANs:

# show vlan
switch6b9fee#show vlan 
Created by: D-Default, S-Static, G-GVRP, R-Radius Assigned VLAN, V-Voice VLAN

Vlan       Name           Tagged Ports      UnTagged Ports      Created by    
---- ----------------- ------------------ ------------------ ---------------- 
 1           1                               gi1-10,Po1-8           V         

switch6b9fee#

Show the switchport where Pfsense is connected (GE 10). After a factory reset every port is already in trunk mode with VLAN 1 as its untagged native VLAN:

# show interfaces switchport GE 10
switch6b9fee#show interfaces switchport GE 10
Added by: D-Default, S-Static, G-GVRP, R-Radius Assigned VLAN, T-Guest VLAN, V-Voice VLAN
Port : gi10
Port Mode: Trunk
Gvrp Status: disabled
Ingress Filtering: true
Acceptable Frame Type: admitAll
Ingress UnTagged VLAN ( NATIVE ): 1
 
Port is member in: 
 
Vlan               Name               Egress rule     Added by     
---- -------------------------------- ----------- ---------------- 
 1                  1                  Untagged          V         

 
Forbidden VLANS: 
Vlan               Name               
---- -------------------------------- 

 
Classification rules: 
 
Mac based VLANs:                                      
  Group ID   Vlan ID                                  
------------ -------                                  
                                                      
switch6b9fee#

Create the required VLANs.

# configure
# vlan 11  
# vlan 22  
# vlan 33  
# vlan 44

Set GE 10 (the Pfsense uplink) to trunk mode and add the newly created VLANs as tagged members.

# interface GE 10
# switchport mode trunk 
# switchport trunk allowed vlan add 11,22,33,44
# no shutdown

Output

switch6b9fee(config-if)#switchport trunk allowed vlan add 11,22,33,44
15-Aug-2023 20:44:42 %LINK-I-Up:  Vlan 11
15-Aug-2023 20:44:42 %LINK-I-Up:  Vlan 22
15-Aug-2023 20:44:42 %LINK-I-Up:  Vlan 33
15-Aug-2023 20:44:42 %LINK-I-Up:  Vlan 44

Repeat the same settings for the ports facing Proxmox, GigabitEthernet 1 to 4 (the range form `interface range GigabitEthernet 1-4` applies them in one go). Ports 5 to 9 are unused in this lab and stay at the factory default, a trunk carrying VLAN 1 untagged; shutting them down in interface configuration (`shutdown`) closes an avoidable path into the management VLAN.

# interface GigabitEthernet 1
# switchport mode trunk 
# switchport trunk allowed vlan add 11,22,33,44
# no shutdown

# interface GigabitEthernet 2
# switchport mode trunk 
# switchport trunk allowed vlan add 11,22,33,44
# no shutdown

# interface GigabitEthernet 3
# switchport mode trunk 
# switchport trunk allowed vlan add 11,22,33,44
# no shutdown

# interface GigabitEthernet 4
# switchport mode trunk 
# switchport trunk allowed vlan add 11,22,33,44
# no shutdown

Save the configuration by copying the running config to the startup config (the two `exit`s return from interface and global configuration mode to privileged EXEC):

# exit
# exit
# copy running-config startup-config

Show the configured switch port GigabitEthernet 10

# show interfaces switchport GigabitEthernet 10

Output for reference

switch6b9fee#show interfaces switchport GigabitEthernet 10 
Added by: D-Default, S-Static, G-GVRP, R-Radius Assigned VLAN, T-Guest VLAN, V-Voice VLAN
Port : gi10
Port Mode: Trunk
Gvrp Status: disabled
Ingress Filtering: true
Acceptable Frame Type: admitAll
Ingress UnTagged VLAN ( NATIVE ): 1
 
Port is member in: 
 
Vlan               Name               Egress rule     Added by     
---- -------------------------------- ----------- ---------------- 
 1                  1                  Untagged          V         
 11                 11                  Tagged           S         
 22                 22                  Tagged           S         
 33                 33                  Tagged           S         
 44                 44                  Tagged           S         

 
Forbidden VLANS: 
Vlan               Name               
---- -------------------------------- 
                                                      
                                                      
Classification rules:                                 
                                                      
Mac based VLANs:                                      
  Group ID   Vlan ID                                  
------------ -------                                  
                                                      
switch6b9fee#

List the VLAN table to verify which ports tag each VLAN. Note that VLAN 1 stays untagged on every port, including the trunks, so untagged frames arriving on any port still land in the management VLAN.

# show vlan
switch6b9fee#show vlan 
Created by: D-Default, S-Static, G-GVRP, R-Radius Assigned VLAN, V-Voice VLAN

Vlan       Name           Tagged Ports      UnTagged Ports      Created by    
---- ----------------- ------------------ ------------------ ---------------- 
 1           1                               gi1-10,Po1-8           V         
 11         11             gi1-4,gi10                               S         
 22         22             gi1-4,gi10                               S         
 33         33             gi1-4,gi10                               S         
 44         44             gi1-4,gi10                               S         

switch6b9fee#

A few more commands to verify the tags and to see which MAC addresses have been learned in each VLAN:

# show vlan tag 22
# show mac address-table
# show mac address-table vlan 11
# show mac address-table vlan 22
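The `show vlan` table above is fixed-width, so it can be audited rather than eyeballed. The script below is an added example (my own code, not a Cisco or Pfsense tool): it parses the `show vlan` output copied from the transcript above and checks it against the intended layout. The expectations it encodes, VLANs 11, 22, 33 and 44 tagged on gi1-4 and gi10 with gi5-9 unused, are assumptions taken from the steps on this page.

```python
import re
from bisect import bisect_right
from dataclasses import dataclass, field

# Added example for this write-up (not a Cisco/Pfsense tool); the expectations below are assumptions.
# `show vlan` output copied from the transcript above (after the VLANs were created).
SHOW_VLAN = """\
switch6b9fee#show vlan
Created by: D-Default, S-Static, G-GVRP, R-Radius Assigned VLAN, V-Voice VLAN

Vlan       Name           Tagged Ports      UnTagged Ports      Created by
---- ----------------- ------------------ ------------------ ----------------
 1           1                               gi1-10,Po1-8           V
 11         11             gi1-4,gi10                               S
 22         22             gi1-4,gi10                               S
 33         33             gi1-4,gi10                               S
 44         44             gi1-4,gi10                               S

switch6b9fee#
"""

PORT_RE = re.compile(r"^([A-Za-z]+)(\d+)(?:-(\d+))?$")

# Assumed intent: Pfsense uplink on gi10, Proxmox on gi1-4, gi5-9 unused.
REQUIRED_VLANS = {11, 22, 33, 44}
TRUNK_PORTS = {"gi1", "gi2", "gi3", "gi4", "gi10"}
UNUSED_PORTS = {"gi5", "gi6", "gi7", "gi8", "gi9"}

def port_key(port: str) -> tuple[str, int]:
    m = PORT_RE.match(port)  # natural sort key: gi2 before gi10
    return (m.group(1), int(m.group(2)))

def expand_ports(spec: str) -> set[str]:
    """Expand the switch's compact list ('gi1-4,gi10,Po1-8') into port names."""
    ports: set[str] = set()
    for token in filter(None, (t.strip() for t in spec.split(","))):
        m = PORT_RE.match(token)
        if not m:
            raise ValueError(f"unrecognised port token {token!r}")
        lo, hi = int(m.group(2)), int(m.group(3) or m.group(2))
        ports.update(f"{m.group(1)}{n}" for n in range(lo, hi + 1))
    return ports

@dataclass
class Vlan:
    vid: int
    name: str
    tagged: set[str] = field(default_factory=set)
    untagged: set[str] = field(default_factory=set)
    created_by: str = ""

def parse_show_vlan(text: str) -> dict[int, Vlan]:
    """Parse the fixed-width table; the dash ruler under the header defines the columns."""
    lines = text.splitlines()
    ruler = next(i for i, ln in enumerate(lines) if ln.strip() and set(ln.strip()) <= {"-", " "})
    spans = [(m.start(), m.end()) for m in re.finditer(r"-+", lines[ruler])]
    # a token belongs to the column whose ruler lies nearest to where the token starts
    cuts = [(spans[i][1] + spans[i + 1][0]) // 2 for i in range(len(spans) - 1)]
    vlans, current = {}, None
    for line in lines[ruler + 1:]:
        if not line.strip() or line.rstrip().endswith("#"):
            continue  # blank line, or the CLI prompt that follows the table
        cols = [""] * len(spans)
        for m in re.finditer(r"\S+", line):
            i = bisect_right(cuts, m.start())
            cols[i] = f"{cols[i]} {m.group()}".strip()
        vid, name, tagged, untagged, created = cols
        if vid:
            current = Vlan(int(vid), name, expand_ports(tagged), expand_ports(untagged), created)
            vlans[current.vid] = current
        elif current is not None:
            # a long port list wraps onto a continuation row whose Vlan column is blank
            current.tagged |= expand_ports(tagged)
            current.untagged |= expand_ports(untagged)
    return vlans

def audit(vlans: dict[int, Vlan], required=REQUIRED_VLANS, trunks=TRUNK_PORTS, unused=UNUSED_PORTS):
    """Return findings as strings; an empty list means the table matches the intent."""
    findings = []
    for vid in sorted(required):
        entry = vlans.get(vid)
        if entry is None:
            findings.append(f"VLAN {vid} does not exist on the switch")
            continue
        missing = trunks - entry.tagged
        if missing:
            findings.append(f"VLAN {vid} is not tagged on {sorted(missing, key=port_key)}")
    default = vlans.get(1)
    if default is not None:
        for p in sorted(unused & (default.tagged | default.untagged), key=port_key):
            findings.append(f"{p} is unused but still a default trunk in VLAN 1: shut it down")
        for p in sorted(trunks & default.untagged, key=port_key):
            findings.append(f"{p} keeps VLAN 1 as its untagged native VLAN (management stays reachable)")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(parse_show_vlan(SHOW_VLAN))) or "no findings")
```

Run as a script it reports nothing about the VLAN tagging for the table above, but ten findings about VLAN 1: every port, used or not, still carries VLAN 1 untagged after a factory reset. Paste fresh `show vlan` output into SHOW_VLAN to re-check after each change.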

In Proxmox, give a VM a network device on vmbr0 with VLAN tag 11; for the per-VM tag to work, vmbr0 must be VLAN-aware (bridge-vlan-aware yes in /etc/network/interfaces).
Inside the VM use an address from 192.168.11.0/24 with gateway 192.168.11.254, which is the address of the Pfsense VLAN 11 interface.

Once a VM is up, the MAC address table for its VLAN shows the Pfsense interface learned on gi10 and the VM's address learned on gi1, which confirms the tags survive end to end:

switch6b9fee#show mac address-table vlan 22
Flags: I - Internal usage VLAN
Aging time is 300 sec

    Vlan          Mac Address         Port       Type    
------------ --------------------- ---------- ---------- 
     22        00:e0:67:1e:3d:b5      gi10     dynamic   
     22        ee:98:e2:c5:89:23      gi1      dynamic   

switch6b9fee#

On the Pfsense side add rules under Firewall --> Rules on each VLAN interface to allow SSH and ICMP; a newly created VLAN interface denies everything by default.

Virtual machines hosted on Proxmox should now be reachable through Pfsense.

That’s it.