Interface range setup

JT40

@patch said in Interface range setup:

@jt40 said in Interface range setup:

As you can see highlighted in red, the VLANs IP range is not being respected

You need to set up VLAN on the switch so the access point only see's the VLAN's you want it to see.

I suspect using VLAN 1 for your Management interface s a bad idea as some switches use that as the default so it behaves differently to other VLANs

You show an AP on your ISP modem. Are you intending to continue to enable that function or is that just historical?

I already have VLANs on the switch and PfSense.

It seems that I need to configure the VLANs in the AP as well :D ... I'll also create different networks to make better separation between certain devices, or maybe not initially.

I forgot to mention that the default VLAN ID is 1 on the switch, as every other switch I think, but it's not tagged as far as I know, I mean, it's not enabled, I only tagged the way I wanted, the ports I wanted.
To keep it even easier anc cleaner, the VLAN of the AP will be only on that switch port, I won't use that VLAN for anything else.

Yes, I'll remove the wireless from the modem, it will have less chances to crash and it's also less safe.

Patch

@jt40 said in Interface range setup:

It seems that I need to configure the VLANs in the AP as well

If the AP has multiple SSID then yes that is normally implemented as a different VLAN for each SSID.

If you just have one wifi network all with the same SSID then you just need to configure your switch to only connect to the AP via that VLAN (the AP does not have to be aware of VLANs at all.

JT40

@patch said in Interface range setup:

@jt40 said in Interface range setup:

It seems that I need to configure the VLANs in the AP as well

If the AP has multiple SSID then yes that is normally implemented as a different VLAN for each SSID.

If you just have one wifi network all with the same SSID then you just need to configure your switch to only connect to the AP via that VLAN (the AP does not have to be aware of VLANs at all.

Thank you.
I didn't understand that last sentence though.
Maybe you mean that the AP is not a switch, so actually I can't configure VLANs there, I can only tell the AP to tag the packets with the respective ID, is it right?

I actually need to have 2 VLANs on the AP, or so called 2 different networks in Unifi, so I'll create 2 different networks which match the VLANs IP from the switch.
Then, in the switch I'll assign 2 different VLANs to the same port, is it right?

Patch

@jt40 said in Interface range setup:

2 VLANs on the AP, or so called 2 different networks in Unifi,

Then you configure your switch to pass those 2 tagged VLANs to the Unifi AP

Btw, what is you swithch

JT40

I have a D-Link L2+ switch, it means that it does't have all the L3 functions.

I made some extensive testing, below you find the setup.
The graph is the same as before, I didn't change the network layout, I just changed the settings.

1. The switch is configured with static IP 10.90.90.90, but there is also the option to set it with DHCP, I didn't think it was a good idea :D . This refers to the management interface only, normally, but it's also the start of the DHCP range in somehow, below you'll find more info.

2. The connecte devices get assigned all with the DHCP after that range, verified with cables :D but also with the AP, which wonderfully ignore the VLAN setup.

3. On the AP, if I set the VLAN ID on the network that I created, it fails to assign the IP address to the devices, and then the device fails to join the network.
   I noticed that for a while, as IP it receives my public IP (LOL) instead of one from the DHCP, and the mask is 255.255.0.0, I never specified such mask, it must be the mask of that range, which in any case both don't make any sense in my private network...

4. The connection works only if I specify the default LAN network auto-created by Unifi, which has the same exact setup as the one created by me, but you I can't touch the VLAN ID, it seems not existent or maybe by default is 1...
   Interestingly, the range is 192.168.1.0/24, if I create it, in DHCP it takes 192.168.2.0/24, I also tried to set it up manually following the VLAN IP on PfSense (10.10.60.1), as well as the DHCP, but it fails immediately

5. Prior these tests, I didn't have an IP interface on the switch.

• I've set it up and it's the same result, it nicely ignores the IP range that I've set, same for the VLANs IP ranges in PfSense.

• In case you wonder, this is under the L3 functions on my switch, I defined the VLAN tag again at L3.
  Previously I created the VLANs in L2 and tagged the same in PfSense, but it didn't sort out any effect.

• There is an option for port truncate which I believe I should use, but I wonder why it didn't flag me that conflit, it may be a bug or a feature not present there, because normally this is a problem, if you have more than 1 VLAN per port you need to configure port truncate for my knowledge.

6. I don't have a trusted DHCP server in the switch, what's the main IP on Pfsense? Due to this missing info, I still didn't test that functionality on the switch...
   The whole point is that I was expecting PfSense to act as a DHCP server......... I already defined all the DHCP ranges, with all the firewall rules and all the VLANs tags... Not sure what else is missing to make it work with the switch...

• I noticed that every device behind the switch takes as a router or DHCP server the IP of the PfSense interface where it's attached to, is this expected?

• In any case, at the moment the switch assigns IPs as 10.90.90.91 and so on...
  The UPLINK interface has IP 10.90.90.89, which becomes the router/DHCP. That's how it is respectively described in my phone and my desktop.

In all this mess:

1. I get into internet with stupid FW rules like "Allow ALL from Network to ANY", so basically I have the setup I don't want, plus the setup I should not have :D .

2. I can also access the WebGUI or PfSense without problems from any interface, I need to resolve this but blocking the traffic to the firewall doesnt' help, so I think I need to write a floating rule for all these scenarios, but with all these VLANs changes etc, it's too easy to screw up or to forget some interface/VLAN here and there... I'm pretty sure to leave some of them behind. How do you deal with these scenarios?

3. Plus, most of the machines can ping each other and eventually ssh etc, that's terrible :D , but I think that proper firewall rules will be sufficient.

4. There is still one main issue, what is the rule that should allow the traffic to the WAN? If I set the followings I can't reach the gateway and therefore internet:

• from this network to WAN net
• from this network to WAN address
• from this network to 192168.0.1 (gateway IP)
• It works only with: from this network to ANY

It doesn't make much sense to me...

JT40

ok, mistatch in the DHCP range :D , it's too late for me guys.
After I changed it, I noticed that the DHCP server is the IP of the UPLIN interface (for the switch) configured in PfSense.
The IPs are assigned correctly, also the AP received a new IP, I had to give it a kick but it works :D , from now on I won't finally lose the connection to the AP!

Tomorrow I'll test the VLANs, but if I already got the IPs from that DHCP server instead of the one for each VLAN, then I already know that it's not working properly...
Each VLANs is on a different network range, so it's clearly not working, no space for mistakes here, unless this is an a mistake from top down :D

johnpoz

@jt40 said in Interface range setup:

this is under the L3 functions on my switch

Thought you said your switch doesn't have L3?

D-Link L2+ switch, it means that it does't have all the L3 functions.

Which is it - what is the model number of this switch.

I need to resolve this but blocking the traffic to the firewall doesnt' help

Then your doing it wrong - and sure and the hell do not need a floating rule.. Nobody can help point out what your doing wrong - if you don't actually show us what your doing.

What are the vlan IDs you set? What are the port configurations of the switch, etc. etc.. What are you firewall rules..

bingo600

If it's a D-Link 15xx , there might be some interesting info here
https://community.spiceworks.com/topic/927137-vlans-dhcp-dns-and-routing-on-l2-d-link-switches

I just skimmed it - But it seems that enabling the DHCP server on the switch is asking for trouble.

What i use to do on my 1210's.

1: Create a management vlan , where the switch management ip would end up.
2: Enable pfSense DHCP server on that vlan.
3: Create an untagged port in the management vlan (recovery)
4: Move the switch management to the management vlan.
5: Move the Management PC to the port created in step3 (still using the 10.90.90.xx for the lan if)
6: Login to switch on 10.90.90.90
7: Switch the management interface to use DHCP
8: Switch the PC to use DHCP.
9: Login to switch using the new DHCP management ip assigned to the switch.
10: Save the switch config
11: At that point i usually download and save the config on the pc (Named something like - dgs1210-blank-dhcp).
12: Either move the switch to static ip , or not ..... Save the switch config

Now if i ever get a new switch of the same model , i just connect to 10.90.90.90,
Restore the dgs1210-blank-dhcp config , and it's running like step-11 above.

If anything totally FSCK's up ... Press & hold the reset button until all the Port-LEDS light up.
Then it should boot up as "Factory reset" w. 10.90.90.90

/Bingo

JT40

@johnpoz said in Interface range setup:

@jt40 said in Interface range setup:

this is under the L3 functions on my switch

Thought you said your switch doesn't have L3?

D-Link L2+ switch, it means that it does't have all the L3 functions.

Which is it - what is the model number of this switch.

I need to resolve this but blocking the traffic to the firewall doesnt' help

It's an L2+ switch, it has some of the L3 functionalities, the switch is Dlink DGS-1210-16 , but I don't want to use them.
I only defined 2 IP interfaces with a different range (otherwise I can't) but for me it doesn't make much sense, and in any case is not respected, it takes the IP range of the PfSense interface where it is attached to.

Then your doing it wrong - and sure and the hell do not need a floating rule.. Nobody can help point out what your doing wrong - if you don't actually show us what your doing.

:D , I still need to dig into FW rules in PfSense.
The rules are fixed in that way, unless you love to use the shell to configure them.
Making a screenshot is a bit of a pain because that machine is isolated, same as other devices (in a certain way)
I have just a few options on the UI when I set up FW rules:

• Any
• Single Host or IP alias
• Network
• PPPeE clients
• L2TP clients
• Interface Network (respectively of each interface)
• Interface address (respectively of each interface)

• the classic, protocol, IPV4, etc...
  I see the advanced option of "In / Out pipe", it seems a bit different from what I see above... Or this is the simple outbound/inboud concept??

What are the vlan IDs you set? What are the port configurations of the switch, etc. etc.. What are you firewall rules..

I've set 40-41 as a test on the same port, both in the Switch and in PfSense, + on the AP but as I mentioned it doesn't work at all, I can't get any IP address if I do such thing... It seems to be more related to the new LAN that I create in the AP, more than the VLAN ID itself. I can set the VLAN ID in the AP network but I don't get any IP and the device doesn't join after a few attempts.
The VLANs are currently set both in PfSense and the Switch, but not in the AP, I'm using the default LAN and it doesn't have any VLAN ID on the UI, but maybe it uses 1 as default.

My FW rule for each interface currently is:

• Interface Network (respectively of each interface) to ANY.
• This automatically implies that I have access to any other network, even if another network interface doesn't have an INBOUND rule, this is very weird, it is supposed to be in this way?
  I can ping, ssh, login into the firewall etc from each interface to any other.
  I can't do what I mentioned only if I'm behind the switch when these rules are applied, otherwise I can do even that from the other side (from PfSense interface OUTBOUND to the devices atached to the switch).
  This mismatch is quite weird.

@bingo600 I'll reply to you later, thanks for that.

johnpoz

@jt40 said in Interface range setup:

Making a screenshot is a bit of a pain because that machine is isolated

Then don't isolate it while you get setup and actually understand how it works..

Go back to the drawing I provided way back when... Simple lan, access to pfsense, everything on the lan working.. Then move on to adding your vlans and AP with vlans, etc.

Once you have it working you can secure who can talk to pfsense gui, be that some admin console you have only connected directly to the lan port of your pfsense.

Your switch out of the box would be just a dumb switch, everything in vlan 1.. Set its admin IP to be on your lan network and move on from there.. You want your lan net to be your admin network anyway when all set and done. This is the network on pfsense that has an antilock out rule.

You then from your admin box on your lan net admin pfsense, your switch and your AP via their management IPs that would be on your admin/infrastructure vlan..

JT40

@bingo600 said in Interface range setup:

If it's a D-Link 15xx , there might be some interesting info here
https://community.spiceworks.com/topic/927137-vlans-dhcp-dns-and-routing-on-l2-d-link-switches

I just skimmed it - But it seems that enabling the DHCP server on the switch is asking for trouble.

What i use to do on my 1210's.

1: Create a management vlan , where the switch management ip would end up.
2: Enable pfSense DHCP server on that vlan.
3: Create an untagged port in the management vlan (recovery)
4: Move the switch management to the management vlan.
5: Move the Management PC to the port created in step3 (still using the 10.90.90.xx for the lan if)
6: Login to switch on 10.90.90.90
7: Switch the management interface to use DHCP
8: Switch the PC to use DHCP.
9: Login to switch using the new DHCP management ip assigned to the switch.
10: Save the switch config
11: At that point i usually download and save the config on the pc (Named something like - dgs1210-blank-dhcp).
12: Either move the switch to static ip , or not ..... Save the switch config

Now if i ever get a new switch of the same model , i just connect to 10.90.90.90,
Restore the dgs1210-blank-dhcp config , and it's running like step-11 above.

If anything totally FSCK's up ... Press & hold the reset button until all the Port-LEDS light up.
Then it should boot up as "Factory reset" w. 10.90.90.90

/Bingo

Intially I thought, what kind of approach is that :D .
Few seconds later... Oh yeah :D
Your approach simplifies and automates the switch backup-restore, very good.
This will take me some time, I'll do it as soon as I can make some change.

I have a few observations though:

1. We have the same switch :) , but I can only see 2 configs, where the number 1 is the default and I didn't change it, the second one is my setup. How can you create more versions? There is nothing about it, I'm using the latest firmware. I can't even change the name of the config :D .

2. Oh ok, you asked me to enable DHCP for the management interface only, this scares me a bit though :D , every time I need to know what IP did it get, most probably the first one after the physical interface but what can I say... Currently the VLAN IP range assigned to the UPLINK port in PfSense is not considered, it's considered only the IP range of the network interface, I mean the physical interface, this is valid for each VLAN/Interface, for me the VLANs are not working at all at the moment, but I'll keep your idea in mind. I'm simply still fighting with it.

johnpoz

@jt40 said in Interface range setup:

this scares me a bit though :D , every time I need to know what IP did it get

Set a reservation - it will always get that IP then.. And to be honest, normally dhcp never changes anyway as long as the device is on like a switch.. It just always renew the same IP it originally got..

Devices only ever change their IP via dhcp is when they have been off and the lease expired and given to some other device.. This rarely happens if your scope is large compared to your number of clients.

Or there was some other issue with the renew, and discover goes out vs a renew. But normally if the client is on, it will just continue to renew that IP.. But if you want to make sure a device gets a specific IP, just set a reservation. Pretty much every dhcp client on my network is via reservation, other than guest devices.

edit: Why dhcp is better than static set on the device. You can change info, like dns, ntp, gateway.. Without having to touch the device. You can even change the IP or even your network space completely - again without having to even touch the device, or at worst just rebooting of it, etc. If your lease time is long and you want the IP to change now, etc.

Its almost always better to set dhcp because it gives you more flexibility.

JT40

@johnpoz said in Interface range setup:

@jt40 said in Interface range setup:

Making a screenshot is a bit of a pain because that machine is isolated

Then don't isolate it while you get setup and actually understand how it works..

Go back to the drawing I provided way back when... Simple lan, access to pfsense, everything on the lan working.. Then move on to adding your vlans and AP with vlans, etc.

Once you have it working you can secure who can talk to pfsense gui, be that some admin console you have only connected directly to the lan port of your pfsense.

You then from your admin box on your lan net admin pfsense, your switch and your AP via their management IPs that would be on your admin/infrastructure vlan..

I'm recluctant to login from other machines :D , they are pretty safe but not the way I want :D . Let me get some screenshot...

Your switch out of the box would be just a dumb switch, everything in vlan 1.. Set its admin IP to be on your lan network and move on from there.. You want your lan net to be your admin network anyway when all set and done. This is the network on pfsense that has an antilock out rule.

What LAN IP? Do you mean the UPLINK interface where the it is connected in PfSense? I don't see other possibilities.

I don't use anymore the antilock out rule, in the worst case I disable the firewall and I fix the issue :D .
I only have the common rule I mentioned: from this LAN/network to ANY.

I have 2 different accesses like that, 2 different physical interfaces (LAN), so I can connect to the firewall from both if I need to, but considering that for some reason every device can go pretty much anywhere, this is not safe, it just works for now...
This is not what I want and I'm trying to figure out how to configure the firewall to stop it from happening without breaking the network...

JT40

@johnpoz said in Interface range setup:

@jt40 said in Interface range setup:

this scares me a bit though :D , every time I need to know what IP did it get

Set a reservation - it will always get that IP then.. And to be honest, normally dhcp never changes anyway as long as the device is on like a switch.. It just always renew the same IP it originally got..

Devices only ever change their IP via dhcp is when they have been off and the lease expired and given to some other device.. This rarely happens if your scope is large compared to your number of clients.

Or there was some other issue with the renew, and discover goes out vs a renew. But normally if the client is on, it will just continue to renew that IP.. But if you want to make sure a device gets a specific IP, just set a reservation. Pretty much every dhcp client on my network is via reservation, other than guest devices.

edit: Why dhcp is better than static set on the device. You can change info, like dns, ntp, gateway.. Without having to touch the device. You can even change the IP or even your network space completely - again without having to even touch the device, or at worst just rebooting of it, etc. If your lease time is long and you want the IP to change now, etc.

Its almost always better to set dhcp because it gives you more flexibility.

Thanks for the tip, good to know :) , I'll set the switch as DHCP then, let me test it.
That's the last device that remains without DHCP.

bingo600

@jt40
My DGS-1100-08's had a tendency of "forgetting their Mgmt IP , if using DHCP.
Kind'a forgot to renew after a while.

That's why i switched to using static, when making the config permanent.

But it could be fixed in one of the updates ... Actually i think it is.

Re: Dlink configs.
You can only have 2 configs saved in the switch.

You can save & restore configs easily to/from a pc.

/Bingo

JT40

@bingo600 said in Interface range setup:

@jt40
My DGS-1100-08's had a tendency of "forgetting their Mgmt IP , if using DHCP.
Kind'a forgot to renew after a while.

That's why i switched to using static, when making the config permanent.

But it could be fixed in one of the updates ... Actually i think it is.

Re: Dlink configs.
You can only have 2 configs saved in the switch.

You can save & restore configs easily to/from a pc.

/Bingo

You genius! Thanks.

I'm digging into the VLANs issue in these days, I found this article about static VLANs: https://eu.dlink.com/uk/en/support/faq/switches/layer-2-gigabit/dgs-series/uk_dgs_1210_setup_static_vlans

I don't understand why they are not tagged... In my case I tagged all of them in the switch plus PfSense, but the DHCP range is always the same...
I'll refresh that service as I did before, pretty sure nothing will change, are you aware of anything like that?
I don't even need to open Wireshark, the first problem is that I get the wrong IP range, that is the one from the UPLINK interface.
This is valid for each port in the switch, regardless if tagged or not assigned.
I'll try this option of untagging, but I can't see the difference right now between not tagging and not a member in this switch...

bingo600

@jt40 said in Interface range setup:

I'll try this option of untagging, but I can't see the difference right now between not tagging and not a member in this switch...

You have 3 vlan "modes" in the switch
1:
Not a member -
The specific port will NEVER transport that Vlan

2:
Untagged member of Vlan xx (aka PVID or Native vlan) -
The specific port will act as a "Normal Ethernet port used for a PC or other non vlan enabled device", but all data sent/received with no vlan tag , this what a normal PC or other device would do. will (by the switch be "put in" or "gotten from" Vlan xx).
This is what you would use/set for most end devices.
NB: The port can ONLY be member of One untagged Vlan.

3:
Tagged member of Vlan xx
Typically used for "Multi vlan capable devices".
Ie. Other switches , an AP (with multi SSID's) etc ...
You would at some time prob. use this for your UBI AP's.
You might even use both tagged (for SSID's) and untagged (for mgmt)

I gave a brief intro to tagging here and a few posts down:
https://forum.netgate.com/post/944381

/Bingo

JT40

@bingo600 said in Interface range setup:

@jt40 said in Interface range setup:

I'll try this option of untagging, but I can't see the difference right now between not tagging and not a member in this switch...

You have 3 vlan "modes" in the switch
1:
Not a member -
The specific port will NEVER transport that Vlan

2:
Untagged member of Vlan xx (aka PVID or Native vlan) -
The specific port will act as a "Normal Ethernet port used for a PC or other non vlan enabled device", but all data sent/received with no vlan tag , this what a normal PC or other device would do. will (by the switch be "put in" or "gotten from" Vlan xx).
This is what you would use/set for most end devices.
NB: The port can ONLY be member of One untagged Vlan.

3:
Tagged member of Vlan xx
Typically used for "Multi vlan capable devices".
Ie. Other switches , an AP (with multi SSID's) etc ...
You would at some time prob. use this for your UBI AP's.
You might even use both tagged (for SSID's) and untagged (for mgmt)

I gave a brief intro to tagging here and a few posts down:
https://forum.netgate.com/post/944381

/Bingo

So you mean the following?

• Untagged (The VLAN ID remains in that device that defines the VLAN) Why I should set this for my PC for example?
• Tagged (The VLAN ID will be included in the packet frames, plus it supports multi VLANs on the same port)
• Not a member (Not even a chance to set a VLAN, right? Or you can set it up but it remains always confined in that device?)

I understood that I always need to use VLAN tag for the following reasons:

1. Well I need VLANs :D
2. I need to use multi VLANs on the same port in most cases
3. This is especially valid in the AP, I'll use multi SSID.

johnpoz

@jt40 said in Interface range setup:

Untagged (The VLAN ID remains in that device that defines the VLAN) Why I should set this for my PC for example?

Because you want whatever plugged into that port to be on vlan X.. And not have to tell that device to tag their traffic.

If you want PC to be on vlan X, the port on your switch you connect the PC would be set to vlan X with a pvid to X.. This tells the switch, hey any untagged traffic you see coming into this port is vlan X. Only send traffic out this port if too vlan X..

Understanding tagging and what a native vlan (untagged) is really step 1 in wanting to use a vlan capable switch and vlans on your network. Until you grasp the concept your not going to make much progress in using vlans on your network.

I need to use multi VLANs on the same port in most cases

This not normally true.. The only ports where you would carry multiple vlans would be ports that connect to other switches, or an AP or say a router where you need to carry multiple vlans over a single physical interface. Most devices connected to a switch would only ever be in a single vlan.. Other option where you might need to tag traffic is to say a VM host, where again you need to carry multiple vlan traffic over a single port, and you need something to understand what traffic goes where via the tag, or the lack of a tag.

With unifi AP, the management of that is normally untagged.. They not that long ago did enable the ability to use tagged traffic. But that is so far beyond your current grasp of vlans, save that for another day..

The port connected to your AP for example would carry untagged (native vlan) traffic for the vlan your management IP is in on the AP, and tagged traffic for any SSIDs you want to be in other vlans.

edit: here is a drawing I did many ages ago trying to help someone understand where tag and untagged go on a switch infrastructure.

It is missing the untagged for the management of the AP, and possible any native network you had setup on the pfsense interface where the vlans 50,60, etc. are riding on.

JT40

@johnpoz Thank you, let's see if I understood.
The reason why I said I want to use VLAN tag everywhere, it's because I want every machine to be isolated, maybe in the future I'll ease some protocol but that's it (through FW rules, VLAN doesn't play much in it if the FW allows the traffic), that's the starting point for me.
Does it make sense to tag each interface is this case?

I also know that I need truncate the port where multiple VLANs are tagged, for example the UPLINK interface, but not necessarily if there is only one VLAN tagged there and where others not tagged pass through, is it correct?
In my case, whatever traffic goes to the UPLINK most probably goes on Internet, so I truncate the port and tag everything.

In any case, even if I tag only one VLAN on one port and there is only one end-user device attached to it, what can be the problem? What will stop the traffic? I don't trunkate the port but I'll have a single VLAN there.
The only useful and automated case I can think of is when you want that machine to communicate only in the LAN, precisely only in that network range, basically the default one of the switch, in my case given by the DHCP from the UPLINK/DOWNLINK interface in PfSense.
Hence, I skip the tag here and the traffic can't go on the next network node (PfSense), or eventually not out of that default network range in the LAN...