Tagged VLAN Setup on Single Switch
-
@gmarler said in Tagged VLAN Setup on Single Switch:
addition to the default VLAN of 1, which my switch won't let me eliminate.
Huh.. if your switch will not allow you to remove vlan 1 from ports.. Then you really need to get another switch.. That is completely borked and breaks the way vlans are to work.
There is a big difference from not able to remove it from the switch itself, but you need to be able to remove it from ports you want in different vlan.
-
@bingo600 said in Tagged VLAN Setup on Single Switch:
1:
Did you add that Vlan70 (OPT5) Gateway your self ?
Gateways are not needed for (on) any local lan interfaces.Yes, I added that one manually - I've deleted it now, but doesn't seem to make a difference in the results.
2:
Since the pfSense IGB2 IF will transport multi vlans via vlan tags, the switchport you connect IGB2 to , must also be setup to use the same vlan tags (means a tagged switchport). - Here i see 50,60,70,99 , so you must config the switchport for those as tagged.Yes, I thought my diagram indicated that I had configured the switch port that igb2 attaches to as being a member of VLANs 1 (untagged), 50, 60, 70 and 99 (tagged). But thanks for answering the question about whether that port should be tagged in those VLANs or not.
3:
Then you can make an untagged vlan70 port on the switch , and connect the Sun (or any other untagged ethernet device) there.Which I did, and the Sun machine seems to work fine on its (untagged) VLAN 70 switch port.
The Vlan1 your "less god" (crappy) switch ...
Can't disable , would probably be the "IGB2" switchport's "untagged or native vlan" or PVID."crappy" is IMHO allowed to use for "older tp-links" or their "cousins" , that enforces vlan1 on all ports.
Ah, I see a potential problem. All of the switch ports have a default PVID of 1 - if I change it to any other PVID, then I can delete VLAN 1 from that switch port, which I've now done. I changed the PVID of that switch port to 70, but not really sure what I ought to set it to in the end. However, I still don't see any difference in the ultimate behavior - still can't ping the IP on the igb2.70 interface for whatever reason - and that interface is showing output errors as I noted above.
/Bingo
-
@johnpoz said in Tagged VLAN Setup on Single Switch:
@gmarler said in Tagged VLAN Setup on Single Switch:
addition to the default VLAN of 1, which my switch won't let me eliminate.
Huh.. if your switch will not allow you to remove vlan 1 from ports.. Then you really need to get another switch.. That is completely borked and breaks the way vlans are to work.
There is a big difference from not able to remove it from the switch itself, but you need to be able to remove it from ports you want in different vlan.
You're right - I just didn't understand how to eliminate VLAN 1 from any given switch port - you first have to change the PVID of that port to anything but 1, then you can delete it from that port.
-
@gmarler said in Tagged VLAN Setup on Single Switch:
I changed the PVID of that switch port to 70, but not really sure what I ought to set it to in the end.
You can't have a tagged port having bot tagged VlanX and PVID X.
I usually use PVID 999 for all my "Trunk/Tagged Ports" , unless a specific untagged port is needed. And I never use Vlan999 for anything, but to "Blackhole" untagged traffic on a "Trunk/Tagged ports". -
@bingo600 said in Tagged VLAN Setup on Single Switch:
I changed the PVID of that switch port to 70, but not really sure what I ought to set it to in the end.
If the switch port is access, ie just 1 device connecting to it that you want in vlan 70, which would be untagged to and from the device then yes setting the pvid to the vlan is correct. Many switches will do this for you automatically when you set a port to be untagged in specific vlan. But if your does not, then yes if setting to vlan 70 access port (cisco term) where only untagged traffic in vlan 70 enters and leaves this port, the the pvid should be 70
@bingo600 statement about setting an odd ball pvid would be when the port is going to carry only tagged traffic.. so on the off chance some untagged traffic is seen on this port, its just black holed to some vlan that goes nowhere..
-
@johnpoz said in Tagged VLAN Setup on Single Switch:
@bingo600 statement about setting an odd ball pvid would be when the port is going to carry only tagged traffic.. so on the off chance some untagged traffic is seen on this port, its just black holed to some vlan that goes nowhere..
Correct , 999 is only used on my "pure tagged" links.
@gmarler
Have you tried to set the solaris switchport to both untagged 70 & pvid 70
Does those output errors increase when you ping the Solaris ?Are you sure the Solaris is using untagged ethernet frames ?
You haven't configured any vlan stuff on that one ?? -
@bingo600 said in Tagged VLAN Setup on Single Switch:
@johnpoz said in Tagged VLAN Setup on Single Switch:
@bingo600 statement about setting an odd ball pvid would be when the port is going to carry only tagged traffic.. so on the off chance some untagged traffic is seen on this port, its just black holed to some vlan that goes nowhere..
Correct , 999 is only used on my "pure tagged" links.
@gmarler
Have you tried to set the solaris switchport to both untagged 70 & pvid 70
Does those output errors increase when you ping the Solaris ?Are you sure the Solaris is using untagged ethernet frames ?
You haven't configured any vlan stuff on that one ??I tried setting the Solaris switchport to both untagged 70 & PVID 70, with no difference in behavior, and the output error count on OPT2 of the pfSense is not increasing.
However, the Solaris system started by only being on a subnet that I'm going to retire (192.168.1.0/24), and I'm now going to put it on VLANs 50, 60, 70, and 99, to serve as the DHCP server for all of them, then retire 192.168.1.0/24.
So I think the issue might be that I've only got the default Solaris interface on 192.168.1.0/24 (no VLAN tagging), so it's going over the default VLAN. And I've got interfaces for VLANs 50, 60, 70, and 99 configured, with only VLAN 70's interface up. I can see the packets from that interface coming out tagged as VLAN 70 as they leave the Solaris system. BUT... I suspect this means I need to change the single switch port for this connection from Solaris to tagged for those VLANs, eventually. And when I do, untagged traffic from the default (non-VLANed) interface will simply stop. Do I have that right?
Separately from that, and after the changes so far, I now see, from the packet capture on the pfSense, the packets from the Solaris system showing up, but they're no longer tagged as being VLAN 70 - so I suspect the fact that the Solaris attached switch port being untagged is simply stripping the VLAN 70 tags as they enter the switch.
To me, that means that I have to configure the Solaris box to be purely VLAN'ed, with no interface being on the default VLAN - AND mark it's switch port as tagged for at least VLANS 50, 60, 70, and 99 - but not sure about that.
But I also see that packets coming out of the pfSense igb2.70, before they enter the switch, are also not tagged as being VLAN 70. That seems concerning.
-
Ah, yes, that did it.
I set the Solaris attached switch port to tag VLAN 70, and suddenly the pings from Solaris to pfSense worked just fine.
But this switch won't let you tag some VLANs and not others, so after a few seconds, all of that port's other VLANs switch from untagged to tagged, and the default VLAN (which is all other traffic from that host) can't pass, while the VLAN 70 traffic passes just fine.
I wonder if just explicitly setting the original/default interface on Solaris to be in tagged VLAN 1 for the time being would clear this up.
-
@gmarler said in Tagged VLAN Setup on Single Switch:
I tried setting the Solaris switchport to both untagged 70 & PVID 70, with no difference in behavior, and the output error count on OPT2 of the pfSense is not increasing.
OK - Have you tried a different pds cable to the switch ?
However, the Solaris system started by only being on a subnet that I'm going to retire (192.168.1.0/24), and I'm now going to put it on VLANs 50, 60, 70, and 99, to serve as the DHCP server for all of them, then retire 192.168.1.0/24.
So I think the issue might be that I've only got the default Solaris interface on 192.168.1.0/24 (no VLAN tagging), so it's going over the default VLAN. And I've got interfaces for VLANs 50, 60, 70, and 99 configured, with only VLAN 70's interface up. I can see the packets from that interface coming out tagged as VLAN 70 as they leave the Solaris system. BUT... I suspect this means I need to change the single switch port for this connection from Solaris to tagged for those VLANs, eventually.
Yes if your Solaris is tagging , you's need the Switchport to accept those tags.
AKA configure it for tagging on the vlans of interest.And when I do, untagged traffic from the default (non-VLANed) interface will simply stop. Do I have that right?
Depends ...
If your Solaris would send an untagged packet , it would by the switch be put into the PVID vlan.
That said i can't see why the Solaris should send any untagged packages , if you have just configured tagged interfaces in that box.Separately from that, and after the changes so far, I now see, from the packet capture on the pfSense, the packets from the Solaris system showing up, but they're no longer tagged as being VLAN 70 - so I suspect the fact that the Solaris attached switch port being untagged is simply stripping the VLAN 70 tags as they enter the switch.
If you don't see any tags on the pfSense capture , then those packages would be sent untagged from the solaris.
To me, that means that I have to configure the Solaris box to be purely VLAN'ed, with no interface being on the default VLAN - AND mark it's switch port as tagged for at least VLANS 50, 60, 70, and 99 - but not sure about that.
That would be correct, and the same goes for the switchport the Solaris is connected to.
But I also see that packets coming out of the pfSense igb2.70, before they enter the switch, are also not tagged as being VLAN 70. That seems concerning.
I'll have to agree .. concerning.
If you find my answer useful - Please give the post a š - "thumbs up"
pfSense+ 23.05.1 (ZFS)QOTOM-Q355G4 Quad Lan.
CPUĀ : Core i5 5250U, Ram : 8GB Kingston DDR3LV 1600
LANĀ : 4 x Intel 211, DiskĀ : 240G SAMSUNG MZ7L3240HCHQ SSD -
@gmarler said in Tagged VLAN Setup on Single Switch:
Ah, yes, that did it.
I set the Solaris attached switch port to tag VLAN 70, and suddenly the pings from Solaris to pfSense worked just fine.
But this switch won't let you tag some VLANs and not others, so after a few seconds, all of that port's other VLANs switch from untagged to tagged, and the default VLAN (which is all other traffic from that host) can't pass, while the VLAN 70 traffic passes just fine.
Get a new switch , that functions correct.
Life is to short for bad switches.I wonder if just explicitly setting the original/default interface on Solaris to be in tagged VLAN 1 for the time being would clear this up.
Why would you do that ?
If you want to keep that switch.
Why not let pfSense be your DHCP server , and just run the Solaris as untagged (normal) ethernet , and put the solaris switchport in "Untagged 70 + PVID 70" -
@bingo600 said in Tagged VLAN Setup on Single Switch:
are also not tagged as being VLAN 70. That seems concerning.
how exactly are you seeing these? sniffing on with say pfsense for vlan 70 in packet capture would not show the tag.
You would need to use tcpdump or on the parent in promiscuous mode in the gui..
So for example I have a igb2 with native untagged network and vlan 4 and vlan 6 riding on it.. If I sniff on the parent in packet capture, set to full details. I can see untagged traffic and vlan 4 and vlan 6 traffic.
Here is small snip
14:22:18.938762 00:08:a2:0c:e6:20 > a8:1b:6a:24:ec:26, ethertype 802.1Q (0x8100), length 70: vlan 4, p 0, ethertype IPv4, (tos 0x0, ttl 237, id 10371, offset 0, flags [DF], proto TCP (6), length 52) 18.232.219.54.8883 > 192.168.4.81.39146: Flags [.], cksum 0x2717 (correct), seq 1, ack 1, win 425, options [nop,nop,TS val 4065030919 ecr 133836713], length 0 14:22:18.985750 0c:51:01:8c:19:ae > 00:08:a2:0c:e6:20, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.2.253 tell 192.168.2.200, length 46 14:22:19.168749 00:08:a2:0c:e6:20 > 18:db:f2:3e:44:ce, ethertype 802.1Q (0x8100), length 182: vlan 6, p 0, ethertype IPv4, (tos 0x0, ttl 54, id 19259, offset 0, flags [DF], proto UDP (17), length 164) 64.43.241.202.4500 > 192.168.6.142.52559: [udp sum ok] UDP-encap: ESP(spi=0x214629e8,seq=0x2947), length 136 14:22:19.187563 d4:a6:51:d1:a2:8a > 00:08:a2:0c:e6:20, ethertype 802.1Q (0x8100), length 127: vlan 4, p 0, ethertype IPv4, (tos 0x0, ttl 255, id 29915, offset 0, flags [none], proto TCP (6), length 109) 192.168.4.58.61343 > 52.12.196.80.8886: Flags [P.], cksum 0xca2b (correct), seq 484189:484258, ack 2631772778, win 3828, length 69where you can see untagged the 192.168.2 stuff, and then vlan 4 and 6 192.168.4 and 192.168.6 traffic.
-
Sorry i first noticed now , that i could scroll in the top post network diagram.
Missed that.You have a Netgear GS748T.
Even though i'm not a fan of Netgear , i find it hard to beleive that it can't do basic tagging correct.
For the Linux sniffer port , you'd want to use the mirror port function in the switch. And decide if it should mirror the Solaris switchport or the pfSense switchport. The mirror function would copy every frame from the source port to the mirror port. And then Wireshark won't miss a single bit.
Edit: Seems like you might be able to use multiple source ports
https://www.downloads.netgear.com/files/GS748T_UM_30Oct07.pdf
Pg. 53
-
@bingo600 said in Tagged VLAN Setup on Single Switch:
i find it hard to beleive that it can't do basic tagging correct
Same here, I have used netgear now and then over the years, and have never seen any problems with tagging. I don't have any experience with that specific model. But it sure isn't an entry level model ;) Not at 48 ports..
