Netgate 6100

Gerry26500

Hi, I switched from SG1100 to SG6100 and I m having a hard time to get the trunk working.
See attached screenshot.
I created a bunch of vlan and added the interfaces on igc0 (Lan port)
My understanding was that should create a trunk and allow those vlan to pass.
The config on the switch connected to the lan port is
interface gigabitethernet1
description uplink-FW
switchport trunk allowed vlan add 10,20,30,40

Do you have any idea what I am doing wrong ?
Thanks

keyser

@gerald26500 Seems right if there is no intention to use the native VLAN on the switch trunk, and consequently not use the Interface named LAN in your pfSense config.
If it was me, I would make VLAN 10 native on the switch Trunk, and call your currently marked LAN interface LOCAL instead.
(And make no VLAN 10 interface). That way you do not have a stranded LAN interface.

Are you sure you are linking the switchport to the correct LAN port on the 6100? As far as remember it’s the one named LAN1 on the backside.

Gerry26500

@keyser Thanks for the input.
the LAN interface actually have a IP (10.10.70.1) which is the management vlan and the native vlan on the switch.
Yes I am connected to LAN1
Do you think it would work if I assigned all the vlan to igc1 (port LAN2 on the backside)?

keyser

@gerald26500 Okay - that is kind of weird. That should work just fine then. How are you diagnosing the “problem”? Is it perhaps a lack of firewall rules to allow any traffic on the VLAN interfaces?

keyser

@gerald26500 said in Netgate 6100:

Hi, I switched from SG1100 to SG6100 and I m having a hard time to get the trunk working.
See attached screenshot.
I created a bunch of vlan and added the interfaces on igc0 (Lan port)
My understanding was that should create a trunk and allow those vlan to pass.
The config on the switch connected to the lan port is
interface gigabitethernet1
description uplink-FW
switchport trunk allowed vlan add 10,20,30,40

Do you have any idea what I am doing wrong ?
Thanks

Ohh, just read your switch config again. There is no “switchport mode trunk” statement. Depending on the switch you might also have to declare the “switchport mode trunk encapsulation dot1q” statement. With that config (again depending on the switch) the port is still in access mode, and only your management VLAN is up (untagged). You would need to use the native vlan statement to have your management VLAN native on the trunk.

Gerry26500

@keyser said in Netgate 6100:

500 Okay - that is kind of weird. That should work just fine then. How are you diagnosing the “problem”? Is it perhaps a lack of firewall rules to allow any traffic on the VLAN interfaces?

yes , it is weird , I was convinced that I had the right config.
I have allow any on each VLAN for the FW rule (As I thought too that it could be the issue)
I cannot ping any gateway from any device .. as if the routing or the trunk wasn't working.

keyser

@gerald26500 Did you see the second post I made before your reply?

Gerry26500

@keyser said in Netgate 6100:

would need to use the native vlan statement to have your management VLAN native on

Yeah , it;s one of those old cisco switch , even though I enter the command it won't show up .
It was working fine with the SG1100 ./. I am so confused
homenet-sw1(config-if)#int gi1
homenet-sw1(config-if)#switchport mode trunk
homenet-sw1(config-if)#
homenet-sw1(config-if)#
homenet-sw1(config-if)#exit
homenet-sw1(config)#do sh run int gi1
interface gigabitethernet1
description uplink-FW
switchport trunk allowed vlan add 10,20,30,40,60,99
switchport trunk native vlan 70
!
homenet-sw1(config)#

keyser

@gerald26500 I can’t quite remember those old cisco’s, but you might need to make the statement as follows:
Switchport mode trunk encapsulation dot1q

I think there was some very early models where it dit not work with standard dot1q equipment without that statement.

Edit: and i think you need to add vlan 70 to the allow list as well

keyser

@gerald26500 Last but not least - have you tried rebooting the sg-6100? I have from time to time seen config changes that would not “engage” before the box was rebooted. especially around interfaces.

Gerry26500

@keyser
My switch OS version doesn't take "encapsulation dot1q" .. pls the trunk was working before.
I just restarted the SG6100 and still the same.

If I connected directly to it "bypass the switch" I can't even access internet.. there is a routing issue on the 6100.
I can't even ping the other interfaces IPs (even though the rules for each vlan is allow * *

Could you please confirm that enabling the interface and adding an IP to it creates a route for that subnet.

so basically WAN is connected outside (works fine, it gets an IP , no need to touch the FW rule for that)
then I have LAN port enable , with an IP in the Native vlan subnet
then few vlans, each created/associated under that LAN port, each with an IP on the interface.

Thanks again for your time

keyser

@gerald26500 said in Netgate 6100:

@keyser
My switch OS version doesn't take "encapsulation dot1q" .. pls the trunk was working before.
I just restarted the SG6100 and still the same.

If I connected directly to it "bypass the switch" I can't even access internet.. there is a routing issue on the 6100.
I can't even ping the other interfaces IPs (even though the rules for each vlan is allow * *

Could you please confirm that enabling the interface and adding an IP to it creates a route for that subnet.

so basically WAN is connected outside (works fine, it gets an IP , no need to touch the FW rule for that)
then I have LAN port enable , with an IP in the Native vlan subnet
then few vlans, each created/associated under that LAN port, each with an IP on the interface.

Thanks again for your time

I can confirm assigning an interface, enabling it and giving it an IP creates the needed routing to access WAIN (and the other interfaces if firewall rules allow).

Your issue sounds almost as if the machine you are pinging from does not belong to the IP subnet of the interface it’s connected to (de facto isolated). Does your client get a DHCP IP from the DHCP server in pfSense, or have you given it a static Ip yourself? If so, my guess is you entered it wrong, or gave a wrong subnet/default gateway.

keyser

@gerald26500 In fact, if you can ping the default gateway from the client, but nothing else, my guess is your subnet mask or default gatway is wrong on the client.

Gerry26500

@keyser Very strange , my client is getting the IP and subnet throught DHCP from the LAN interface
I am getting 10.10.70.10 (because my DHCP range is 10 to 100) mask 255.255.255.0 (because I chose /24) and gateway 10.10.70.1

I am that close to factory reset yet again and start over with no vlans no subnets etc .. maybe i just got a defective box :(

Gerry26500

@keyser Oh man , I feel so stupid.
Il all FW rules I had IPV4 TCP ... instead of IPV4 *
so all good now
I really appreciate your help though !
Thanks!

keyser

@gerald26500 said in Netgate 6100:

@keyser Oh man , I feel so stupid.
Il all FW rules I had IPV4 TCP ... instead of IPV4 *
so all good now
I really appreciate your help though !
Thanks!

Those things happens to all of us. As Long as it works as intended all is good