VLANs setup properly?

terry.c

Hi guys,

Having trouble with vlans. I succesfully configured initial vlan during setup, but any other one's wont work. I've watched numerous video and checked out the netgate book... am I missing something, any help would be appreciated. heres the sutup:

WANvlan10
lan default

interface/VLANs add vlan, lan interface, assign #20
interface/ interface assignements, select created vlan, add
select vlan20, enable, static ipv4, assign ipv4 other than vlan10 (192.168.2.1), save

firewall/rules
vlan20
add action pass, interface vlan20, address family ipv4+ipv6, protocol any, save.

default vlan1: port1U, port2U, port3X, port4U, port5X
Switch setup: vlan10WAN, port1T(pfsense), port2T(pc), port3T(dirty), port4T, port5U(internet)
vlan20: port1U, port3U

thanks!

viragomann

@terry-c
Without tagging the packets for VLAN20 on the switch port, which is connected to pfSense, you won't get any joy.

terry.c

@viragomann vlan1 seems to be the same on the switch as 20, what am i missing?

Gertjan

@terry-c said in VLANs setup properly?:

vlan1 seems to b

Never actually used VLAN, but I'm pretty sure : whatever number you chose, don't chose "1" as a VLAN id.

terry.c

@gertjan i seen that as well, i just tried routing everything through 5 vlans but that didnt work, went back to using 1. maybe if i figure this out i can take advantage of that hardening best practice.

Jarhead

@terry-c
The difference between 1 and 20 is 1 is your pvid, so it's untagged. Any additional vlans need to be tagged.
In your switch, find the pvid setting and change it to another vlan id. This could result in loss of access to switch, so what I do is change it on every port except the port you' managing it from. Then set an IP for the new vlan. Connect to a port on the new vlan and verify you can access it. If you can, change the pvid on the last port.
That will get rid of vlan 1.

Then as stated above, you need to tag the new vlan on the switchport connected to your router. That port should be in "trunk" mode.
Then untag that new vlan on another port. Set the pvid on that port to the new vlan id.
Plug a pc into that port and it will be on the new vlan.

terry.c

This post is deleted!

terry.c

This post is deleted!

terry.c

@jarhead I tried a few configurations with the info you provided. here's what seems to be working, although VLAN30 laptop doesn't seem to be switching over at this time. I restarted the switch and laptop, checked all settings, pfsense, and switch a few times, all is the same. Not sure what's up with that... Any idea why LAN says there's activity even though nothing is routed there?

Jarhead

@terry-c I don't understand your drawing.
Post a screenshot of your switch vlan config.
Use "snipping tool" if you're using windows.

milew

@terry-c
Do you have one or two interfaces in your pfsense?

For one interface try this
Flowchart

terry.c

@jarhead here's screenshots of the setup.

viragomann

@terry-c
Any specific reason for having port 1 configured with PVID10?

VLAN10 is your WAN as I got you and port 1 has it tagged. As well it should be tagged in pfSense. So there is no need for PVID.

terry.c

@viragomann not really sure how to connect this. I'v tried a bunch of different ways. At this time if I untag port 1 from 10 I lose pfsense. Anybody have a really good example or explanation of tagged and untagged. I think I have it figured out, then it doesn't work with 2 devices. Only one vlan will work. Really confused and shocked at how difficult this is. lol

viragomann

@terry-c
untagged VLAN10 != PVID10

The switch gives you 3 way to assign a port to a VLAN.
tagged: outgoing packets on the port are tagged
untagged: outgoing packets are untagged
PVID: incoming packets get tagged

I requested you to remove the PVID from port 1. Port 1 is the trunk port to pfSense = all VLANs tagged. I.e. all outgoing packets are tagged with the respective VLAN IDs. Incoming packets must not get tagged, because they are already.

Jarhead

@terry-c said in VLANs setup properly?:

@viragomann not really sure how to connect this. I'v tried a bunch of different ways. At this time if I untag port 1 from 10 I lose pfsense. Anybody have a really good example or explanation of tagged and untagged. I think I have it figured out, then it doesn't work with 2 devices. Only one vlan will work. Really confused and shocked at how difficult this is. lol

Think of it like this, if you have a tagged vlan on an interface, whatever you plug into that interface also needs to be tagged.

Why are you using a vlan on the WAN?

There should be a third option on the vlans, tagged, untagged and "no". ie excluded, not allowed, something like that. If a vlan isn't being used on a port, set it to excluded on those ports.

All vlans are assigned to LAN as parent in pfSense, correct?

terry.c

@jarhead Hi, thanks for following up. I appreciate it. I contacted the switch manufacturer for a 3rd time and finally figured it out. lol. there was a few things i was doing wrong, plus the support tech kind of led me in the wrong direction.

Thanks again!!