VLANs setup properly?
-
@gertjan i seen that as well, i just tried routing everything through 5 vlans but that didnt work, went back to using 1. maybe if i figure this out i can take advantage of that hardening best practice.
-
@terry-c
The difference between 1 and 20 is 1 is your pvid, so it's untagged. Any additional vlans need to be tagged.
In your switch, find the pvid setting and change it to another vlan id. This could result in loss of access to switch, so what I do is change it on every port except the port you' managing it from. Then set an IP for the new vlan. Connect to a port on the new vlan and verify you can access it. If you can, change the pvid on the last port.
That will get rid of vlan 1.Then as stated above, you need to tag the new vlan on the switchport connected to your router. That port should be in "trunk" mode.
Then untag that new vlan on another port. Set the pvid on that port to the new vlan id.
Plug a pc into that port and it will be on the new vlan. -
This post is deleted! -
This post is deleted! -
@jarhead I tried a few configurations with the info you provided. here's what seems to be working, although VLAN30 laptop doesn't seem to be switching over at this time. I restarted the switch and laptop, checked all settings, pfsense, and switch a few times, all is the same. Not sure what's up with that... Any idea why LAN says there's activity even though nothing is routed there?
-
@terry-c I don't understand your drawing.
Post a screenshot of your switch vlan config.
Use "snipping tool" if you're using windows. -
-
@jarhead here's screenshots of the setup.
-
@terry-c
Any specific reason for having port 1 configured with PVID10?VLAN10 is your WAN as I got you and port 1 has it tagged. As well it should be tagged in pfSense. So there is no need for PVID.
-
@viragomann not really sure how to connect this. I'v tried a bunch of different ways. At this time if I untag port 1 from 10 I lose pfsense. Anybody have a really good example or explanation of tagged and untagged. I think I have it figured out, then it doesn't work with 2 devices. Only one vlan will work. Really confused and shocked at how difficult this is. lol
-
@terry-c
untagged VLAN10 != PVID10The switch gives you 3 way to assign a port to a VLAN.
tagged: outgoing packets on the port are tagged
untagged: outgoing packets are untagged
PVID: incoming packets get taggedI requested you to remove the PVID from port 1. Port 1 is the trunk port to pfSense = all VLANs tagged. I.e. all outgoing packets are tagged with the respective VLAN IDs. Incoming packets must not get tagged, because they are already.
-
@terry-c said in VLANs setup properly?:
@viragomann not really sure how to connect this. I'v tried a bunch of different ways. At this time if I untag port 1 from 10 I lose pfsense. Anybody have a really good example or explanation of tagged and untagged. I think I have it figured out, then it doesn't work with 2 devices. Only one vlan will work. Really confused and shocked at how difficult this is. lol
Think of it like this, if you have a tagged vlan on an interface, whatever you plug into that interface also needs to be tagged.
Why are you using a vlan on the WAN?
There should be a third option on the vlans, tagged, untagged and "no". ie excluded, not allowed, something like that. If a vlan isn't being used on a port, set it to excluded on those ports.
All vlans are assigned to LAN as parent in pfSense, correct?
-
@jarhead Hi, thanks for following up. I appreciate it. I contacted the switch manufacturer for a 3rd time and finally figured it out. lol. there was a few things i was doing wrong, plus the support tech kind of led me in the wrong direction.
Thanks again!!
