PFsense with VLANs > Brocade switch > Devices and Unifi Controller/APs

dabdad

Hello,
I'm having an issue with my tagged VLAN ports. they are not receiving an IP from pfsense.
Wifi devices on appropriate tagged WIFI SSID are also not receiving IPs as well.
LAN works fine with no issues at all.
Brocade switch model: ICX6450-48P

I'm running pfsense on a HyperV VM.
Box has a 2 port ethernet pcie card, WAN(hn1) and LAN(hn0)
WAN(hn1) goes to the ISP Modem.
LAN(hn0) goes to the Port 25 on the Brocade switch

LAN - 192.168.1.1/24
VLAN 6 - 172.16.69.1/24
VLAN 5 - 192.168.3.1/24

Interface assignments:

VLAN 6:

VLAN 5:

DHCP server for VLAN 6:

DHCP server for VLAN 5:

Firewalls are wide open:

hn0 is plugged into port 25 on Brocade switch
Ports 1 - 24 are tagged for VLAN 6
Ports 46 and 47 are tagged for VLAN 5
Port 25 is set for "dual"/Trunked for all VLANs
All other ports are untagged

Unifi Networks are set up accordingly:

The wireless networks are on their appropriate 'network' to receive the correct tagged IP:

I cant for the life of my figure out why my tagged VLAN ports and WIFI SSID's are not getting an IP.
I tried manually setting an IP on my PC with no luck as well..
Any assistance is appreciated.

keyser

@dabdad Your issue is VERY likely that tagged VLANs are either not passed/configured or allowed on the Hypervisor (Hyper-V).
Everything else looks fine, but if Hyper-V does not pass the tagged VLANs your problem will exibit what you are seeing now.

flat4

I my me be wrong but you also need a statement in the switch telling it where to look for the DHCP server

i.e
conf t
int vlan 31
ip helper-address 10.2.20.20

Jarhead

@dabdad said in PFsense with VLANs > Brocade switch > Devices and Unifi Controller/APs:

I cant for the life of my figure out why my tagged VLAN ports and WIFI SSID's are not getting an IP.

Because they're tagged. They should be untagged.
You only tag a port if it's connected to another tagged port.
So unless you tag all of your devices (ie pc's), you need untagged ports.

AndyRH

@jarhead I am not sure this is correct. I cannot untag any of my ports (Aruba switch). I set the native VLAN so untagged hosts have some help getting the packet to the right place.
My setup is not that different from the OP. More than one SSID, each on a different VLAN. Mine is not running as a VM, which others stated might be where the issue lies.

Jarhead

@andyrh If a port is tagged with a vlan, whatever you plug into that port needs to be tagged also. That's not debatable, it's fact.

dabdad

@keyser I added 2 more Network Adapters within HyperV both with the corresponding VLAN tag.

I'm still not getting IP resolution the tagged Ports.

dabdad

@keyser I also adjusted the VLAN parent interface and Interface assignments..

Jarhead

@dabdad So now you have enough physical interfaces, why use vlans at all??
Just assign the IP's to the interface itself and connect them to your switch where the ports would be untagged with each vlan.

AndyRH

@jarhead I guess my switch is different or it is working despite the inability to untag a port. I set it up with advice from the Cisco certified network guys at work.

The PC I am typing this on is on a port in the default (should have renamed it) profile and the PC certainly is not tagged.

What is the purpose of the native VLAN setting? One of my multi VLAN APs has 4 VLANs and the native VLAN is set to my primary VLAN so the dumb switch behind it (the AP has a passthrough port) with it's untagged hosts will be on the primary VLAN.

dabdad

@jarhead I've never had to "tag" a device when plugging it into a tagged port. the device tries for an IP, appropriate routing rules and such direct the traffic for the device to the appropriate DHCP server and gets the appropriate IP per that tagged VLAN and port.

my ports are tagged
my vswitch in hyperv is tagged
VLANs within pfsense are tagged
DHCP server with pfsense for the VLANs are running....

something i missed please let me know..

Jarhead

@jarhead said in PFsense with VLANs > Brocade switch > Devices and Unifi Controller/APs:

@dabdad So now you have enough physical interfaces, why use vlans at all??
Just assign the IP's to the interface itself and connect them to your switch where the ports would be untagged with each vlan.

Those are untagged except for the AP.

Jarhead

@dabdad said in PFsense with VLANs > Brocade switch > Devices and Unifi Controller/APs:

@jarhead I've never had to "tag" a device when plugging it into a tagged port. the device tries for an IP, appropriate routing rules and such direct the traffic for the device to the appropriate DHCP server and gets the appropriate IP per that tagged VLAN and port.

my ports are tagged
my vswitch in hyperv is tagged
VLANs within pfsense are tagged
DHCP server with pfsense for the VLANs are running....

something i missed please let me know..

How about this, connect one of your "vlans" to your switch with that vlan untagged on the port. Then untag that same vlan on another switchport and plug a pc into it. It'll work.
You don't tag a port unless the device being plugged in is tagged also.

dabdad

@jarhead
ok hear me out..
ignore the fact that 'now' there are multiple interfaces..

here is the flow of traffic:
Internet > Modem > pfsense with tagged vswitches > pfsense tagged vlans and dhcp servers > brocade switch with tagged ports(i defined the tagged ports above) >Devices/APs

The goal is:
if i plug a device into the port 12, i get a 172.16.69.x IP.
if i plug a device into port 46, i get a 192.168.3.x ip.
If i plug a device into port 26 i get a 192.168.1.x IP
Currently i get nothing. post 12 and 46 is tagged as i stated in OP.
port 26 works because its untagged and i get the native vlan ip scope with no issues..

Since when do we need to tag a device? ive NEVER in my entire career had to TAG my PC the same as the VLAN.

Jarhead

@dabdad
Now that you have enough interfaces, you don't need vlans in pfSense at all.
Are you using one virtual switch or one per interface?
If one per interface, don't tag anything in the VM.
In your brocade, you would untag the ports you want one of the LANs to be one. I think 1-24 was vlan6? So untag vlan 6 on 1-24. Plug port 24 into the correct pfSense interface for that network. That's it. It's no different than your "normal" LAN".
If you left it as 1 interface with vlans, you tag the trunk port, then untag any ports you want to use for that vlan.

All a vlan does is separate a switch into multiple switches. Why do you think it is any different than any other LAN. All your LAN ports are untagged and they work, right?

dabdad

@jarhead

Im a bit perplexed on how you think this should be setup..
You're saying i need to tag my devices that connect to a port on the switch..which ive never had to do before.
you are also saying to untag my ports..but then how would the appropriate IPs be assigned?
Are you aware that i stated i have a 2 port pcie network card. slot for WAN and slot 2 of LAN?
the additional interfaces are only showing because i added the same vswitch interface with a VLAN on them, therefore PFsense see's these are multiple interfaces...these are NOT physical ports..

Jarhead

@dabdad No, I said if you tag a switchport, whatever you plug into that port needs to be tagged also. So in your original config, you had ports 1-24 tagged. The only way to use those ports would be if your pc's were also tagged.

Google trunk port and access port.
A trunk port carries multiple vlans. The only way to separate those vlans on a single port is by tagging.
An access port carries one vlan, and it's untagged.
Devices like pc's connect to access ports 9 out of ten times, because the pc's interface isn't tagged.

So go back to your original config.
Add the vlans to the LAN. Connect that interface back to port 25. Make port 25 a trunk port with the vlans tagged and your LAN untagged.
Then untag port 1 as vlan6. Plug a pc into it and it will get an IP in vlan6's network.
Providing your vSwitch is correct of course.

dabdad

@jarhead
bruh, i dont think you read my OP completely..
Port 25 is trunked to ALL VLANs.....

Jarhead

@dabdad No, I read it.
You're not understanding how vlans work.
Port 25 is your trunk port. It carries all your vlans to your switch. Once they're there, you don't need any other ports tagged unless you're carrying multiple vlans to another device.
Just untag ports 1-24 and plug a pc into one of them.

dabdad

@jarhead

Devices connected to Untagged ports 26-45(default VLAN 1) get a 192.168.1.x IP.
devices connected to ports 1-24 should get a 176.16.69.x IP..
devices connected to ports 46 and 47 should get a 192.168.3.1 IP..

if i untag port 1, then ill get an IP of 192.168.1.x which is not what we want..

I'm sorry but maybe i'm misunderstanding when you say that my PC needs to be tagged. again ive never had to tag a PC and connect it to a port with the same tag in order for traffic to flow. Pc requests an IP when connected, The switch knows what VLAN its on, it communicates via the Trunked port(25) with that 'tagged' traffic to pfsense, pfsense see the tagged traffic as assigns an appropriate IP..

Please school me, im curious to your methods..