Cant ping vlan on pf sense from any device?
-
@travelmore As I showed vlan 1 untagged, this is your lan.. And vlan 20 Tagged (1U, 20T).. In cisco lan this is a trunk port. Not an access port..
If you do not understand what tagged or untagged vlan is - you're going to have a really hard time working with vlans..
sg300-10#sho vlan
Created by: D-Default, S-Static, G-GVRP, R-Radius Assigned VLAN, V-Voice VLAN

Vlan       Name           Tagged Ports      UnTagged Ports      Created by
---- ----------------- ------------------ ------------------ ----------------
 1           1                                                      V
 2          Wlan              gi9               gi8                 S
 3          DMZ             gi2,gi9             gi7                 S
 4          W_PSK            gi8-9                                  S
 6          W_Guest          gi8-9                                  S
 7          W_Roku           gi8-9            gi2,gi6               S
 9           9                               gi1,gi3-5,gi9-10,      D
                                                 Po1-8
 10        disabled                                                 S

sg300-10#sho run int gi9
interface gigabitethernet9
 description "Uplink sg300-28"
 switchport trunk allowed vlan add 2-4,6-7
!
sg300-10#sho run int gi8
interface gigabitethernet8
 flowcontrol on
 description "UAP-AC-Lite (Kitchen)"
 switchport trunk allowed vlan add 4,6-7
 switchport trunk native vlan 2
!
sg300-10#
On port 8 I have native vlan 2 set because this is the vlan my APs are on for management, which is untagged. I talk to the switches on vlan 9. You see that is untagged on port 9, which is the port that connects to my upstream switch sg300-28, that is connected to my pfsense.
If you put the port that connects through the dumb switch to your netgear only on vlan 20, how would you talk to the switch via default vlan 1 which is your lan network..
-
@johnpoz After what you mentioned about trunk port instead of access, I made the following changes below. Please see the cmds typed in the screenshot. Hopefully, that is correct.
On my cisco switch, port 8 is the AP that is plugged in. On port 1 is the cable that connects from my cisco switch to my dumb switch.
Here are some more settings of my cisco switch currently.
Yes, I agree I have more reading / learning to do w/ tagged & untagged. What do I need to fix, or is that correct?
My normal ssid wireless is acting weird after making those changes, not allowing things to connect etc. So I am not sure if adding the vlan to the cisco switch made it worse or not.
I went to check my APs and it seems like something is off. See the screenshots below. I am not sure what needs to be fixed.
-
@travelmore where is 192.168.0 ??
I thought your lan was 192.168.1/24
Why would your AP be on a 192.168.0 network?
From your cisco - you have 20 trunk only on port 8, how does vlan get to this switch from your pfsense??? What are you not understanding about this?
pfsense - 1U,20T -- netgear -- 1U,20T -- dumbswitch -- 1U,20T - cisco -- 1U,20T -- AP
Your lan is native and untagged.. 192.168.1.x this would be the default vlan on your switch.. You then tag vlan 20 on same lan interface re0.. So your switch that connects to pfsense lan interface would need to be vlan 1 untagged. Vlan 20 tagged.
Now as you pass this traffic to your cisco.. Again vlan 1 untagged and tagged vlan 20.. Your dumb switch is stupid he doesn't know anything about tags, but you still have to tag the traffic as it gets sent to your dumb switch.. Then as it enters the cisco, the cisco needs to know that untagged traffic is vlan 1, and that tagged traffic on 20 goes where, etc..
So on the port your AP is connected to, vlan 1 would be untagged, and vlan 20 would be tagged.
Just at a loss to where/why your APs are on this 192.168.0 network?? Yeah that isn't going to work..
-
@johnpoz Okay, good catch. That is weird. I scrolled up and looked at the pics and they do show the 192.168.1 address. I didn't change anything in those settings; the only thing I did was change those commands on the cisco switch.
How does something like that even change?
-
@travelmore did you manually set IPs on your AP.. If not then they get their IP via dhcp.. So what dhcp server on vlan 1 do you have handing out a 192.168.0.x address??
-
@johnpoz That's the thing, I didn't mess w/ the APs at all. The only thing I did after we figured out that disabling and re-enabling that vlan20 on the pf sense fixed our issue and I could then ping the 20.1 vlan, then I changed the settings on the cisco, and ever since then I can't remote into the cisco switch and stuff w/ the APs started acting wonky.
So to answer your question, what DHCP server on vlan 1 do I have handing out 192.168.0.x addresses: I don't, everything comes from PF sense and from what I can tell there isn't anything in a 168.1 address.
I looked in my routes on pf sense and I don't even see a 168.1.
So I used IP scanner and I found this:
I didn't plug any new device in today, and I checked my netgear switch is still good. I have no clue where that device is or how it even got plugged in, because no one plugged anything like that in. But that device in the pic even shows it's like not on. I pulled the power on my cisco switch. Maybe that will help once it reboots.
In unifi, on networks, there was a setting that said global switch settings, and DHCP snooping was enabled. I unchecked that box. Maybe that was it.
-
@travelmore Again, the problem with vlan20 was that you never applied the changes you made. You can't just click save and think you're done, you have to then click "apply changes" to actually apply them. Bouncing the port is what actually applied the changes.
You have a netgear router running dd-wrt somewhere on your network. Probably using it as an AP only but the dhcp server on it is enabled.
Find that mac address. Do a sh mac add on the cisco and see what port it shows up on.
If that doesn't work, disconnect things until the dhcp server stops giving out addresses and locate from there.
-
@jarhead hey I will but I just tried plugging into my Netgear switch and I can't even connect to it. I am on my phone on mobile typing this out. I unplugged said device but still nothing.
I am at a loss. When I did the Cisco commands on the switch as shown above I did write to save the changes, so I don't know what happened. The only thing plugged in and on is my pihole, modem, pfsense PC, switches and APs that went rogue.
I can get into my pihole via directly and see it's still live and not handing out dhcp.
I can ping my pf sense box from there.
I rebooted pf sense and it's fine I can still ping it from my pihole. My pihole can ping my pfsense ip and the pf sense vlan20 up, just fine.
Now I am not sure what to type in the switch that needs to be looked at or done.
There is no rogue device on my network but I did see a frontier said pop up last night that I'm wondering if it is interfering (doubtful but one can hope).
I rebooted the switch last night.
What commands should I even type in the Cisco switch at this point? I can't connect to wireless devices or plug into my Netgear switch and connect to anything, it just shows connected then says no internet.
I can connect to my Netgear via ip when plugged into the switch but it doesn't show that I have a hardwired connection.
Edit: I just called the isp and there is an outage in my area and they said it started late last night and don't know when it will be fixed or what caused it.
-
@travelmore said in Cant ping vlan on pf sense from any device?:
shown above I did write to save the changes so I don't know what happened.
A command on a switch is instant, now if you rebooted the switch before you wrote those to mem, then it would load its previous saved config.
To your netgear config.. You show you had its port 8 tagged on 20.. Any device connected to that port would have to be set to understand the tag.
What did you have the pvid set on port 8 of your netgear? If 20, then untagged traffic entering the port would be vlan 20. But traffic leaving the port towards your device would be tagged 20, and your device would need to understand that tag..
-
@johnpoz hi, currently, I cannot connect to wireless, nor can I connect to internet hard wired from my switch.
Earlier the ISP said they had an outage, which is fine, but I am trying to still get this resolved or at least make sure I have everything configured correctly. The ISP still has the outage but I am trying my best to get this fixed on my end. Forgive me, I don't understand your question about what I had setup on port 8 on my Netgear. Port 4 is what pf sense plugs into on my Netgear. Port 8 is just a PC for testing purposes and currently right now for connecting to the switch to view the settings.
The current setting on my Netgear is exactly the same pic you shared in the last post. I am sorry I can't upload pics from my phone for some reason.
The Cisco switch has the same settings as the last recent post with it, where it showed trunk access etc. The specific post was I believe 6:15pm yesterday, where I started off the post stating "after what you mentioned about trunk port... etc"
That post shows my current Cisco config settings. If something from that needs to be changed or checked I'll gladly connect and try to adjust it if I know the commands needed, but unfortunately I can't upload a picture. Thank you for your patience and help with this as I am still trying to work my way through this. I tried resetting the access points and that didn't seem to help anything.
I'm at a loss honestly and am trying to confirm the Netgear switch and Cisco switch are properly configured, then see what needs to be fixed.
Idk what to do next. I've been at this for a while and it's hard to only type this on my phone.
-
@travelmore said in Cant ping vlan on pf sense from any device?:
Port 8 is just a PC for testing purposes and currently right now for connecting to the switch to view the settings.
How would that work with vlan 20 tagged... Did you tell the pc to look for a tag?
Just at a loss to what you're not getting.. What is confusing about this??
pfsense - 1U,20T -- netgear -- 1U,20T -- dumbswitch -- 1U,20T - cisco -- 1U,20T -- AP
This shows you exactly what the ports on pfsense or switch connected should be set for.
Pfsense lan is native untagged.. this would be vlan 1 on your switch... So the port connected to pfsense, port 4 on your netgear, should be vlan 1U, 20T and pvid should be 1 as well.
Port on your netgear that will end up on your cisco, same way: 1U, 20 tagged..
Port that connects to your dumb switch on cisco, in cisco world this would be a trunk, and you would allow the vlans you want, 20.. pvid still 1.. nothing to change there.
Port that connects to your AP on your cisco, again same thing: vlan 1 untagged, vlan 20 tagged, this is a trunk on cisco..
What are you not understanding - so I can come at it a different way.. This is pretty basic stuff here.. If there is no tag, this is a native vlan on a switch.. Normally 1 for example is the default for switches. You can only have 1 untagged vlan on a port. If you carry another network it has to be tagged.
For vlan 20 traffic to get from pfsense to your cisco you have to have all the physical ports that connect the switches set to understand that 20 is tagged, not tagged is vlan 1, etc.
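As an added example (not part of this thread or anyone's post in it), a small Python model of the port rules described above: the PVID classifies untagged ingress, U/T membership decides egress, and the dumb switch is not a hop because it repeats frames unchanged. It walks the 1U,20T chain to the AP, an AP port put on vlan 20 only, and the netgear port 8 PVID 20 + 20T case from the earlier post. The frame bytes, the Port class and its ingress-filtering rule (a tag for a non-member vlan is dropped) are assumptions of the model, not any vendor's implementation.

```python
import struct

TPID = 0x8100  # 802.1Q Tag Protocol Identifier

def tag(frame, vid):  # insert an 802.1Q tag (priority 0) after the two MAC addresses
    return frame[:12] + struct.pack("!HH", TPID, vid & 0x0FFF) + frame[12:]

def vlan_of(frame):  # VLAN ID from the 802.1Q header, or None if the frame is untagged
    if struct.unpack("!H", frame[12:14])[0] == TPID:
        return struct.unpack("!H", frame[14:16])[0] & 0x0FFF
    return None

def untag(frame):
    return frame[:12] + frame[16:] if vlan_of(frame) is not None else frame

class Port:  # modelled port: PVID classifies untagged ingress; U/T membership decides egress
    def __init__(self, pvid, untagged=(), tagged=()):
        self.pvid, self.untagged, self.tagged = pvid, set(untagged), set(tagged)

    def ingress(self, frame):
        vid = vlan_of(frame)
        if vid is None:
            return self.pvid                        # no tag -> native vlan (PVID)
        return vid if vid in self.tagged else None  # tag for a non-member vlan -> drop

    def egress(self, vid, frame):
        if vid in self.untagged:
            return untag(frame)                     # leaves without a tag
        if vid in self.tagged:
            return tag(untag(frame), vid)           # leaves carrying the tag
        return None                                 # port is not a member -> drop

def forward(hops, frame):
    """Push a frame through (ingress, egress) port pairs. The dumb switch is not
    a hop: it repeats the frame byte-for-byte, tag included."""
    for inp, outp in hops:
        vid = inp.ingress(frame)
        frame = outp.egress(vid, frame) if vid is not None else None
        if frame is None: return None
    return frame

TRUNK = dict(pvid=1, untagged={1}, tagged={20})  # "1U,20T" with PVID 1 (cisco trunk)
FRAME = bytes.fromhex("001122334455 66778899aabb 0800") + b"ping"  # constructed LAN frame

def lan_and_vlan20_to_ap():  # netgear + cisco both 1U,20T: LAN stays untagged, 20 stays tagged
    path = [(Port(**TRUNK), Port(**TRUNK)), (Port(**TRUNK), Port(**TRUNK))]
    return vlan_of(forward(path, FRAME)), vlan_of(forward(path, tag(FRAME, 20)))

def ap_port_only_vlan20():  # cisco AP port a member of vlan 20 only: untagged LAN frame is dropped
    return forward([(Port(**TRUNK), Port(pvid=20, untagged={20}))], FRAME)

def pc_on_netgear_port8():  # port 8 as PVID 20 + 20T: PC's untagged frame enters vlan 20,
    p8, uplink = Port(pvid=20, tagged={20}), Port(**TRUNK)  # but the reply leaves it tagged 20
    out, back = forward([(p8, uplink)], FRAME), forward([(uplink, p8)], tag(FRAME, 20))
    return vlan_of(out), vlan_of(back)
```

The last function returns (20, 20): the PC's traffic does reach vlan 20, but every reply arrives at the PC with the tag still on it, which is exactly why a PC that was not told to look for tag 20 sees nothing.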