Netgate 2100 - setup question

SteveITS

@netboy One can separate/isolate switch ports on a 2100. I have one and have done it (and, side note, undone it). You need to use VLANs as directed to do it. You’re trying to do an extra step and put two on the same VLAN. So something like:

Port 1 - unchanged
Port 2 - unchanged
Port 3 - VLAN 4093
Port 4 - VLAN 4093

Correct? Nothing you plug in needs to know about VLAN 4093.

netboy

@netboy This is my understanding so far....

Define two VLANS

• VLAN1: 192.168.0.XXX (Range 192.168.0.50 to 192.168.0.100)

• VLAN2: 176.16.0.XXX (Range 176.16.0.50 to 176.16.0.100)
  LAN1 & LAN2

• Assign ports to VLAN1: For VLAN1 remove ports LAN3 & LAN4 but include and "UNTAG" ports LAN1 AND LAN2

• Assign ports to VLAN2: For VLAN2 remove ports LAN1 & LAN2 but include and "UNTAG" ports LAN3 AND LAN4

• Setup firewall rules so that VLAN1 traffic can flow to VLAN2 but not vice versa and ensure both VLAN1 and VLAN2 can access the internet

Have I understood the setup? Something similar to youtube video.

stephenw10

Yes. You can do that and you don't need any separate managed switches to do it. As Steve said the VLANs are all internal to the 2100 so no problem there.

Steve

SteveITS

@netboy I'm not very well caffeinated yet, but you only want two networks, correct? So you only need one VLAN. The base-not-configured ports are all one interface out of the box because it's a switch. You're trying to separate two of them.

Or if you follow Ryan's linked directions to the letter to isolate one port, and plug in a cheap 5 port switch, you'd have 3 ports +4 (1->4 remaining switch) ports.

netboy

@steveits
Now I am trying to implement my idea and seek help.

I have changed my default IP for router from 192.168.1.1. to 192.168.0.1.

Can somebody show me screenshots to achieve the following:

• Create 2 subnets 192.168.0.XXX & 172.16.0.XXX

• Assign physical port LAN 1 & 2 to 192.168.0.XXX and assign physical port LAN 3 & 4 to 172.16.0.XXX

Please note that I do not use VLAN's - The idea is to connect LAN 1 & 2 to unmanaged switches and so is LAN 3 & 4 to another set of unmanaged switches.

I want to take baby steps as I go so that I can get help from this forum. Thanks

SteveITS

@netboy LAN is already assigned to 192.168.0.1 so ports 1 and 2 are done.

If you follow https://docs.netgate.com/pfsense/en/latest/solutions/netgate-2100/configuring-the-switch-ports.html that will isolate port 4 and you can assign it 172.16.0.1. I would start with that, and worry about port 3 in a second step.

netboy

@steveits Hey steveits, I have created the port 4 as per the url you provided. Now I want this to apply to port 3 as well. Can you kindly let me know how I go about doing this? Do I follow identical process for port 3 as well - I basically want port 3 and 4 on the same subnet 172.16.0.1/24

netboy

@netboy

My guess is based on the screenshot above:

• edit VLAN group 0 and REMOVE 3

• edit VLAN group 1 and ADD 3

Will the above work? The idea is to make 3 & 4 in subnet 172.16.0.1/24

stephenw10

Yes, do that and also change the PVID on port 3 to 4084 to match port 4.

Steve

netboy

@stephenw10
Thank you.
This is how it looks now:

Does the above sound OK ?

netboy

@netboy As soon as I did the above my Web GUI is VERY SLOW (I was trying to apply static address to certain MAC addresses). Has the port / switch configuration messed up something?

stephenw10

Yes, that's correct for the switch config.

As long as you have the mvneta1.4084 VLAN interface also configured and assigned it should work as expected.

Steve

netboy

@stephenw10
Get the following message:
Hmmm… can't reach this page
192.168.0.1
took too long to respond

netboy

@netboy

This is what I have

netboy

@netboy Definitely something is wrong... the web GUI is very slow......Any suggestions?

netboy

@netboy When I removed the ethernet jack from port 3 the web gui works normal. Is there something I am missing in configuring port 3?

rcoleman-netgate

@netboy What was plugged into port 3 exactly? And if it was a switch what was THAT plugged in to?

What it sounds like to me, after a quick glance over the thread, is you might have a loop going -- your main network feeding back into the new VLAN... but that's just an educated guess.

stephenw10

Yes, if you had the switch connected to ports 3 and 4.
The switch in the 2100 does not support STP to prevent that.

Steve

netboy

@stephenw10 What is STP? Yes port 3 and port 4 are connected to "separate" unmanaged switches so that anything connected to the switch has the 172 subnet.

This was my idea right from beginning.

Are you telling me that I cannot connect any switch to port 3 and 4?

Please note that port 3 is disconnected right now and port 4 is connected to a unmanaged switch. This configuration does not choke up web GUI but once I connect port 3 to a switch the web GUI chokes up.

Kindly advice

rcoleman-netgate

@netboy said in Netgate 2100 - setup question:

What is STP?

Spanning Tree Protocol.

If you have a link from one network going into another, it cannot detect that and mitigate the cross-talk.

You can connect a switch to those ports, yes, but I was asking you what the rest of those are connected to -- is it possible that one of those switches is connected to port 1 or 2?