Homelab VLAN Setup Help Needed

Derelict

@junwen Where are you telling the switch it should be allowing tagged VLANs 18 and 28 on the "trunk" ports?

Jarhead

@junwen You need to show the vlan settings and port vlan membership screens.

So basically, if you plug into a trunk port with a pc, you are only connecting to the pvid of that port since your laptop is not tagged with a vlan (unless you did tag it in that case you'll only connect to that vlan), but the good news is you can ping all interfaces so at least they're setup correctly.

The port you have going to pfSense LAN needs to be a trunk, and it needs to have both vlans tagged, 18 and 28, and you can leave the pvid at 1.

Do that and it'll work providing the firewall rules are correct. For now, just copy the default any any from the LAN to both vlan interfaces. Once that works you can adjust them as needed/wanted.

Junwen

Thank you both for the help! That's indeed the issue with the vlan id not tagged in the trunk ports. The cisco video did not show that step for the vlan setup. Everything is working properly now.

Jarhead

@junwen said in Homelab VLAN Setup Help Needed:

Thank you both for the help! That's indeed the issue with the vlan id not tagged in the trunk ports. The cisco video did not show that step for the vlan setup. Everything is working properly now.

You only need 1 trunk port. You put an 's' on the end of it. Guessing you left them as in the picture.
Those switches come with all ports set to trunk. Trunks are only used to carry multiple vlans so if the only port that has multiple vlans is the port going to pfSense, set all other ports to access.
It'll still work if they're trunks but it's uneeded and you'll only be accessing the pvid on those ports anyway.

Just saying this because you said you added the tagged vlans to the trunk port's'.

Derelict

@jarhead Maybe they have other gear like wireless access points.

Jarhead

@derelict said in Homelab VLAN Setup Help Needed:

@jarhead Maybe they have other gear like wireless access points.

Yup, that's why I said this:

@jarhead said in Homelab VLAN Setup Help Needed:

so if the only port that has multiple vlans is the port going to pfSense

Junwen

@Jarhead I sure will follow your networking best practice suggestion when I will deploy the system for actual use. I am still playing around with PFsense features such as NAT and firewall rules.

@Derelict Yes, I have an Unifi AP which is going to be connected to my GuestWIFI network (VLAN 18).

Jarhead

@junwen said in Homelab VLAN Setup Help Needed:

@Jarhead I sure will follow your networking best practice suggestion when I will deploy the system for actual use. I am still playing around with PFsense features such as NAT and firewall rules.

@Derelict Yes, I have an Unifi AP which is going to be connected to my GuestWIFI network (VLAN 18).

If you use the Unifi controller you can use the one AP for all of your vlans. Just trunk the port going to the AP and add the vlans to the controller.
Different SSID's for each vlan.

the other

@junwen
hey is it working now?
I got about the same setup, similar hardware...
In your cisco settings page:

1. go to Display mode in the far right upper corner, set it to advanced.
2. go to VLAN Management
3. go to Interface settings: here make sure to switch your ports to either TRUNK or (the other ones) ACCESS (Trunk is cisco spech for the uplink between router/switch or /switch/switch)
4. go to Port VLAN Membership: here choose a port...
   ...Access Port (iE Port 2 for VLAN 10). Press JOIN VLAN to enter, which VLAN this port should belong to (under Access VLAN ID), leave everything else at it is)
   ...do this for every needed port. If you do not need all ports, set those not needed in INACTIVE mode (can be done later too)
   ...Trunk Port (iE Port 1 for Trunk): here everything should be TAGGED (all VLANs) EXCEPT Vlan1 (untagged)
5. To put a VLAN as either tagged or untagged on an switch interface, got to PORT TO VLAN, here enter (upper field) your VLAN ID, press GO and choose, which Port will either a) carry the given VLAN as tagged b) untagged c) excluded. Make sure (as said) that VLAN 1 on iE Port 1 is untagged, while all others are tagged. For security reasons (later, when everything is running) you can change iE Native VLAN away from VLAN1 and except VLAN 1 (default VLAN) and future native VLAN from any ports.

Make sure to press either the blinking SAFE icon after each step or save under Administration > File Management > File Operations...be patient, it takes a while sometimes.
:)

ps: when putting your unifi aps online, they are connected via another trunk port, so the can use multissid to offer wlan for your different vlans (up to 4 out of box), just put them on a trunk. ;)

Junwen

@the-other Thanks for chiming in. Yes, it is working now. The Unifi AP WIFI setup was rather smooth. Not sure if everything in the switch ports setup correctly, but it's working for now. Still trying to figure out the difference between tag and untagged. I have GE1, GE2, GE9, and GE10 setup as trunk ports. GE1 and GE2 are reserved for Unifi APs, and GE9 and GE10 are uplinks to other switches.

This is a fantastic community. I was struggling for 10+ hours before I decided to post here, and I got the solution within minutes!