Strange MicroSemi PDS-208 behavior
-
I'm not following or something. I said I tried that.
The main LAN switch is set this way; the LAN is not a vlan.
I can't set another vlan on the microsemi, it simply doesn't work. I've tried repeatedly but each time get locked out and have to factory reset it as explained above. If I've missed a step, I don't know what it is because I have the manual and yes, it's pretty straightforward.
Now if you want another network to be a vlan, use an ID other than 1; after you have created it on your switch, tag that vlan on the switch port that is connected to the pfsense LAN port.
Tagging vlan 1 is NOT something that is done.. In 30 years in the biz - never ever seen it.. Vlan 1 is the native UNTAGGED vlan on switches. You do not need to use that to access a switch if you don't want to - but it's fine to do so..
I'm simply trying everything I can to see if I can get somewhere. If I can't reach the microsemi after adding a vlan id higher than 3 with a directly attached terminal, then nothing on the network will for sure.
That's partly where I'm stumped. If I could add a new vlan id on the microsemi, I think the rest would be simple but I can't. That's why I wondered if there are some additional steps from the CLI since some documentation seems to imply there might be.
-
@lewis said in Forced to use vlan1:
The LAN is not a vlan.
Yeah it is. On the switch, it is vlan 1.. it's just not tagged.
Once you start using a smart/managed switch all networks are vlans to the switch... All your ports can be in the default vlan 1 and untagged. And then you can start virtualizing the switch and creating new "vlans"..
But to the switch the native network, that is untagged is vlan 1 to the switch.. Pfsense doesn't think it's a vlan, because it's not tagged.. But to the switch yes it is a vlan..
-
@johnpoz LOL, ok so now I'm really lost :).
On pfsense, I added vlan1 on the lan interface as you saw in the images above. So I guess that's something I should remove then.
Either way, since I'm not able to change the microsemi to any other id, then I guess I'm SOL?
-
@lewis How are you adding the vlan in the switch? If it's kicking you out, my guess would be you're trying to change the management vlan.
Simply adding a vlan won't kick you out.
-
@jarhead exactly... he is doing something wrong..
I posted a picture from the manual where to add a vlan.
Yes delete that vlan 1 you created on pfsense.. That is wrong!
Now reset your setup.. It's going to be vlan 1 untagged on all ports. Connect it to your pfsense lan port. Give it a management IP on whatever your lan network is.
Now on the switch add say vlan 100.. Now on pfsense create your other network with a vlan ID of 100.. Attach this vlan on the pfsense lan interface, use some network say 192.168.100.0/24, set up dhcp, set up some firewall rules on your new vlan network on the pfsense interface.
On the port that is connected to lan on pfsense, set vlan ID 100 to tagged. Put some other port untagged on your switch in vlan 100.. There you go, you're doing vlans - and Bob's your uncle, it really is that simple.
-
@jarhead said in Forced to use vlan1:
@lewis How are you adding the vlan in the switch? If it's kicking you out, my guess would be you're trying to change the management vlan.
Simply adding a vlan won't kick you out.
On the microsemi, I can add a new vlan/id so I add vlan2 for example. I enable that for port 9 only, which I have connected to the main LAN switch, port 16 I think I mentioned. There is no option to add any IP at this point.
If I enable port 10 which I have the terminal connected to, then I'll lose access. That seems odd since I've not changed the IP nor added one to the new vlan yet but then, I've never done vlans before.
-
So here is an example.
On the microsemi, I added vlan100.
I enabled that on port 9 only, the one connected to the main LAN switch.
I then set the IP for that to 192.168.100.50.
There's no option to use one or the other and when I save it, I get booted from the microsemi. Fine, I change the network on the terminal to match, 192.168.100.75 but nope, cannot ping the microsemi anymore on either the 192.168.0.x or 192.168.100.x networks from the terminal. It seems to only want to work when it's using vlan1. I think I have to solve this before moving on to anything else.
-
@lewis said in Forced to use vlan1:
I then set the IP for that to 192.168.100.50.
Huh? Why are you trying to set the switch IP to some other IP that is not your lan?
You stated this is a layer 2 switch, it is unlikely it would let you set a SVI (Switch Virtual Interface) on any of the other vlans.. You use the vlan 1 IP, the management vlan to manage the switch.
Your other vlans 100, 2 or 1012, etc.. would not have any IPs set on the switch
Pfsense would have an IP on vlan 100 for example - since it is the router to get on and off that network.. Your other devices you put on this vlan 100 would have IPs.. The switch doesn't need an IP on this vlan, its just layer 2.. Is not routing anything..
-
I then set the IP for that to 192.168.100.50.
Huh? why are you trying to set the switch ip to some other IP that is not your lan?
I'm not 'trying' to do anything, I don't know what I'm doing when it comes to vlans as I've said all along. I thought I was being asked to set up a new vlanx on the microsemi using the above IP.
You stated this is a layer 2 switch, it is unlikely it would let you set a SVI (Switch Virtual Interface) on any of the other vlans.. You use the vlan 1 IP, the management vlan to manage the switch.
I only see it or can access it from a terminal connected directly to one of the microsemi ports. A terminal that is secluded from the main lan so I can change its IP as needed.
Your other vlans 100, 2 or 1012, etc.. would not have any IPs set on the switch
I don't have any other vlans. Only the microsemi has vlan1 and of course, devices on the LAN like switches.
Pfsense would have an IP on vlan 100 for example - since it is the router to get on and off that network.. Your other devices you put on this vlan 100 would have IPs.. The switch doesn't need an IP on this vlan, its just layer 2.. Is not routing anything..
My limited knowledge of vlans is that they are simply a virtual network instead of a physical one. You could have one LAN/network and have a bunch of virtual networks on that. So long as the switches know to handle those vlans, all devices on the same networks can talk with devices on the same networks.
In my case, while I have three different networks physically connected to the pfsense, I only need the microsemi devices to communicate on the LAN network.
Unfortunately, forums aren't like talking face to face so things can get more complicated than they actually should be. Saying 'why are you doing this and that' doesn't help because I'm not really trying to do this and that, just trying to get a basic setup working so that once it is, I can finally learn how to put vlans to work :).
Since you understand what I'm trying to do, could you just walk me through what I need to do, one thing at a time and I'll follow those directions and post what I've done and where I'm at. At some point, we should be in sync of where it's at. I'm nervous that this post will only get more and more convoluted if we don't do it this way. I don't want to waste anyone's time so happy to follow directions one step at a time.
-
@lewis said in Forced to use vlan1:
I'm not 'trying' to do anything, I don't know what I'm doing when it comes to vlans as I've said all along. I though I was being asked to set up a new vlanx on the microsemi using the above IP.
If you want that to be your management IP of the switch, then put the switch on that network, no vlan on pfsense.
I only need the microsemi devices to communicate on the LAN network.
Well then do that - that is how it would work out of the box.. With everything in vlan 1..
Since you understand what I'm trying to do, could you just walk me through what I need to do,
I already did... Set the IP on the switch to an IP on your LAN... You're done - if you have no other need for any vlans.. If you do, I already went through how to do that as well.
I was being asked to set up a new vlanx on the microsemi using the above IP.
Who asked you to do that? A layer 2 management IP, ie the IP you use to access its gui or via ssh/telnet if it supports that, would be on the switch's vlan 1.. The default untagged network... if you want it to be 192.168.100.50 then connect it to a network on pfsense that is using 192.168.100/24 and is not a vlan.. Be that your lan or some other network, or set your lan to be 192.168.100/24
-
Before I change anything, let me try to make sure we're in sync.
I believe I understand what you're saying, that vlan1 is default on all switches, maybe not pfsense.
I tried putting the microsemi at 192.168.1.22, a free IP in the 192.168.1.1/24 network that is the LAN on pfsense. Doing that did not make the switch accessible from any device on the LAN. There is no vlan configured on pfsense at the moment.
Changing the vlan1 on the microsemi to 192.168.1.22 allows the terminal to reach it because it's connected directly to the switch.
However, a device trying to ping it from the 192.168.1.1 network gets 3-4 pings and no more. I've tested this countless times.
And to confirm, there is nothing set to tagged, never was.
-
Just for kicks, I tried again. I changed the vlan1 on the microsemi to 192.168.1.22.
I wasn't able to reach it from any device on the lan while the terminal connected directly can. Then I restarted the microsemi and it did what it has done since the start.
From a device on the lan, I can ping it for a few moments then it's gone. Yet the terminal can still communicate with it.
Does it mean something is blocking it at the firewall level? Why does it ping for a few moments then gone?
Also, there is something weird about these microsemi. Twice now, after changing the IP as mentioned above, maybe 5 minutes into it, it reboots and goes back to its factory 192.168.0.50 IP. Maybe that's because there is something else I should be running to keep the configuration permanently so I'll look at the manual again.
UPDATE: Actually, it rebooted but this time it kept its new IP. The pinging device on the lan saw it for a few pings then no more.
And I found a 'save to flash' option.
This is the current setup;
-
Lewis,
I'm really new to vlan but I think you are taking some steps out of order and causing some issues due to it. My newb recommendation:
Reset the microsemi switch, connect to it with a lan cable and set the IP to an address in the subnet of your pfsense box. After reboot, you should be able to connect the microsemi back to the main switch and log into it from your network using the new IP.
Create your vlan in pfsense and the desired switches.
Configure trunk ports on the respective ports of each switch.
Untag the appropriate ports and set your firewall rules.
The any to any rule is ok for testing but I discovered allowing the (http); (https) and (DNS) rules helped my vlans to begin seeing traffic when I first started my vlans.
Good luck, I spent three days trying to get my vlan to work only to discover I had port 8 and 9 cables reversed. The trunk port I thought I was connecting to, I wasn't. SMH.......
-
@lewis Stop changing the switch IP. That is for management of the switch.
You add the IP of the vlan to the vlan interface in pfSense.
Do this, configure the switch so you can access it from the LAN.
Configure the new vlan in pfSense with the LAN as parent and whatever vlan id you want to use. The switchport that your LAN is connected to needs to be a trunk port. You will then leave vlan 1 untagged on that port and tag the new vlan id on it.
Then pick another switchport and untag the new vlan id on it. You may have to set the pvid on that port to the new vlan id also, some switches will do that automatically, some won't. Vlan 1 should not be on this port at all.
Plug a pc into that port, it will be on the new vlan and, if you enabled dhcp on that vlan in pfSense it will get an IP in that subnet, if no dhcp set a static IP in that subnet.
Don't change the IP in the switch at all.
-
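The tagged/untagged/PVID behaviour that the two step-by-step posts above (johnpoz's and Jarhead's) rely on, as an added illustration that is not code from the thread, from Microsemi or from pfSense: a small Python model of how a switch classifies a frame on ingress, what comes out of another port, and whether the switch's own management IP is reachable from a given port. Port 9 as the uplink towards the pfSense LAN and port 10 as the terminal follow the thread; port 5 as the VLAN 100 access port, and the assumption that "enabling" a VLAN on the terminal's port moved that port's PVID off VLAN 1, are mine.

```python
# Added example (not from the thread, Microsemi or pfSense): a small model of
# how an 802.1Q switch treats a port's PVID, untagged and tagged memberships.
# Port numbers follow the thread (9 = uplink to the pfSense LAN, 10 = terminal);
# port 5 as an access port and the "locked out" port 10 state are assumptions.
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

MGMT_VLAN = 1  # the switch CPU only answers in its management VLAN (default 1)


@dataclass
class Port:
    pvid: int                                        # VLAN given to untagged ingress frames
    untagged: Set[int] = field(default_factory=set)  # VLANs sent out of this port without a tag
    tagged: Set[int] = field(default_factory=set)    # VLANs sent out of this port with a tag


def ingress_vlan(port: Port, tag: Optional[int]) -> Optional[int]:
    """VLAN a frame arriving on `port` is assigned to; None means the switch drops it."""
    if tag is None:
        return port.pvid                             # untagged frame: classified by PVID
    return tag if tag in port.tagged else None       # tagged frame: port must carry that VLAN


def forward(switch: Dict[int, Port], src: int, tag: Optional[int],
            dst: int) -> Optional[Tuple[int, Optional[int]]]:
    """(vlan, egress_tag) for a frame entering `src` and leaving `dst`; None if not forwarded."""
    vid = ingress_vlan(switch[src], tag)
    if vid is None:
        return None
    out = switch[dst]
    if vid in out.untagged:
        return (vid, None)                           # leaves as a plain (untagged) frame
    if vid in out.tagged:
        return (vid, vid)                            # leaves with an 802.1Q tag
    return None                                      # dst is not a member of that VLAN


def management_reachable(switch: Dict[int, Port], src: int, tag: Optional[int] = None) -> bool:
    """A host on `src` reaches the switch's own IP only if its frames land in the management VLAN."""
    return ingress_vlan(switch[src], tag) == MGMT_VLAN


def recommended_setup() -> Dict[int, Port]:
    """The layout the thread converges on: VLAN 1 untagged everywhere, VLAN 100 tagged on the uplink."""
    return {
        9: Port(pvid=1, untagged={1}, tagged={100}),   # trunk towards the pfSense LAN port
        5: Port(pvid=100, untagged={100}),             # access port for the new VLAN 100 (assumed)
        10: Port(pvid=1, untagged={1}),                # terminal used to manage the switch
    }


def locked_out_setup() -> Dict[int, Port]:
    """Assumption: 'enabling' VLAN 100 on the terminal's port moved its PVID off VLAN 1."""
    switch = recommended_setup()
    switch[10] = Port(pvid=100, untagged={100})
    return switch


if __name__ == "__main__":
    good, bad = recommended_setup(), locked_out_setup()
    print("PC on port 5 -> uplink:", forward(good, 5, None, 9))            # (100, 100): tagged to pfSense
    print("terminal on port 10 -> uplink:", forward(good, 10, None, 9))    # (1, None): plain LAN frame
    print("terminal reaches mgmt IP:", management_reachable(good, 10))     # True
    print("PC on VLAN 100 reaches mgmt IP:", management_reachable(good, 5))  # False: layer 2 only
    print("after moving port 10 to VLAN 100:", management_reachable(bad, 10))  # False: locked out
```

The model shows why the posts insist on leaving the management VLAN untagged on the port the terminal uses: once that port's untagged frames are classified into another VLAN, the switch's single management address (VLAN 1 on a layer 2 switch) is no longer reachable from it, whatever IP the terminal is given. It also shows that a PC on the VLAN 100 access port reaches pfSense only through the tagged uplink, and never the switch's management IP, which is the expected behaviour rather than a fault.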
@Jarhead
OK, didn't know a managed switch would connect on a different subnet. I always reserve a range of ip addresses for my switches and access points in the DHCP server. Call it my inner control freak.
-
Stop changing the switch IP. That is for management of the switch.
I think this cannot be done using forums. The posts get too long and everyone gets out of sync and worse, frustrated because of that which is not helpful at all. It's not easy to follow all these suggestions. When some of you post, you post as if the person should know this or that then get frustrated with them when they cannot follow your suggestions.
I appreciate this post, it's well broken down but there are things which aren't clear because you know what you're talking about but I don't :).
To reiterate, the microsemi comes with vlan1 and an ip assigned to that of 192.168.0.50.
The local lan/network is 192.168.1.1/24. Not realizing this is a layer 2 switch, I simply changed the vlan1 IP to 192.168.1.122 to be on the main lan.
microsemi. Since it's using a vlan1, it could not be seen on the network as it was initially.
You add the IP of the vlan to the vlan interface in pfSense.
There is no vlan interface on the pfsense. Someone said to trash that several comments ago. I tried playing with a vlan interface but was told not to.
The microsemi is using vlan1 and I wanted to use something other than vlan1. I connected port 10 of the microsemi to port 16 of the main LAN switch to have a way of testing connectivity to it. Pfsense is connected to the main LAN switch.
A terminal is connected to port 9 of the microsemi and is able to communicate with it without any vlan configuration.
Do this, configure the switch so you can access it from the LAN.
That's been the problem all along. I explained that if I change the vlan1 from its default 192.168.0.50 to 192.168.1.22 which would put the microsemi on the main network, then it pings 3-4 times each time I pull the cable but that's it. Pull the cable, put it back in, it pings 3-4 times no more.
You said above, 'stop changing the management IP of the microsemi' so you see how the post is getting confusing.
Configure the new vlan in pfSense with the LAN as parent and whatever vlan id you want to use.
I tried using vlan3 initially and I shared how making any new vlan active results in loss of access to the microsemi. I tried vlan3 on port 9 only, leaving the management vlan1/192.168.0.50 default as well.
However, as soon as I enable a port to use that vlan on the microsemi, I lose access to it completely.
I need someone to take a step back, stop being frustrated, just take a little time to go over what we've talked about or better yet, let me reiterate how things are set up by going back to the starting point.
These switches come with vlan1, IP 192.168.0.50 as their default.
The main LAN is 192.168.1.1/24 on pfsense which is connected to the main LAN switch. The main LAN switch has vlan1 by default, all ports untagged. Pfsense does not have any vlans configured.
On the microsemi, the only change I can make is to vlan1 and that's the IP.
By default, it has no gateway set BTW.
If I add a new vlanx, it boots me out if I select any ports to modify with the new vlan.
I've tried selecting only port 9 since that's connected to the main switch and leaving the others so I could still communicate with it using the terminal connected to port 10. That works.
If I try to add an IP to the new vlan, it boots me out as soon as I save it. Changing the terminal to that network does not retain access. No idea what happens but the only option becomes a reset.
So, how about some baby steps. How do you want me to configure the microsemi first. Again, port 9 is connected to the main lan switch. Port 10 is connected to the terminal.
-
Check out this post, it may help you to understand how ports need to be configured, and what tagging and untagging mean. Trust me I feel your pain as I just taught myself this process as well.
https://forum.netgate.com/topic/178253/vlan-on-cisco-sg-200-pfsense
Right now it doesn't seem like you're at the point where your switches can communicate. Several things have to be right and then vlans will just work.
Once you see the workflow it will all make sense.
-
@lewis said in Forced to use vlan1:
These switches come with vlan1, IP 192.168.0.50 as their default.
The main LAN is 192.168.1.1/24 on pfsense which is connected to the main LAN switch. The main LAN switch has vlan1 by default, all ports untagged.
If your pfsense is 192.168.1.1, then change the switch to say 192.168.1.2/24 with its gateway of 192.168.1.1
As long as nothing else on your lan is using 192.168.1.2
-
@lewis I think I know what you're trying to do now.
You don't want to add another vlan to pfSense, you just want to stop using vlan 1 on the switch, is this correct?
If so, the router doesn't care what vlan you use on the switch. You're using a physical port on the router, so whatever pvid is on the port of the switch that you plug into the router will be used.
Do this. Log into the switch. Add a vlan id that you want to use as the default vlan. Set that vlan id as pvid on any 2 ports for now. Set that vlan as management vlan.
Set the management vlan to dhcp. Plug one of the ports you used into the lan port on pfSense. Check your dhcp status and find the IP given to the switch. Plug the pc into the other switchport with the new vlan. Log into the IP you found in the dhcp status. Set all the other switchports to the pvid of the vlan you want to use.
Just looked at the picture you posted, looks like dhcp might not be an option so set a static IP like John's post above.
-
@jarhead said in Forced to use vlan1:
you just want to stop using vlan 1
what does it matter - the default vlan 1 is untagged... Who cares what the ID is - pfsense doesn't know or care that is 1, or 100, or 223 it doesn't matter..
he should just change the ip to the ip he wants to use for the switch on his lan network and be done with it..
This isn't some enterprise setup that has some policy about the default vlan.. In this context there is zero reason to change the default vlan on the switch.. It has no meaning for this use case.. Pfsense will never see the tag, nor need to tag to it..