[Solved] Please help with switch/vlan (802.1q) setup on Netgate 2100

furom

@rcoleman-netgate said in Please help with switch/vlan (802.1q) setup on Netgate 2100:

@furom Assuming you have removed all other VLANs from port 4, and given it the PVID as well (when you go 802.1Q mode PVID is now set on the ports page) you should be set.

Hm. So, as I have switches and controller (+pfSense) on the native VLAN, should it work if I define a VLAN-tag as 4084 for example, with members (4,5t) and then connect it to the 2100 Switch port 4?

Should I then be able to

• on 2100 port 1: connect Unifi controller (VLAN 1)
  - and find my switches in "online" state?
• on 2100 port 4: connect a Unifi switch that will now
  - get an IP from VLAN 1, and have access to all other defined VLAN tags?
  - which then should mean that the switch config I already have, would just work?

It feels like I have bee trying this over and over and always missed something vital. Will I need any additional rules for this to work in it's most basic form, meaning continue to add rules and configuration?

Thanks

stephenw10

Importantly you need to set the PVID on port 4 to 4084 on the Ports tab. Otherwise you are untagging traffic leaving port 4 but not tagging the reply traffic coming into port 4.

@furom said in Please help with switch/vlan (802.1q) setup on Netgate 2100:

on 2100 port 1: connect Unifi controller (VLAN 1)

• and find my switches in "online" state?

Yes, as long as those switches are also on VLAN 1.
Also important to note that VLAN1 only actually exists inside the switch. It's actually untagged traffic everywhere else.

@furom said in Please help with switch/vlan (802.1q) setup on Netgate 2100:

on 2100 port 4: connect a Unifi switch that will now

• get an IP from VLAN 1, and have access to all other defined VLAN tags?
• which then should mean that the switch config I already have, would just work?

If you have setup VLAN 4084 as shown in the doc then a switch on port will only have access to VLAN 4084 and not VLAN1. So no it won't get an IP from VLAN1. And no it won't have access to any tagged vlan.
If that's what you want you would need to leave port 4 as an untagged member of VLAN1. Leave the PVID on port 4 as 1. And set port 4 as a _tagged_member of VLAN 4084, and any other VLANs you need at the switch.

If you post some screenshots of you setup I'm sure we will be able to see what's happening.

furom

@stephenw10 said in Please help with switch/vlan (802.1q) setup on Netgate 2100:

Importantly you need to set the PVID on port 4 to 4084 on the Ports tab. Otherwise you are untagging traffic leaving port 4 but not tagging the reply traffic coming into port 4.

@furom said in Please help with switch/vlan (802.1q) setup on Netgate 2100:

on 2100 port 1: connect Unifi controller (VLAN 1)

• and find my switches in "online" state?

Yes, as long as those switches are also on VLAN 1.
Also important to note that VLAN1 only actually exists inside the switch. It's actually untagged traffic everywhere else.

@furom said in Please help with switch/vlan (802.1q) setup on Netgate 2100:

on 2100 port 4: connect a Unifi switch that will now

• get an IP from VLAN 1, and have access to all other defined VLAN tags?
• which then should mean that the switch config I already have, would just work?

If you have setup VLAN 4084 as shown in the doc then a switch on port will only have access to VLAN 4084 and not VLAN1. So no it won't get an IP from VLAN1. And no it won't have access to any tagged vlan.
If that's what you want you would need to leave port 4 as an untagged member of VLAN1. Leave the PVID on port 4 as 1. And set port 4 as a _tagged_member of VLAN 4084, and any other VLANs you need at the switch.

If you post some screenshots of you setup I'm sure we will be able to see what's happening.

Thank you, this is good. I will shortly start testing again an will manage some screenshots to I hope! :)

furom

Well, thanks to you guys I'm getting closer! I'm back up and running again with 802.1q, but I still don't see any vlans using tcpdump;

tcpdump -i enp3s0 -e

I did see them at one point, but was then connected before the switch... and nothing else worked. :)

I have come up with this so far;

Some more questions;

• Where does the 4084 comes into play as it is just defined but not used? Do I even need it as is?
• Why do I need to have vlan config both here and in Interfaces/VLANs. Guessing this was just a mapping of sorts?
• What would I need to do to pass the vlan tag to an application for example? As is now, are they really broadcasted if I cannot see them?
• Also... As I will be running the Unifi controller in a VM, which will need VLAN 1... I remember you said it only lives within the switch... So I guess I actually really need a management vlan after all... Why isn't VLAN 1 possible to send out as tagged?

Thanks

Jarhead

@furom said in Please help with switch/vlan (802.1q) setup on Netgate 2100:

Some more questions;

• Where does the 4084 comes into play as it is just defined but not used? Do I even need it as is?

That depends on you. Why do you even have a vlan 4084 if you aren't gonna use it?

• Why do I need to have vlan config both here and in Interfaces/VLANs. Guessing this was just a mapping of sorts?

Where you are showing is the switch config. Interfaces/vlans is the router config.

• What would I need to do to pass the vlan tag to an application for example? As is now, are they really broadcasted if I cannot see them?

Applications don't use vlans. If you want to use 4084 as a separate network, all you have to do is tag 4084 on the unifi switchport that is plugged into port 4 of the router, then untag 4084 on another unifi port. If you plug into the "other" port, you will be on the vlan 4084 network.

• Also... As I will be running the Unifi controller in a VM, which will need VLAN 1... I remember you said it only lives within the switch... So I guess I actually really need a management vlan after all... Why isn't VLAN 1 possible to send out as tagged?

Thanks
The controller doesn't need to use vlan1. Mine uses vlan 160.

rcoleman-netgate

@furom said in Please help with switch/vlan (802.1q) setup on Netgate 2100:

Where does the 4084 comes into play as it is just defined but not used? Do I even need it as is?

Nowhere? if you aren't using it I would just not enable it - thus taking some system load off your 2100.

Why do I need to have vlan config both here and in Interfaces/VLANs. Guessing this was just a mapping of sorts?

One is the switch, the other is pfSense. The 2100 cannot talk to the switch with VLANs unless they're associated on the switch as well.

What would I need to do to pass the vlan tag to an application for example? As is now, are they really broadcasted if I cannot see them?

Application layer is on top of the network layer in the OSI model. Your question doesn't have an answer.

Also... As I will be running the Unifi controller in a VM, which will need VLAN 1... I remember you said it only lives within the switch... So I guess I actually really need a management vlan after all... Why isn't VLAN 1 possible to send out as tagged?

VLAN1 is typically untagged on your network. Not the best idea moving forward to rely on that VLAN except that for the sake of the switch built into the 2100 this is the best situation as the idea is that all ports on the LAN will work out of the box.

furom

Thanks guys,
I removed the redundant 4084, but I am still wondering.. I need my hypervisor to see the vlan tags to assign correct networks to the VM's. I'm just asking so I know if there is any point in even trying - I did not see any tags with tcpdump, so my guess is they aren't available with this config? What will I need to do for that to work?

stephenw10

Where are you running that tcpdump? How is it connected?

As you have configured any traffic on those VLAN will leave port 4 tagged. So if you have the hypervisor connected to port 4 it will see them. If there's another switch in between that will need to pass those VLANs tagged.

It's important to realise than packet tagged with VLAN 1 is not the same as untagged packets. Those two are often conflated and both shown as 'VLAN1'. So, yes, you could pass out VLAN1 packets tagged but it's almost certainly not what you want to do!
https://docs.netgate.com/pfsense/en/latest/vlan/security.html#using-the-default-vlan-1

Steve

furom

@stephenw10 said in Please help with switch/vlan (802.1q) setup on Netgate 2100:

Where are you running that tcpdump? How is it connected?

As you have configured any traffic on those VLAN will leave port 4 tagged. So if you have the hypervisor connected to port 4 it will see them. If there's another switch in between that will need to pass those VLANs tagged.

It's important to realise than packet tagged with VLAN 1 is not the same as untagged packets. Those two are often conflated and both shown as 'VLAN1'. So, yes, you could pass out VLAN1 packets tagged but it's almost certainly not what you want to do!
https://docs.netgate.com/pfsense/en/latest/vlan/security.html#using-the-default-vlan-1

Steve

Perfect! Then I'll add some to the switch to enable port 3 as well for the hypervisor with the vlans I need :) I will also take a moment to document what I have learned and configured.

Thank you so much for great help!

furom

@furom I still have much to configure, but one thing I notice is it became a LOT snappier!! So happy, would there be any reason for that or is it just more efficient to run vlans in 802.1q mode?

furom

This post is deleted!

stephenw10

Hmm, nothing specific I can think of. Not for normal use. Possibly you had something it was trying to query it couldn't access that now it can. Things on the dashboard can cause delays if they can't access resources.

furom

@stephenw10 said in [Solved] Please help with switch/vlan (802.1q) setup on Netgate 2100:

Hmm, nothing specific I can think of. Not for normal use. Possibly you had something it was trying to query it couldn't access that now it can. Things on the dashboard can cause delays if they can't access resources.

Well, I must have had that from the beginning, it is blazing fast in comparison... But must be as you suggest, some miss-configuration. I will pay close attention when enabling all I had before where/if it slows it down much.

Thanks :)

stephenw10

@furom said in [Solved] Please help with switch/vlan (802.1q) setup on Netgate 2100:

it is blazing fast

Nice.