[Solved] Please help with switch/vlan (802.1q) setup on Netgate 2100
-
@furom said in Please help with switch/vlan (802.1q) setup on Netgate 2100:
Some more questions;
- Where does the 4084 come into play as it is just defined but not used? Do I even need it as is?
That depends on you. Why do you even have a vlan 4084 if you aren't gonna use it?
- Why do I need to have vlan config both here and in Interfaces/VLANs. Guessing this was just a mapping of sorts?
Where you are showing is the switch config. Interfaces/vlans is the router config.
- What would I need to do to pass the vlan tag to an application for example? As is now, are they really broadcasted if I cannot see them?
Applications don't use vlans. If you want to use 4084 as a separate network, all you have to do is tag 4084 on the unifi switchport that is plugged into port 4 of the router, then untag 4084 on another unifi port. If you plug into the "other" port, you will be on the vlan 4084 network.
- Also... As I will be running the Unifi controller in a VM, which will need VLAN 1... I remember you said it only lives within the switch... So I guess I actually really need a management vlan after all... Why isn't VLAN 1 possible to send out as tagged?
Thanks
The controller doesn't need to use vlan1. Mine uses vlan 160.
-
@furom said in Please help with switch/vlan (802.1q) setup on Netgate 2100:
Where does the 4084 come into play as it is just defined but not used? Do I even need it as is?
Nowhere? If you aren't using it I would just not enable it - thus taking some system load off your 2100.
Why do I need to have vlan config both here and in Interfaces/VLANs. Guessing this was just a mapping of sorts?
One is the switch, the other is pfSense. The 2100 cannot talk to the switch with VLANs unless they're associated on the switch as well.
What would I need to do to pass the vlan tag to an application for example? As is now, are they really broadcasted if I cannot see them?
Application layer is on top of the network layer in the OSI model. Your question doesn't have an answer.
Also... As I will be running the Unifi controller in a VM, which will need VLAN 1... I remember you said it only lives within the switch... So I guess I actually really need a management vlan after all... Why isn't VLAN 1 possible to send out as tagged?
VLAN1 is typically untagged on your network. Not the best idea moving forward to rely on that VLAN except that for the sake of the switch built into the 2100 this is the best situation as the idea is that all ports on the LAN will work out of the box.
-
Thanks guys,
I removed the redundant 4084, but I am still wondering... I need my hypervisor to see the vlan tags to assign correct networks to the VMs. I'm just asking so I know if there is any point in even trying - I did not see any tags with tcpdump, so my guess is they aren't available with this config? What will I need to do for that to work?
-
Where are you running that tcpdump? How is it connected?
As you have configured any traffic on those VLAN will leave port 4 tagged. So if you have the hypervisor connected to port 4 it will see them. If there's another switch in between that will need to pass those VLANs tagged.
It's important to realise that a packet tagged with VLAN 1 is not the same as an untagged packet. Those two are often conflated and both shown as 'VLAN1'. So, yes, you could pass out VLAN1 packets tagged but it's almost certainly not what you want to do!
https://docs.netgate.com/pfsense/en/latest/vlan/security.html#using-the-default-vlan-1
Steve
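A worked illustration of the point above that a frame tagged with VLAN 1 is a different thing from an untagged frame. This is an added example, not code from the thread or from Netgate: it builds a few constructed 802.1Q frames (the ARP body, the MAC addresses, VLAN 160 and the priority-only tag are constructed sample values) and names which case each one is, the way a hypervisor or capture tool has to.

```python
import struct

ETHERTYPE_8021Q = 0x8100  # TPID: an 802.1Q tag follows the MAC addresses
ETHERTYPE_ARP = 0x0806

def build_frame(dst, src, ethertype, payload, vid=None, pcp=0):
    """Constructed test frame; vid=None means untagged, else an 802.1Q tag is inserted."""
    hdr = dst + src
    if vid is not None:
        hdr += struct.pack("!HH", ETHERTYPE_8021Q, (pcp << 13) | (vid & 0x0FFF))
    return hdr + struct.pack("!H", ethertype) + payload

def parse_frame(frame):
    """Return tag info for a single-tagged or untagged Ethernet frame."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    info = {"tagged": False, "vid": None, "pcp": None}
    ethertype = struct.unpack("!H", frame[12:14])[0]
    offset = 14
    if ethertype == ETHERTYPE_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        info.update(tagged=True, vid=tci & 0x0FFF, pcp=tci >> 13)
        offset = 18
    info.update(ethertype=ethertype, payload=frame[offset:])
    return info

def classify(frame):
    """Name the cases the thread conflates: untagged, tagged VID 1, and the rest."""
    info = parse_frame(frame)
    if not info["tagged"]:
        return "untagged"
    if info["vid"] == 0:
        return "priority-tagged (VID 0 carries PCP only, no VLAN membership)"
    return "tagged VID %d" % info["vid"]

# Constructed sample frames: broadcast ARP with a zero-filled body.
DST, SRC = bytes.fromhex("ffffffffffff"), bytes.fromhex("020000000001")
ARP_BODY = b"\x00\x01\x08\x00\x06\x04\x00\x01" + b"\x00" * 20
UNTAGGED = build_frame(DST, SRC, ETHERTYPE_ARP, ARP_BODY)
TAGGED_VLAN1 = build_frame(DST, SRC, ETHERTYPE_ARP, ARP_BODY, vid=1)
TAGGED_VLAN160 = build_frame(DST, SRC, ETHERTYPE_ARP, ARP_BODY, vid=160, pcp=3)
PRIO_ONLY = build_frame(DST, SRC, ETHERTYPE_ARP, ARP_BODY, vid=0, pcp=5)

if __name__ == "__main__":
    for name, frame in [("untagged", UNTAGGED), ("vlan1", TAGGED_VLAN1),
                        ("vlan160", TAGGED_VLAN160), ("prio-only", PRIO_ONLY)]:
        print(name, len(frame), "bytes:", classify(frame))
```

When checking this with tcpdump, pass `-e` so the link-layer header, and with it any 802.1Q tag, is printed; the default output omits it, which is one reason tags can appear to be missing.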
-
@stephenw10 said in Please help with switch/vlan (802.1q) setup on Netgate 2100:
Where are you running that tcpdump? How is it connected?
As you have configured any traffic on those VLAN will leave port 4 tagged. So if you have the hypervisor connected to port 4 it will see them. If there's another switch in between that will need to pass those VLANs tagged.
It's important to realise that a packet tagged with VLAN 1 is not the same as an untagged packet. Those two are often conflated and both shown as 'VLAN1'. So, yes, you could pass out VLAN1 packets tagged but it's almost certainly not what you want to do!
https://docs.netgate.com/pfsense/en/latest/vlan/security.html#using-the-default-vlan-1
Steve
Perfect! Then I'll add some to the switch to enable port 3 as well for the hypervisor with the vlans I need :) I will also take a moment to document what I have learned and configured.
Thank you so much for great help!
-
@furom I still have much to configure, but one thing I notice is it became a LOT snappier!! So happy, would there be any reason for that or is it just more efficient to run vlans in 802.1q mode?
-
Hmm, nothing specific I can think of. Not for normal use. Possibly you had something it was trying to query it couldn't access that now it can. Things on the dashboard can cause delays if they can't access resources.
-
@stephenw10 said in [Solved] Please help with switch/vlan (802.1q) setup on Netgate 2100:
Hmm, nothing specific I can think of. Not for normal use. Possibly you had something it was trying to query it couldn't access that now it can. Things on the dashboard can cause delays if they can't access resources.
Well, I must have had that from the beginning, it is blazing fast in comparison... But must be as you suggest, some misconfiguration. I will pay close attention when enabling all I had before where/if it slows it down much.
Thanks :)
-
@furom said in [Solved] Please help with switch/vlan (802.1q) setup on Netgate 2100:
it is blazing fast
Nice.