VLAN not working what am I doing wrong
-
@xokia ok where is your cam that plugged into what port your tplink switch... Would assume your pfsense is on port 8.. because you have vlan 1 untagged and 23 tagged on that port.
But if you want a cam on vlan 23, plug it into say port 7, and put vlan 23 untagged on that port, and the pvid set to 23 on that port.
-
@johnpoz PFsense is not directly connected to any of these ports. This switch is connected to another switch. There are 2 other switches before it reaches the PFsense router.
I have a Lorex DVR that has its own DHCP server. That Lorex DVR then connects to the POE Camera via its own POE network.
I am trying to put the Lorex DVR on its own VLAN. The Lorex DVR connects to port 6 of the TPLINK switch. I created a VLAN in PFsense. I am trying to get it to traverse the network and then have just port 6 of the TPLINK attached to this VLAN so the DVR will be the only thing on this VLAN. I am probably missing something basic here.
Maybe I am thinking this is easier than it is. I assumed all messages tagged as VLAN 23 in pfsense would get sent to port 6 of the switch.
-
@xokia said in VLAN not working what am I doing wrong:
PFsense is not directly connected to any of these ports.
Doesn't matter what is upstream, pfsense and other switch..
network --- 1U,23T -- switch -- 23U -- device.
I have a lorex NVR (N847A6) and 3 cameras (E893AB) that are on the network behind the nvr wired poe.. You understand this is a different L2 network, you will not be able to directly access the cameras from any of your other networks without a little trickery..
My NVR is on its own vlan off of pfsense, 192.168.110.0/24, but the cameras are on a different network provided by NVR 10.1.1.0/24
You won't be able to directly access the cameras without putting a leg of pfsense into this network behind the NVR.
I can draw up how I do it if you want.. But the NVR itself is on its own network/vlan, and then I have a leg into this 10.1.1.0/24 network where I source nat my other networks into.. So I can directly access feed off any camera from my PC with just vlc and an rtsp url, and can also view the feeds off the cameras with some software that runs on my rokus. So any tv in the house I just turn on the IP Camera channel and see all 3 of my feeds. I can also get my alexa show to show a specific camera feed. But it's slower to access than just switch the tv to the channel to see them or click a bookmark on my PC.
-
@johnpoz said in VLAN not working what am I doing wrong:
I can draw up how I do it if you want.. But the NVR itself is on its own network/vlan, and then I have a leg into this 10.1.1.0/24 network where I source nat my other networks into.. So I can directly access feed off any camera from my PC with just vlc and an rtsp url, and can also view the feeds off the cameras with some software that runs on my rokus. So any tv in the house I just turn on the IP Camera channel and see all 3 of my feeds. I can also get my alexa show to show a specific camera feed. But it's slower to access than just switch the tv to the channel to see them or click a bookmark on my PC.
That would be awesome. If you want to take the time to do that, I would appreciate it. I am not new to basic networking but new to VLANs.
I have 2 mokerlink managed 9 port switches and 1 Tplink 8 port managed switch
Just so you know what I have:
mini PC i5-12450h with two 2.5G ports one WAN one LAN
Proxmox running PFsense. I have the WAN port passed through to PFsense.
The LAN port is set up as a bridge vnet0.
WAN->pfsense vnet0->mokerlink 2.5g port 6->10gig port (upstairs port 9) ->mokerlink 10gig port (downstairs port 9)-> 2.5g port 8-> tplink 1g port1->TPlink port 6 ->Lorex NVR-> 8 wired POE IP cameras
I have been meaning to do this for a while figured this would be a good case to learn VLANs. Everything works great for the basic network. But I'd like to get things more secure and get some VLANs running.
-
@xokia Did you trunk the ports on the other 2 switches?
You have to send the vlan through all the switches.
Just looked at the switch config again, you didn't trunk a port on that switch so gonna guess you didn't trunk the other 2 either.
The port connected to pfSense had to be trunked with the tagged vlan, and so did the ports that go from switch to switch.
-
@Jarhead I "think" I did but I don't know if I did it correctly.
WAN->pfsense vnet0->mokerlink 2.5g port 6->10gig port (upstairs port 9) ->mokerlink 10gig port (downstairs port 9)-> 2.5g port 8-> tplink 1g port1->TPlink port 6 ->Lorex NVR-> 8 wired POE IP cameras
upstairs mokerlink switch
Downstairs mokerlink switch
TPLink
-
@xokia That looks better.
Still not working?
Correction, the TP Link should have port 6 as untagged with vlan 23.
-
@xokia Yes you need a pvid set on the port you're going to connect a device that you want to be in vlan 23... Because it's not going to be tagging traffic so how would the switch know what vlan the traffic is supposed to be in.
You understand your cameras are not going to get IPs from this vlan 23 right... Just your NVR..
-
@johnpoz said in VLAN not working what am I doing wrong:
@xokia Yes you need a pvid set on the port you're going to connect a device that you want to be in vlan 23... Because it's not going to be tagging traffic so how would the switch know what vlan the traffic is supposed to be in.
You understand your cameras are not going to get IPs from this vlan 23 right... Just your NVR..
I tried setting port 6 of the TPLINK to PVID=23, still didn't work. Probably something I am missing but I haven't figured it out.
Yes I know the IP cameras do not get the IP address from the VLAN, they get it from the NVR DHCP. The IP cameras are 10.1.blah. With the current config they work with Alexa and I can ask to see a specific cam on an echo show. The NVR gets its IP from the 192.168.3.1 DHCP server currently. I'd like to move it to the VLAN 192.168.3.60 DHCP server.
The NVR was just a test subject since it needed to be routed through several switches. I thought it would be a good test case to learn. I was going to take a laptop, statically assign the IP and try pinging 192.168.60.1 from port 6 of the TPLINK, which should be the VLAN DHCP server. Running out of ideas though.
I am going on vacation tomorrow for 2 weeks so will probably skip the VLAN until I return. If you guys see something I did wrong please call it. I'll have to tackle it when I return.
-
@xokia it doesn't matter how many switches you put in line..
network --- 1U,23T -- switch -- 23U -- device.
if you add another switch..
network --- 1U,23T -- switch1 -- 1U,23T -- switch2 -- 23U -- device.
Both ports that connect your 2 switches would both be set 1UP,23T
Where 1 is the PVID for the ports that connect switch1 and 2. Only the end device, your nvr in this case would the port be set for 23UP (untagged pvid).
That tplink I showed, that is the 3rd switch in a daisy chain.. I have this
pfsense -- sg300-28 -- sg300-10 -- tplink
Well I also have a sg250-8 that hangs off the sg300-28 as well. You can carry as many vlans as you want between the switches or to a downstream switch.. My sg250 hanging off the 28 carries only a subset of my vlans. And its management IP is actually on a different vlan than my other switches... It's on my 192.168.200 vlan, while my sg300 management is on my vlan 9 (untagged lan port on pfsense)..
But to this sg250 switch it thinks this 192.168.200 vlan of mine is vlan 1.. Same with my tplink, it puts untagged traffic it sees coming into its port that connects it to the network as its vlan 1.. While my other sg300 switches the default vlan for it (untagged) is vlan 9.
You can only ever have 1 untagged network on a port.. If you carry more than 1 network, the other networks have to be tagged. You could also tag all of them if you wanted if they are just uplinks between switches. But normally vlan 1, ie the switches default vlan is never tagged.
If you are running dhcp on this vlan 23 of yours.. If you were setup correctly then any dhcp device you plug into your last port in the line of switches where 23 is untagged then it would get an IP from pfsense dhcpd for vlan 23.
-
@johnpoz said in VLAN not working what am I doing wrong:
network --- 1U,23T -- switch1 -- 1U,23T -- switch2 -- 23U -- device.
If you are running dhcp on this vlan 23 of yours.. If you were setup correctly then any dhcp device you plug into your last port in the line of switches where 23 is untagged then it would get an IP from pfsense dhcpd for vlan 23.
I think I have this unless I am missing something.
-
@xokia well if you plug a device into your last switch in your lines port that is 23 untagged, or as cisco calls them an access port. And you don't get an IP from your dhcpd running on your vlan23 on pfsense, then yeah you're missing something.
If you create a port on your first switch in your line that is in 23 UP (untagged, pvid) does it get an IP from dhcp? If so then do the same test on your 2nd switch in your line.. etc..
You mention your pfsense is on a VM, you sure it's not stripping the tags? Been a while since I played with proxmox - but VM software normally has to be set up to either not strip tags or put specific port groups or vswitches into specific vlan.. With esxi, I know you need to set the vswitch to vlan ID 4095 I think so that it doesn't strip tags.
I would test with that first switch coming off your proxmox -- put a port in 23UP, does it get dhcp from pfsense from vlan 23?
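The tagging rules from the posts above (1U,23T on every port between switches, 23 untagged with PVID 23 on the device port) and the hop-by-hop test, as an added example that is not part of the original thread: a simplified Python model of 802.1Q port handling that reports where a VLAN 23 frame is dropped in each direction. The port tuples, the hop names and the three sample chains are constructed for illustration, and the model assumes every port drops frames for VLANs it is not a member of.

```python
# Added example: simplified 802.1Q model. A port is (pvid, untagged VLANs, tagged VLANs).
TRUNK = (1, {1}, {23})         # "1U,23T": uplink / inter-switch port
ACCESS = (23, {23}, set())     # "23UP": device port, untagged with PVID 23
PLAIN = (1, {1}, set())        # default port, VLAN 23 never added
NO_PVID = (1, {1, 23}, set())  # 23 untagged but PVID left at 1

def ingress(port, tag):
    """VLAN a received frame is classified into; None means dropped."""
    pvid, untagged, tagged = port
    vlan = pvid if tag is None else tag   # untagged frames take the PVID
    return vlan if vlan in untagged | tagged else None

def egress(port, vlan):
    """(sent, tag on the wire) for a frame of `vlan` leaving this port."""
    _, untagged, tagged = port
    if vlan in tagged:
        return True, vlan
    return vlan in untagged, None

def walk(hops, tag):
    """Pass one frame through hops [(name, in_port, out_port), ...]."""
    for name, in_port, out_port in hops:
        vlan = ingress(in_port, tag)
        if vlan is None:
            return f"dropped on ingress at {name}"
        sent, tag = egress(out_port, vlan)
        if not sent:
            return f"dropped on egress at {name}"
    return "delivered untagged" if tag is None else f"delivered tagged {tag}"

def round_trip(hops, vlan):
    """(firewall -> device, device -> firewall); the device never tags."""
    back = [(name, out_p, in_p) for name, in_p, out_p in reversed(hops)]
    return walk(hops, vlan), walk(back, None)

# Constructed chains: firewall -- switch1 -- switch2 -- device
GOOD = [("switch1", TRUNK, TRUNK), ("switch2", TRUNK, ACCESS)]
NO_TRUNK = [("switch1", TRUNK, PLAIN), ("switch2", PLAIN, ACCESS)]
PVID_1 = [("switch1", TRUNK, TRUNK), ("switch2", TRUNK, NO_PVID)]

if __name__ == "__main__":
    for label, hops in [("good", GOOD), ("no trunk", NO_TRUNK), ("pvid 1", PVID_1)]:
        print(label, round_trip(hops, 23))
```

In the `PVID_1` chain the return frame is "delivered untagged", meaning it reaches the firewall on the untagged network instead of VLAN 23, so a DHCP request from the device never reaches the VLAN 23 server.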
-
@johnpoz I can ping 192.168.60.1 from my desktop that is connected to the same mokerlink switch as the pfsense router running the VLAN. (Desktop IP is in the 192.168.3.x range)
The moment I set port 9 to VLAN tagged 23 I can no longer ping 192.168.60.1. If I set just port 6 (this is the port pfsense is connected to) to VLAN Tagged 23 I can still ping 192.168.3.60; if I touch port 9 I am hosed.
I have the mokerlink 9 port managed switch. Port 9 has a 10gig SFP+ module in it. Port 9 on these 2 switches connect my upstairs to downstairs using 10G SFP+ modules.
Maybe I can try skipping the SFP+ module and try it with one of the 2.5G ports. Maybe there is some issue with the SFP+ module? I assume the SFP+ is just a phy and the management is done in the link or protocol layer.
-
I can confirm setting it up on just the first switch in the chain works and DHCP pulls the correct IP. Passing it to the next switch seems to be the issue.
-
@xokia said in VLAN not working what am I doing wrong:
The moment I set port 9 to VLAN tagged 23
Is that your first switch? Where is the port you put in 23 untagged that you're connecting your laptop?
This is how it should look for testing...
Move your laptop to the different switches you run this 23 vlan through.. I take it vlan 23 is 192.168.3 on pfsense.. Your devices should pull a dhcp address from your dhcpd running on pfsense.
U = Untagged
P = PVID
T = Tagged.
-
What software are you using to draw that? Maybe I can use the same to make it easier to understand. I do have Visio but don’t have the fancy pics that I’m aware of.
For the working case, yes, the first switch in the chain works as expected with the VLAN. Passing it from switch 1 to switch 2 seems to be where things stop working. Port 9 on both switches is what's used to pass data from one switch to the other.
Local network: 192.168.3.1
VLAN network: 192.168.60.1
I'm on my way to Cancun, will be back next week to tackle this again. So delayed response. Thanks for the help folks.
-
@xokia Just an old copy of visio.. 2007 ;) Still works!! heheeh
I use the latest and greatest for work, but my home pc I just have the old version.
-
Same for me. Whatever the last version was that didn't require a yearly payment, that's the version I have at home. I'll poke around when I get back from Cancun and see if it has a network plugin; if not, I'm sure I could draw up something basic.