New VLAN setup

A Former User

vlan1

wifi vlan 100

marcelloc

change port1 vlan1 from U to T and wifi port on vlan100 toU

A Former User

@marcelloc:

change port1 vlan1 from U to T and wifi port on vlan100 toU

ok, i am going to do that now, but this is why i am confused

"The default vlan id is 1 and default configuration for all ports are vlan id 1 untag, so you do not need to do anything, just check if it's configured on your switch"

makes it seem like i need to leave everything as is on the default vlan…but like i said, i am changing it now.

A Former User

@marcelloc:

change port1 vlan1 from U to T and wifi port on vlan100 toU

when i go to make these changes on vlan1 it tells me i might lose web management connection.

also, is the wifi port, port 1 as well, or should i use port 2 for that?

marcelloc

change configuration with a machine connected to any port other then ports you are changing

leave port 1 for firewall machine as you are tagging vlan on it and use port 2 for the wifi router as you are not changing anything there.

when you use tagged ports, the machine/router plugged on this port must have vlan tags configured to work

when you use untag portsm the machine does not need to know that it is on a vlan.

just pay attention to do not use tag and untag on same port.

A Former User

@marcelloc:

change configuration with a machine connected to any port other then ports you are changing

leave port 1 for firewall machine as you are tagging vlan on it and use port 2 for the wifi router as you are not changing anything there.

when you use tagged ports, the machine/router plugged on this port must have vlan tags configured to work

when you use untag portsm the machine does not need to know that it is on a vlan.

just pay attention to do not use tag and untag on same port.

vlan1

T U U U U U U U

vlan 100 (wifi)

E T E E E E E E

is what i should end up with?

marcelloc

this way:
vlan1

T E U U U U U U

vlan 100 (wifi)

T U E E E E E E

port 1 firewall

port 2 wifi

A Former User

@marcelloc:

this way:
vlan1

T E U U U U U U

vlan 100 (wifi)

T U E E E E E E

port 1 firewall

port 2 wifi

ok, so once a port is tagged, it has to be marked as tagged in every vlan you create?

i just made those changes…moving to pfsense now.

A Former User

here is pfsense setup

i am not done, i am stuck, here.

i cant set two things on re1.  only one at a time.

marcelloc

Lan will be vlan1 on re1 and opt1 will be vlan100 on re1.

Disconnect re2

A Former User

and then i can plug in my 16 port netgear into a port on the HP that i didnt configure yet…we forgot to calculate that.  everything on that 16 port netgear is on 192.168.1.0 /24 network...do i need to tag another port on the hp vlan switch?

so it will look like this

isp-----cable modem-------pfsense-------hp vlan switch--------16 port netgear

marcelloc

Or use re2 as opt2 to connect netgear.

A Former User

@marcelloc:

Or use re2 as opt2 to connect netgear.

but isnt network 192.168.1.1 already existing on re1?

marcelloc

If both switches are on same network, just plug netgear on port 3

podilarius

Tagging a port means it can be in multiple VLANS. Using a port untagged means that anything on the port is in the VLAN that you assigned. Excluded means that port is not participating in that vlans. If you assign untagged in 2 different vlans on the same port, then the second ignored.

So re2 (vlan1) goes into port 8 and services the main LAN.
Then re1 goes into port 1 (vlan100).
Your wifi goes into port 2
your other switch you want in with vlan100 goes into port 3.

Then setup vlan like so.

VLAN1
e,e,e,u,u,u,u,u

VLAN100
u,u,u,e,e,e,e,e

Do not setup re1 for a vlan since you are port grouping on the switch. You will setup re1 as if you are just using a different switch.

You would only tag port 8 if you wanted only 1 physical port on the pfsense firewall to access both vlans. Since you are using physically seperated nics and you only want to setup 2 different LANs, this would be ideal.

good luck.

A Former User

@podilarius:

Tagging a port means it can be in multiple VLANS. Using a port untagged means that anything on the port is in the VLAN that you assigned. Excluded means that port is not participating in that vlans. If you assign untagged in 2 different vlans on the same port, then the second ignored.

So re2 (vlan1) goes into port 8 and services the main LAN.
Then re1 goes into port 1 (vlan100).
Your wifi goes into port 2
your other switch you want in with vlan100 goes into port 3.

Then setup vlan like so.

VLAN1
e,e,e,u,u,u,u,u

VLAN100
u,u,u,e,e,e,e,e

Do not setup re1 for a vlan since you are port grouping on the switch. You will setup re1 as if you are just using a different switch.

You would only tag port 8 if you wanted only 1 physical port on the pfsense firewall to access both vlans. Since you are using physically seperated nics and you only want to setup 2 different LANs, this would be ideal.

good luck.

i am going to try to decipher all of this tomorrow.  too much happening right now.

i appreciate all the help.  you are telling me to set it up slighty different than what marcelloc said.  if not, then i mis understood him.

one thing we didnt bring up yet was port priority.  i saw that under the vlan section of the HP switch and decided i had enough for tonight.

thanks again guys.

marcelloc

Podilarius, you missed some posts, the setup is done.

Re2 is not needed as both networks 192 and 10 are tagged on port 1 and assigned on pfsense.

The second switch is on same 192 network, so no need to tag, just uplink.

podilarius

Sorry about that then. I did miss them. Dang, I missed a whole page of posts. marcelloc, your setup is the whole basis on why vlans are even used. It does just depend on what you want to do though. Didn't mean to confuse things.

marcelloc

never mind, there were many posts since your last visit  ;)

stephenw10

Turn your back for a second and BAM the thread goes up to 4 pages!

Why all manufacturers can't agree on a standard naming scheme for VLANs is beyond me. Cisco in particular seem to have their own names for everything.

The labeling of ports as Tagged, Untagged or Excluded is confusing. It is basically describing what action the switch will take to traffic leaving that port.

The section of network between the firewall and the switch that carries all the vlan tagged traffic from several vlans is known as a vlan trunk. Though I think that could be Cisco's naming it's pretty much universal!

Traffic within the switch, on a particular VLAN, destined for the firewall must exit onto the trunk connection and remain tagged. Hence that port is labeled Tagged.

Traffic within the switch, on a particular VLAN, destined for a client computer must exit from one of the ports with clients connected and have vlan tagging removed. Hence those ports are labeled Untagged.

All the ports which are neither a trunk connection nor an exit port for that particular vlan are labeled Excluded.

I hope that makes some sort of sense to you.

If your goal here was to get some VLAN experience then I think you're right on target!  ;)

Steve