New book: VLANS in pfSense for absolute non-technical noobs
-
The switch configuration (HP V1910-16G, smart switch)
 -
The wireless access points (2x), 1x UAP-PRO (dual band), 1x UAP (single band), having both my 'normal' wireless (in the 192.168.2.x - LAN-range) and the new VLAN40 as two different SSID's.
-
pfSense configuration:
 -
Continued:
 -
Final:
 -
This concludes me fotographing my screen ;D ;D ;D
Once again, thank you very much for your help; it is extremely appreciated. I will gladly buy you a coffee once I get this to work. Then I have it all: a great firewall, Squid, Squidguard, Snort, FreeRadius EAP-TLS, and VLAN's to further secure my network. Then I can die a happy man. Once I have saved enough money to ensure I have a second pfSense as a fallback machine ;D
Thank you very much,
Bye,
-
Something I want to throw in here was when I was trying to use powerline to move a noisy server into my garage while I configured it, I came to the conclusion that my powerline adapters (Belkin F5D4076-S v2) didn't properly pass VLAN tags. I ended up replacing the powerline adapters with a 50-foot cable and it all fired right up. IIRC, I went from powerline back to the cable a couple times to verify. I have not put them on the bench to see exactly what was happening.
Another opinion: If your prem is wired for Cable TV, MoCA blows powerline away. And VLAN tags pass just fine.
-
Also, if your LAN is untagged and your VLAN40 is tagged and they're on the same interface/port, you might have to do something special in the switch. Some "Trunk" ports will discard untagged traffic. It might have to be configured as a "general" (cisco small business) or "dual-mode" (brocade) port. In these instances you tell the switch on which VLAN you want untagged traffic placed.
I would just not have a pfSense LAN interface assigned to the main hardware (untagged) interface. Create VLAN tags for all networks and tag/trunk everything. I find it more straightforward.
-
Thank you all very much for replying ;D
I have good news. It is working, but I have no clue why :-[
I found the remark about cheap hardware which couldn't transfer the VLAN-tag very plausible, but: it still works :o
I had to ask WIFE if she understood the HP manual, which it appears she did (and she can cook too :-X). So she messed around in the switch, 'oh, easy, I'll just tagg these ports' (duh), and next I told the Ubiquity WAP that the WLAN was to be have the tag 'VLAN70'. This ubiquity is connected wired to a cheap unmanaged switch downstairs, which in turn is connected to the power circuit to send the signal upstairs to the managed switch, so 2 devices that can not transfer VLAN70 with it.
But still it works ???
The smartphones and the laptop are sent to VLAN70, getting an IP from that range (192.168.7.x) whenever they connect wireless, and are sent to LAN, getting the default 192.168.2.x IP, when they connect wired.
No clue why it works, but it does.
And it doesn't.
( ;D)
Because: doing exactly the same for a second VLAN, VLAN60, with pre-ci-se-ly the same settings? Does not work. Neither smartphones nor laptop get an IP in 192.168.6.x, and they also don't get any in 192.168.2.x. They 'can't connect'.
Shoot me ???
Anyway, thank you all for your kind replies, new years eve for now :(
( >:( = parents in law. Like WIFE, don't like parents in law ;D).
-
You can't plug the Ubiquity into an unmanaged switch and expect VLAN tags from the access point to be maintained.
You don't have to spend a lot to get a VLAN-capable, managed switch:
http://www.amazon.com/D-Link-EasySmart-Managed-Gigabit-DGS-1100-08/dp/B008ABLU2I
It's quite possible that the one VLAN that's working is actually functioning as untagged on the default VLAN after going through the unmanaged switch (and possibly the powerline adapters, as I mentioned earlier.)
-
You can't plug the Ubiquity into an unmanaged switch and expect VLAN tags from the access point to be maintained.
It's quite possible that the one VLAN that's working is actually functioning as untagged on the default VLAN after going through the unmanaged switch (and possibly the powerline adapters, as I mentioned earlier.)
Thank you for your reply ;D
Yes, I found it very plausible that it isn't possible, I agree with you.
Is there a way for me to find out if it is currently doing what you say it is doing? What should I look for in the HP Switch configuration screens? (I know it sounds dumb, but I am rather very dumb when it comes to this subject :-[).
Thank you ;D
EDIT: forgot: I have no problem buying a new managed switch for downstairs, but that will still not solve the fact that the switch then travels via powerline.
-
The powerline is nothing else but a network cable in another form… It shouldnt alter the traffic unless routing or otherwise is a part of the equation.
To get VLAN's working you need to set the same VLAN's on the switch with the same tags as the ones on your Pfsense. Simples.
Then it transfers the tagging and traffic across with no issues. I have about 600 VLAN's running here on 2 physical HP switches configured for failover.
-
The powerline is nothing else but a network cable in another form… It shouldnt alter the traffic unless routing or otherwise is a part of the equation.
To get VLAN's working you need to set the same VLAN's on the switch with the same tags as the ones on your Pfsense. Simples.
Then it transfers the tagging and traffic across with no issues. I have about 600 VLAN's running here on 2 physical HP switches configured for failover.
Thank you for your reply Supermule ;D
Just to be make sure I completely understand you: you are saying that only a managed switch downstairs is sufficient? So powerline is not a problem (as that was written before)?
EDIT: But still I should need to find out why it appears to working right now then, even 'though the laws of dictate it shouldn't.
Thank you ;D
-
You can't plug the Ubiquity into an unmanaged switch and expect VLAN tags from the access point to be maintained.
[snip]
It's quite possible that the one VLAN that's working is actually functioning as untagged on the default VLAN after going through the unmanaged switch (and possibly the powerline adapters, as I mentioned earlier.)
I discussed with WIFE, who is sysadmin of BRAINS, and she posed an interesting question. If what you say is true (which we interpret as 'the VLAN-tag data is 'stripped' from the packets by the unmanaged switch, so before it arrives at pfSense), then how come that they get an IP-address in the VLAN-range from pfSense, and not an IP-address in the LAN-range?
Like said:
Laptop, wireless via WAP -> 192.168.7.10
Laptop, wired via HP-switch -> 192.168.2.10 -
@Hollander:
I discussed with WIFE, who is sysadmin of BRAINS, and she posed an interesting question. If what you say is true (which we interpret as 'the VLAN-tag data is 'stripped' from the packets by the unmanaged switch, so before it arrives at pfSense), then how come that they get an IP-address in the VLAN-range from pfSense, and not an IP-address in the LAN-range?
Like said:
Laptop, wireless via WAP -> 192.168.7.10
Laptop, wired via HP-switch -> 192.168.2.10Update, just to be absolutely sure I wasn't misunderstanding what I was seeing, I tested one final thing:
- My hardware setup was this:
–- Upstairs: pfSense -> HP switch -> LAN, all wired
-------Upstairs, one Ubiquity WAP, wired to the HP switch, VLAN70.
--- Downstairs: the other Ubiquity WAP -> unmanaged cheap switch -> powerline -> to upstairs -> HP switch
-------Downstairs WAP = also VLAN70 (you tag this in the WAP).
Now, both Ubiquities do something together called 'seamless roaming', whereas when you move around between the two WAPs they will transfer you between them.
So what I could think of was that because WAP upstairs is VLAN70 and hardwired to the HP Switch (which had that port tagged as VLAN70), the 'seamless roaming' for some magically reason also made it possible that the WAP downstairs for some reason to be on VLAN70.
So I shut down WAP upstairs, and enabled only WAP downstairs. So there is no, by no means, connection from WAP downstairs to the HP switch other than where the powerline connection from downstairs enters the HP switch.
Still, WAP downstairs remains VLAN70, and so do the smartphone and the laptop, with their corresponding VLAN70 IP's (192.168.7.x, and not the LAN IP's of 192.168.2.x).
So, for whatever reason, WAP downstairs, via unmanaged switch and powerline, is capable of being in VLAN70.
I don't know why, and you all do know 1000 times more about this than I do, I am just telling you what is happening here ;D
- My hardware setup was this:
-
Lets be sure we're talking about the same thing…
(Edit: I just dug up those powerline adapters and put them on the bench. They pass VLAN tags just fine and pass unfragmented ICMP at a full 1472 so I don't know what I was seeing before. Unmanaged switch is still not what you want.)
-
That is the diagram I imagined also. If the dumb switch and powerline devices are really good and dumb, then they can just pass ethernet frames blindly between source and destination MAC addresses and the smart AP with multi-SSID and VLAN knowledge should effectively have a pipe to the HP smart switch with the corresponding VLANs trunked. (and untagged frames from other devices downstairs would also happily arrive untagged at the HP switch and the HP switch can be configured to put them in a selected VLAN.)
But, if they are not dumb enough then they might mess with the VLAN packets.
Given all of that, if the VLAN70 configuration works, then so should VLAN60. -
But they might pass frames at 1518 (MTU 1500) and discard at 1522 (MTU 1500 + dot1q). "it depends."
Get a dot1q switch.
They're US$60.
-
Thanks Phil ;D
And thanks Derelict ;D And you I would like to ask: but what is the problem with my current setup then? I mean: it appears to be working(?)
-
Glad it's working. Sounded like you were still having issues.
