Single Nic - thin client
-
Hello,
Thank you for responding.
I'm not sure if I can "You should dedicate a port on the switch which would have both VLANs tagged"
I can tag and un tag any ports with VLAN 10 or 20, But I can't create a port without being in a VLAN group ? does that make any sense.
I understand that 1st port should be outside of 10/20 ?
I can setup
VLAN's
LAG
and PVID on this switch, But I don't think that it supports port trunking … Is that a problem ?:( -
Most switches has different names for same features.
Configure it as a trunk and/or define a pvid out of 10/20.
tag vlans 10 and 20,…
-
Simplify… Don't VLAN the LAN. VLAN the WAN and use the physical for LAN.
pfSense WAN - bge0_vlan10
pfSense LAN - bge0pfSense connected switch port: PVID 1 (default), Untagged Member of VLAN 1, Tagged Member of VLAN 10 (WAN)
Modem connected switch port: PVID 10, Untagged Member of VLAN 10 (WAN).
All other switch ports: PVID 1 (default), Untagged Member of VLAN 1 (default)
This is the setup I use with single NIC pfSense.
-
I can tag and un tag any ports with VLAN 10 or 20, But I can't create a port without being in a VLAN group ? does that make any sense.
Can you tag a port with both VLAN10 and VLAN20?
Or can you set it to have both tagged and untagged traffic? -
NYOB thank you that worked !
robi, Thank you as well !
One problem looks like I can't access the web gui anymore ? Is there anything special that needs to be done.
-
If you can ping pfSense from the client but can't access the web gui. Then probably the web gui is not running and needs to be restarted (can be done at the console), or it is being locked out by the firewall.
Others may need to chime in here as I'm not real familiar with the web gui firewall lock out stuff.
-
Others may need to chime in here as I'm not real familiar with the web gui firewall lock out stuff.
It happens if you disable anti lock rule or have a misconfigured interfaces.
You may need to reboot the firewall after changing interface setup and/or addresses/mask.
-
Simplify… Don't VLAN the LAN. VLAN the WAN and use the physical for LAN.
pfSense WAN - bge0_vlan10
pfSense LAN - bge0pfSense connected switch port: PVID 1 (default), Untagged Member of VLAN 1, Tagged Member of VLAN 10 (WAN)
Modem connected switch port: PVID 10, Untagged Member of VLAN 10 (WAN).
All other switch ports: PVID 1 (default), Untagged Member of VLAN 1 (default)
This is the setup I use with single NIC pfSense.
NOYB, what is VLAN 1?
Also, why is Modem Untagged on VLAN 10? Shouldn't it be tagged? -
Simplify… Don't VLAN the LAN. VLAN the WAN and use the physical for LAN.
pfSense WAN - bge0_vlan10
pfSense LAN - bge0pfSense connected switch port: PVID 1 (default), Untagged Member of VLAN 1, Tagged Member of VLAN 10 (WAN)
Modem connected switch port: PVID 10, Untagged Member of VLAN 10 (WAN).
All other switch ports: PVID 1 (default), Untagged Member of VLAN 1 (default)
This is the setup I use with single NIC pfSense.
NOYB, what is VLAN 1?
Also, why is Modem Untagged on VLAN 10? Shouldn't it be tagged?Wow, kind of an old thread.
Typical default port configuration for most switches is PVID=1, untagged (VLAN 1). In this case used as the LAN on the native physical interface.
No, the switch port the modem is plugged in to should not be tagged. Not unless the modem is VLAN aware.
Three main components of VLAN configuration are, Port VLAN ID (PVID), Tagged/Un-Tagged, and Membership.
Obviously some switches use various different terminologies.Here is a simple way to think about VLAN's.
Port VLAN ID (PVID) value is the VLAN tag that gets assigned to untagged ingress packets.
Un-Tagged strips the VLAN tag from egress packets.
Tagged does NOT strip the VLAN tag from egress packets.
Ports participate in each VLAN they are a member of. -
Thanks NOYB, that is one quick turnaround. See below for additional questions.
For the PfSense switch port, ingress packets would be the ones coming from the pfSense thin client. Those would be the ones targeted to the LAN. All packets directed towards the WAN would be tagged by PfSense based on the fact that the WAN has VLAN associated with it.
Any packets coming from the Cable Modem/WAN will be left tagged as that is what that port's PVID will do.
"Untagged Member of VLAN 1" is where I get confused. Why do I even need to set that?
For the Modem switch port, "Untagged Member of VLAN 10 (WAN)." is confusing me the same way.
Perhaps the confusion stems by the mixing together of tag/untag terminology together with membership.
BTW, my switch is a Zyxel GS1900-16.
Here's what's available as port configuration:
On One screen you can set tagging/untagging
Tag Ports belonging to the specified VLAN tag all outgoing frames transmitted.
Untag Ports belonging to the specified VLAN don't tag all outgoing frames transmitted.Another screen has these settings:
VLAN Port
VLAN ID Select the ID of the VLAN you want to configure.
Port Displays the port index value.
Membership Select Forbidden if you want to prohibit the port from joining this VLAN group.
Select Excluded to remove the port from the VLAN.
Select Tagged to set the port TX tag status to tagged in the VLAN.
Select Untagged to set the port TX tag status to untagged in the VLAN.On a separate screen you can set this
PVID This is the port VLAN identification number.
A PVID (Port VLAN ID) is a tag that adds to incoming untagged frames received on a
port so that the frames are forwarded to the VLAN group that the tag defines.
Accept FrameType
This field displays the type that is accepted by the frame.
Specifes the type of frames allowed on a port. Choices are All, Tag Only and Untag
Only. All accepts all untagged or tagged frames on this port. This is the default
setting. Tag Only accepts only tagged frames on this port. All untagged frames will be
dropped. Untag Only accepts only untagged frames on this port. All tagged frames will
be dropped.
Ingress Filter If set, the Switch discards incoming frames for VLANs that do not have this port as a
member.
VLAN Trunks Enable VLAN Trunking on ports connected to other switches or routers (but not ports
directly connected to end users) to allow frames belonging to unknown VLAN groups to
pass through the Switch. -
"Untagged Member of VLAN 1" is where I get confused. Why do I even need to set that?
That is the typical switch default for all ports (PVID=1, untagged member of VLAN 1). Within the switch all packets are tagged. VLAN 1 is the default. In this case that is what handles the LAN packets. The packets arrive from pfSense as untagged, get assigned to VLAN 1, and passed on to the appropriate port that is a member of VLAN 1.
For the Modem switch port, "Untagged Member of VLAN 10 (WAN)." is confusing me the same way.
Untagged packets arrive from the modem and are tagged according to the PVID (10 in this case), then passed on to the appropriate port that is a member of VLAN 10 (such as the port that pfSense is connected to). Since the pfSense port is a tagged member of VLAN 10, the tag is not striped and arrives at pfSense tagged as VLAN 10 (pfSense WAN).
Being an untagged member of VLAN 10 means that when packets tagged as VLAN 10 exit the port the VLAN tag is stripped from the packet. Otherwise the modem probably wouldn't know how to deal with it.
Perhaps the confusion stems by the mixing together of tag/untag terminology together with membership.
Ports can be a member of one or more VLAN's.
Being an untagged member of a VLAN means the VLAN tag is stripped from the packet on egress (transmitted from the port and placed on the wire).
Being a tagged member of a VLAN means the VLAN tag is NOT stripped from the packet on gress (transmitted from the port and placed on the wire). In this case the device at the other end of the wire needs to be VLAN capable.If this doesn't clear it up you'll either need to do some self learning or someone who can explain it better that I will needed.
-
NOYB, I got it. I just needed to translate it to the Zyxel interface. You were very helpful and extremely clear. Thanks
