VLAN Trunk Link and Performance
-
You're using an SG200; I would assume this is pretty close to the SG300. I think it's missing some of the SNMP features and can't do layer 3, etc. But the commands should be the same, and I would assume the web interface is the same, etc.
So here is an interface that is just LAN and connects to pfSense:
interface gigabitethernet2
description "esxi lan"
switchport mode access
!
And here is one that is in trunk mode because it does have tagged VLANs on it, but you see there is also a VLAN that is just native:
interface gigabitethernet3
description "esxi wlan trunk"
bridge multicast unregistered filtering
switchport trunk allowed vlan add 100,200,300,500
switchport trunk native vlan 20
Here is a port that is just in VLAN 20 and not trunked; it's just an access port to my printer, which is in VLAN 20:
interface gigabitethernet10
description printer
switchport mode access
switchport access vlan 20
That is my 192.168.2/24 network. My LAN network is 192.168.9/24; those other VLANs (some are wifi SSIDs) are like 192.168.3, 192.168.4, etc.
-
I guess I'm going to have trouble on this one. Let me try and articulate what I need to do.
I have 6 pfSense interfaces. We'll use igb1-igb3 for simplicity's sake.
Set up each LAN on its own subnet and enable the service and DHCP.
On the switch:
TRUNK port 1 for VLAN 10
TRUNK port 2 for VLAN 20
TRUNK port 3 for VLAN 30
Set ports 5-10 to access and untagged VLAN 10?
Set ports 11-15 to access and untagged VLAN 20?
Set ports 16-20 to access and untagged VLAN 30?
Jack igb1 to port 1
Jack igb2 to port 2
Jack igb3 to port 3
Does that isolate each port to its own VLAN in the switch, and upstream to its own interface on the pfSense router?
-
Looks like yes, unless there is some other layer 3 routing involved in the switch itself.
set ports 5-10 to access and untagged VLAN 10?
These ports are not isolated from each other absent some other configuration on the switch, naturally.
-
You do not need to trunk. Just set them as access and put them in the VLAN you want them in, just like your other ports. You only need to trunk when you're going to be carrying tagged traffic. An access port is fine since you're not going to another switch, etc.
-
You guys are gods in my book. Will make the change tonight and see how it goes.
To think I was all excited that I figured out how to configure VLANs only to realize I didn't need to.
Seed
-
Hmm this isn't working as I had hoped. Sometimes I feel like it's intuitive then it fails me.
I have the default VLAN 1 that is set to untagged on all ports 1-26 on an SG200-26
I have igb3 and igb4 setup on the pfSense box with DHCP and services running.
I can then access the switch that is plugged into port 25 @ 193.168.3.100 which it received from pfSense
Once I set that port 25 to untagged it's dead and I can't access it.
ports 1-12 are untagged and access for VLAN 103
ports 13-24 are untagged and access for VLAN 104
port 25 is untagged and access on VLAN 103
port 26 is untagged and access on VLAN 104.
Once I set port 25 to untagged from excluded, I can't access the switch anymore. Is this a management thing?
-
The switch is probably listening for management traffic on VLAN 1.
I don't have an SG200. There is probably a way to make it listen for management traffic on another VLAN. Yes, it's easy to lock yourself out of a switch messing around with this stuff. You have to make a port on the management VLAN, configure everything, then switch the management VLAN to what you want it to be (probably 103 or 104) then physically move the connection to a port that's untagged on that VLAN.
-
Nice, Derelict. When I think about it, I think that's what's happening, because the default VLAN ID for Admin and 1 is set on the port I'm connected to, and I'm trying to change that one to 103. I'm going to dedicate one port as a management port from the router to the switch so I always have a way in, I hope. I was successful as well with the VLAN config within the switch, but only if I set the two igb3 and igb4 ports from the pfSense router to trunk. They are access for 1-12 (103) and 13-24 (104), with trunk on 25 (103) and trunk on 26 (104). Going to keep trying. I think I'm close.
-
Success!
Thank you all for your help. Time for a small donation to the firewall foundation. Love pfSense!
Seed
-
Why are you setting trunk?? If you're not going to use tags you do not have to trunk!!
You still need to configure VLANs, but only on your switch. Again, trunks are only for when there is tagged traffic. When packets from more than one VLAN are on an interface you need a way to know which packets are in which VLAN, i.e. tags.
So if you're going to send multiple VLANs out an interface, and the thing connected has to figure out which packets are which, then it's a trunk. For example, sending to one interface in pfSense where pfSense has VLANs set up that say tag 10 is in this VLAN and 20 is in that VLAN, etc. Or if sending to another switch, the other switch is also set to trunk with the different VLANs, so it knows these packets are VLAN 10 and those are 20, and then it can send them to the ports in those VLANs, etc.
You still have to set up VLANs in your setup, but just on the switch.
Maybe this drawing helps you get your head around it; I did this for another thread. So you see the color coding on the switch: those ports are in that VLAN. And then see the trunk, where ports will carry multiple VLANs. So the WLAN interface in pfSense will have VLANs set up for the wifi VLANs, and you need trunks to your AP since they will also carry tagged VLANs.
-
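The access/trunk/native-VLAN rules in the post above, and the management-VLAN lockout described earlier in the thread, as an added example that is not from the thread or from Cisco: a small Python model that parses the switchport commands shown in this thread and works out which VLAN a frame lands in, which ports it can reach, and whether it can still reach the switch's own management address. The port names, the VLAN numbers (103/104/20/30), the constructed sample config and the rule that the management IP answers only inside the management VLAN (VLAN 1 by default) are assumptions made for the example.

```python
"""Model of how an SG200/SG300-style switch places frames into VLANs.
Added example, not from the original thread. It parses the switchport commands
used in the thread (mode access/trunk, access vlan, trunk native vlan, trunk
allowed vlan add) and shows: an untagged frame on a trunk lands in the native
VLAN, access ports in different VLANs cannot reach each other, and an uplink
moved out of the management VLAN can no longer reach the switch itself.
Port names, VLAN numbers and the management-VLAN rule are assumptions.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class Port:
    name: str
    mode: str = "trunk"      # SG300 factory default: trunk, native VLAN 1, nothing tagged
    access_vlan: int = 1
    native_vlan: int = 1
    allowed: Set[int] = field(default_factory=set)   # VLANs carried tagged on a trunk

    def ingress_vlan(self, tag: Optional[int]) -> Optional[int]:
        """VLAN an incoming frame is placed in, or None if the switch drops it."""
        if self.mode == "access":
            return self.access_vlan if tag is None else None   # access: untagged only
        if tag is None:
            return self.native_vlan      # untagged on a trunk -> native VLAN
        return tag if tag in self.allowed else None

    def membership(self, vlan: int) -> Optional[str]:
        """'untagged'/'tagged' if this port forwards `vlan`, None if not a member."""
        if self.mode == "access":
            return "untagged" if vlan == self.access_vlan else None
        if vlan == self.native_vlan:
            return "untagged"
        return "tagged" if vlan in self.allowed else None


def parse_config(text: str) -> Dict[str, Port]:
    """Parse the subset of SG300 'switchport' syntax seen in the thread."""
    ports: Dict[str, Port] = {}
    cur: Optional[Port] = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"interface (\S+)", line):
            cur = ports.setdefault(m.group(1), Port(m.group(1)))
        elif cur is None or not line.startswith("switchport "):
            continue                     # descriptions, comments, blank lines
        elif line.startswith("switchport mode "):
            cur.mode = line.split()[-1]
        elif m := re.match(r"switchport access vlan (\d+)", line):
            cur.access_vlan = int(m.group(1))
        elif m := re.match(r"switchport trunk native vlan (\d+)", line):
            cur.native_vlan = int(m.group(1))
        elif m := re.match(r"switchport trunk allowed vlan add ([\d,]+)", line):
            cur.allowed.update(int(v) for v in m.group(1).split(","))
    return ports


def forward(ports, ingress: str, tag: Optional[int] = None) -> Dict[str, str]:
    """Other ports that receive a frame entering `ingress`, and whether it leaves tagged."""
    vlan = ports[ingress].ingress_vlan(tag)
    if vlan is None:
        return {}
    return {n: m for n, p in ports.items() if n != ingress and (m := p.membership(vlan))}


def can_reach_management(ports, ingress: str, tag: Optional[int] = None, mgmt_vlan: int = 1) -> bool:
    """Assumption: the switch's management IP answers only inside the management VLAN."""
    return ports[ingress].ingress_vlan(tag) == mgmt_vlan


# Constructed config modelled on the thread's layout; not real switch output.
CONFIG = """
interface gigabitethernet1
 description "uplink to pfSense igb3: VLAN 103 untagged, VLAN 30 tagged"
 switchport mode trunk
 switchport trunk native vlan 103
 switchport trunk allowed vlan add 30
interface gigabitethernet2
 switchport mode access
 switchport access vlan 103
interface gigabitethernet3
 switchport mode access
 switchport access vlan 104
interface gigabitethernet4
 description "trunk to an access point: native 20 untagged, 30 tagged"
 switchport mode trunk
 switchport trunk native vlan 20
 switchport trunk allowed vlan add 30
interface gigabitethernet5
 description "factory default: trunk, native VLAN 1, where management lives"
"""
PORTS = parse_config(CONFIG)

if __name__ == "__main__":
    print(forward(PORTS, "gigabitethernet1"))          # {'gigabitethernet2': 'untagged'}
    print(forward(PORTS, "gigabitethernet3"))          # {} : the VLAN 104 host is isolated
    print(forward(PORTS, "gigabitethernet4", tag=30))  # {'gigabitethernet1': 'tagged'}
    print(can_reach_management(PORTS, "gigabitethernet1"))                 # False: locked out
    print(can_reach_management(PORTS, "gigabitethernet1", mgmt_vlan=103))  # True after the move
```

Run it as a script to print the cases. The two things to take from it: a trunk port with native VLAN 103 and nothing tagged places an untagged frame exactly where an access port in VLAN 103 would, which is why the "trunk, untagged" uplink worked the same as access; and the moment the only port you are connected through leaves VLAN 1, the frames you send no longer land in the VLAN the management address lives in, which is the lockout described earlier. A tagged frame only gets anywhere when both ends list that VLAN as tagged (gigabitethernet4 to gigabitethernet1 here), which is the case that actually needs a trunk and a VLAN interface on pfSense.
-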
I THINK this is a terminology thing with this Cisco switch.
By default ALL ports are set to trunk, which I don't understand by the definition of trunk; they are set as untagged though. When I set up the switch to use VLANs everything works fine. All ports are set to access untagged, but the ports that are linked to the pfSense box are set to trunk, not access, though they are still untagged. This was the only way I could get the switch to talk to the pfSense box. I'm not sure what else to do. All 3 interfaces in pfSense are just LAN, igb2,3,4 for example, and physically jacked to ports 25, 49 and 50.
Again, maybe this is a newb thing, but it seems that Cisco uses trunk and tagged as the same thing in some cases? If trunk wasn't required, then why are the defaults all trunk untagged?
I'm still down to keep testing though but this was the only way I could get it to work so far.
-
I have an SG300, and have been using Cisco for years and years. It's what I currently get paid to do ;) There should be no reason why all the ports would be trunk by default. There is for sure no reason for them to stay that way. Just put them in access mode. If you're not going to carry more than one VLAN then the port should be access.
-
I'll do a full reset tonight and take a screen grab. I did find one online, however. This is how my switches look when they're factory reset. They are all updated, boot and firmware. I'm fairly certain this is a terminology thing with tagged vs trunk, but not sure. See screen:
-
John was nice enough to help me get my network up and running with VLANs; that pic above was for me. I was pretty confused with setting everything up, especially native VLAN and tagging. Here is a picture of my VLAN management page on one of my Cisco switches. You can see that ports 6 and 7 are trunk ports that carry my native Wireless LAN (untagged) and VLANs 30 and 60 (actual VLANs) to my 2 wireless access points. Port 10 is my trunk that carries all networks coming in from my main Cisco switch.
-
Can you elaborate more to your setup? What's plugged in where and what VLANs and such? Hard to understand what I'm looking at without more context.
Thanks!
-
This might help. Sorry, I am at work. VLAN 10 is my LAN (physical), 20 is WLAN (physical), 30 is Guest Network (virtual), 40 is VPN (physical), 50 is Cameras (physical), 60 is Wireless VPN (virtual). Believe me, it's been a work in progress. :) The only ACTUAL VLANs I have are 30 and 60; everything else is a physical interface. If you need any more screenshots, I can provide them when I get home. The screenshots John provided me were how I eventually got it working. A picture goes a long way.
Here is another shot of my VLAN page of one Cisco and a couple of pfsense…
-
Thanks Xman,
A couple questions:
1. Do you have trunk set for the links to the pfSense NIC that are not on VLANs or is it access for that link? Can't tell from the diag.
2. Are your APs powered directly from the SG300 switch without the injectors?
Thanks,
C
-
Here is a screenshot of the Cisco page; it should answer your questions. Also, my APs are powered right off the Cisco, with no injectors. The 10 is the P model with PoE. I have the pro versions of the AP, because they use standard PoE; the cheaper models need the injectors. Also, keep in mind that on the SG300-28 screenshot I haven't set up most of the ports, as I am waiting for our new house to be built and am not using most of the ports at the moment. The SG300-10 is set up properly.
-
ok cool. I have the 50P and a bunch of UAP-AC-PROs that I'm hoping to put on the switch as well. Will test tonight.
Also interesting that you're TRUNK everywhere. I am still having trouble understanding why everyone says access. My stuff works, but links to the pfSense box are on TRUNK untagged while all internal ports are access untagged. So your diagram tells me this is correct in that it has to be TRUNK to work as an uplink. I don't have VLANs on pfSense if I can avoid it. Can I see your interface port to VLAN assignments?
-
I fixed the SG300-28 picture with the trunk and access ports corrected. Also, to switch networks, I just have to go into the port settings and change the port membership, and whatever is connected to that port will switch networks. I.e. a computer plugged into port 10 can switch from the regular network over to my VPN by changing the VLAN port membership of that port.
Is this the screen you are after, or are you talking about the pfSense screenshot?