Folks I need Help!
-
If you want a device in vlan 1 you would need to make a switch port in that vlan, yes. Unless you're going to not use vlan 1? It's quite common in the enterprise not to use the default vlan 1. You would change the management vlan to something else and not use it.. This is in the enterprise!! In a home setup, it's fine to use vlan 1.. I use it in my home setup.. I am not worried about someone plugging into a switch port that has not been configured and sitting in vlan 1 and that user getting access they shouldn't ;)
So I don't see anything wrong with that. Did you run the sho vlan command?
It's quite possible your vlans have not actually been created on the switch.. Do you see them listed in your run, when you do show run?
So let's see your vlan config on pfsense. Rules on your vlan, your dhcp server enabled on the vlan, etc.
Just because you tell a trunk port to allow vlan X, doesn't mean vlan X actually exists in the switch's database - if it doesn't then it's not going to work.. Post the output of show vlan on your switch.
Are you using vlans 1001-1005? Out of the box vlans 1 through 1005 would be allowed on a trunk port. No real reason to call out specifics like that, to be honest..
The 1 thing when you set to dot1q, it's quite possible you're tagging vlan 1? Which if you don't have set up in pfsense then that vlan would not work.. I would put a switch port in just vlan 1, ie just switchport mode access.. Does that work?? If vlan 1 is not working then remove the dot1q statement, and vlan 1 from your trunk allow.. Off the top vlan 1 is the default vlan and would be untagged and on the trunk. Your other vlans you add would be tagged by default and you wouldn't need that dot1q statement.. We don't use vlan 1 at work, so it's been a while since I played with how it functions with that statement. I use it here on my home network, but it's used on an interface that has no vlans on it. I do tag it up the trunk uplink to another switch, etc. And use it on some ports in my switch.. But I run two uplinks to pfsense.. 1 is my native lan network, and then another uplink is for another network and my vlans..
-
I've checked the logs on the pfsense firewall and this is what I get…I'm starting to believe the switch settings are good.
/status_services.php: The command '/usr/local/sbin/dhcpd -user dhcpd -group _dhcp -chroot /var/dhcpd -cf /etc/dhcpd.conf -pf /var/run/dhcpd.pid em1 em1_vlan100' returned exit code '1', the output was 'Internet Systems Consortium DHCP Server 4.3.4 Copyright 2004-2016 Internet Systems Consortium. All rights reserved. For info, please visit https://www.isc.org/software/dhcp/ Config file: /etc/dhcpd.conf Database file: /var/db/dhcpd.leases PID file: /var/run/dhcpd.pid Wrote 29 leases to leases file. Listening on BPF/em1_vlan100/00:14:5e:77:61:9d/192.168.2.0/24 Sending on BPF/em1_vlan100/00:14:5e:77:61:9d/192.168.2.0/24 Listening on BPF/em1/00:14:5e:77:61:9d/192.168.1.0/24 Sending on BPF/em1/00:14:5e:77:61:9d/192.168.1.0/24 Can't bind to dhcp address: Address already in use Please make sure there is no other dhcp server running and that there's no entry for dhcp or bootp in /etc/inetd.conf. Also make sure you are not running HP JetAdmin software, which includes a bootp ser
-
[screenshot: pfsense vlan settings]
-
Yeah that looks fine.. Is that the only rule you have on the wifi vlan?
So you're saying your devices on this vlan 100 are not getting an IP from pfsense?
Then yeah you have a problem with the switch config, or connectivity. So is your lan, or vlan 1 working?? How are you accessing the pfsense gui?
-
Yeah that looks fine.. Is that the only rule you have on the wifi vlan?
So you're saying your devices on this vlan 100 are not getting an IP from pfsense?
Then yeah you have a problem with the switch config, or connectivity. So is your lan, or vlan 1 working?? How are you accessing the pfsense gui?
Lan is working fine on vlan 1…I have one vlan for now until I can get it working, vlan 100 wifi.
If I plug into any ports on the switch it all works except for port 10 connected to vlan 100.
On vlan 1 I have no problems getting an ip from dhcp 192.168.1.x
On vlan 100 I cannot get an ip from dhcp 192.168.2.x
-
So going to ask for the 3rd time..
did you run the command show vlan on your switch??
-
Sorry yes I did…see below
VLAN Name                 Status    Ports
1    default              active    Gi1/0/1, Gi1/0/2, Gi1/0/4
                                    Gi1/0/5, Gi1/0/6, Gi1/0/7
                                    Gi1/0/8, Gi1/0/9, Gi1/0/11
                                    Gi1/0/12, Gi1/0/13, Gi1/0/14
                                    Gi1/0/15, Gi1/0/16, Gi1/0/17
                                    Gi1/0/18, Gi1/0/19, Gi1/0/20
                                    Gi1/0/21, Gi1/0/22, Gi1/0/23
                                    Gi1/0/24, Gi1/0/25, Gi1/0/26
                                    Gi1/0/27, Gi1/0/28
100  Wifi                 active    Gi1/0/10
1002 fddi-default         act/unsup
1003 token-ring-default   act/unsup
1004 fddinet-default      act/unsup
1005 trnet-default        act/unsup

VLAN Type  SAID    MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
1    enet  100001  1500  -      -      -        -    -        0      0
100  enet  100100  1500  -      -      -        -    -        0      0
1002 fddi  101002  1500  -      -      -        -    -        0      0
-
Correct me if I'm wrong but you only appear to have VLAN100 tagged on one port?
-
Correct me if I'm wrong but you only appear to have VLAN100 tagged on one port?
Yes…do I need more ports?
I did try that and it didn't work
-
You need VLAN100 tagged on the port that connects to your WiFi AND the port that connects back to pfSense. VLAN1 should remain untagged but active on all ports. Your AP also needs to be VLAN aware, what one are you using?
-
You need VLAN100 tagged on the port that connects to your WiFi AND the port that connects back to pfSense. VLAN1 should remain untagged but active on all ports. Your AP also needs to be VLAN aware, what one are you using?
Sorry really green at this…vlan 100 is tagged to port 10 and the port that connects to pfsense is port 3.
If you can help me with the commands I would appreciate it, see below, show run command...thx

interface GigabitEthernet1/0/3
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,100,1001-1005
 switchport mode trunk
!
interface GigabitEthernet1/0/4
!
interface GigabitEthernet1/0/5
!
interface GigabitEthernet1/0/6
!
interface GigabitEthernet1/0/7
!
interface GigabitEthernet1/0/8
!
interface GigabitEthernet1/0/9
!
interface GigabitEthernet1/0/10
 switchport access vlan 100
 switchport mode access
-
ok so port 10 is in vlan 100
Can you do a show interfaces trunk
Or how about
sho int switchport G1/0/3
That is the port you have in trunk mode to pfsense right..
I would remove this from your port 3
switchport trunk encapsulation dot1q

conf t
int gi1/0/3
no switchport trunk encapsulation dot1q

Then show the commands of the ones I gave above.
Then once you have a device that you connect to on port 10, we can worry about connecting a AP on another trunk port that does vlans, etc.
-
I wouldn't have a clue about commands, my switch has a Web GUI 8)
But if pfSense is on port 3 then that also needs tagged to VLAN100
-
ok so port 10 is in vlan 100
Can you do a show interfaces trunk
Or how about
sho int switchport G1/0/3
That is the port you have in trunk mode to pfsense right..
Yes port 3 is trunk…see below

SW#show interfaces trunk
Port        Mode         Encapsulation  Status        Native vlan
Gi1/0/3     on           802.1q         trunking      1

Port        Vlans allowed on trunk
Gi1/0/3     1,100,1001-1005

Port        Vlans allowed and active in management domain
Gi1/0/3     1,100

Port        Vlans in spanning tree forwarding state and not pruned
Gi1/0/3     1,100
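An added example, not posted by anyone in this thread: a small Python checker for the point made earlier that a VLAN allowed on the trunk but missing from the switch's VLAN database will not carry traffic. It parses `show vlan` and `show interfaces trunk` output and reports why a given VLAN cannot get from an access port up the trunk. The sample output is constructed to resemble the thread's switch, and vlan 200 is an assumed extra VLAN (allowed on the trunk, never created) added to show the failure case.

```python
import re
# Constructed sample modelled on this thread's switch (not copied); vlan 200 is assumed, allowed but never created.
SHOW_VLAN = """\
VLAN Name              Status    Ports
1    default           active    Gi1/0/1, Gi1/0/2, Gi1/0/4
100  Wifi              active    Gi1/0/10
1002 fddi-default      act/unsup
VLAN Type  SAID    MTU
1    enet  100001  1500
"""
SHOW_TRUNK = """\
Port      Mode  Encapsulation  Status    Native vlan
Gi1/0/3   on    802.1q         trunking  1
Port      Vlans allowed on trunk
Gi1/0/3   1,100,200,1001-1005
Port      Vlans allowed and active in management domain
Gi1/0/3   1,100
"""

def expand_vlan_list(s):
    """'1,100,1001-1005' -> {1, 100, 1001, 1002, 1003, 1004, 1005}"""
    out = set()
    for lo, _, hi in (p.partition('-') for p in s.split(',') if p):
        out.update(range(int(lo), int(hi or lo) + 1))
    return out

def parse_show_vlan(text):
    """{vlan_id: status} from the first table of 'show vlan' (the 'VLAN Type' table is dropped)."""
    first = text.split('VLAN Type')[0]
    return {int(m.group(1)): m.group(2) for m in re.finditer(r'^(\d+)\s+\S+\s+(\S+)', first, re.M)}

def parse_show_trunk(text):
    """{port: {'allowed': set, 'active': set}} from 'show interfaces trunk'."""
    trunks, section = {}, None
    for line in text.splitlines():
        m = re.match(r'^(\S+)\s+([\d,\-]+)\s*$', line)
        if line.startswith('Port'):  # a 'Port ...' header names the VLAN list that follows it
            section = 'active' if 'and active' in line else 'allowed' if 'allowed' in line else None
        elif section and m:
            trunks.setdefault(m.group(1), {})[section] = expand_vlan_list(m.group(2))
    return trunks

def check_vlan(vlan_id, vlans, trunks):
    """Reasons vlan_id cannot get from an access port up the trunk; [] means it looks fine."""
    problems, status = [], vlans.get(vlan_id)
    if status is None:
        problems.append(f"vlan {vlan_id} is not in the switch VLAN database")
    elif status != 'active':
        problems.append(f"vlan {vlan_id} has status {status}")
    for port, t in trunks.items():
        if vlan_id not in t.get('allowed', ()):
            problems.append(f"{port}: vlan {vlan_id} not allowed on trunk")
        elif vlan_id not in t.get('active', ()):
            problems.append(f"{port}: vlan {vlan_id} allowed but not active")
    return problems
```

Run `check_vlan(100, parse_show_vlan(SHOW_VLAN), parse_show_trunk(SHOW_TRUNK))` to get an empty list for the working VLAN, and the same call with 200 to see the "allowed but not active" case the thread warns about.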
-
We already went over what needs to be tagged where.. Yes completely agree with you
Port to pfsense needs vlan 100 tagged.. And then any uplinks to any AP that would be doing vlan 100 on SSID also tagged, etc.
But he can not seem to get vlan 100 to work..
-
Have we established that his AP is VLAN aware, and set up to use VLAN100?
-
Have we established that his AP is VLAN aware?
AP is vlan aware, it's a Ubiquiti UniFi AP-AC-Pro AP…but if I plug my laptop in that port I can't get an ip
-
He is not doing that yet - he is just connecting a device to his vlan port 10.. And it's not getting an IP from pfsense, or can not talk to pfsense. If he can not get a simple access port to work.. Then what is the point of moving to an AP?
On your pfsense box can you do an ifconfig and post the output so we can see that your nic actually supports vlan tagging..
example
em2: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
	ether 00:50:56:00:00:03
	inet6 fe80::250:56ff:fe00:3%em2 prefixlen 64 scopeid 0x3
	inet 192.168.2.253 netmask 0xffffff00 broadcast 192.168.2.255
-
here you go
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=5009b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,VLAN_HWFILTER,VLAN_HWTSO>
	ether 00:14:5e:77:61:9c
	inet6 fe80::214:5eff:fe77:619c%em0 prefixlen 64 scopeid 0x1
	inet 24.23.x.x netmask 0xfffff800 broadcast 24.239.15.255
	nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
	media: Ethernet autoselect (1000baseT <full-duplex>)
	status: active
em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=5009b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,VLAN_HWFILTER,VLAN_HWTSO>
	ether 00:14:5e:77:61:9d
	inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
	inet6 fe80::1:1%em1 prefixlen 64 scopeid 0x2
	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
	media: Ethernet autoselect (1000baseT <full-duplex>)
	status: active
pflog0: flags=100<PROMISC> metric 0 mtu 33160
pfsync0: flags=0<> metric 0 mtu 1500
	syncpeer: 224.0.0.240 maxupd: 128 defer: on
	syncok: 1
enc0: flags=0<> metric 0 mtu 1536
	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
	options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
	inet 127.0.0.1 netmask 0xff000000
	inet6 ::1 prefixlen 128
	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x6
	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
em1_vlan100: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=3<RXCSUM,TXCSUM>
	ether 00:14:5e:77:61:9d
	inet6 fe80::214:5eff:fe77:619d%em1_vlan100 prefixlen 64 scopeid 0x7
	inet 192.168.2.1 netmask 0xffffff00 broadcast 192.168.2.255
	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
	media: Ethernet autoselect (1000baseT <full-duplex>)
	status: active
	vlan: 100 vlanpcp: 0 parent interface: em1
-
Your laptop won't work on port 10 because it's not a member of VLAN1 and I'm guessing the laptop isn't VLAN aware.