Trying to figure out VLANs, 3 LAN's, 1 Ubiquiti AP
-
I've never tried VLANs before so I'm assuming I'm making a dumb mistake somewhere.
What I want to do:
Add two VLANs, one for Guest use, the other for Internet of Things. I want both of them to be wireless via my Ubiquiti AP.
My Network:
pfSense igb3 > Web Managed Switch (SG108E) Port 1 >> Ubiquiti AP AC PRO Port 3 -&- Desktop Port 7
What I did:
- pfSense:
created two VLANs and assigned them to igb3
Guest: Tag=10, Priority=0
IoT: Tag=20, Priority=0
Enabled each VLAN interface, assigned them static IPs, and enabled each of their DHCP servers accordingly
Guest: 192.168.10.1/24
IoT: 192.168.20.1/24
Added Firewall Rules to the Guest & IOT Interface
For now to ensure rules aren't the issue, it's an allow anything rule- Switch (SG108E):
Enabled 802.1Q VLANs
VLAN 1: Default_VLAN/Members: 1-8/Tagged:-/Untagged:1-8VLAN 10: Guest/Members: 1,3/Tagged:1/Untagged:3
VLAN 20: IoT/Members: 1,3,7/Tagged:1/Untagged:3,7
NOTE: What I'm trying to do is setup two more WiFi SSID's for the Guest VLAN and the IoT VLAN. The AP is on port 3. I would also like to be able to access the IoT VLAN on my desktop on port 7 (but that really isn't important).
The guide I followed said to assign a PVID to each port for the VLAN I'm using on it. However, I can only assign one PVID to each port. So how does that work when I need to put two VLANs through the same port? Also, from my understanding the PVID is assigning a tag to traffic coming to the switch from the port, so that the traffic is tagged on its way to the tagged port (1). On my Ubiquiti AP, I can select a VLAN tag for each SSID, so why is PVID necessary? TL;DR, I didn't add any PVIDs, every port is the default 1.
- Ubiquiti AP AC PRO
Added a Guest SSID and enabled VLAN tag
Selected to use VLAN with VLAN ID: 10
I haven't added the IoT SSID yet
The problem: When I try to connect to the Guest SSID, it can't get an IP address. I've tried restarting the DHCP services, resetting state tables, but the problem remains. I'm sure I've screwed this up somehow I just don't know how. Can anyone guide me here?!
-
Port 3 needs to be untagged on VLAN 1 and tagged on 10 and 20. VLAN tags are how the AP tells the switch what network the traffic from the different SSIDs belongs on.
-
Damn that was fast and concise! Thank you!
-
pfBasic,
I also have never tried VLANs. I'm trying to setup something very similar to what you are except I have 3 Cisco SLM2008 switches and one Ubiquiti AP AC PRO, may add one more. I wonder if you'd mind telling me what guide you refereed to in your original post?
The guide I followed
Thanks,
Doug
-
It was just the one from the manufacturers website:
http://www.tp-link.com/us/faq-788.htmlSo, what are PVIDs for? Since they aren't needed in this implementation?
-
Those TPLINK switches are piles of junk imho. You should set the PVID to the same value as the untagged VLAN on the port. You, inexplicably, apparently have to set both. Same with the crappy little netgears.
Maybe there is something you can do there with asymmetric VLANs and port isolation which is why they make you set both.
-
Yeah certainly not top notch products, but they get you VLANs for like $25.
-
John_galt/all,
I am not sure if this will help you out with switch setup but I was on the phone with dlink tech(2x for an hour) support and they walked me thru the following configuration for my switch and VLANs. I also use a Ubiquity Pro. The VLANs are working…that is I am able to connect to each of the ssids wirelessly(I need to do some more study to make sure I have isolated them correctly on my pfsense)Some notes:
- My pfsense box/LAN is connected to eth1 of my switch
- My Unifi AP is connected to eth2 of my switch (Apple TV is connected to eth3 of the switch)
- My VLAN 12, 25 and 64 all have separate ssids on my Ubiquity AP pro(all working)
- VLAN 38 is for my Apple TV (Apple TV does not support VLANs), not connected to my AP
- Make sure to input the VLAN ID and check the "Use VLAN with VLAN ID" box in the Wireless Networks->Advanced Options-> VLAN of the Unifi Contoller on you computer(can't access this from the mobile app)
Disclaimers-
I am by no means an expert!
Sorry for the rookie screen shots?..I manage my network from a dedicated computer with no internet access.While your switch might be different I thought this might help with tagging, untagging and member configuration.
-
Thanks for the information pfBasic & Velcro
-
"PVID is assigning a tag to traffic coming to the switch from the port"
Not sure where you read that.. not really tagging anything.. Its just saying hey if I see untagged traffic coming into this interface its going to be on the PVID vlan..
As Derelict was mentioning.. Maybe there is some odd thing you could do where you set the pvid different than untagged traffic. Normally setting the pvid would automatically mean that is untagged traffic why you would have to go in and also say vlan X is untagged not sure. Maybe you don't actually have to do that? I have a gs108ev3 in my av cabinet I could test that. But with use of their gui its no big deal to set untagged vlan same as the pvid.
The only ports that should have tagged traffic on them would be ports connecting to something that is going to understand the tags and use them.. Ie pfsense, ie uplink to another switch, your AP..
With your setup vlan 1 should/could be all the ports and untagged.
You would just your vlans as tagged to the ports connecting to pfsense on the switch and the port connecting to AP on the switch.
-
Just gone through this with my setup.
As I understand:
PVID is used to tag traffic from a vlan unaware source with that vlan tag in the switch. So if you connected a PC to the switch and put the PVID in as 10 on the port that PC is connected to then that PC would then be on VLAN 10.
Equipment that is VLAN aware such as your AP does not need the PVID setting as this is tagging the traffic already. So based on the SSID each packet will get assigned to a VLAN. This is setup by the WLAN AP
To get the VLANS to work together you need to be able to get them through the switch. So you need to tell the switch to expect tagged packets from VLAN aware equipment, so the ports that you attach the WLAN AP to and the one that PF sense is connected to. You should only need to tag the different VLANS, your untagged normal network shouldn't need to be tagged (i.e. VLAN1).
-
"PVID is used to tag traffic from a vlan unaware source with that vlan tag in the switch."
Where are you getting the idea that this tags it??
Yes this is correct..
"if you connected a PC to the switch and put the PVID in as 10 on the port that PC is connected to then that PC would then be on VLAN 10."But you are the 2nd person in this thread that has associated this with tagging…?? If your thinking of inside the switch?? Ok but its not really "tagged" unless it leaves the switch and the port it leaves on is set to tag that vlan. If you have a device on port 1 with pvid 10, and device on port 2 with pvid.. These devices will never see any tag when talking to each other.
Yes the PVID sets the vlan for what the switch sees coming into that port that does not have a tag on it.. But keep in mind that its not really tagged, if it helps to think of it as tagged "inside" the switch ok I guess. But tagged and untag really only come into play when entering or leaving the switch..
-
I am beginning to think that these switches are using "Untagged" for transmitted traffic (remove the tag on traffic sent out that port from this VLAN) and "PVID" for received traffic (Traffic received without a tag on this port is placed on this VLAN) on a port.
Though I am struggling to think of a scenario where you wouldn't want them both the same under normal circumstances.
-
Agreed I don't see why you have to actually set the untagged vlan on the port if your setting the pvid.. Should really be a given they are the same - but I guess it makes a bit easier to keep track of their 2 different ui.. They have where you can look at the ports pvid and then you can look to at a specific vlan and see the ports being tagged or untagged on that vlan. So in this case it makes it easy to see that yup all those ports are in vlan X untagged.
-
If I thought about it a while I could probably come up with a way to leverage that into multiple broadcast domains downstream (think big wi-fi) with a single layer 3 upstream.
"Asymmetric VLANs" are sort of a poor-man's Private VLAN.
I have three ports:
1 PVID 10 Untagged 10
2 PVID 10 Untagged 11
3 PVID 10 Untagged 12I put pfSense on port 1.
Broadcasts from ports 2 and 3 reach pfSense but not each other
So 2 cannot communicate with 3, 3 cannot communicate with 2, but both can communicate with 1. Ports 2 and 3 are on separate VLANs but both egress the switch untagged.
Unexplained is broadcasts from port 1 to ports 2 and 3 in that case, however.
-
Derelicts instructions were exactly what I needed, all is working.
I didn't ever do anything with PVIDs, they are all set to the default VLAN 1. The discussion here helped me understand what they are used for. Thank you too all!
-
You really need to change the pvid from 1 if your going to put a port into an untagged vlan. If your only using it for say an uplink to pfsense that does the vlans and or a AP then no there is no reason to change the pvid if your going to use vlan 1 (default) vlan as your main network with all devices on the switch being in vlan 1.
-
Setup has pfSense on port 1,
The AP in on the switch
A desktop PC
And an HTPC
Everything is currently working. How should I change the PVIDs and why?
-
You shouldn't unless you need/want to.. You mean your switch is your AP?
"The AP in on the switch"
Are you using some old wifi router with a built in switch as your AP. The native firmware of these rarely support vlans on the switch ports. Now if running some 3rd party firmware on it and the hardware supports then sure you can do vlans.
You can use vlan 1 just fine, its common practice in an enterprise/work network not to use vlan 1. But in a home/lab/smb there is no reason why you can not just use the default vlan 1 as your main vlan.
Your PC and HTPC are connected to your switch.. If you don't want these on the main vlan, then you would change the pvid of those ports.
-
Ok great thanks. The switch is a web managed switch. The AP is a Ubiquiti connected to the switch
