SG-3100: How do I assign port(s) to a VLAN
-
Hi,
I've been setting up my new SG-3100, and I'm stuck trying to figure out how to properly set up VLANs and allocate port(s) to them.
Here's what I have so far:
-
WAN (mvneta2) - Directly connected to ADSL router 1
-
OPT1 (mvneta0) - Directly connected to ADSL router 2
-
LAN1 (mvneta1) - Connected to unmanaged switch
-
LAN2…4 (mvneta1) - Currently disconnected
Now I have a separate unmanaged switch that would be in my DMZ, and I'd like to assign LAN2 to a separate VLAN and configure an interface in the DMZ on that port (so I can configure WAN-to-DMZ and DMZ-to-LAN rules).
The onboard Marvel 6000 switch seems to not have any configurable options. I have created a VLAN on "mvneta1", but not sure where to go next - I need traffic on the 4 LAN ports (or at least on 1 of them) to be separate from the rest.
EDIT: I should add that I have found the Switch options pages, but these are all read-only; specifically the Interface/Switch/VLANs page, shows 5 groups, all configured as "Default System VLAN", with all 5 ports assigned to all of them (I assume 5 ports as 1 is the internal uplink port of the switch).
How would I go about doing this?
Thanks,
-Alex -
-
Hi Alex,
Unfortunately we were not able to get the code into the GUI to configure the switch in time for 2.4.1. However if you wish to use it before a snapshot with the gui code is available I can give you some instructions on configuring it manually. The hardware and config code is there already.
Let me know and I'll run some tests here to confirm a working setup.
Steve
-
Steve,
Yes some help would be appreciated!
I should add, a few minutes ago I came across this post: https://www.netgate.com/blog/ive-got-99-problems-but-a-switch-aint-one.html. On a hunch, I tried manually browsing to https://<pfsense ip="" and="" port="">/switch_vlans_edit.php, and the page is there - just no way to browse to it from the GUI.
I haven't tried anything yet, in case this is not working (or even worse actually breaks something).
So I'll await your suggestions.
Thanks!
-Alex</pfsense> -
Hi Alex,
That page is not functional yet.
Ok, so to do this we need to use the command line tool etherswitchcfg. That needs to be run at boot because the switch reverts to its default config when the sg-3100 is rebooted. There are a number of ways to do that but I prefer to use the shellcmd package as it stores all the values in the config file and makes it easy to read and edit them from the gui. So first go to the package manager and install the shellcmd package which will then appear in Services > Shellcmd.
In this example I am setting port 1 (LAN1) to be available as VLAN100 on the LAN interface.
Whilst it's possible to merge some of these commands I did it use four separate commands for clarity. So add new shellcmds for each one:
Set the switch to 802.1q VLAN mode
etherswitchcfg config vlan_mode DOT1Q
Remove port 1 from the default VLAN
etherswitchcfg vlangroup0 vlan 1 members 2,3,4,5
Create a new VLAN group set that as VLAN 100 and add port 1 as untagged and port 5 (the internal port) as tagged
etherswitchcfg vlangroup1 vlan 100 members 1,5t
Set port 1 to tag incoming traffic as VLAN 100
etherswitchcfg port1 pvid 100
You can apply those manually at the command line or just reboot to have the shellcmds run and you should see that config applied. You can check by running etherswitchcfg with no arguments or via the Interfaces > Switches > VLANs page. See attached screenshots.
Once that's in place you can create a VLAN100 interface on LAN in pfSense in the normal way and it will affectively be port 1.
Steve
-
Thanks, I'll give that a shot! Seems straightforward enough… (famous last words ;) )
-Alex
EDIT: Worked like a charm, thanks!
-
Great :)
That should be relatively easy to replace with the GUI options when they are added to a snapshot. Though those commands will remain effective in all likelihood. I expect (though I can't be 100% sure!) the shellcmds to apply after the interface setup in the boot sequence so they would override it.
Steve
-
Just to update this, the code to do this via the GUI is in 2.4.2 so you should use that now.
If you were using shellcmds make sure to apply all the settings via the GUI. When you first move to it the VLAN tag settings appear to be present if they've been set by shellcmds but are not in the config and will be removed when you save unless they are re-created there.
Steve
-
Further update because this is not obvious.
On the VLANs tab in the switch configuration the save button will apply a default config to the switch to change it to DOT1Q or Port based VLANs depending on the setting of the check box.
That means that if you click save there when it's already set to DOT1Q it will remove any settings you have added.
The only time you need to click that save button is to switch between VLAN modes.
Steve
-
Line 215 of /usr/local/www/switch_vlans.php
is:
foreach ($config['switches'] as $cswitch) {
wants to be:
foreach ($a_switches as $cswitch) {
-
Thanks, I'll try the GUI once I update to 2.4.2… though from the latest post by jwt, is that referring to a bug and I should avoid using this for now?
I assume the shellcmd approach will continue to work, as long as I don't also use the GUI at the same time...
-
The shellcmds will continue to work though the gui will look like dot1q is not selected.
The GUI works fine as long as you are aware of what that save button on the VLANs tab does. You ONLY need to use it to save the switch from port based to dot1q VLANs.
The confusion is resolved in current 2.4.3 snapshots. Clicking the save button no longer does anything if the VLAN mode has not been changed. Snapshots are currently almost identical to 2.4.2 so you can run that if you wish.
Steve