SG-3100 Switch Configuration
-
Added to Reply #2 for reference.
-
Ok I am having a bit of problem… This seems pretty straight forward... But doesn't seem to be be working with sg-3100 running 2.4.3
This should work with just the gui right??
So I set opt1 to be a 192.168.2.0/24 network so wouldn't lock myself out. I then setup the switch to be in q mode, and set port 1 with pvid 100. An set new vlan group and put port 1 in it untagged and 5 tagged
I setup dhcp server on this vlan interface. And move my connection over to lan1 and nothing... Maybe its late??
Connection is straight from my machine to the switch.. So can not be messing up any switch ports and same wire and interface grabs a 192.168.2 address when IP out in opt1 and access the gui that way. But when I move it over to port 1 nothing.
If just did it from the cmd line
[2.4.3-RELEASE][root@pfSense.localdomain]/root: etherswitchcfg etherswitch0: VLAN mode: DOT1Q port1: pvid: 100 state=1 <disabled>flags=0<> media: Ethernet autoselect (1000baseT <full-duplex>) status: active port2: pvid: 1 state=1 <disabled>flags=0<> media: Ethernet autoselect (none) status: no carrier port3: pvid: 1 state=1 <disabled>flags=0<> media: Ethernet autoselect (none) status: no carrier port4: pvid: 1 state=1 <disabled>flags=0<> media: Ethernet autoselect (none) status: no carrier port5: pvid: 1 state=1 <disabled>flags=1 <cpuport>media: Ethernet 2500Base-KX <full-duplex>status: active vlangroup0: vlan: 1 members 2 vlangroup1: vlan: 100 members 1,5t</full-duplex></cpuport></disabled></disabled></disabled></disabled></full-duplex></disabled> -
Yeah there's something not being done correctly when you switch to dot1q mode. All of those ports are disabled.
Edit/save the ports page and reboot. Those should say "FORWARDING" not "DISABLED"
I am pretty sure that has been fixed in 2.4.4, and is only necessary when you switch from port-based to dot1q mode. Subsequent config changes in dot1q mode should be fine.
If you don't want to reboot, run these:
etherswitchconfig port1 forwarding
run again for ports[2-5] -
Yeah I just woke up… Did a reboot and bam... Working WTF..
[2.4.3-RELEASE][root@pfSense.localdomain]/root: etherswitchcfg etherswitch0: VLAN mode: DOT1Q port1: pvid: 100 state=8 <forwarding>flags=0<> media: Ethernet autoselect (1000baseT <full-duplex,master>) status: active port2: pvid: 1 state=8 <forwarding>flags=0<> media: Ethernet autoselect (none) status: no carrier port3: pvid: 1 state=8 <forwarding>flags=0<> media: Ethernet autoselect (none) status: no carrier port4: pvid: 1 state=8 <forwarding>flags=0<> media: Ethernet autoselect (none) status: no carrier port5: pvid: 1 state=8 <forwarding>flags=1 <cpuport>media: Ethernet 2500Base-KX <full-duplex>status: active vlangroup0: vlan: 1 members 2 vlangroup1: vlan: 100 members 1,5t [2.4.3-RELEASE][root@pfSense.localdomain]/root:</full-duplex></cpuport></forwarding></forwarding></forwarding></forwarding></full-duplex,master></forwarding>Knew it was straight forward ;) Thought I had rebooted after putting in q mode though… Should of caught the disabled ;) DOH!!!
-
Yeah there's something not right there.
I did load 2.4.4-DEV and everything I saw that was wonky in the switch in 2.4.3 seems to be fixed, except the webgui field problem when you edit the Port VIDs. (Click then clear out the field completely if you need to change that.)
I'd stay at 2.4.3 for the time being though if you rely on that device.
-
Is possible I didn't reboot after… First time I did it was testing the other thread where he lost connectivity on the change.. Yeah for sure you can lock yourself out ;)
So then I fired up the opt interface and consoled in as well.. So no way to lock myself out - I knew the disabled was odd ;) But it was late last night and my brain wasn't working correctly or should of caught that it wasn't showing forwarding.
Thanks for kick to the ass ;) hehehe
Maybe I will reset it and play with actual set to forwarding mode. I plan on putting this box into production today and wanted to get some play time with the switch before I did that..
-
It's not a kick. You shouldn't have to reboot.
There is also a problem going from dot1q back to Port-based VLAN mode, which is also already fixed in 2.4.4, but I can't see a reason to do that. :)
Though there is a way to do port isolation in that mode which might have a niche somewhere.
-
Though there is a way to do port isolation in that mode which might have a niche somewhere.
Maybe if you want to isolate some devices, but still want them on the same network for easier traffic shaping.
-
I agree shouldn't have to reboot… But I was staring at those disabled and it wasn't clicking they should be showing forward. I was thinking they were showing disabled because I had nothing connected. And then when moved my client over since I couldn't get to the web interface couldn't tell.
But then when I looked at it via the console and saw disabled even on the interface I was connected too - it never clicked.. Lack of sleep and sure the beers didn't help ;) So the kick was pointing out that disabled.. Which thanks for that!
Before I even read your thread I had rebooted it when I woke up first thing as I was consoled in.. Wanted to see what it said about the switch while it booted.. And then when I looked at etherswitchcfg saw the forwarding mode... DOH ;)
We are up and running in it here at the office.. We really only needed 2 lan side interfaces. Have the opt as management and switch ports are all currently lan with just 1 connection.. But left it in q mode in case we need to break out some other networks at a future date, etc.
Nice to see speed you paying for finally. The old juniper we had on the connection was only 10/100 so max ever saw was like 90ish.. Now seeing 120mbps.. Few more to order for the other branch offices ;)
Its only the guest internet connection.. Love to get rid of beasts of cisco's they have here for the dual mpls connections - such a waste.. Pair of 4860s would be screaming overkill even.. Maybe at some point they will let me rotate those out.. But for now happy to get all the branch offices on netgate even if just for the guest internet connects..
-
Just to understand the switch/VLAN layout (before being able to put my hands on one of those units myself):
- A "VLAN Group" is just the row number in the VLAN table or can it do more than that?
- if mvneta1_port#5 is the uplink to the core then shouldn't it be port #0 rather than port #5? This seems counter-intuitive.
-
Doesn't much matter. It is what it is.
-
Thanks.
"VLAN Group" is or does what?
-
It depends on whether it is in port or dot1q mode.
You can make what amount to "independent" switches with VLAN groups in port mode. But you probably don't want to put more than one group on port 5 if you intend them to be different broadcast domains.
You can also make a poor-man's port isolation in a single broadcast domain using something like the attached. In that config all four ports communicate with the "trunk" back to the layer 3 interface in the firewall but do not communicate with each other.
In dot1q mode each "group" is the collection of ports that have that VLAN tagged or untagged.
