    VLAN Help Requested: I Give....diagram & screenshots included

General pfSense Questions
24 Posts 5 Posters 2.9k Views

pfnguser114 @heper

      @heper said in VLAN Help Requested: I Give....diagram & screenshots included:

      there is never a need for multiple pvids on a single port.

      this isn't rocket science.

pc (or other dumb device) <----> switch = untagged on vlan x | pvid = untagged_vlan_id_x
pfsense <---> switch = all vlans tagged except your management vlan | pvid = management_vlan_id (default 1)
AP <---> switch = all vlans tagged except your management vlan | pvid = management_vlan_id (default 1)

      Also note:
      zyxel allows you to untag multiple vlans on the same port. YOU DO NOT DO THIS in any normal situation.... it causes problems.

      you clearly have issues understanding the vlan concepts. try googling some docs from reputable sources -- there is a lot of bad advice around

Please take a look at the attached screenshots and confirm that Ports 1 & 2 are configured correctly for VLANs 1, 10, 20, & 30. I believe they are.

This configuration results in WiFi devices connecting to the network with "no internet connectivity". The DHCP leases in pfSense are correct for devices on each VLAN (for example 192.168.10.100 for a device on VLAN 10).

So if the AP is set up right and the switch is set up right, where do I go looking next?

      Thanks


Derelict LAYER 8 Netgate

        Looks reasonable.

        You are tagging all traffic and have nothing assigned to the untagged igb2 interface.

        That is fine.

        Quick test:

        Make an unused port on the switch untagged VLAN 10 PVID VLAN 10. Connect a laptop. Does DHCP and access work? Repeat on the same port for VLANs 20 and 30.

With that out of the way you can move on from the pfSense-to-switch trunk to the Access Point.

        You have to determine what VLAN you are using for AP management. Many APs (Ubiquiti) like management traffic to be untagged, with tags on certain wireless networks. That, or you have to specifically set a management VLAN.

        I am personally completely unfamiliar with any TP-Link APs and how they do things or what they expect of the management network.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

pfnguser114 @Derelict

          @derelict said in VLAN Help Requested: I Give....diagram & screenshots included:

          Looks reasonable.

          You are tagging all traffic and have nothing assigned to the untagged igb2 interface.

          That is fine.

          Quick test:

          Make an unused port on the switch untagged VLAN 10 PVID VLAN 10. Connect a laptop. Does DHCP and access work? Repeat on the same port for VLANs 20 and 30.

With that out of the way you can move on from the pfSense-to-switch trunk to the Access Point.

          You have to determine what VLAN you are using for AP management. Many APs (Ubiquiti) like management traffic to be untagged, with tags on certain wireless networks. That, or you have to specifically set a management VLAN.

          I am personally completely unfamiliar with any TP-Link APs and how they do things or what they expect of the management network.

          The TP-Link AP has the option for a management VLAN. The default setting is NOT enabled and the default VLAN ID is 1. So it's an option. I have not enabled it.

I set up your described scenario on Port 8. The laptop connected to "unidentified network" and had no internet. It did not appear in the DHCP Lease table within pfSense.

Derelict LAYER 8 Netgate

            Is there a DHCP server enabled and properly-configured on that VLAN's interface?

            You might also want to post the switch config for the port you're testing - to be sure it's correct.

            If your AP is expecting untagged management traffic and the untagged VLAN there is 1, I am not sure how you expect that to work since VLAN 1 isn't set to anything on Layer 3 / pfSense.

pfnguser114 @Derelict

              @derelict said in VLAN Help Requested: I Give....diagram & screenshots included:

              Is there a DHCP server enabled and properly-configured on that VLAN's interface?

              You might also want to post the switch config for the port you're testing - to be sure it's correct.

              If your AP is expecting untagged management traffic and the untagged VLAN there is 1, I am not sure how you expect that to work since VLAN 1 isn't set to anything on Layer 3 / pfSense.

              1. See screenshot

              2. Screenshots

              3. I apologize, but I do not follow what you are saying. It's over my head on what you are getting at. I've attached a screenshot of my options here.

              Thank you so much for the help!!!

Derelict LAYER 8 Netgate

                Forget about the AP until a DHCP client connected to port 8 works.

                Concentrate on one VLAN until that works then duplicate for the rest.

                Based on what you have posted, the SECURE interface is tagged VLAN 10 out igb2 and patched to port 1 on the switch. DHCP is enabled on SECURE. VLAN 10 is tagged on switch port 1. VLAN 10 is untagged on switch port 8 and a DHCP client device is connected there.

If all that is true, the device on port 8 should get a DHCP address. If it doesn't, double-check that all of that is still the case.

pfnguser114 @Derelict

                  @derelict said in VLAN Help Requested: I Give....diagram & screenshots included:

                  Forget about the AP until a DHCP client connected to port 8 works.

                  Concentrate on one VLAN until that works then duplicate for the rest.

                  Based on what you have posted, the SECURE interface is tagged VLAN 10 out igb2 and patched to port 1 on the switch. DHCP is enabled on SECURE. VLAN 10 is tagged on switch port 1. VLAN 10 is untagged on switch port 8 and a DHCP client device is connected there.

If all that is true, the device on port 8 should get a DHCP address. If it doesn't, double-check that all of that is still the case.

                  pfSense is patched to switch on Port 1
                  SECURE - VLAN 10 on igb2
                  VLAN 10 is Tagged on Port 1 on switch
                  VLAN 10 is Untagged on Port 8 on switch

                  Windows 10 laptop connected to Port 8 does not get DHCP address or internet.

Derelict LAYER 8 Netgate

                    Packet capture on the VLAN10 interface on pfSense and see what's happening there.

For grins, do a full stop and start of the DHCP service on the firewall. I have seen added VLANs there not be picked up without a restart before, though it's been quite some time.

                    Else it's Layer 2. I would expect what you have done to work but I have never configured one of those ZyXEL switches so there may be some caveats there.

heper
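Derelict's "packet capture on the VLAN10 interface" step is the decisive test, and the thing to check in that capture is simple: does a DHCP DISCOVER arrive at all, and if so, does it carry the 802.1Q tag for VLAN 10 or arrive untagged on the parent interface? The following is an added example, not code from the thread or from pfSense: a small decoder for a captured Ethernet frame that extracts the VLAN ID and the DHCP message type, plus a builder for a constructed DISCOVER frame so it runs offline. The MAC address, transaction ID and interface names are assumptions; IP and UDP checksums are left zero in the constructed frame.

```python
# Added example (not from the thread): decode a captured Ethernet frame far enough
# to answer "what is happening on the VLAN 10 interface": which 802.1Q tag, if any,
# the frame carries and whether it is a DHCP DISCOVER. Sample bytes are constructed
# here, not captured from the poster's network.
import struct

ETH_8021Q = 0x8100
ETH_IPV4 = 0x0800
DHCP_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}


def decode(frame: bytes) -> dict:
    """Parse Ethernet / 802.1Q / IPv4 / UDP / BOOTP and return what matters."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    off, vlan = 14, None
    if ethertype == ETH_8021Q:                       # tagged frame: TCI then real ethertype
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan, off = tci & 0x0FFF, 18                 # VID is the low 12 bits of the TCI
    info = {"vlan": vlan, "src_mac": frame[6:12].hex(":"), "dhcp": None}
    if ethertype != ETH_IPV4:
        return info
    ihl = (frame[off] & 0x0F) * 4
    proto = frame[off + 9]
    info["src_ip"] = ".".join(str(b) for b in frame[off + 12:off + 16])
    info["dst_ip"] = ".".join(str(b) for b in frame[off + 16:off + 20])
    if proto != 17:                                  # not UDP
        return info
    udp = off + ihl
    sport, dport = struct.unpack("!HH", frame[udp:udp + 4])
    if not {sport, dport} & {67, 68}:                # not DHCP/BOOTP
        return info
    bootp = udp + 8
    xid = struct.unpack("!I", frame[bootp + 4:bootp + 8])[0]
    chaddr = frame[bootp + 28:bootp + 34].hex(":")   # client MAC inside the BOOTP header
    msg_type = None
    opts, i = frame[bootp + 240:], 0                 # options follow the 236-byte header + magic cookie
    while i < len(opts) and opts[i] != 255:          # 255 = end option
        if opts[i] == 0:                             # pad
            i += 1
            continue
        code, length = opts[i], opts[i + 1]
        if code == 53:                               # DHCP Message Type
            msg_type = opts[i + 2]
        i += 2 + length
    info["dhcp"] = {"op": frame[bootp], "xid": xid, "chaddr": chaddr,
                    "type": DHCP_TYPES.get(msg_type, msg_type)}
    return info


def build_discover(vlan=None, mac=bytes.fromhex("020000000008"), xid=0x3903F326) -> bytes:
    """Construct a broadcast DHCP DISCOVER, tagged with `vlan` or untagged if None (test data)."""
    bootp = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 1, 1, 6, 0, xid, 0, 0x8000,
                        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4, mac, b"", b"")
    opts = b"\x63\x82\x53\x63" + bytes([53, 1, 1, 255])          # magic cookie, type=DISCOVER, end
    payload = bootp + opts
    udp = struct.pack("!HHHH", 68, 67, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     b"\0" * 4, b"\xff" * 4) + udp                # 0.0.0.0 -> 255.255.255.255
    if vlan is None:
        eth = b"\xff" * 6 + mac + struct.pack("!H", ETH_IPV4)
    else:
        eth = b"\xff" * 6 + mac + struct.pack("!HHH", ETH_8021Q, vlan, ETH_IPV4)
    return eth + ip


if __name__ == "__main__":
    for tag in (10, None):
        d = decode(build_discover(tag))
        print("vlan=%s type=%s from %s" % (d["vlan"], d["dhcp"]["type"], d["dhcp"]["chaddr"]))
```

On pfSense the corresponding live captures (interface names assumed from the thread) would be `tcpdump -eni igb2 'vlan 10 and udp port 67'` on the parent, which prints the tag with `-e`, and `tcpdump -ni igb2.10 'udp port 67'` on the VLAN interface itself. A DISCOVER seen on the parent but never on igb2.10 points at the switch sending it untagged, which is exactly what a port with several untagged VLANs and PVID 1 would do; a DISCOVER on igb2.10 with no OFFER in reply points at the DHCP server on that interface.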

you have multiple vlans untagged on ports 3-8 ... that's a big no-no (in almost any situation)

Derelict LAYER 8 Netgate

                        A real switch wouldn't allow that.

                        ZyXELs are generally well thought of. But it might be getting in the way here. Nice catch.

heper @Derelict

                          @derelict

Lots of 'real' switches I know allow it.

The only thing I've seen that actively prevents it is some D-Link & Ubiquiti gear.

Derelict LAYER 8 Netgate

                            SSH@6450-223#sh vlan 223
                            Total PORT-VLAN entries: 37
                            Maximum PORT-VLAN entries: 64

                            Legend: [Stk=Stack-Id, S=Slot]

                            PORT-VLAN 223, Name MAIN_LAN, Priority level0, Spanning tree Off
                            Untagged Ports: (U1/M1) 2 4 5 6 7 8 11 28
                            Tagged Ports: (U1/M1) 35 36 41 44
                            Tagged Ports: (U1/M2) 2 4
                            Uplink Ports: None
                            DualMode Ports: (U1/M1) 3 26 43
                            Mac-Vlan Ports: None
                            Monitoring: Disabled

                            SSH@6450-223#config t
                            SSH@6450-223(config)#vlan 224
                            SSH@6450-223(config-vlan-224)#untagged eth 1/1/11
                            error - port ethe 1/1/11 are not member of default vlan

                            Adding port 1/1/11 untagged on a second VLAN denied.

                            SSH@6450-223(config)#vlan 223
                            SSH@6450-223(config-vlan-223)#no untagged eth 1/1/11
                            SSH@6450-223(config-vlan-223)#vlan 224
                            SSH@6450-223(config-vlan-224)#untagged eth 1/1/11
                            Added untagged port(s) ethe 1/1/11 to port-vlan 224.

Removing 1/1/11 from untagged 223 and then adding it untagged to 224 is allowed.

                            A port on two untagged VLANs is nonsense.

pfnguser114
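heper's port rules in the quoted post at the top of the page and Derelict's switch CLI demonstration above make the same point from two directions: an untagged frame entering a port is classified into that port's single PVID, and a VLAN can only leave a port in one form, so a port with several untagged VLANs has no sane ingress side. The following is an added example, not code from the thread or from any switch vendor: a toy model of 802.1Q ingress classification and egress tagging. Port numbers and VLAN IDs mirror the thread (port 1 is the trunk to pfSense, port 8 is Derelict's VLAN 10 test port); the "port 3" configuration is the multiple-untagged-VLANs mistake heper pointed out, and its exact membership is an assumption for illustration.

```python
# Added example (not from the thread): a toy 802.1Q switch showing why a laptop on a
# port with several untagged VLANs never reaches the VLAN 10 DHCP server on pfSense.
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


@dataclass
class Port:
    pvid: int                                     # VLAN assigned to untagged ingress frames
    tagged: Set[int] = field(default_factory=set)   # VLANs that leave this port with a tag
    untagged: Set[int] = field(default_factory=set) # VLANs that leave with the tag stripped

    def ingress_vlan(self, tag: Optional[int]) -> Optional[int]:
        """Classify an incoming frame: untagged -> PVID; tagged -> accepted only if a member."""
        if tag is None:
            return self.pvid
        if tag in self.tagged or tag in self.untagged:
            return tag
        return None                               # ingress-filtered: not a member of that VLAN

    def egress(self, vlan: int) -> Optional[str]:
        """How a frame in `vlan` leaves this port, or None if the port is not a member."""
        if vlan in self.tagged:
            return "tagged"
        if vlan in self.untagged:
            return "untagged"
        return None


def flood(switch: Dict[int, Port], in_port: int, tag: Optional[int]) -> Dict[int, Tuple[int, str]]:
    """Where a broadcast (e.g. DHCP DISCOVER) entering in_port is delivered, and in what form."""
    vlan = switch[in_port].ingress_vlan(tag)
    if vlan is None:
        return {}
    return {n: (vlan, p.egress(vlan)) for n, p in switch.items()
            if n != in_port and p.egress(vlan) is not None}


def untagged_ambiguity(port: Port) -> Set[int]:
    """VLANs whose frames leave this port indistinguishable (more than one untagged member)."""
    return set(port.untagged) if len(port.untagged) > 1 else set()


SWITCH = {
    1: Port(pvid=1, untagged={1}, tagged={10, 20, 30}),   # trunk to pfSense igb2
    8: Port(pvid=10, untagged={10}),                       # Derelict's test: access port, VLAN 10
    3: Port(pvid=1, untagged={1, 10, 20, 30}),             # the mistake: several untagged VLANs
}

if __name__ == "__main__":
    print("DISCOVER from laptop on port 8 ->", flood(SWITCH, 8, None))
    print("DISCOVER from laptop on port 3 ->", flood(SWITCH, 3, None))
    print("OFFER from pfSense, tagged 10, into port 1 ->", flood(SWITCH, 1, 10))
    print("VLANs a host on port 3 cannot tell apart:", untagged_ambiguity(SWITCH[3]))
```

Run it and the thread's symptom falls out of the model: the laptop on port 8 sends an untagged DISCOVER, it is classified as VLAN 10 and reaches port 1 tagged, which is what igb2.10 on pfSense listens for. The same laptop on port 3 has its DISCOVER classified into PVID 1, which leaves port 1 untagged, where pfSense has nothing assigned, so no OFFER ever comes back. Frames from VLANs 10, 20 and 30 do reach a host on port 3, all with tags stripped, but the host's replies can only ever land in VLAN 1.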

                              I am back trying to solve this problem.

                              One thing I have noticed on the wireless clients is I can get them to connect to the VLAN ONLY if the interface is selected as the same as my LAN interface.

                              Example:

                              LAN is on igb1 (switch is patched to this physical port to port 1 on switch)
                              VLAN10 set to igb2 = No IP address on wireless device (phone)
                              VLAN10 set to igb1 = IP address connects and appears in DHCP table correct (192.168.10.100)

                              From there, the phone says "Connected, no internet" which leads me to believe the issue is with the firewall rules. I believe my Pass rule is correct but would like to know if I need to add NAT rules. A recent post in this category had a guy connecting a Ubiquiti AP to an unmanaged switch and he required a NAT rule as well as a firewall rule. I have attempted to duplicate both but cannot make it out to the internet.

                              As always the help is appreciated.

                              UPDATE:

                              Progress. The phone is now on the internet. I had to select the SECURE interface in the DNS Resolver in addition to the already selected LAN & localhost.

                              I still have the firewall rules but deleted the NAT rules I was trying to make. So I'm still looking for answers there.

                              ETA: IT WORKS!!!

                              I chased this all night but it came down to my NAT rules being set to manual due to an older OpenVPN setup. One click on Auto and all devices have internet.

                              Talk about a nightmare. I'll get to setting up the VPN later.

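The final fix is worth spelling out because it is a common trap once new VLAN interfaces are added to a firewall that was switched to Manual Outbound NAT for an earlier VPN: manual mode applies only the rules that were written at the time, so traffic from the new subnets leaves the WAN with its private source address and no reply ever returns, which shows up as DHCP working but "connected, no internet". Automatic mode generates one translation per internal interface network. The following is an added example, not code from the thread or from pfSense: a toy model of first-match outbound NAT that contrasts the stale manual ruleset with the automatically generated one. The WAN address, the 192.168.20.0/24 and 192.168.30.0/24 subnets for the other VLANs, and the 10.8.0.0/24 OpenVPN tunnel network are assumptions for illustration.

```python
# Added example (not from the thread): a toy model of pf outbound NAT matching showing
# why Manual Outbound NAT with rules written before the VLANs existed leaves
# 192.168.10.0/24 untranslated, while Automatic mode covers every internal subnet.
import ipaddress
from typing import Dict, List, Tuple

WAN_IF, WAN_ADDR = "igb0", "203.0.113.5"            # assumed WAN interface and address

INTERNAL_NETS: Dict[str, str] = {                   # interface networks as pfSense would see them
    "LAN": "192.168.1.0/24",
    "SECURE": "192.168.10.0/24",                    # VLAN 10 on igb2 (from the thread)
    "GUEST": "192.168.20.0/24",                     # VLAN 20 (assumed subnet)
    "IOT": "192.168.30.0/24",                       # VLAN 30 (assumed subnet)
    "OPENVPN": "10.8.0.0/24",                       # assumed tunnel network of the older VPN setup
}

Rule = Tuple[str, ipaddress.IPv4Network, str]       # (outgoing interface, source network, NAT address)


def auto_rules(nets: Dict[str, str], wan_if: str = WAN_IF, wan_addr: str = WAN_ADDR) -> List[Rule]:
    """What Automatic Outbound NAT generates: one rule per internal network."""
    return [(wan_if, ipaddress.ip_network(n), wan_addr) for n in nets.values()]


# The stale manual ruleset: written when only LAN and the VPN tunnel existed.
MANUAL_RULES: List[Rule] = [
    (WAN_IF, ipaddress.ip_network("192.168.1.0/24"), WAN_ADDR),
    (WAN_IF, ipaddress.ip_network("10.8.0.0/24"), WAN_ADDR),
]


def translate(rules: List[Rule], out_if: str, src_ip: str) -> str:
    """First-match outbound NAT: the source address a packet leaves out_if with."""
    src = ipaddress.ip_address(src_ip)
    for rule_if, net, nat_to in rules:
        if rule_if == out_if and src in net:
            return nat_to
    return str(src)                                 # no rule matched: leaves untranslated


def audit(rules: List[Rule], nets: Dict[str, str], out_if: str = WAN_IF) -> List[str]:
    """Names of internal networks whose hosts would leave out_if with a private source."""
    missing = []
    for name, n in nets.items():
        probe = str(next(ipaddress.ip_network(n).hosts()))
        if translate(rules, out_if, probe) != WAN_ADDR:
            missing.append(name)
    return missing


if __name__ == "__main__":
    phone = "192.168.10.100"                        # the VLAN 10 lease from the thread
    print("manual :", phone, "->", translate(MANUAL_RULES, WAN_IF, phone))
    print("auto   :", phone, "->", translate(auto_rules(INTERNAL_NETS), WAN_IF, phone))
    print("networks with no outbound NAT under the manual ruleset:", audit(MANUAL_RULES, INTERNAL_NETS))
```

`audit` is the check to run mentally, or against the real ruleset, whenever an interface is added to a firewall in manual outbound NAT mode. pfSense also offers Hybrid Outbound NAT, which keeps hand-written rules and generates the automatic ones alongside them; that is the mode to reach for when the OpenVPN setup is revisited, rather than going back to a manual ruleset that has to be maintained by hand for every new VLAN.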
                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.