SG-1100 Running Real VLANs
-
@bsd29 said in SG-1100 Running Real VLANs:
WAN works. I see WAN traffic. LAN does not, I see no traffic coming in to mvneta0.3.
My LAN switch sends VLAN tagged frames out the port and I'm replacing an x86 pfSense box so I know the VLAN and switch config works.
Am I missing something? Can this device not do "real" VLANs?
Sorta. You need to set the VLANs up in the WebUI, and assign them to the interface (tagging them as needed), see the guides @Rico sent over
I am also curious ... is this really just a single 1GBit port (ie; total bandwidth)?
No, it's Two 1 Gigabit Ethernet Ports, configured as dual WAN or one WAN one LAN
plus four-port 1 gbps Marvell 88E6141 switch, uplinked at 2.5 gbps to the third port on the SoC for LAN.
-
@penicheiro said in SG-1100 Running Real VLANs:
Add VLAN10, for IoT, and VLAN 20 for Guest to Port 2 (LAN) Mostly from default config, so far defined VLAN, and interface (doesn't appear to associate to a port) and set DHCP server. Do I need to add anything under switches (like VLAN 10 0t, 2t) and have existing LAN VLAN 4091 set as 0t, 2t as well?
Yes/No.
Yes, you need to add the VLANs on the interfaces and tag them
No, 4090/4091/4092 are VLAN uplinks and should rarely be changed.
I chose to do VLAN/port segregation from switch, How can I make LAN and OPT1, 2 port switches with same attributes?
From above, 4090/4091/4092 are VLAN uplinks and should rarely be changed. This is one of the few times where you change the uplink to match.
I think what's throwing me off is that there isn't native hard ports to select on interface assignments
They are different, but once you get them, they behave in a similar fashion
Lots of documentation on switch configs for SG-3100, XG-7100 and many others, but since SG-1100 is so new there isn't much out there, although I know concept is the same
They are the same. One has 3 ports, the others have 4 and up. You are right, the concepts are the same.
-
@chrismacmahon said in SG-1100 Running Real VLANs:
No, it's Two 1 Gigabit Ethernet Ports, configured as dual WAN or one WAN one LAN
plus four-port 1 gbps Marvell 88E6141 switch, uplinked at 2.5 gbps to the third port on the SoC for LAN.
Did you confuse the 3100 with the 1100 there, I don't see 6 ports on the 1100.
-
https://store.netgate.com/pfSense/SG-1100.aspx
Network Interfaces 1x Marvell 88E6141 networking switch
3x GbE Ethernet (WAN/LAN/OPT)
We only use 3 of the 4 ports on the sg-1100, the 4th is the miniPCIe Bus (wifi)
-
@chrismacmahon said in SG-1100 Running Real VLANs:
https://store.netgate.com/pfSense/SG-1100.aspx
Network Interfaces 1x Marvell 88E6141 networking switch
3x GbE Ethernet (WAN/LAN/OPT)
We only use 3 of the 4 ports on the sg-1100, the 4th is the miniPCIe Bus (wifi)
So looking at the official ESPRESSObin schematics your information seems to be wrong. The switch is linked to the SOC and then offers 3 Ethernet ports, which also aligns with the default VLAN configuration. So these are not dedicated Ethernet interfaces and it is in essence a router on stick with the switch already included.
Additionally miniPCIe does not carry Ethernet, unless you cooked up something completely outside the standards there.
-
You're correct, looks like the material was old I was pulling from:
https://www.cnx-software.com/2016/09/23/marvell-espressobin-board-with-gigabit-ethernet-sata-pcie-and-usb-3-0-to-launch-for-39-and-up-crowdfunding/
Network Connectivity
1x Topaz Networking Switch
2x GbE Ethernet LAN
1x Ethernet WAN
1x MiniPCIe slot for Wireless/BLE peripherals
My pre-caffeine google fu was not the best.
-
@penicheiro said in SG-1100 Running Real VLANs:
Do I need to add anything under switches (like VLAN 10 0t, 2t) and have existing LAN VLAN 4091 set as 0t, 2t as well?
In the following configuration, whatever is connected to switch port 2 (OPT) will need to be configured for:
Whatever you want the existing OPT network, untagged. For consistency this should probably be VLAN 4092 in the switch. If you would like 4092 tagged to the switch, just check tagged on port 2 in Interfaces > Switches, VLANs and edit the PVID on port 2 to VLAN 1 (or some other unused VLAN id) in Interfaces > Switches, Ports
VLANs 10 and 20 tagged.
Just edit, enable, and number OPT2 and OPT3 as desired, make desired ingress firewall rules, configure DHCP servers, Captive Portals, etc.
-
@derelict You must have been typing as I edited those. VLANs now working!! All of the tutorials I had viewed made no mention of the VLANs TAB under SWITCHES. That was it. Added VLAN 10 and 20, tagged 0 and 2, and that was it, everything else I had configured. THANK YOU. Working very stably right now.
Onto my next task. In order to make LAN and OPT port work as a switch.
- Under SWITCH/PORTS edit port VLAN on OPT from 4092 to 4091.
- Add Port 1 to TAGGED VLANS 10 and 20
Is the last step to add port 1 to VLAN 4091 (untagged), and delete VLAN 4092?
Just want to confirm I am not missing anything, and that I won't get locked out AGAIN. lol
Thanks
-
Just posted this a couple hours ago lol
https://forum.netgate.com/topic/140000/sg-1100-configuring-lan-and-opt-to-be-on-the-same-vlan
-
@derelict MIND READER!!! Thank you SIR!! Still adjusting to this interface, coming from tomato, and so far... I am impressed.
-
Ok, I have been reading through many threads and watching all the videos on vlan setups. I have tried just about everything and spent hours trying to get my vlans set up on my sg-1100. I can never get DHCP working on my unifi AC, if I try and set it up on extra vlans. Are you saying you got yours to work? This is driving me crazy.
-
Yes, they work. Post your interface and switch configuration and describe what you are trying to do.
-
I also have the firewall rules for each vlan, as well as the DHCP set for each. However clients are never able to grab a DHCP address. I am hoping it's just something simple I am missing.
-
And the pfSense switch ports tab?
-
That all looks fine for managing that AP on a LAN address if it is connected to port 2.
Anything in the DHCP logs? DHCP has automatic rules for any interface with a DHCP server enabled.
Based on what you have posted I'd look at the DHCP logs and packet captures on UDP port 67.
Does the smooth network work?
-
Nothing showing up in the DHCP logs when I try to connect to the Work or Guest network. I can connect just fine to the regular Smooth network, clients connect and get a DHCP address. Port two is connected to a switch. I had a similar setup working with untangle, just want to make the jump to pfsense.
-
Well, you have to tag VLANs 10 and 20 through to the AP on the switch on the ports connected to pfSense and the AP.
-
If the L2 is set up correctly, check the L3. How are the networks configured? A common beginner mistake is to use the default /32 CIDR, for example.
-
Yep, doublechecked /24
and vlan set on the switch port
-
OK. On what switch port are 10 and 20 tagged to the AP?
-
All to port 1
-
OK, on what port are 10 and 20 tagged to pfSense port 2?
-
Not sure I follow, are you talking about the switch on the sg-1100?
-
No. What switch port on your switch is connected to pfSense port 2? That port needs 10 and 20 tagged as well.
-
Brilliant! Ok well that was easy. That worked. Thanks for all your help!
-
@pfsmooth Tag 10 and 20 on switch port 2 and I think you will be pleased with the results.
-
Well all was running smooth for a while, had it all set up and all of a sudden I get flooded with " Default deny rule IPv4 (1000000103) " and things like my plex server won't allow external connections. If I rebuild pfsense from scratch it is fine until I add the vlans. Then boom plex falls off. Any ideas?
-
From that description, no. Not enough information.
-
Not sure if I should start a new thread. But basically the port forwarding is not working directly to 32400. I have set the NAT rule and the FW rule with no luck. A search shows this pops up often but I haven't been able to pin down a solution.
-
That would probably be better in a NAT thread. If pfSense is both receiving the traffic to be forwarded on WAN (verified by Diagnostics > Packet Capture on WAN) and can Diagnostics > Test Port to the address/port it is being forwarded to, then you likely did the port forward incorrectly.
-
Your switch only shows port 1 with tagged vlans on it, where is the port connecting to pfsense?
Your vlans will have to be tagged on the port going to pfsense, and the port going to AP.
How is everything connected exactly? What is the point of tagging vlans to your what looks like a sg108e if no other ports are using those vlans, and no other uplink to another device like AP that is tagged?
-
Thanks John, yes. I figured out that the port pfsense was plugged into needed to be tagged to the same vlan as the port the AP was plugged into. All good there.
-
I fell over this as I restored a backup to a new SG-1100 and seem to have "preserve switch config" active.
So I kept the underlying VLANs 4090-4092 as intended but my other VLANs from the backup weren't applied, as far as I understand.
Could someone point me to some information what that column "Members" in the VLAN table means exactly?
I'd like to understand that and not only blindly fill in "0t,2t" there, thanks!
-
They signify the switch port number and whether or not the VLAN is tagged or untagged there.
Port 0 is the uplink to the ARM SoC. mvneta0 is the interface name on the SoC. That port should always be tagged. VLAN 200 on 0t will be mvneta0.200 (VLAN 200 on mvneta0).
An untagged port on the SG-1100 switch also has to have the PVID set to the proper untagged VLAN on the Ports tab.
The default settings are:
| Name | VLAN | Ports | Untagged Port | PVID | pfSense Interface |
|------|------|-------|---------------|------|-------------------|
| WAN | 4090 | 0t,3 | 3 | 4090 | mvneta0.4090 |
| LAN | 4091 | 0t,2 | 2 | 4091 | mvneta0.4091 |
| OPT | 4092 | 0t,1 | 1 | 4092 | mvneta0.4092 |

Some examples here: https://docs.netgate.com/pfsense/en/latest/solutions/sg-1100/switch-overview.html
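
The Members and PVID rules from the post above, as an added example that is not part of the original post and is not pfSense code: a Python check that parses Members strings such as "0t,2t" and reports VLANs missing the tagged uplink on port 0 or untagged ports whose PVID does not match. The function names and the wording of the findings are assumptions of this example; the default values are the ones in the table above.

```python
import re

# Defaults from the table above: VLAN id -> Members, and switch port -> PVID.
DEFAULT_VLANS = {4090: "0t,3", 4091: "0t,2", 4092: "0t,1"}
DEFAULT_PVIDS = {3: 4090, 2: 4091, 1: 4092}
UPLINK_PORT = 0  # port 0 is the uplink to the SoC (mvneta0)


def parse_members(members):
    """Parse a Members string such as "0t,2t" into {port: is_tagged}."""
    result = {}
    for item in members.split(","):
        m = re.fullmatch(r"\s*(\d+)(t?)\s*", item)
        if not m:
            raise ValueError(f"bad member entry: {item!r}")
        port = int(m.group(1))
        if port in result:
            raise ValueError(f"port {port} listed twice")
        result[port] = m.group(2) == "t"
    return result


def audit(vlans, pvids):
    """Return findings for a VLAN table (id -> Members) and a port -> PVID map."""
    findings = []
    for vid, members in sorted(vlans.items()):
        ports = parse_members(members)
        # Every VLAN has to reach pfSense tagged on the uplink (e.g. mvneta0.10).
        if ports.get(UPLINK_PORT) is not True:
            findings.append(f"VLAN {vid}: uplink port 0 is not a tagged member")
        for port, tagged in ports.items():
            if tagged or port == UPLINK_PORT:
                continue
            # An untagged member port needs its PVID set to the same VLAN.
            if pvids.get(port) != vid:
                findings.append(
                    f"port {port}: untagged in VLAN {vid} but PVID is {pvids.get(port)}"
                )
    return findings


if __name__ == "__main__":
    # Constructed sample: VLANs 10 and 20 added, VLAN 20 missing the uplink.
    table = {**DEFAULT_VLANS, 10: "0t,2t", 20: "2t"}
    print(audit(table, DEFAULT_PVIDS))
```
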
-
@Derelict thanks a lot, will look into it asap
-
In the middle of this topic, Tom from Lawrence technology posted a video configuring the vlans on a sg 1100, and it is quite different to other models because the Marvell SoC they use in there works like a single port with 3 vlans.
The video is here: https://www.youtube.com/watch?v=Bp_B79-WLlU
I have a 1100 with Dual LAN (FailOver, no load balancing) with 5 vlans working with a TP-Link SG108E and a Unifi Wi-Fi AP with no problem at all, so if you have a question please feel free to ask and let's see if I have an answer
-
@sbeeche Thank you. I was able to see that video and did my initial setup. Appreciate it.
-
@sbeeche Thank You! This was my missing piece!
-
@pfsmooth Just to throw this in there, in case it helps someone else someday having issues with PLEX. I discovered a long time ago that for PLEX to work properly with PfSense you have to add an entry under Services/DNS Resolver/ General Settings > Down at the bottom of the page under custom options enter:
server:
private-domain: "plex.direct"
I am uncertain if PfSense has made any changes that negate this entry, but it's worked for me for a long time.