SG-1100 No VLAN Communication
-
If there is a switch between the AP and the pfSense LAN port, YES, there need to be tags there too.
You can put that untagged 4090 traffic on any VLAN on the switch that you want. Just make the VLAN id the PVID on that switch port.
For consistency, it would be best if that is 4091.
You can either:
Run with different untagged VLAN IDs on the LAN network which should work fine.
If the switch really commandeers VLANs 4010 - 4094 you can make a new untagged VLAN on the pfSense switch, assign LAN to that, and make the same untagged VLAN on the switch port. -
@derelict Are there any downsides to creating another VLAN that has tagging on both the 0 member and the 2 member? It seems that the only way that I can get the VLANs to work is in that configuration.
-
Not really, you can add as many VLANs that way as you want, within reason.
You can reassign the LAN to that new VLAN once it's added there and it will be tagged out of the 'LAN' port on the 1100.
You will be locked out when you make that switch though so be sure to be connected via one of the other VLANs before you do it.
Steve
-
@stephenw10 After adding another VLAN named MainNet and adding the proper firewall rules, I still can't ping another network. In fact, somehow doing this leaves the communications worse off as now the VPN VLAN can't ping the new MainNet VLAN.
Same situation where the system pinging does not have a VLAN ID in the packet.
Any suggestion.
Below is the new switch configuration, VLAN assignments, and the new VLANs on the switch:
-
I went ahead and did a restart and that seems to work (the configuration of a new VLAN for the main network so it can be placed in the Switch's VLAN table. I think all should be good: I'm able to receive pings from other hosts on each network.
-
The new problem is, it does not seem that you can have a Unifi switch on a VLAN. I wasn't really expecting there to be so many caveats with the SG-1100 when I bought it.
-
@zachzez said in SG-1100 No VLAN Communication:
it does not seem that you can have a Unifi switch on a VLAN
Huh?? What exact switch are you running and what firmware. Their management vlan before had to be untagged but quite some time ago they changed firmware (atleast on their AP) to support tagged management vlans.. So have to assume you can do that with their switches as well.
And even if mangement vlan has to be untagged it simple enough to accomplish that.
Users scream they want switch ports switch ports on the router, how do I bridge I want more than 1 port in the same vlan.. Then they get what they ask for and what they really want is actual interfaces ;)
-
@johnpoz I can only speak for my short time in the industry so I don't think I was around when Unifi had a management VLAN. When I assigned a VLAN to the controller, everything began to fall apart (the switch and AP refused to acknowledge the controller and gradually went down hill from there) to the extent that I just started fresh: reset the switch, reset the firewall (god knows what else I messed up there so might as well) and put everything back to a flat network.
The controller works great on an untagged network, once I moved things to a tagged network is where it got a bit iffy. Also, now it seems that the LAN is functioning and routing properly after a reset of the firewall (full reinstall), so maybe something got misconfigured there as well.
Just my experience so far. I am running their 8 port POE with their most recent firmware.
I agree on the actual interfaces. I've never really been in the mindset of using a firewall as a switch as well. That's what a switch is for :D.
-
You can't please all the people all the time.
But this should work. It's clearly a bit more work setting it up for tagged traffic leaving the ports but certainly should be possible.
Steve
-
@zachzez said in SG-1100 No VLAN Communication:
The new problem is, it does not seem that you can have a Unifi switch on a VLAN. I wasn't really expecting there to be so many caveats with the SG-1100 when I bought it.
That has nothing to do with the SG-1100. By default all interfaces are untagged. If anything it's a limitation of the switch because you should be able to put the management interface on any VLAN you want.
If you want to start tagging management VLANs, ANY managed switch is going to have to be configured correctly, the one in the SG-1100 included.
-
@derelict Either way, I have it working on the untagged LAN after a reinstall of the pfSense software and all should be good.
-
So again unifi management vlan can be tagged or untagged.. They added it to the AP something like 6 months or more ago.. The switches could use a tagged management vlan before the AP could.
So your management vlan can be either tagged or untagged.. Before they made the change you could not set a tagged vlan and it had to be untagged. As long as your running somewhat current controller and switch firmware you can do it either way.
