PfSense VLAN + switch tagging trunk questions

AndyC

On HP tagging != trunking. Trunking is used for link aggregation. No need to touch that if you just need VLAN functionality.

A Former User

Thanks Andy. I did a bit more digging and found that same answer too.
Cheers.

stephenw10

…..and there's the confusion! ;)

But that's especially confusing. Good to know. Thanks.

Steve

jwhitewick01

@SR190 has anyone been able to resilve this as i have not been able to transport vlan traffic to tagged ports

Here is my setup

Port 48 goes to my pfsense firewall

Untagged vlan 1 by default on port 48
Vlan 11 tagged on port 48
Vlan 12 tagged on port 48
Vlan 13 tagged on port 48

The switch model is hpe 1820-48G

JKnott

@jwhitewick01

Have you configured those VLANs on pfSense?

jwhitewick01

@JKnott yes all vlans are configured on pfsense.

JKnott

@jwhitewick01

Well, fire up wireshark, to see what's happening. Wireshark has a column for VLAN ID, but you have to enable it.

stephenw10

I assume you have those VLANs untagged on other ports on the switch where you testing connecting hosts to them?

NogBadTheBad

@JKnott said in PfSense VLAN + switch tagging trunk questions:

@jwhitewick01

Well, fire up wireshark, to see what's happening. Wireshark has a column for VLAN ID, but you have to enable it.

Screenshot 2020-02-20 at 16.24.42.png

JKnott

@NogBadTheBad

All I can see is there's no VLAN traffic at whatever point you're looking at. Are the VLANs configured on that interface? You'll have to do something to generate traffic on the VLANs, such as pinging a non-existent address. This will cause multiple ARP broadcasts, which give you something to watch for.

NogBadTheBad

The ID column shows traffic tagged vlan 4, 5 & 6.

JKnott

@NogBadTheBad

Sorry, my mistake. I haven't had my morning beer yet.

So, you have VLANs enabled on that switch. Is that traffic coming from the switch where you're monitoring or is it being received by it? With managed switches, you can test at each end and then see what happens. So, if you see those tagged frames coming in, are they being sent out on the appropriate port? I see STUN packets. That implies VoIP or perhaps games? Where is that port you're monitoring in relation to your Internet connection. Hopefully, you're not trying to send VLAN frames out to the Internet.

NogBadTheBad

@JKnott

Yup vlan 4 is my IOT vlan and vlan 6 is VOIP, the screen shot was just to show @jwhitewick01 what to set as a column rule.

I did a capture on my pfsense parent interface.

JKnott

@NogBadTheBad

Then why is VLAN4 showing a STUN packet? That should be on VLAN6. Is that packet incoming to pfSense? Or outgoing? I also see a router advertisement on there. I assume that MAC address matches the pfSense port and you don't another router out on VLAN5. And that 172.16.6.1 is pfSense on VLAN6. There is at least some communication between 172.16.6.2 and .1 Is that .2 on the correct VLAN?

NogBadTheBad

The STUN packet would appear to be from my Apple-TV.

Screenshot 2020-02-20 at 17.39.08.png

I don't normally resolve hostnames.

The capture was done on my pfSense interface hence the RA.

Ah they do use STUN.

https://support.apple.com/en-us/HT202944

JKnott

@NogBadTheBad

Whoever it it, it's a STUN packet on a VLAN that's supposed to be IoT, You'd normally only see STUN with VoIP or some games. Also, the VLAN IDs on pfSense don't appear to match up with those on the switch. They must be the same everywhere. So, if you have IoT on VLAN4 in pfSense, then it must also be VLAN4 on the switch trunk port.

NogBadTheBad

The VLAN IDs are correct both end as I said previously "vlan 4 is my IOT vlan and vlan 6 is VOIP"

The STUN packets on vlan 4 are from 2 x Apple-TVs.

I'd see STUN packets on vlan 4 (IOT) and vlan 6 (VOIP).

JKnott

@NogBadTheBad said in PfSense VLAN + switch tagging trunk questions:

The VLAN IDs are correct both end

Then what's this?

Port 48 goes to my pfsense firewall

Untagged vlan 1 by default on port 48
Vlan 11 tagged on port 48
Vlan 12 tagged on port 48
Vlan 13 tagged on port 48

Those certainly don't look like 4, 5 & 6 to me.

NogBadTheBad

@JKnott said in PfSense VLAN + switch tagging trunk questions:

@NogBadTheBad said in PfSense VLAN + switch tagging trunk questions:

The VLAN IDs are correct both end

Then what's this?

Port 48 goes to my pfsense firewall

Untagged vlan 1 by default on port 48
Vlan 11 tagged on port 48
Vlan 12 tagged on port 48
Vlan 13 tagged on port 48

Those certainly don't look like 4, 5 & 6 to me.

LOL I'm not @jwhitewick01 !

JKnott

@NogBadTheBad

That's what happens when someone takes over anohter's thread.

Your trunk 4, for example, where is it supposed to go? Does it get there so that you can see those STUN packets arriving where they're supposed to? I don't know what you have and haven't seen much in useful info to help with whatever your problem is?

Scrolling back, the first post I see from you is in response to my suggestion that the OP use Wireshark. Why did you post a capture there? All you seem to be doing at that point is creating confusion.

Also, I don't know about others here, but I don't sit around watching a thread all day. I'm at my desk, with the forum open. I see when there's a new post in some thread and then read it, so I'm not paying close attention to what happened earlier. When you posted in the thread with only the capture and no other comment, what was I supposed to assume?