Netgate Discussion Forum
    XG-7100, switch configuration issues

    Official Netgate® Hardware
    7 Posts 2 Posters 900 Views
      aealith

      Hi,

      I'm having a problem with a XG-7100.

      Basically, the topology of my network is as follows:

      AP CISCO > SWITCH CISCO > PFSENSE > ISP MODEM

      AP CISCO :

      IP CTRL 172.16.100.16
      IP AP 172.16.100.17

      3 SSID
      3 VLAN (110/120/130)
      3 DHCP (172.16.110.0/24, 172.16.120.0/24, 172.16.130.0/24)

      SWITCH CISCO :

      PORT 1 : ACCESS : PC
      PORT 2 : ACCESS : NAS
      PORT 3 : ACCESS : PRINTER
      and so on until...
      PORT 15 : TRUNK : AP CISCO
      PORT 16 : TRUNK : UPLINK 2 PFSENSE

      4 VLAN (100/110/120/130)
      4 VLAN INT :
      172.16.100.10 (DHCP from PF)
      172.16.110.2 (STATIC)
      172.16.120.2 (STATIC)
      172.16.130.3 (STATIC)

      XG-7100 :

      ETH1 : WAN (up TO ISP BOX DMZ : 192.168.1.1)
      ETH2 : LAN (from SWITCH PORT 16)

      INT VLAN 110 : 172.16.110.1/24
      INT VLAN 120 : 172.16.120.1/24
      INT VLAN 130 : 172.16.130.1/24

      My LAN is 172.16.100.0/24 (DHCP on XG-7100). No problem for accessing internet from it.

      The problem is none of my 3 VLAN from the AP can reach the internet or access another vlan (according to the rules set).
      So no internet for 110/120/130 and no intervlan routing.

      Right now, I only experiment on vlan 110.
      From my phone (on VLAN 110), I can ping the vlan interface on pfsense (172.16.110.1) and that's about it.

      I guess my problem lies with the switch port configuration: https://flic.kr/p/2k4fr2j
      I think port 2 should be a trunk (on VLAN Group 2), but when I try to tag it, I lose communication with the GUI (my PC IP is 172.16.100.11).
      I'm missing something here and I must admit I'm mostly lost with the switch port configuration.

      The whole thing used to work on DIY router with two intel NIC on a regular motherboard.

      I did try to move to port vlan mode but it cuts me out right away and I got to restore the previous config.

      Any suggestion most welcome ;-)

      Eric

        IT_Dept

        Hello Eric,

        Your current switch config on the XG-7100 is fine; just take into account that if you want to reach the Internet or have inter-VLAN communication from WIFI GUEST and WIFI IoT, then you'll need to add "9t,10t" on VLAN groups 4 and 5.

        You can reach the VLAN 110 interface from your phone but cannot reach the Internet. Then go to "Firewall --> Rules" and on the WIFI interface add a "pass" rule using "WIFI net" as source, "any" as protocol, and "any" as destination as the first rule. Can you now reach the Internet from your phone?

          aealith @IT_Dept

          @IT_Dept
          Thank you for your reply.

          The VLAN GUEST and IOT are not yet configured since I cannot get PRIVATE to work, but of course it is planned.
          Now, I already have a rule (only for testing purposes) on the INT WIFI: PASS WIFI NET ANY ANY, and still can't get out. The phone detects the SSID as a "No internet" type of connection (the usual symbol plus '!').
          The funny thing is, if I capture packets for host 172.16.110.16 (my phone), I see packets reaching out to the internet, but still I cannot get to a single web page. It's like the packets couldn't make it back.

          On the intervlan front, it seems it's working now i.e. I can browse my NAS stuff from VLC on the phone. That's weird but I guess I was doing something wrong on the phone.

          So, I guess it's half solved but still no internet :-/

            IT_Dept

            Maybe a dumb question, but I don't know if you are browsing the NAS through its IP address or through its FQDN, so have you verified that your phone (or any device in VLAN 110) can properly resolve FQDNs?

            I would also perform a traceroute against a public IP from VLAN 110, to see where it fails.

              aealith @IT_Dept

              @IT_Dept
              For accessing the NAS from the phone or anything on 110, the IP works fine. No name resolution, but right now that is not a priority since it is working fine.

              A traceroute to 1.1.1.1 from a computer on WIFI (VLAN 110) shows:

              1. 172.16.110.1
              2. * * *
              3. * * *

              and so on.

              So it reaches the VLAN interface on pfSense and nothing more.

                IT_Dept

                It does not even reach your WAN interface (192.168.1.(2?))...

                Within pfSense, the last option of the "Diagnostics" section is Traceroute. You can go there and select the source interface from which to perform the trace; select your WIFI address/network as source and try. The results could be different from those obtained from your computer.

                I'm a little bit out of ideas. You can find many things to check at the following link:

                https://docs.netgate.com/pfsense/en/latest/troubleshooting/connectivity.html

                Regards

                  aealith @aealith

                  Ok, I figured it out.

                  When configuring the VLAN interfaces, at first I hadn't noticed, but it was set with a mask of /32.

                  The rules being generated automatically, the NAT was set for the interface with the same mask, but not for the network with the right mask.

                  I fixed the VLAN interface mask a while ago, but the NAT was still wrong.

                  Working like a charm now!
