basic VLANS - Noob

chrischambers

@chrischambers said in basic VLANS - Noob:

I have the port profile set to All,

How is pfsense to know what is vlan 1 (lan) or vlan 20? For pfsense to know what traffic is what the traffic is ether tagged or untagged.

In this case since lan is native on the igb1 interface it would be untagged. Since you added vlan 20 to this same interface this traffic has to be tagged. You need to edit unifi to tag the vlan 20 traffic when it sends it to pfsense port.

sorry if this all sounds a bit dump but I am I trying to get my head around this: I through that when you enter in a number for the VLAN, in my case 20 and this match's the VLAN on pfsense then this is the tagging.
unifi 20 VLAN Settings.JPG

johnpoz

No that just creates a vlan.. Where do you say when its tagged or not tagged

Untagged or Native is when that traffic has no tag on it.. like when connected to a pc.. Or when your sending that traffic to a device that has multiple vlans on it.. Like a port on pfsense, or AP etc..

1 vlan, can be untagged or native. Any other vlans on that port need to be tagged.. So the router, the other switch the AP, etc. can tell the traffic apart.

Since you are having more than 1 network(vlan) on your igb1.. 1 vlan can be untagged (lan) and the other vlan 20 has to be tagged..

https://help.ui.com/hc/en-us/articles/222183968#3
Vlan Tagging.

To be honest - the docs for unifi to work with other devices and tag or untagged seems hard to find.. They use to have a doc when working with other switches.. But can not seem to find it..

From what I can tell if set to all, vlan 1 would be untagged.. Any other vlans would be tagged.. So the port connected to pfsense should be set to ALL, and then other port connected to PC would be just vlan 20..

Does your client get on this port get dhcp from vlan 20 on pfsense? If so that is working correctly most likely.. But you should really be able to see what vlans are tagged and untagged on what ports..

rameshk

@chrischambers
Don’t worry mate I have spent hours / days / months with these trying learn and keep my knowledge updated.
Looking at your details I assume that the connection from your Router to Switch (trunk) doesn’t carry both VLANs to the switch. Therefore the switch don’t have any information about the route back to your router/gate way.
I have attached a sketch below to explain.

chrischambers

@rameshk said in basic VLANS - Noob:

yea that is my set. if I am reading it with that vlan1 is the default traffic and vlan 20 is my test

rameshk

@chrischambers
Check your settings on Unifi controller and let us know how it went.

chrischambers

@rameshk said in basic VLANS - Noob:

@chrischambers
Check your settings on Unifi controller and let us know how it went.

ok I am still having the same issues, I did watch a video about tagging and untagging, but he was creating a DHCP on the switch and not passing the DHCP range through a VLAN.

I did try creating a profile setting the Native network but this didn'twork as I got the same results, that I was able to ping from VLAN to anything but no from LAN to VLAN

and here is a little picture of my network, showing there my DHCP are

johnpoz

If your client is getting dhcp from your dhcp server for vlan 20... This means your tagging is correct.. Or your traffic would never hit the vlan dhcp server.

Not being able to ping some device on vlan 20.. You sure there is no firewall on this device. Out of the box windows for example is not going to allow some device from anything but its local network to ping it.

Simple sniff on pfsense vlan 20 interface while you ping the vlan 20 pc IP from lan.. Do you see the ping request go out?

That pic of tagging makes NO sense.. What port is that on.. Your saying vlan 20 is native.. but then you say tag all?

edit: One last time..

P1 on your switch vlan 1 (lan) untagged. Vlan 20 Tagged. Port 15.. Vlan 20 untagged..

chrischambers

@johnpoz I take pics as it might be easier then trying to explain.

Switch port 1.JPG
switch port 15 - Testing.JPG

johnpoz

And lets see these profiles.

Tagging vlan 1 to port 15 makes ZERO sense.. The only thing on that port should be 20 and it should be untagged.

chrischambers

===@johnpoz said in basic VLANS - Noob:

se prof
is this the profile you wanted ?

Switch port Profiles.JPG

johnpoz

Show the profile on port 1 (pfsense), and the profile on port 15 (pc)

chrischambers

@johnpoz said in basic VLANS - Noob:

Show the profile on port 1 (pfsense)

sorry I am cunfused. profile on pfsense - are you asking for the interface information ?
and want do you mean by profile of port 15. is this from the switch ?
please give examples

chrischambers

@chrischambers I have just check my firewall and this is turn off.
I also just check that the port is working the LAN range and this works, with no issues.
it is just something with VLAN 20 that is missing

just found the old video I used to create my vlans minus the blocking of extra vlans
https://www.youtube.com/watch?v=hhPGN4UJHAM

johnpoz

Port 1 from your drawing is connected to pfsense... What is the profile you have assigned to port 1 on your switch..

Port 15.. What you showed is WRONG... The only vlan on that should be native vlan 20.. nothing tagged, no other vlans

chrischambers

@johnpoz said in basic VLANS - Noob:

Port 1

on port 1 as shown in my drawn the profile is " All "
on port 15 the only profile on is "Test 20 "
switch port 15 - Testing.JPG
with the following settings
unifi 20 VLAN Settings.JPG

chrischambers

@johnpoz said in basic VLANS - Noob:

Port 15.. What you showed is WRONG... The only vlan on that should be native vlan 20.. nothing tagged, no other vlans

forget this I was trying something. it is now deleted.

johnpoz

Ok if you have your vlans setup correctly on your switch.. And your pc on vlan 20 interface on your switch gets an IP from dhcp on pfsense for vlan 20..

And it has internet I take it?

But you can not ping it from lan?

What are the rules on lan? Your not policy routing traffic out some vpn are you?

Post up rules on lan and vlan 20 interfaces on pfsense.

chrischambers

@johnpoz

Ok if you have your vlans setup correctly on your switch.. And your pc on vlan 20 interface on your switch gets an IP from dhcp on pfsense for vlan 20.. -- Yes I do
And it has internet I take it? -- not at the moment as I have no rules for outbound
But you can not ping it from lan? -- That is right
What are the rules on lan? Your not policy routing traffic out some vpn are you? -- yes I do have a VPN
Post up rules on lan and vlan 20 interfaces on pfsense.

WAN
Wan Rules.JPG
LAN
LAN Rules.JPG

johnpoz

Ok your forcing traffic out your gateway that 1.9 IP to plextv? Not sure what is the point of that?

That is wan and lan - where is vlan 20?

As long as your not coming from 1.9 and going to whatever is in that alias for plextv - you would be able to go to your vlan 20 via your lan net source any any rule.

So makes no difference what rules you have on vlan 20. lan should be able to ping anything on vlan20

So again sniff on vlan 20 interface while your pinging from lan - do you see the ping go out.. If so then problem is not pfsense..

Are you sending everything out some vpn.. I don't understand why your trying to policy route traffic out your wan gateway? Unless you have everything else going out some vpn?

chrischambers

@johnpoz said in basic VLANS - Noob:

VLAN 20

VLAN 20 Rules.JPG

I have a plex server sitting behind the PFsense, and looking at videos it informed me that I needed to added that rule.

is sniff the pinging within pfsense ?