VLAN Setup

  • Hi

    I have multiple D-Link switches and run pfSense.

    I would like to tag ports 38 and 39 on Switch 1, plug an AP into port 38, and plug one of the interfaces on pfSense into port 39.

    For testing purposes I have connected and configured it as follows:

    Switch 1
    All ports are untagged in the default VLAN except 38 and 39.
    On VLAN WIRELESS (VID 2) I have 38 and 39 tagged.

    I have a laptop plugged into port 38 and set to use DHCP.

    I have the igb2 port on the pfSense NIC plugged into port 39.

    I added an interface called WIRELESS:
    I created a VLAN on igb2 with VLAN tag 2 and description WIRELESS.
    I assigned the VLAN to the adapter: VLAN 2 on igb2 (WIRELESS).
    I then enabled DHCP on the WIRELESS interface.

    I then created test rules in the firewall (Proto / Source / Port / Destination / Port / Gateway / Queue):

    IPv4 TCP   *              *   *   *   GATEWAY1   none

    IPv4 *     WIRELESS net   *   *   *   *          none

    IPv4 *     *              *   *   *   *          none

    I cannot ping the WIRELESS interface from my laptop plugged into port 38 of the switch.
    My laptop does not receive any addresses.

    Any assistance is appreciated.

  • I think you misunderstand how VLANs are supposed to work.

    Dumb clients (like laptops/desktops/printers/…) need/want to be attached to an untagged port.

    VLAN-capable clients (like routers, switches, or pro-series APs) can be attached to a tagged port (= VLAN trunk).

  • Many thanks for the reply.

    I understood that I can segment my wireless network, as this is my aim.

    If normal traffic flowed from a laptop to a tagged port, would it not just tag that traffic at the point when it hits the switch?

  • I still can't understand why you say a laptop cannot be plugged into a port that you have assigned to a VLAN.

    If there is a switch and we want to segment the network into 2 parts, one for sales (VLAN 10) and one for admin (VLAN 20),

    would you not just create two VLANs and plug all the sales PCs into ports that are configured for VLAN 10 and the admin PCs into ports assigned to VLAN 20?

  • You can plug a laptop into a port with a VLAN, but you need to untag that port.

  • OK, so:

    If I plug a wireless AP that supports VLANs into port 39 and set the AP to use VLAN 2,

    then make port 38 part of VLAN 2 untagged,
    then make port 39 part of VLAN 2 tagged (port 39 plugs into pfSense on igb2),
    and make port 39 part of the VLAN trunk,

    would that work?

  • Rebel Alliance Global Moderator

    "I have multiple DLINK switches and run pfsense"

    What are these switches? Since you say you set VLANs on ports, I assume they support it. Do you have them chained? Can you draw your actual network showing your switches, which ports are tagged and untagged, and what VLAN they are in?

    What VLAN tag are you using, 2?

    Let's do an example where you want your wireless network on a different network (VLAN). Let's call this network 192.168.20.0/24 and your LAN network 192.168.10.0/24.
    The LAN network would be untagged. The default on any switch would be considered VLAN 1. On your switch you would create a VLAN 20. So on the port connected to the pfSense interface you would set it as trunk mode (in the Cisco world) and let it carry the PVID of VLAN 1 as native/untagged; this is your LAN network. Then the tagged network would be VLAN 20. Any link to another switch could carry VLAN 1 untagged, but VLAN 20 would have to be tagged so the other switch would know which packets are which.

    You can then put whatever other ports you want devices on into that VLAN as their PVID, untagged.

    So as you can see in the example with 2 switches, some ports are in VLAN 1 (black) and others are in VLAN 20 (blue). Ports in red would carry tagged traffic, and/or could have a native PVID if going to a device that you want to have native (untagged) VLAN traffic on, for example in this case your normal LAN network.

    So you can see my AV cabinet switch, a cheap-ass Netgear GS108Ev3. The uplink port, or the port connected to my other switch, has VLAN 1 (native admin VLAN) untagged and VLAN 20 tagged. Now I have lots more VLANs, and my APs support VLANs, so I have other SSIDs on different VLANs. But let's just play with your 1 VLAN for the moment. Since your AP doesn't support VLANs? And you just want all your wireless on 1 VLAN. This is my VLAN 20 and it is the untagged VLAN for wireless users.

    So on the Cisco you see ge4 is my uplink to the other switch, and ge3 is my connection to the pfSense interface, where VLAN 20 is native and untagged. In your case it would be VLAN 1 untagged and VLAN 20 tagged.

    I hope this helps. Once VLANs click they are easy peasy, but understanding tagged vs. untagged can be the steepest part of the learning curve.

    As to those firewall rules: what interface did you put those on, your LAN or the VLAN? And why is your first rule pointing to a specific gateway?

    So does your AP support VLANs? And do you want to have VLANs on different SSIDs? If so, just add, say, a VLAN 30, and add that to your tagged list on the trunk between switches and on your connection to pfSense.

  • Wow, what a LEGEND! I am really, really thankful for that comprehensive reply.

    Please see the attached network diagram:

    My APs do support VLANs but I currently do not have that set up on them, so I left the ports that are attached to them untagged
    (Switch 1 port 39) and (Switch 2 port 24), both on VID 2.

    I have port 38 tagged as part of VID 2, configured pfSense igb2 (VLAN 2 on igb2), and set up DHCP on igb2.

    If I connect via the boardroom AP I get an IP and I can surf the net (cool). But now Switch 2 is located in another building that is linked by SFP ports; how would I get the switch to relay that VLAN info to the other switch, as I cannot make the SFP port link a trunk?

  • Rebel Alliance Global Moderator

    What do you mean you cannot make the SFP links a trunk? What would be the use of them if you cannot trunk traffic over them for an uplink?

  • LOL, let me rephrase that:

    I do not know how to mark an SFP port as a trunk.

    Quick question:

    If VLAN 2 is set up on Switch 2, wouldn't it be able to communicate with pfSense? Currently I do not receive an IP if I connect to the AP in the training room.

  • Rebel Alliance Global Moderator

    "If VLAN2 is setup on Switch 2 wouldn't it  be able to communicate with pfsense? "

    How is the VLAN-tagged data going to get to pfSense from a downstream switch if your uplinks do not allow the tagged traffic?

    I have no experience with that model of switch, but this is pretty basic stuff. So you have 2 fiber connections between your switch 1 and 2; do you have them in a LAGG/EtherChannel? On the LAGG you would trunk.

  • I managed to get it to work by ticking the following in the Trunk Settings:

    Ports 47 & 48 (Switch 1)
    Ports 45 & 46 (Switch 2)
    Ports 45 & 46 (Switch 3)

    I now get an IP for the training AP. The thing that confused me is that the SFP ports are marked 48F etc. and I did not see the correlation with port 48; I could not find anything in the documentation.

    Seeing as my APs support VLANs, it probably would be a good idea to utilise that? In hindsight I could have used an AP without VLAN support.

    So basically I could have segmented the network without tagging any ports? Is the only reason to use tagging to prioritise traffic?

  • Rebel Alliance Global Moderator

    You have to TAG traffic if a connection is going to carry more than 1 VLAN; it doesn't prioritize anything.

    How would you get traffic on more than 1 VLAN to another switch without tagging? Sure, if you only had 1 switch and 2 NICs in pfSense you could just put your different ports into the different VLANs. And I guess if you wanted you could run uplinks to the other switch for each VLAN in question.

    You have to tag traffic when multiple VLANs will go across the same wire, be it an uplink to another switch or a NIC that will use the tagging to determine what traffic is what.

    So you don't have your 2 ports in a LAGG or EtherChannel? So you're just letting STP turn off one of the connections, and you want 2 connections only for failover if 1 of your fiber connections fails, vs. any sort of load sharing of bandwidth?

    So I am a bit curious. You have 4 WAN connections and 3 48-port switches that are L3 capable, and I show retail for over $2500 a piece, but you don't have clue one about VLANs or tagging?? Did you get promoted to IT guy when the other guy quit because you knew what a switch was??

    BTW, what AP did you buy?? Normally you would set up wifi that has access to your networking stuff, and then sure, a guest one that doesn't, so having APs that do multiple VLANs is a big plus.
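
The tagged-versus-untagged behaviour the moderator describes in the two posts above (the PVID/untagged port vs. tagged trunk explanation in the 192.168.20.0/24 example, and the point that tagging exists so that more than one VLAN can share one wire) can be made concrete with a small model of what a switch does to each frame. This is an added example, not code from the thread, from pfSense or from D-Link; the switch model, the MAC addresses, the DHCP payload bytes and the pfSense VLAN interface name igb2.2 are all constructed assumptions. It replays the original poster's first attempt (laptop on a port that is tagged in VID 2), the fix (port 38 untagged with PVID 2), and the AP behind a second switch with and without VLAN 2 allowed on the uplink.

```python
import struct
from dataclasses import dataclass

TPID_8021Q = 0x8100        # EtherType value announcing that an 802.1Q tag follows the MACs
ETHERTYPE_IPV4 = 0x0800

# Constructed sample data, not captured traffic.
LAPTOP_MAC = bytes.fromhex("0242ac110002")
BROADCAST = b"\xff" * 6
DHCP_DISCOVER = b"<constructed DHCP DISCOVER payload>"

def build_frame(dst, src, ethertype, payload, vid=None, pcp=0):
    """Ethernet II frame; with vid set, a 4-byte 802.1Q tag is inserted after the MACs."""
    frame = dst + src
    if vid is not None:
        tci = (pcp << 13) | (vid & 0x0FFF)   # 3-bit PCP (802.1p priority) | DEI | 12-bit VID
        frame += struct.pack("!HH", TPID_8021Q, tci)
    return frame + struct.pack("!H", ethertype) + payload

def parse_frame(frame):
    """Return (dst, src, vid or None if untagged, pcp, ethertype, payload)."""
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != TPID_8021Q:
        return dst, src, None, 0, ethertype, frame[14:]
    tci, inner_type = struct.unpack("!HH", frame[14:18])
    return dst, src, tci & 0x0FFF, tci >> 13, inner_type, frame[18:]

# What a laptop or a non-VLAN AP actually puts on the wire: an untagged frame.
DISCOVER = build_frame(BROADCAST, LAPTOP_MAC, ETHERTYPE_IPV4, DHCP_DISCOVER)

@dataclass(frozen=True)
class Port:
    pvid: int                            # VLAN an untagged frame lands in; sent untagged on egress
    tagged: frozenset = frozenset()      # VLANs carried with a tag (a trunk, in Cisco terms)

class Switch:
    """Minimal 802.1Q bridge: classify on ingress, flood to the VLAN's member ports on egress."""
    def __init__(self, ports):
        self.ports = ports               # {port name: Port}

    def classify(self, port, frame):
        p = self.ports[port]
        vid = parse_frame(frame)[2]
        if vid is None:
            return p.pvid                # untagged ingress goes to the PVID, whatever the sender meant
        return vid if vid in p.tagged else None   # tagged for a VLAN this port is not in: dropped

    def egress(self, port, vid, frame):
        p = self.ports[port]
        dst, src, _, pcp, etype, payload = parse_frame(frame)
        if vid == p.pvid:
            return build_frame(dst, src, etype, payload)             # leaves untagged
        if vid in p.tagged:
            return build_frame(dst, src, etype, payload, vid, pcp)   # leaves with the tag
        return None                                                  # port is not in this VLAN

    def forward(self, in_port, frame):
        """Flood to every other port that is a member of the frame's VLAN; returns {port: frame}."""
        vid = self.classify(in_port, frame)
        if vid is None:
            return {}
        out = {}
        for name in self.ports:
            if name != in_port and (egress := self.egress(name, vid, frame)) is not None:
                out[name] = egress
        return out

def pfsense_interface(frame, parent="igb2", vlans=(2,)):
    """Which pfSense interface receives the frame: the parent NIC if untagged, igb2.<vid>
    (assumed naming) if that VLAN is configured on it, None if no interface matches the tag."""
    vid = parse_frame(frame)[2]
    if vid is None:
        return parent
    return f"{parent}.{vid}" if vid in vlans else None

def laptop_on_tagged_port():
    """The thread's first attempt: ports 38 and 39 both tagged in VID 2, PVID left at 1."""
    sw = Switch({"38": Port(pvid=1, tagged=frozenset({2})),
                 "39": Port(pvid=1, tagged=frozenset({2}))})
    return pfsense_interface(sw.forward("38", DISCOVER)["39"])   # lands on igb2, never on VLAN 2

def laptop_on_untagged_port():
    """The fix: port 38 untagged with PVID 2, port 39 still tagged in VID 2 towards igb2."""
    sw = Switch({"38": Port(pvid=2),
                 "39": Port(pvid=1, tagged=frozenset({2}))})
    return pfsense_interface(sw.forward("38", DISCOVER)["39"])   # arrives tagged 2: igb2.2

def ap_behind_second_switch(trunk):
    """AP on Switch 2 port 24 (untagged, PVID 2); uplink 46 <-> 48 carries VLAN 2 only if trunk."""
    uplink = Port(pvid=1, tagged=frozenset({2}) if trunk else frozenset())
    sw2 = Switch({"24": Port(pvid=2), "46": uplink})
    sw1 = Switch({"48": uplink, "39": Port(pvid=1, tagged=frozenset({2}))})
    hop1 = sw2.forward("24", DISCOVER)
    if "46" not in hop1:
        return None                      # VLAN 2 not allowed on the uplink: nothing leaves Switch 2
    hop2 = sw1.forward("48", hop1["46"])
    return pfsense_interface(hop2["39"]) if "39" in hop2 else None
```

The first scenario is the original post's failure: the laptop's untagged DHCP discover is classified into the port's PVID (VLAN 1) and leaves port 39 untagged, so pfSense sees it on the parent igb2 and the WIRELESS DHCP server on the VLAN 2 sub-interface never gets the request. Only once port 38 is an untagged member with PVID 2 does the same frame leave towards pfSense carrying tag 2. The third scenario is the second switch: with VLAN 2 missing from the uplink's tagged list the frame is dropped at egress, which is why the training-room AP got no address until the SFP ports were added to the trunk.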

  • I currently have it set up just for failover. If I wanted to add load sharing, what could I do?

  • Rebel Alliance Global Moderator

    You would LAGG the connections; depending on the switch maker the term might be EtherChannel, or port channel, or teamed. All pretty much the same term for doing the same thing: binding connections together for load sharing.

    This provides you with multiple paths for a failover situation while also allowing you to leverage more bandwidth between the switches for load sharing. In a typical setup you might even connect switch 2 to 3 to allow for another path: if your home run to your main switch went down you would have another path to the switch via that connection. You would leverage spanning tree (STP) to block that connection so you don't have a loop unless the home-run connection to the main switch went down. That connection would then come up in forwarding vs. blocking.

    So for example, is that fiber connection only 1 gig? If just using it as failover with 1 connection only being used, all your devices on switch 2, for example, are limited to this 1 gig uplink to anything on switch 1 or switch 3 or the internet. Not sure where your servers are, for example.

    Typically in a case with a location that has need of that many ports you would have way more than just 2 network segments/VLANs. Without understanding your environment and the amount of data flow between devices and where they are connected, it's hard to say what your best setup would be.

    How are you leveraging those 4 WAN connections? How fat are those pipes?

    What other types of devices do you have? Servers, printers? VoIP phones?

    In a typical SMB setup you might see, say, 5 VLANs for sure. It depends on what you want to isolate for security, what you're using as your routing for inter-VLAN, and how much inter-VLAN traffic you're going to have, compared to security concerns. For example you might just have a data VLAN and you would put all your servers/printers/users/networking infrastructure management on this data VLAN. If you have phones, these normally would be on a voice VLAN, and then your wifi normally at least 2: 1 for internal use of known users and devices that need access to your other stuff, and then just a guest one that has just internet, etc.

    Typically you might have:

    All as different VLANs. With data possibly broken up even more into servers/printers/production/etc./DMZ, and then depending on the number of users or different types of users you might have multiple user VLANs. This might be office users, engineers, management, sales, finance, kiosks or plant floor.

    Shoot, in my home I have 7 different segments and VLANs, for gosh sake ;) If anything that number would just go up.