    TP LINK TL-SG108E VLAN 1

    General pfSense Questions
    • digital_janitor last edited by

      Hello community.  First, I am not a network person, but have been running pfSense for many years; however, I am making my first foray into VLANs and don't have a complete understanding of how VLAN 1 plays into things when using tagging/trunking and access port/PVID.
      When I say tagging/trunking I am using the terms interchangeably, as I understand Cisco calls it trunking and other vendors call it tagging.
      Same with access port/PVID.

      In the past I have run pfSense with 3 NICs for dual WAN + LAN.  I recently bought an Intel NUC (only 1 NIC) and have things set up with VMware ESX using trunking/tagging.

      There is the default VLAN of 1, and I have created VLANs 10, 20, 30.

      My switch is a TP-LINK TL-SG108E using 802.1Q.

      Port 1 is trunked/tagged to 10, 20, 30, a member of VLAN 1, and PVID is VLAN 1. It is connected to a VMware ESX virtual switch and a port group set to VLAN 4095 (all), and pfSense is doing the tagging for VLAN 10 WAN, 20 OPT1, 30 LAN.  Everything is working as expected.
      Port 2 is an access port/PVID set to 10 (cable modem) (but still a member of VLAN 1)
      Port 3 is an access port/PVID set to 20 (DSL) (but still a member of VLAN 1)
      Ports 4-8 are access ports/PVID set to 30 (LAN) (but still a member of VLAN 1)

      Basically I'm using a single NIC to break out to 3 ports, effectively.

      So, now my real question.  On my switch you seemingly cannot do anything with VLAN 1.  You can't take it down, you can't remove ports from it.  This seems to me to be a security issue.  Even with PVID/access port set, it seems like traffic can pass on VLAN 1, and the goal here is to effectively isolate ports 2 and 3 from the LAN portion of my network.

      Is this because I am using a cheap switch?  I have heard of other cases where you can remove VLAN 1 from ports, or down VLAN 1.

      Thanks in advance!

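      To make the isolation question concrete, here is a small added model (not from the post or from TP-Link) of 802.1Q forwarding for the port layout above. It assumes a standard 802.1Q switch: untagged ingress is classified by PVID, tagged ingress is accepted only for VLANs the port belongs to, and, as the thread describes, VLAN 1 membership cannot be removed from any port.

```python
"""Constructed model of 802.1Q forwarding for the TL-SG108E layout in the post.
Assumes: untagged ingress -> PVID, tagged ingress accepted only for member VLANs,
and every port is stuck as an untagged member of VLAN 1 (cannot be removed)."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Port:
    pvid: int
    tagged: frozenset = frozenset()    # VLANs this port sends out with a tag
    untagged: frozenset = frozenset()  # VLANs this port sends out untagged

    def vlans(self):
        return self.tagged | self.untagged

# Port map from the original post. VLAN 1 is forced onto every port.
PORTS = {
    1: Port(pvid=1, tagged=frozenset({10, 20, 30}), untagged=frozenset({1})),  # ESX trunk
    2: Port(pvid=10, untagged=frozenset({1, 10})),                              # cable modem
    3: Port(pvid=20, untagged=frozenset({1, 20})),                              # DSL
    **{p: Port(pvid=30, untagged=frozenset({1, 30})) for p in range(4, 9)},    # LAN
}
LAN_PORTS = set(range(4, 9))

def classify(ingress, vid=None):
    """VLAN a frame lands in on ingress (untagged -> PVID), or None if dropped."""
    port = PORTS[ingress]
    if vid is None:
        return port.pvid
    return vid if vid in port.vlans() else None

def egress_ports(ingress, vid=None):
    """Ports (other than ingress) a flooded frame can leave on."""
    v = classify(ingress, vid)
    if v is None:
        return set()
    return {p for p, port in PORTS.items() if p != ingress and v in port.vlans()}

def shared_vlans(a, b):
    """VLANs that give ports a and b a layer-2 path to each other."""
    return PORTS[a].vlans() & PORTS[b].vlans()

def isolation_report():
    """Per WAN-side port: LAN ports its untagged frames reach, and VLANs bridging it to the LAN."""
    out = {}
    for p in (2, 3):
        bridging = set().union(*(shared_vlans(p, q) for q in LAN_PORTS))
        out[p] = (sorted(egress_ports(p) & LAN_PORTS), sorted(bridging))
    return out
```

      With the PVIDs set, untagged frames from the modem or DSL ports never reach the LAN ports; the report shows that the only VLAN still bridging those ports to the LAN is the unremovable VLAN 1, which is exactly the residual path the thread is worried about.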
      • thuety last edited by

        Any update on this?

        I'm also using the TL-SG108E with a single-NIC pfSense.

        My cable modem is also connected using the untagged VLAN 10.
        If this port has PVID 10 set (forcing tagging of inbound traffic), shouldn't it be impossible to access VLAN 1 (from the internet)?

        cu

        • jahonix last edited by

          A couple of posts regarding this device:
          https://forum.pfsense.org/index.php?topic=76022.msg727464#msg727464
          https://forum.pfsense.org/index.php?topic=123324.0

          IIRC they have a severe VLAN 1 problem. Don't know if that's true for v2 though.
          Personally I use TL-SG3210s without problems, but they are a bit more expensive.
          And I have a bunch of Cisco SG300s as well, which I prefer over the TL-SGs. But at home they are pretty much OK.

          • johnpoz LAYER 8 Global Moderator last edited by

            They have the problem on v1, v2 and v3. You can not remove VLAN 1 from any port.  It is their design. They also have an issue where they seem to count tagged traffic as RxBadPkt; seems to be cosmetic. And there is a long-running thread on their forums that has something to do with the chipset they are using.

            While the price makes it attractive as an entry-level simple switch to use where you only really need VLAN support… And depending on your setup you can probably just use VLAN 1 as your untagged VLAN anyway - as long as you don't have security concerns about someone accessing the switch GUI from any port, etc.

            It sure would not be on the top of my list of recommended switches to buy.  But if you change the PVID of a port and then send untagged traffic, it sure should not bleed over to every other port because of VLAN 1.  And VLAN 1 traffic should not be sent out all ports, etc.  It is there to be able to access the GUI, etc.

              • tpham3783 last edited by

              Guys,

              Please see my post here to disable VLAN 1.  It is on page #5.

              https://forum.pfsense.org/index.php?topic=123324.msg763557#msg763557
