Can't figure out VLANs



  • I set up a new VLAN as per the pf tutorials, but it's not working.

    I set up the new VLAN 20 on my LAN connection, set an allow-all rule in the firewall to test it, and set up untagged ports on my switch as VLAN 20. Once I set the ports to untagged on the switch, I can no longer see them or ping them.

    What info do you guys need to help me out?



  • In pfsense, did you enable the VLAN after you created it? (Interface menu dropdown)

    Are you just trying to communicate within the VLAN itself? Your switch will do that. Are you trying to communicate from the VLAN to another VLAN/LAN? Then you'll need to have appropriate Firewall rules on both Interfaces to allow communication both ways.

    In your switch .. well, switches have differing methods of configuring VLANs. I'm not familiar with Cisco but I've used DLink and Netgear VLANs, however I know they term things differently to other vendors. YMMV.



  • @moikerz:

    In pfsense, did you enable the VLAN after you created it? (Interface menu dropdown)

    Are you just trying to communicate within the VLAN itself? Your switch will do that. Are you trying to communicate from the VLAN to another VLAN/LAN? Then you'll need to have appropriate Firewall rules on both Interfaces to allow communication both ways.

    In your switch .. well, switches have differing methods of configuring VLANs. I'm not familiar with Cisco but I've used DLink and Netgear VLANs, however I know they term things differently to other vendors. YMMV.

    Yes the OPT1 (VLAN 20) interface is enabled.

    The current firewall rule within OPT1 interface is ALLOW ALL with all * across the board.

    I'm using a Netgear Prosafe JGS managed switch. In the web interface I set ports 13 and 15 to U on VLAN 20 and all other ports are U on default. The PVID is also set to 20 for those two ports 13 and 15.

    As of right now I am just trying to get a test case working so I know how to setup VLANs properly. I have these two ports (13/15) both with physical devices available for testing.

    The default LAN IP range is 192.168.1.1/24 and this VLAN is set to 192.168.3.1/24.

    For example, a device on port 15 on the router that previously had an IP of 192.168.1.105 does not pick up a new IP address of 192.168.3.X when taken off the default LAN on the switch and set to VLAN 20. It retains 192.168.1.105 and becomes unpingable by anything on the LAN, which I get is probably because of an inter-LAN/VLAN rule, but the devices on the VLAN cannot see the internet either way.

    The devices on the VLAN are IoT and need cloud/internet access.


  • Netgate

    A pfSense interface assigned to VLAN 20 means your switch port to pfSense needs to be tagged VLAN 20, not untagged.

    The firewall rules (layer 3) do not care what is going on with your VLANs (layer 2). They are the same regardless.



  • @Derelict:

    A pfSense interface assigned to VLAN 20 means your switch port to pfSense needs to be tagged VLAN 20, not untagged.

    The firewall rules (layer 3) do not care what is going on with your VLANs (layer 2). They are the same regardless.

    What if it's on a daisy-chained switch (second in line)? Does it care? Or do I just set the port (16 in my case) to T since that's the incoming connection cable?



  • Current switch VLAN tag settings (U = untagged member, T = tagged member, - = not a member):

    Port(s)   Default VLAN (1)   VLAN 20
    1-12      U                  -
    13        -                  U
    14        U                  -
    15        -                  U
    16        U                  T

    Only ports 13 and 15 have a Netgear PVID of 20; port 16 is still 1.


  • Netgate

    The traffic on VLAN 20 has to be TAGGED to pfSense. If you are trying to use unmanaged switches to accomplish that you are wrong.



  • @Derelict:

    The traffic on VLAN 20 has to be TAGGED to pfSense. If you are trying to use unmanaged switches to accomplish that you are wrong.

    The switch is "Web Managed (Plus) Switch" so yes - it's managed.

    What does 'TAGGED to pfsense' mean? See my chart above.

    Do I have to set port 16 on switch #1 to TAGGED as well? And also the port going outbound to switch #2?

    If I set port 16 (incoming WAN from pfSense) to tagged, and port 10 (outgoing to switch 2, which has the VLAN tags), I lose internet to all my devices.


  • Netgate

    The switchport going to pfSense on VLAN 20 must be TAGGED for VLAN 20.




  • @Derelict:

    The switchport going to pfSense on VLAN 20 must be TAGGED for VLAN 20.

    I still don't understand what that means. There is no switchport going to pfsense on VLAN 20... as I see it.

    Here is how the ethernet cords run:

    WAN -> pfsense em0 WAN in -> pfsense em1 LAN out -> In Port 16 on Switch #1 [15 physical devices on ports 1-15 which are to be default LAN] -> Out Port 10 on Switch #1 -> In Port 16 on Switch #2 [4 physical devices on ports 10-15 which are to be placed on VLAN 20]

    In your attached image above it shows the modem connected directly to the switch? Is that correct?


  • Netgate

    You really need to understand tagged vs. untagged to make any of this work.

    That diagram is of a "router on a stick." It is not meant to represent your specific network. Just tagged vs. untagged ports.



  • @Derelict:

    You really need to understand tagged vs. untagged to make any of this work.

    That diagram is of a "router on a stick." It is not meant to represent your specific network. Just tagged vs. untagged ports.

    I'm afraid you're not really answering any of my questions with these responses.

    I cannot set the PVID of the port coming directly from my pfsense box to VLAN 20, as that cuts out internet for all my other devices; therefore it can't be the correct action.

    Given the information I've provided above how do I go about best configuring this?


  • Netgate

    Don't know. You need to configure your switch properly. Until you understand what you're doing there I don't think I can be of much help.



  • @Derelict:

    Don't know. You need to configure your switch properly. Until you understand what you're doing there I don't think I can be of much help.

    I know how to set ports to tagged and untagged; what I am not understanding is when to use U or T, and whether the ports can be on both LAN1 and VLAN20 at the same time. And also whether the PVID of the port needs to be that of the VLAN or of the LAN itself.



  • https://www.thomas-krenn.com/en/wiki/VLAN_Basics

    You need to familiarize yourself with VLANs. Google all you can.



  • @heper:

    https://www.thomas-krenn.com/en/wiki/VLAN_Basics

    You need to familiarize yourself with VLANs. Google all you can.

    I've been googling and reading pfsense threads on various reddit/forums for weeks and can't get this to work.

    In the link above that you provided my setup is exactly as you see in the 'tagged' example. 2 switches with one physical link/cable between them.

    Does that cable which is connecting both switches need to be on both VLANs and be tagged?



  • I was able to get a device to pick up the VLAN IP somehow... but several other devices will not do so.

    I also cannot ping the VLAN from other VPN/LAN within pfsense.

    EDIT-

    OK, the port I moved over to my VLAN was my Ubiquiti AP, and it was serving VLAN IPs to all of the wifi devices that were asking to be served. I've removed that port from my VLAN, and now the physical/ethernet devices are still not renewing their IPs through the VLAN.



  • On your switch:
    If you have port 15 as "untagged on vlan20" (aka PVID is set to 20), untagged data entering the switch will be tagged as vlan20. That's a similar setup to how DLink websmart switches work too. That setup is normal for a device (e.g. a computer). If pfsense is connected to, for example, port 1 on the switch, then port 1 must be a tagged member of vlan20, because all of the packets from that device are now tagged as vlan20.

    On pfsense:
    You'll want to ensure that you have firewall rules with full access (while troubleshooting at least) for the vlan20 interface. You may want/need to have a DHCP server (or relay) operating on the vlan20 interface. If you're trying to communicate with other vlans/lans, then both the source (vlan20) and destination (other vlans/lans) interfaces will need to be allowed to talk to each other. So for troubleshooting you could just allow full access (* to *) on vlan20 and the same for the destination vlan/lan (* to * also).
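The post above (and Derelict's earlier "the uplink must be TAGGED" replies, plus the daisy-chained-switch question) come down to three 802.1Q port rules: an untagged frame arriving on a port takes that port's PVID; a port only sends a VLAN's frames if it is a member of that VLAN; and a tagged member keeps the tag on the way out while an untagged member strips it. The following is an added example, not code from the thread or from Netgate: a small Python model of those rules, built around the two-switch layout the original poster described (IoT ports untagged with PVID 20, port 16 of switch #1 up to pfSense, port 10 of switch #1 down to port 16 of switch #2). It shows that a DHCP broadcast from an IoT port never reaches pfSense while port 16 is only an untagged member of VLAN 1, and reaches the VLAN 20 interface once port 16 (and both ends of the inter-switch link) are tagged members of VLAN 20. The pfSense interface names (em1 for LAN, em1.20 for the VLAN 20 child interface) are assumed for illustration, as is the flood-to-all-members forwarding, which is enough for a broadcast such as DHCP DISCOVER.

```python
# Added example: a model of 802.1Q PVID / tagged / untagged port behaviour.
# Not the thread's or pfSense's code; interface names below are illustrative.
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Port:
    pvid: int                                   # VLAN given to untagged ingress frames
    untagged: set = field(default_factory=set)  # VLANs sent out of this port with the tag stripped
    tagged: set = field(default_factory=set)    # VLANs sent out of this port with an 802.1Q tag


@dataclass(frozen=True)
class Frame:
    src: str
    vid: Optional[int] = None   # None = no 802.1Q tag on the wire


def ingress_vlan(port: Port, frame: Frame) -> Optional[int]:
    """Classify an arriving frame into a VLAN; None means the switch discards it."""
    if frame.vid is None:
        return port.pvid                                        # untagged frame takes the PVID
    return frame.vid if frame.vid in port.tagged else None     # tagged frame needs tagged membership


def egress_frame(port: Port, vid: int, frame: Frame) -> Optional[Frame]:
    """Send a VLAN's frame out of a port, keeping or stripping the tag per membership."""
    if vid in port.tagged:
        return Frame(frame.src, vid)      # tagged member: tag preserved (trunk-style)
    if vid in port.untagged:
        return Frame(frame.src, None)     # untagged member: tag stripped (access-style)
    return None                           # not a member: nothing leaves this port


def forward(switch: dict, in_port: int, frame: Frame) -> dict:
    """Flood a broadcast (e.g. DHCP DISCOVER) to every other port that is a member of its VLAN."""
    vid = ingress_vlan(switch[in_port], frame)
    if vid is None:
        return {}
    out = {}
    for name, port in switch.items():
        if name == in_port:
            continue
        sent = egress_frame(port, vid, frame)
        if sent is not None:
            out[name] = sent
    return out


def access_port(vid: int) -> Port:
    """Untagged member of one VLAN with PVID set to it: what an end device plugs into."""
    return Port(pvid=vid, untagged={vid})


def trunk_port(native: int, tagged_vids: set) -> Port:
    """Untagged member of the native VLAN plus tagged member of the others: an uplink."""
    return Port(pvid=native, untagged={native}, tagged=set(tagged_vids))


def switch1(uplink_tagged: bool) -> dict:
    """Switch #1 from the thread: ports 13/15 on VLAN 20, port 16 up to pfSense,
    port 10 down to switch #2. uplink_tagged=False is the original (broken) state."""
    sw = {p: access_port(1) for p in range(1, 17)}
    sw[13] = access_port(20)
    sw[15] = access_port(20)
    if uplink_tagged:
        sw[16] = trunk_port(1, {20})   # VLAN 1 untagged, VLAN 20 tagged toward pfSense
        sw[10] = trunk_port(1, {20})   # same toward switch #2
    return sw


def switch2() -> dict:
    """Switch #2: ports 10-15 on VLAN 20, port 16 is the link back to switch #1 port 10."""
    sw = {p: access_port(1) for p in range(1, 17)}
    for p in range(10, 16):
        sw[p] = access_port(20)
    sw[16] = trunk_port(1, {20})
    return sw


# Assumed pfSense side: untagged frames land on the parent (LAN), tag 20 on the VLAN child.
PFSENSE_IFACE = {None: "em1 (LAN)", 20: "em1.20 (OPT1 / VLAN 20)"}


def delivered_to_pfsense(sw1: dict, in_port: int, frame: Frame) -> Optional[str]:
    """Which pfSense interface sees a broadcast sent by a device on switch #1?"""
    out = forward(sw1, in_port, frame).get(16)
    return None if out is None else PFSENSE_IFACE.get(out.vid)


def delivered_via_chain(sw1: dict, sw2: dict, in_port: int, frame: Frame) -> Optional[str]:
    """Same question for a device on switch #2 (switch #2 port 16 -> switch #1 port 10)."""
    hop = forward(sw2, in_port, frame).get(16)
    if hop is None:
        return None
    return delivered_to_pfsense(sw1, 10, hop)


if __name__ == "__main__":
    print("broken uplink, IoT on sw1 port 15:", delivered_to_pfsense(switch1(False), 15, Frame("iot")))
    print("tagged uplink, IoT on sw1 port 15:", delivered_to_pfsense(switch1(True), 15, Frame("iot")))
    print("tagged uplink, PC on sw1 port 1:  ", delivered_to_pfsense(switch1(True), 1, Frame("pc")))
    print("tagged links,  IoT on sw2 port 12:", delivered_via_chain(switch1(True), switch2(), 12, Frame("iot2")))
```

The broken case is exactly the symptom in the thread: the IoT device's DHCP DISCOVER is classified into VLAN 20 at port 15, but port 16 is not a member of VLAN 20, so nothing leaves toward pfSense and the device keeps its old address. Once port 16 is a tagged member, the frame arrives at pfSense with tag 20 and is handled by the VLAN 20 interface, while untagged LAN traffic still arrives on the parent interface unchanged. The inter-switch link needs the same treatment on both ends, because switch #1 port 10 will discard a tagged frame it is not a tagged member for.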



  • I got it working for now.

    Thanks guys.

    Working on firewall rules at this time.