Can't figure out VLANs
-
A pfSense interface assigned to VLAN 20 means your switch port to pfSense needs to be tagged VLAN 20, not untagged.
The firewall rules (layer 3) do not care what is going on with your VLANs (layer 2). They are the same regardless.
-
A pfSense interface assigned to VLAN 20 means your switch port to pfSense needs to be tagged VLAN 20, not untagged.
The firewall rules (layer 3) do not care what is going on with your VLANs (layer 2). They are the same regardless.
What if it's on a daisy-chained switch (second in line)? Does it care? Or do I just set the port (16 in my case) to T since that's the incoming connection cable?
-
Current switch VLAN tag settings (U = untagged member, T = tagged member, - = not a member):
Port  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15 16
D     U  U  U  U  U  U  U  U  U  U  U  U  -  U  -  U
V20   -  -  -  -  -  -  -  -  -  -  -  -  U  -  U  T
Only ports 13 and 15 have a Netgear PVID of 20; 16 is still 1.
-
The traffic on VLAN 20 has to be TAGGED to pfSense. If you are trying to use unmanaged switches to accomplish that you are wrong.
-
The traffic on VLAN 20 has to be TAGGED to pfSense. If you are trying to use unmanaged switches to accomplish that you are wrong.
The switch is "Web Managed (Plus) Switch" so yes - it's managed.
What does 'TAGGED to pfsense' mean? See my chart above.
Do I have to set port 16 on switch #1 to TAGGED as well? and also the port going outbound to switch #2?
If I set port 16 (incoming WAN from pfSense) to tagged, and port 10 (outgoing to switch 2, which has the VLAN tags), I lose internet to all my devices.
-
The switchport going to pfSense on VLAN 20 must be TAGGED for VLAN 20.
-
The switchport going to pfSense on VLAN 20 must be TAGGED for VLAN 20.
I still don't understand what that means. There is no switchport going to pfsense on VLAN20…as I see it.
Here is how the ethernet cords run:
WAN -> pfsense em0 WAN in -> pfsense em1 LAN out -> In Port 16 on Switch #1 [15 physical devices on ports 1-15 which are to be default LAN] -> Out Port 10 on Switch #1 -> In Port 16 on Switch #2 [4 physical devices on ports 10-15 which are to be placed on VLAN 20]
In your attached image above it shows the modem connected directly to the switch? Is that correct?
-
You really need to understand tagged vs. untagged to make any of this work.
That diagram is of a "router on a stick." It is not meant to represent your specific network. Just tagged vs. untagged ports.
-
You really need to understand tagged vs. untagged to make any of this work.
That diagram is of a "router on a stick." It is not meant to represent your specific network. Just tagged vs. untagged ports.
I'm afraid you're not really answering any of my questions with these responses.
I cannot set the PVID of my port coming directly from my pfsense box to VLAN 20 as that cuts out internet for all my other devices therefore it can't be a correct action.
Given the information I've provided above how do I go about best configuring this?
-
Don't know. You need to configure your switch properly. Until you understand what you're doing there I don't think I can be of much help.
-
Don't know. You need to configure your switch properly. Until you understand what you're doing there I don't think I can be of much help.
I know how to set ports to tagged and untagged - what I am not understanding is when to use U or T and if the ports can be on both LAN1 and VLAN20 at the same time. And also if the PVID of the port needs to be of the VLAN or of the LAN itself.
-
https://www.thomas-krenn.com/en/wiki/VLAN_Basics
You need to familiarize yourself with VLANs. Google all you can.
-
https://www.thomas-krenn.com/en/wiki/VLAN_Basics
You need to familiarize yourself with VLANs. Google all you can.
I've been googling and reading pfsense threads on various reddit/forums for weeks and can't get this to work.
In the link above that you provided my setup is exactly as you see in the 'tagged' example. 2 switches with one physical link/cable between them.
Does that cable which is connecting both switches need to be on both VLANs and be tagged?
-
I was able to get a device to pick up the VLAN IP somehow... but several other devices will not do so.
I also cannot ping the VLAN from other VPN/LAN within pfsense.
EDIT-
Ok - the port I moved over to my VLAN was my Ubiquiti AP and it was serving VLAN IPs to all of the wifi devices that were asking to be served. I've removed that port from my VLAN and now the physical/ethernet devices are still not renewing their IPs through the VLAN.
-
On your switch:
If you have port 15 as "untagged on vlan20" (aka PVID is set to 20), untagged data entering the switch will be tagged as vlan20. That's a similar setup to how DLink websmart switches work too. That setup is normal for a device (e.g. a computer). If pfSense is connected to, for example, port 1 on the switch, then port 1 must be a tagged member of vlan20, because all of the packets from that device are now tagged as vlan20.
On pfSense:
You'll want to ensure that you have firewall rules with full access (while troubleshooting at least) for the vlan20 interface. You may want/need to have a DHCP server (or relay) operating on the vlan20 interface. If you're trying to communicate with other vlans/lans, then both the source (vlan20) and destination (other vlans/lans) interfaces will need to be allowed to talk to each other. So for troubleshooting you could just allow full access (* to *) on vlan20 and the same for the destination vlan/lan (* to * also).
-
I got it working for now.
Thanks guys.
Working on firewall rules at this time.