Trying to figure out VLANs, 3 LAN's, 1 Ubiquiti AP


  • Banned

    I've never tried VLANs before so I'm assuming I'm making a dumb mistake somewhere.

    What I want to do:
    Add two VLANs, one for Guest use, the other for Internet of Things. I want both of them to be wireless via my Ubiquiti AP.


    My Network:

    pfSense igb3 > Web Managed Switch (SG108E) Port 1 >> Ubiquiti AP AC PRO Port 3    -&-    Desktop Port 7


    What I did:

    • pfSense:

      Created two VLANs and assigned them to igb3:
          Guest: Tag=10, Priority=0
          IoT: Tag=20, Priority=0
      Enabled each VLAN interface, assigned them static IPs, and enabled each of their DHCP servers accordingly:
          Guest: 192.168.10.1/24
          IoT: 192.168.20.1/24
      Added firewall rules to the Guest & IoT interfaces:
          For now, to ensure rules aren't the issue, it's an allow-anything rule

    • Switch (SG108E):

      Enabled 802.1Q VLANs:
          VLAN  1: Default_VLAN / Members: 1-8   / Tagged: - / Untagged: 1-8
          VLAN 10: Guest        / Members: 1,3   / Tagged: 1 / Untagged: 3
          VLAN 20: IoT          / Members: 1,3,7 / Tagged: 1 / Untagged: 3,7

    NOTE: What I'm trying to do is setup two more WiFi SSID's for the Guest VLAN and the IoT VLAN. The AP is on port 3. I would also like to be able to access the IoT VLAN on my desktop on port 7 (but that really isn't important).

    The guide I followed said to assign a PVID to each port for the VLAN I'm using on it. However, I can only assign one PVID to each port. So how does that work when I need to put two VLANs through the same port? Also, from my understanding the PVID is assigning a tag to traffic coming to the switch from the port, so that the traffic is tagged on its way to the tagged port (1). On my Ubiquiti AP, I can select a VLAN tag for each SSID, so why is PVID necessary? TL;DR, I didn't add any PVIDs, every port is the default 1.

    • Ubiquiti AP AC PRO:

      Added a Guest SSID and enabled VLAN tag:
          Selected to use VLAN with VLAN ID: 10
      I haven't added the IoT SSID yet


    The problem: When I try to connect to the Guest SSID, it can't get an IP address. I've tried restarting the DHCP services, resetting state tables, but the problem remains. I'm sure I've screwed this up somehow I just don't know how. Can anyone guide me here?!


  • LAYER 8 Netgate

    Port 3 needs to be untagged on VLAN 1 and tagged on 10 and 20. VLAN tags are how the AP tells the switch what network the traffic from the different SSIDs belongs on.


  • Banned

    Damn that was fast and concise! Thank you!



  • pfBasic,

    I also have never tried VLANs. I'm trying to set up something very similar to what you are, except I have 3 Cisco SLM2008 switches and one Ubiquiti AP AC PRO, and may add one more. I wonder if you'd mind telling me what guide you referred to in your original post?

    The guide I followed

    Thanks,

    Doug


  • Banned

    It was just the one from the manufacturer's website:
    http://www.tp-link.com/us/faq-788.html

    So, what are PVIDs for? Since they aren't needed in this implementation?


  • LAYER 8 Netgate

    Those TPLINK switches are piles of junk imho. You should set the PVID to the same value as the untagged VLAN on the port. You, inexplicably, apparently have to set both. Same with the crappy little netgears.

    Maybe there is something you can do there with asymmetric VLANs and port isolation which is why they make you set both.


  • Banned

    Yeah certainly not top notch products, but they get you VLANs for like $25.



  • John_galt/all,
    I am not sure if this will help you out with switch setup, but I was on the phone with D-Link tech support (2x for an hour) and they walked me through the following configuration for my switch and VLANs. I also use a Ubiquiti Pro. The VLANs are working, that is, I am able to connect to each of the SSIDs wirelessly (I need to do some more study to make sure I have isolated them correctly on my pfSense).

    Some notes:

    • My pfSense box/LAN is connected to eth1 of my switch
    • My UniFi AP is connected to eth2 of my switch (Apple TV is connected to eth3 of the switch)
    • My VLANs 12, 25 and 64 all have separate SSIDs on my Ubiquiti AP Pro (all working)
    • VLAN 38 is for my Apple TV (Apple TV does not support VLANs), not connected to my AP
    • Make sure to input the VLAN ID and check the "Use VLAN with VLAN ID" box in Wireless Networks -> Advanced Options -> VLAN of the UniFi Controller on your computer (can't access this from the mobile app)

    Disclaimers:
    I am by no means an expert!
    Sorry for the rookie screenshots... I manage my network from a dedicated computer with no internet access.

    While your switch might be different I thought this might help with tagging, untagging and member configuration.


  • Thanks for the information pfBasic & Velcro


  • LAYER 8 Global Moderator

    "PVID is assigning a tag to traffic coming to the switch from the port"

    Not sure where you read that.. not really tagging anything.. It's just saying hey, if I see untagged traffic coming into this interface it's going to be on the PVID vlan..

    As Derelict was mentioning.. Maybe there is some odd thing you could do where you set the pvid different than untagged traffic.  Normally setting the pvid would automatically mean that is untagged traffic; why you would have to go in and also say vlan X is untagged, not sure.  Maybe you don't actually have to do that?  I have a gs108ev3 in my av cabinet, I could test that.  But with use of their gui it's no big deal to set untagged vlan same as the pvid.

    The only ports that should have tagged traffic on them would be ports connecting to something that is going to understand the tags and use them.. Ie pfsense, ie uplink to another switch, your AP..

    With your setup vlan 1 should/could be all the ports and untagged.

    You would just set your vlans as tagged on the port connecting to pfsense on the switch and the port connecting to the AP on the switch.



  • Just gone through this with my setup.

    As I understand:

    PVID is used to tag traffic from a vlan unaware source with that vlan tag in the switch.  So if you connected a PC to the switch and put the PVID in as 10 on the port that PC is connected to then that PC would then be on VLAN 10.

    Equipment that is VLAN aware such as your AP does not need the PVID setting as this is tagging the traffic already.  So based on the SSID each packet will get assigned to a VLAN.  This is setup by the WLAN AP

    To get the VLANs to work together you need to be able to get them through the switch.  So you need to tell the switch to expect tagged packets from VLAN aware equipment, so the ports that you attach the WLAN AP to and the one that pfSense is connected to.  You should only need to tag the different VLANs; your untagged normal network shouldn't need to be tagged (i.e. VLAN 1).


  • LAYER 8 Global Moderator

    "PVID is used to tag traffic from a vlan unaware source with that vlan tag in the switch."

    Where are you getting the idea that this tags it??

    Yes this is correct..
    "if you connected a PC to the switch and put the PVID in as 10 on the port that PC is connected to then that PC would then be on VLAN 10."

    But you are the 2nd person in this thread that has associated this with tagging...??  If you're thinking of inside the switch??  Ok, but it's not really "tagged" unless it leaves the switch and the port it leaves on is set to tag that vlan.  If you have a device on port 1 with pvid 10, and a device on port 2 with pvid 10.. These devices will never see any tag when talking to each other.

    Yes, the PVID sets the vlan for what the switch sees coming into that port that does not have a tag on it.. But keep in mind that it's not really tagged; if it helps to think of it as tagged "inside" the switch, ok I guess.  But tagged and untagged really only come into play when entering or leaving the switch..


  • LAYER 8 Netgate

    I am beginning to think that these switches are using "Untagged" for transmitted traffic (remove the tag on traffic sent out that port from this VLAN) and "PVID" for received traffic (Traffic received without a tag on this port is placed on this VLAN) on a port.

    Though I am struggling to think of a scenario where you wouldn't want them both the same under normal circumstances.


  • LAYER 8 Global Moderator

    Agreed, I don't see why you have to actually set the untagged vlan on the port if you're setting the pvid.. Should really be a given they are the same - but I guess it makes it a bit easier to keep track of with their 2 different uis.. They have where you can look at the port's pvid and then you can look at a specific vlan and see the ports being tagged or untagged on that vlan.  So in this case it makes it easy to see that yup, all those ports are in vlan X untagged.


  • LAYER 8 Netgate

    If I thought about it a while I could probably come up with a way to leverage that into multiple broadcast domains downstream (think big wi-fi) with a single layer 3 upstream.

    "Asymmetric VLANs" are sort of a poor-man's Private VLAN.

    I have three ports:

    1 PVID 10 Untagged 10
    2 PVID 10 Untagged 11
    3 PVID 10 Untagged 12

    I put pfSense on port 1.

    Broadcasts from ports 2 and 3 reach pfSense but not each other

    So 2 cannot communicate with 3, 3 cannot communicate with 2, but both can communicate with 1. Ports 2 and 3 are on separate VLANs but both egress the switch untagged.

    Unexplained is broadcasts from port 1 to ports 2 and 3 in that case, however.
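The PVID/tagged/untagged discussion above, and Derelict's three-port asymmetric example, can be checked against a small model of how an 802.1Q switch classifies a frame on ingress (untagged frames go on the PVID; tagged frames are accepted only on VLANs the port is a member of) and what leaves each egress port (tagged, untagged, or nothing at all for non-members). This is an added example written for this thread, not code from any poster or from TP-Link; the port numbers and VLAN IDs are taken from the original post, and the behaviour of the model (in particular strict ingress filtering) is an assumption, not a statement about what the SG108E firmware does.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class Port:
    """One switch port: its PVID plus the VLANs it carries tagged / untagged."""
    pvid: int = 1
    tagged: set = field(default_factory=set)
    untagged: set = field(default_factory=set)

    def member_of(self, vlan: int) -> bool:
        return vlan in self.tagged or vlan in self.untagged


@dataclass
class Frame:
    src_port: int
    tag: Optional[int] = None  # None: the frame arrived without an 802.1Q tag


class Switch:
    def __init__(self, ports: Dict[int, Port]):
        self.ports = ports

    def classify(self, frame: Frame) -> Optional[int]:
        """Ingress: untagged frame -> PVID; tagged frame keeps its VLAN only if
        the port is a member of it, otherwise it is dropped (assumed ingress filtering)."""
        port = self.ports[frame.src_port]
        if frame.tag is None:
            return port.pvid
        return frame.tag if port.member_of(frame.tag) else None

    def flood(self, frame: Frame) -> Dict[int, Optional[int]]:
        """Broadcast forwarding. Returns {egress_port: tag on the wire}; None means
        the frame leaves untagged. Non-member ports never see the frame."""
        vlan = self.classify(frame)
        out: Dict[int, Optional[int]] = {}
        if vlan is None:
            return out
        for num, port in self.ports.items():
            if num == frame.src_port:
                continue
            if vlan in port.tagged:
                out[num] = vlan
            elif vlan in port.untagged:
                out[num] = None
        return out


def on_wire(out: Dict[int, Optional[int]], port: int) -> str:
    if port not in out:
        return "dropped"
    return "untagged" if out[port] is None else f"tagged {out[port]}"


def eight_ports() -> Dict[int, Port]:
    """Factory-style default: every port PVID 1, untagged on VLAN 1."""
    return {n: Port(pvid=1, untagged={1}) for n in range(1, 9)}


def guest_dhcp_exchange(ap_port_tagged: bool) -> Tuple[str, str]:
    """Guest SSID on the AP (port 3) sends a DHCP request tagged VLAN 10; pfSense
    (port 1, tagged 10 and 20) answers on VLAN 10. Returns how the request reaches
    pfSense and how the reply reaches the AP."""
    ports = eight_ports()
    ports[1].tagged = {10, 20}
    if ap_port_tagged:
        ports[3].tagged = {10, 20}        # Derelict's fix: untagged 1, tagged 10 and 20
    else:
        ports[3].untagged = {1, 10, 20}   # original post: port 3 untagged on 10 and 20
    sw = Switch(ports)
    request = sw.flood(Frame(src_port=3, tag=10))
    reply = sw.flood(Frame(src_port=1, tag=10))
    return on_wire(request, 1), on_wire(reply, 3)


def desktop_on_iot() -> str:
    """VLAN-unaware desktop on port 7: PVID 20 + untagged 20 puts its untagged
    frames on the IoT VLAN, and they reach pfSense carrying tag 20."""
    ports = eight_ports()
    ports[1].tagged = {10, 20}
    ports[7] = Port(pvid=20, untagged={20})
    return on_wire(Switch(ports).flood(Frame(src_port=7)), 1)


def asymmetric() -> Dict[int, list]:
    """Derelict's three-port example: every port PVID 10, each untagged on a
    different VLAN. Returns, per source port, which ports hear its broadcast."""
    ports = {
        1: Port(pvid=10, untagged={10}),  # pfSense
        2: Port(pvid=10, untagged={11}),
        3: Port(pvid=10, untagged={12}),
    }
    sw = Switch(ports)
    return {src: sorted(sw.flood(Frame(src_port=src))) for src in ports}


if __name__ == "__main__":
    print("original port 3 config:", guest_dhcp_exchange(False))
    print("port 3 tagged 10/20   :", guest_dhcp_exchange(True))
    print("desktop with PVID 20  :", desktop_on_iot())
    print("asymmetric broadcasts :", asymmetric())
```

With port 3 untagged on VLAN 10, the model delivers pfSense's DHCP reply to the AP with the tag stripped, so the AP has no way to map it back to the Guest SSID; with port 3 tagged on 10 and 20 the reply arrives as `tagged 10`. In the asymmetric case, broadcasts from ports 2 and 3 reach port 1 only, and under strict membership a broadcast from port 1 (VLAN 10) reaches nobody, which is exactly the return-path question the post leaves open.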


  • Banned

    Derelicts instructions were exactly what I needed, all is working.

    I didn't ever do anything with PVIDs, they are all set to the default VLAN 1. The discussion here helped me understand what they are used for. Thank you to all!


  • LAYER 8 Global Moderator

    You really need to change the pvid from 1 if you're going to put a port into an untagged vlan.  If you're only using it for, say, an uplink to pfsense that does the vlans and/or an AP, then no, there is no reason to change the pvid if you're going to use vlan 1 (default) as your main network with all devices on the switch being in vlan 1.


  • Banned

    Setup has pfSense on port 1,

    The AP in on the switch

    A desktop PC

    And an HTPC

    Everything is currently working. How should I change the PVIDs and why?


  • LAYER 8 Global Moderator

    You shouldn't unless you need/want to.. You mean your switch is your AP?

    "The AP in on the switch"

    Are you using some old wifi router with a built-in switch as your AP? The native firmware of these rarely supports vlans on the switch ports.  Now if running some 3rd party firmware on it and the hardware supports it, then sure you can do vlans.

    You can use vlan 1 just fine; it's common practice in an enterprise/work network not to use vlan 1.  But in a home/lab/smb there is no reason why you can not just use the default vlan 1 as your main vlan.

    Your PC and HTPC are connected to your switch.. If you don't want these on the main vlan, then you would change the pvid of those ports.


  • Banned

    Ok great thanks. The switch is a web managed switch. The AP is a Ubiquiti connected to the switch


  • Banned

    So on this same setup I have a question.

    I'm getting some Rx Bad Packets on the switch (TP-Link SG-108E).

    Cables are good, interfaces are good, VLANs are causing the problem. If I disable the VLAN, then 0 Bad Packets.

    I've attached screenshots of my current config, is this correct?
    -No Flow Control
    -No Storm Control
    -No Bandwidth Limiting
    -YES IGMP Snooping

    Bad Packets are pretty low right now
    ~0.04% on Port 1 (pfSense)
    ~0.003% on Port 3 (Ubiquiti AP)

    But earlier it was ~1% on Port 1 and ~2% on Port 3.

    Everything is working, but my Ubiquiti AP AC PRO seems slow. About the best I can get out of it is between 160-200Mbps via iPerf on an S7 Edge (AC, MIMO) on a clean channel with excellent reception. I got better performance out of a TP-Link as an AP.

    I would assume this is not a pfSense problem as the AP & S7 are on the same LAN (S7 is not on VLAN), also there are no dropped packets on any interface in pfSense.

    Any suggestions on speeding up the wifi are appreciated. Ubiquiti support asked for Speedtest results to test my performance after I sent them iperf results... They ultimately just recommended replacing the AP. I did exchange it, but the performance is the same.


  • LAYER 8 Netgate

    Not sure what to tell you there:

    sg300-223#sh interface counters gig 46

    Port      InUcastPkts  InMcastPkts  InBcastPkts      InOctets
    --------- ------------ ------------ ------------ -------------
    gi46        2147428356      5953624      1534156 1958781584609

    Port      OutUcastPkts OutMcastPkts OutBcastPkts     OutOctets
    --------- ------------ ------------ ------------ -------------
    gi46        1385816636     39047110     10667840  275780164044

    Alignment Errors: 0
    FCS Errors: 0
    Single Collision Frames: 0
    Multiple Collision Frames: 0
    SQE Test Errors: 0
    Deferred Transmissions: 0
    Late Collisions: 0
    Excessive Collisions: 0
    Carrier Sense Errors: 0
    Oversize Packets: 0
    Internal MAC Rx Errors: 0
    Symbol Errors: 0
    Received Pause Frames: 0
    Transmitted Pause Frames: 0

    That is a tagged interface to an SG-2440 igb NIC.

    For sure the errors between the AP and the switch have zero to do with the firewall.


  • Banned

    @Derelict:

    For sure the errors between the AP and the switch have zero to do with the firewall.

    Yeah, I was just hoping I'd misconfigured something simple on the switch that would be easy for someone else to spot.


  • LAYER 8 Netgate

    I am seeing the same sort of thing on the other side of the MoCA 2 here. Not quite sure what that's about yet. Port 1 is the MoCA adapter (untagged + tagged), port 8 is the Ruckus 7372 (tagged). All the other connected ports are simple untagged ports and should be completely clean. The MoCA 2 adapters aren't really dot1q but seem to handle the frame sizes just fine. The one up here on the cisco sg300 is completely clean.

    Might have to put a brocade down there for a while so I can see what's really going on. It's a dlink right now.



  • Banned

    Well I honestly don't know what a bunch of the stuff you said is, but some googling tells me that a MoCA is Multimedia over Coax.

    The closest thing I have to that on my network is the PoE injector, which really isn't close to that at all haha. Could the PoE injector be causing problems?

    My assumption was that the switch was the problem, considering that it's the weakest (cheapest) link in the network. I've been looking around eBay to see if I could pick up a better used switch for cheap, but haven't found one yet.

    Could these packet issues be related to my Ubiquiti AP slow wifi?

    The bad Rx packets are up to ~1.4% on the AP port (#3) now, but still at ~0.097% for the pfSense port (#1).


  • LAYER 8 Global Moderator

    "between 160-200Mbps via iPerf on an S7 Edge (AC, MIMO) on a clean channel with excellent reception"

    Between what and what?  What is the client, what is the server for your iperf test?

    What exactly is connected to ports 1 and 3??  Your AP?  How are they configured for your vlans?

    edit:  Just ordered one of these switches.  It was only $30 and I can replace the dumb switch I am using for my raspberry pis with it ;)  Or change out my netgear in the AV cabinet.. But having it around will allow me to test both the lowend netgear GS108Ev3 and this TL-SG108E; there seem to be lots of people using them here..

    So couple of days and I will connect it to my unifi APs that are doing vlans using poe injectors so will be able to duplicate your setup.  I see no errors on my sg300 or my netgear that my AP are currently connected to.


  • Banned

    With the iPerf test I've seen pretty consistent results with multiple setups.

    I've tried S7 Edge as client and server connected to both a desktop and laptop on wired connections (both desktop & laptop have Intel NICs and get full gigabit ~944 Mbps iPerf between one another).

    The topology is:

    S7 Edge (5GHz VHT 80) <> Ubiquiti AP AC PRO (Cat 7<>Injector<>Cat 6) <> SG-108E (Port 3) <> SG-108E (Port 7) <> Desktop or Laptop Intel NIC (Cat 6)

    VLAN setup on the switch in the screenshots of this post: https://forum.pfsense.org/index.php?topic=129420.msg714891#msg714891

    VLAN setup on pfSense attached to this post. DHCP servers, firewall rules have been setup and both VLANs seem to be working fine. I don't know if I can misconfigure them in such a way that they route and access the internet but are still wrong, other than firewall rules but I've tried with allow any rules?

    I'm looking forward to seeing how a similar setup works for you!

    It's possible that the issues I'm having with both Bad Rx Packets and slow wifi stem from the Ubiquiti AP, but I've tried two different units so I kind of don't think so?



  • LAYER 8 Global Moderator

    Will be happy to duplicate your tests for sure.. Looks like the switch should be here tues.. I can fire up something and test current setup.  I have Pro, LR and lite I can test.. I max out my 80mbps internet connection.. So I haven't tested what I see normally wifi to wired.. But pretty sure last time I tested it was over 400mbps..

    Just had to grab the 3rd underworld - we were going to watch the last one and seems we missed the one in 2012 ;)  Sunday Funday and all..


  • LAYER 8 Netgate

    I have not connected another switch down there yet but tested throughput across the MoCA bridges yesterday. Was getting a solid 750-800Mbit/sec between my Mac Mini and MBP using iperf3 TCP. Errors were not incrementing in any relevant manner during the tests.

    I think these switches might be counting something as an error that the beefier switches understand even though there is really nothing wrong. STP perhaps?

    I watched a mirror port off the dlink for a while and didn't see anything obvious.


  • Banned

    @Derelict:

    I think these switches might be counting something as an error that the beefier switches understand even though there is really nothing wrong. STP perhaps?

    That makes sense. Googling finds that there are other people having the same issue (BadRxPackets with VLAN enabled on SG-108E).
    http://forum.tp-link.com/showthread.php?83046-High-RxBadPkt-on-TL-SG108E


  • LAYER 8 Netgate

    It would not surprise me if all of these crappy little switches used the same basic chipset.

    All of the guis basically look the same.

    I just cracked a DGS-1100-08 and it's under a heatsink. It was only $35 but I don't feel like burning it.


  • Banned

    So I swapped to a zyxel GS1900-8HP and all is working without errors and BadRxPackets (almost).

    Now I can access clients across VLANs (and subnets).

    There are 4 VLANs on the switch and 2 on pfSense (I'm fairly certain this has nothing to do with pfSense config but I thought I'd mention it just in case).
    VLANs:

     1: Default - SWITCH
    10: Guest   - SWITCH + PFSENSE
    20: IoT     - SWITCH + PFSENSE
    99: UNUSED  - SWITCH

    All used ports are UNTAGGED on VLAN 1

    Port 3 (WAP) & Ports 1+2 (PFSENSE, [LACP LAGG]) are TAGGED on VLAN 10 and VLAN 20

    All unused ports are UNTAGGED on VLAN 99

    What am I doing wrong here? Should I not TAG the LACP LAGG to pfSense and just TAG port 3(WAP) traffic?


  • LAYER 8 Netgate

    You didn't say what isn't working. All you said is everything is working.


  • Banned

    @pfBasic:

    Now I can access clients across VLANs (and subnets).

    Sorry, I should have clarified.

    This is what I meant.

    The main reason I want VLANs is to segregate traffic.

    Right now I can access clients in VLAN 20 while connected to a client on VLAN 10.
    My understanding is that I shouldn't be able to cross VLANs? So I'm assuming that I'm messing up the configuration on this.

    I also took a look at my State Table.

    If I connect to my Guest Wifi (VLAN 10) and try to connect to a client on my IoT subnet (VLAN 20) I can.
    When I go to the Guest interfaces firewall rules, and click the state table for the allow any any any rule there is a state between the two clients crossing subnets and VLANs.



  • Without reading all the history of this long thread, I will just say that you need to look at the rules on each VLAN interface in pfSense.

    If you have a "pass all" rule on an interface, then the firewall will allow all traffic originating on that interface - going to "the public internet" and to other subnets/VLANs/real LANs/... that are local to the firewall.

    If you want to stop the local connections and allow public internet access, then you will need a smarter rule set, e.g. put a block rule with source any, destination "the local subnets you want to block from reaching". Then have a "pass all" rule after it to let everything else out.
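The rule-ordering point in the reply above (rules are evaluated on the interface the traffic enters, top to bottom, first match wins, and anything unmatched hits the implicit deny) is easy to get wrong, so here is a small model of a pfSense-style interface rule set run against the thread's own subnets. This is an added example for this thread, not pfSense code and not something any poster wrote; the addresses (192.168.1.0/24 LAN, 192.168.10.0/24 Guest, 192.168.20.0/24 IoT, the 198.51.100.10 "internet" host) are constructed from the original post, and the extra pass rule for the Guest interface's own address is an assumption added so DNS and the gateway on pfSense itself stay reachable when the whole local range is blocked.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence


@dataclass
class Rule:
    """One interface rule. src/dst are networks the address must fall in (a tuple
    behaves like a pfSense alias holding several networks); None means 'any'."""
    action: str                              # "pass" or "block"
    src: Optional[Sequence[str]] = None
    dst: Optional[Sequence[str]] = None

    @staticmethod
    def _in(nets: Optional[Sequence[str]], ip: str) -> bool:
        if nets is None:
            return True
        addr = ipaddress.ip_address(ip)
        return any(addr in ipaddress.ip_network(n) for n in nets)

    def matches(self, src_ip: str, dst_ip: str) -> bool:
        return self._in(self.src, src_ip) and self._in(self.dst, dst_ip)


def evaluate(rules: List[Rule], src_ip: str, dst_ip: str) -> str:
    """Rules belong to the interface the traffic enters on and are walked top
    to bottom; the first match decides and later rules are never looked at.
    No match falls through to the implicit default deny."""
    for rule in rules:
        if rule.matches(src_ip, dst_ip):
            return rule.action
    return "block"


# Constructed addressing matching the thread: LAN, Guest (VLAN 10), IoT (VLAN 20).
LOCAL_SUBNETS = ("192.168.1.0/24", "192.168.10.0/24", "192.168.20.0/24")
GUEST_GATEWAY = ("192.168.10.1/32",)      # pfSense's own address on the Guest VLAN

# Candidate rule sets for the Guest interface.
PASS_ALL = [Rule("pass")]                  # the "allow anything" rule from the post
SEGREGATED = [
    Rule("pass", dst=GUEST_GATEWAY),       # assumption: keep DNS/gateway on pfSense reachable
    Rule("block", dst=LOCAL_SUBNETS),      # guests may not reach any local subnet
    Rule("pass"),                          # everything else (the internet) is allowed out
]
WRONG_ORDER = [Rule("pass"), Rule("block", dst=LOCAL_SUBNETS)]   # block is never reached


def guest_outcomes(rules: List[Rule]) -> Dict[str, str]:
    """What a Guest client (192.168.10.50) may reach under a given rule set."""
    targets = {
        "iot host": "192.168.20.5",
        "lan host": "192.168.1.10",
        "guest gateway": "192.168.10.1",
        "internet": "198.51.100.10",
    }
    return {name: evaluate(rules, "192.168.10.50", ip) for name, ip in targets.items()}


if __name__ == "__main__":
    for label, rules in (("pass all", PASS_ALL), ("segregated", SEGREGATED), ("wrong order", WRONG_ORDER)):
        print(f"{label:12s}", guest_outcomes(rules))
```

`PASS_ALL` lets the Guest client reach the IoT host, which is the state the thread describes; `SEGREGATED` blocks the two local hosts while still passing the gateway and the internet; `WRONG_ORDER` has the same two rules but the pass-all on top, so the block rule is dead and the leak is back.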


  • Banned

    Hmm, I didn't think a pass all rule on an interface would allow traffic to route between different VLANs and subnets.

    I also didn't really think of this traffic as "originating" at the interface. It has to first pass through the switch, which is assigning VLANs, before it can get to the pfSense interface. I've pretty much just thought of the pfSense firewall interface as the last place traffic goes before heading either to the internet or a different interface.

    What's the point of VLANs or subnets then? From my understanding I could have two (or many more) VLANs, an allow any rule for each of them, but not have any of them be able to contact one another so long as they were all on separate VLANs.

    I also expected most if not all of this client to client traffic on my network to be happening at the switch, not the firewall/router.

    This doesn't seem correct but it's late, and I obviously am having issues understanding this anyway. I'll head to bed and see if this makes more sense tomorrow.


  • LAYER 8 Global Moderator

    "hmm, I didn't think a pass all rule on an interface would allow traffic to route between different VLANs and Subnets. "

    What did you think it would do exactly?  ???

    If you don't want vlan A talking to vlan B, then put in the rules to stop that..

    "I also expected most if not all of this client to client traffic on my network to be happening at the switch, not the firewall/router. "

    Do you have an L3 switch doing the routing?  Then how would vlan A talk to vlan B without routing - that is not done at a switch, that is done at a router.. If you need to route at the switch then you need an L3 switch (router)..

    You can allow or block whatever traffic you want between your vlans - but you have to create the rules to do so, any any is just routing not firewall..

    Rules are evaluated as traffic enters an interface, first rule to trigger wins no other rules are evaluated.  If you don't want vlan A talking to vlan B, then on vlan A interface block A from going to B.. Its that simple!!

    "LACP LAGG to pfSense"

    What exactly are you trying to accomplish with your lag?  Are you really worried about cable/port failing that you need failover?  Lagg is not 1+1=2, it's just 1 and 1..  You seem to have a lack of basic understanding of layer 2 and 3.. So I am thinking you're not actually sure what lacp does either.. Or when it makes sense to lag.. I find it almost impossible to consider this something you would need to do in a home setup.. How many clients do you have exactly?  Your internet connection is how fast?  Why would you need/want to lag into pfsense??



  • @pfBasic:

    I also didn't really think of this traffic as "originating" at the interface.

    Technically you are correct. I could have worded it a bit better - "traffic originating from a client device downstream of/attached to the interface" might be clearer?

    And what @johnpoz says.

    There has to be a way for the firewall admin to allow traffic between 2 local interfaces (whether separate physical ethernet ports or VLANs). A "pass all" rule is one way to achieve all of that quickly.


  • Banned

    Well, unsurprisingly I completely and fundamentally misunderstood (and still misunderstand) how all of this works, and the experienced users on the forum pointed me in the right direction.

    Thank you to all of you for your help. I already posted the "Thank you" for the thread but applauds for all, haha!

    I adjusted the firewall rules and all is well.


  • Banned

    @johnpoz:

    "hmm, I didn't think a pass all rule on an interface would allow traffic to route between different VLANs and Subnets. "

    What did you think it would do exactly?  ???

    If you don't want vlan A talking to vlan B, then put in the rules to stop that..

    "I also expected most if not all of this client to client traffic on my network to be happening at the switch, not the firewall/router. "

    Do you have an L3 switch doing the routing?  Then how would vlan A talk to vlan B without routing - that is not done at a switch, that is done at a router.. If you need to route at the switch then you need an L3 switch (router)..

    You can allow or block whatever traffic you want between your vlans - but you have to create the rules to do so, any any is just routing not firewall..

    Rules are evaluated as traffic enters an interface, first rule to trigger wins no other rules are evaluated.  If you don't want vlan A talking to vlan B, then on vlan A interface block A from going to B.. Its that simple!!

    **"LACP LAGG to pfSense"

    What exactly are you trying to accomplish with your lag?  Are you really worried about cable/port failing that you need failover?  Lagg is not 1+1=2, it's just 1 and 1..  You seem to have a lack of basic understanding of layer 2 and 3.. So I am thinking you're not actually sure what lacp does either.. Or when it makes sense to lag.. I find it almost impossible to consider this something you would need to do in a home setup.. How many clients do you have exactly?  Your internet connection is how fast?  Why would you need/want to lag into pfsense??**

    Thank you for your reply!

    As for the LACP LAGG, I have no use for it now. I really just tried to turn it on on my TP-Link switch just to mess around with something new. It didn't work on the TP-Link switch so I tried it again on this switch and it worked right away.

    There's nothing on my network that would make use of an LACP LAGG right now, and there may not ever be. I may very well just put it back to one port. It was really just messing around.

    As far as my current understanding of how the LACP LAGG works, I'll write it out here because I wouldn't be the least bit surprised if I was wrong.

    LACP LAGG would balance load between two full duplex Ethernet ports, creating one etherchannel from the switch to pfSense. The benefit would only be local, as I don't have a >gigabit WAN, and would probably very rarely if ever be realized on a small home network.
    About the only time I could think of it being utilized would be multiple clients transferring large files to/from a NAS that also had an LACP LAGG configured on it, so that basically more than 1 client could get full gigabit speeds at a time.

    Is that description even close? If not please set me straight.

    Again, I only set up the LAGG out of curiosity and likely won't keep it enabled because at this point all it's doing (in my understanding) is keeping power applied to two ports that I don't need on. Even with a high speed NAS I doubt I would get significant improvements on an LACP LAGG on my small home network.

