SG 3100 VLAN and Trunks
-
Hi folks,
I just recently purchased a SG 3100 and had a question about vlans and trunking. I followed the guide here http://blog.stefcho.eu/pfsense-on-a-stick-802-1q-trunking-with-pfsense-2-0-rc1-and-mikrotik-routerboard-rb250g-smart-gigabit-switch-with-five-ports-and-swos-v1-5/ and setup the following:- added about 5 vlans (let's use 10, 20,30,40, 50) for our example here; using parent interface LAN
- I then assigned the vlans to the interface
My next question is; How do I define a trunk interface between the PFsense and my connected switch? I have a cable connected from Pfsense (LAN port) to my cisco l3 switch. My config is pretty straightforward:
switch12072d#show run int vlan10
interface vlan 10
name "VLAN 10"
ip address 172.16.10.254 255.255.255.0
no ip proxy-arp
!
switch12072d#show run int gi5
interface gigabitethernet5
description "Trunk Port for vlans"
switchport trunk allowed vlan add 10,20,100
!
switch12072d#Given that I have a vlan with a IP of 172.16.10.2 on the PFsense hardware, I would think that I should atleast be able to ping it but no luck. I added a allow all firewall rule for the LAN and the VLAN 10 rule but no luck either. any ideas? Thanks! - Jay.
-
Assuming you're plugged into the built-in switch on the pfsense:
Go to Interfaces -> Switches -> VLANs
There you should see five ports, all members of the Default System VLAN by default. Ports 1 - 4 are the physical ports; port 5 is the internal uplink port back to the SoC.
First, enable 802.1q VLAN mode, then click Save. You'll see your configured VLANs, with their VLAN group, VLAN tag, and port members.
Edit each VLAN group you want to trunk down to the Cisco switch, and add the physical port and the SoC uplink port (port 5) as tagged members.
If you have any other ports in the built-in switch you want to use as access ports for other VLANs, pop over to the Ports tab and set the Port VID for each one for that VLAN ID, and make sure the port is an untagged member of the VLAN group over in the VLANs tab.
Important: Once you get back to the main VLANs tab, don't save the configuration a second time. This wipes out the configuration and resets it all back to default. Fortunately, all your changes are implemented in real time, and this save button isn't necessary here. This will likely be fixed in an upcoming patch.
In the end, you should see "5t" and "#t" as members of the VLAN groups that you want, indicating both ports are tagged ports. Any untagged ports on those VLANs should show up without the "t".
Edit: If you're using the other OPT port next to the WAN port, this is even easier. Assigning the VLANs to that port under Interfaces -> Assignments should take care of tagging on its own. This is how I do it now with a Cisco SG200 switch on the downstream side. I'm using the built-in switch for a management console.
-
Hi, thanks for your help.
- I did create a vlan 20 using now OPT as the parent address.
- I assigned the OPT interface to VLAN 20. I assigned an IP address to it (172.16.20.1).
- I wen tot he interfaces -> switches -> vlans and configured dot1q and added a new tag for vlan 20 with port 5 (the opt port) as tagged)
- that cable is connected directly from opt port to port 5 on my sg300 switch
- on port 5 on the sg 300 switch, i have the command shown below.
- i can arp out for it but i just can't ping it.
- I opened up firewall rules for any any on both lan and the opt interface but i am not getting any reponse either.
-
I'm trying to get a better idea of how you're cabling it up.
There are three interfaces in the SoC:
mvneta0 (OPT1 port)
mvneta1 (LAN ports)
mvneta2 (WAN port)Port 5 on the built-in switch isn't a physical port on the device - it's an internal port that uplinks LAN1-4 to the SoC.
Forgive me while I try to draw this.
mvneta1 mvneta0 mvneta2 | | | LAN5 | | | | | ---------------------------- | | | | | | | | LAN1 LAN2 LAN3 LAN4 OPT1 WAN
If you're connecting your switch to the OPT1 port, try assigning all your VLANs to the mvneta0 interface.
If you're connecting your switch to one of the LAN# ports, you'll need to assign your VLANs to the mvneta1 interface, and treat LAN5 and LAN# as trunk/tagged ports for all the VLANs you want to use on the downstream switch.
-
Hi, that's exactly right. I have some screenshots in the attached document for clarification. thanks again for your hlep.
-
I think I found something.
Page 2/3, the subnet mask is /32 which doesn't match the mask for the rest of VLAN 20. Change that to /24 and see if that changes anything.
-
Hey, that was it. I found it during my testing as well and was going to comment back. I needed to make that /24 and add ICMP for firewall rules; by default it was on for TCP I believe. Thanks for checking it out and responding!!!
-
Sure thing, glad to help.
-
@joediffiehellman said in SG 3100 VLAN and Trunks:
co switch, and add the physical port and the SoC uplink port (port 5) as tagged members.
If you have any other ports in the built-in switch you want to use as access ports for other VLANs, pop over to the Ports tab and set the Port VID for each one for that VLAN ID, and make sure the port is an untagged member of the VLAN group over in the VLANs tab.
Important: Once you get back to the main VLANs tab, don't save the configuration a second time. This wipes out the configuration and resets it all back to default. Fortunately, all your changes are implemented in real time, and this save button isn't necessary here. This will likely be fixed in an upcoming patch.
In the end, you should see "5t" and "#t" as members of the VLAN groups that you want, indicating both ports are tagged ports. Any untagged ports on those VLANs shouldIs there a way I can have multiple SG 3100 physical LAN ports trunk to my Cisco switch and assign certain VLAN's to certain ports to trunk, or am I only able to have one physical trunk link between the Sg 3100 and Cisco switch passing all VLANs?
-
@mikej47 According to the official documentation of this appliance (source: https://www.netgate.com/docs/pfsense/solutions/sg-3100/io-ports.html ), the latter: LAN1 to LAN4 ports are switched ethernet ports, and as you can see below that, there is the following warning (copied verbatim) : "The LAN ports do not support the Spanning Tree Protocol (STP). Two or more ports connected to another Layer 2 switch, or connected to 2 or more different interconnected switches, could create a flooding loop between the switches. This can cause the router to stop functioning until the loop is resolved."
-
Ok, that makes sense now after trying to configure what I wanted and reading that again.
I will try to assign multiple VLANs to the to the OPT1 mvneta0 and see if they will all trunk downstream to my Cisco switch