Help with pfsense + zyxel gs1920 VLAN configuration

  • Hi,

Bear with me as this is my first VLAN setup.

Just got a zyxel gs1920 switch to get VLANs & LACP up on my home network. The need for VLANs basically came with the need to separate different WIFI networks into their own segments. And also when this need arose, I decided to also do all segmenting via VLANs, which earlier was done physically. What I'm trying to achieve is as follows:

    [PFSENSE firewall with 5 vlans configured to LAGG interface]
    ||            (vlan 10,11,12,13,14 created in pfsense, all have own dhcp servers,…2.1..3.1..4.1 all gw ip's pingable from pfsense)
    [ZYXEL GS1920] ports 27, 28 lacp, trunk to pfsense
    ports 26,25 server1 vlan10, vlan 12
    ports 25, 24 server2 vlan10, vlan12
    port 22 wifi ap vlan 11,13,14

    So I have the lagg ports up in zyxel and I can confirm that 802.1Q vlan trunking is working as my 802.1Q wifi access point attached to zyxel port 22 is working ok. Only 1 VLAN/SSID yet configured but clients do get VLAN 11 ip from dhcp and access the internet.

    What I just don't understand is how to configure access ports on the switch for PCs & servers etc. in untagged mode. For example I'm trying to get port 7 to get an ip from VLAN10, unsuccessfully.

    I've tried to create VLAN10 in the switch and add port 7 to it untagged, even though I'm not sure this is the right approach as these VLANs have already been created in pfsense. If I create VLAN11 in the switch, my wifi VLAN11 dies with no internet connectivity:

    GS1920# show vlan
      The Number of VLAN :    3
      Idx.  VID  Status    Elap-Time    TagCtl
      ----  ----  --------  -----------  ---------------------------------------
         1     1  Static      0:00:08    Untagged :1-6,8-20    (I removed ports 21-28 from default vlan1)
                                         Tagged   :

         2    10  Static      0:35:38    Untagged :7
                                         Tagged   :

    I've also tried deleting VLAN 10 from the switch and setting just PVID 10 & untagged on port 7:
    GS1920# show interfaces config  7
      Port Configurations:

    Port No      :7
        Active      :Yes
        Name        :
        PVID        :10            Flow Control    :No
        Type        :10/100/1000M  Speed/Duplex    :auto-1000
        802.1p Priority :0

    I don't seem to understand how an access port / host port should be configured to get proper traffic.
    No matter if I have a Windows 7 client PC connected to port 7 via dhcp or static ip, it cannot get a connection.

    • do I need to do some ip configuration on the switch regarding the vlans, i.e. some kind of gateway problem?
    • am I not understanding something correctly, i.e. that the switch cannot switch from tagged traffic to untagged traffic on some particular port?
    • what kind of VLAN configuration do I have to do in the Zyxel switch if I have created the VLANs already in PFSense?

    I'm lost and have tried all kinds of configurations in the silly zyxel webui  >:( There seems to be no configure terminal option in the switch even though it has ssh.. :/

  • Okay, I happened to make progress

    • At zyxel create all the same vlans: vlan10, 11, 12, 13, 14
    • Vlan configuration -> static vlan
          There are 3 possibilities for a port: normal, fixed, forbidden. Seems like fixed is the way to go:

    Port 7: Normal | Fixed | Forbidden -> Fixed, Tx Tagging unchecked

    • After that, vlan configuration -> vlan port setup
        port 7, pvid 10, untag only

    And I have connection / host port / access port!
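The two posts above boil down to a consistency rule between the switch and pfSense: every VLAN defined on pfSense must exist as a static VLAN on the switch, the LACP uplink ports must be tagged members of each of them, and an access port must be an untagged member of exactly the VLAN its PVID names. The script below is an added example, not code from the thread, from Zyxel or from Netgate: it parses output of the same shape as the `show vlan` table posted above (the sample table, the PVID map, and the port numbers are constructed for the example) and reports the mismatches the original poster ran into, including the "VLAN 11 died after I created it" case, which shows up as the trunk ports not being tagged members of the new VLAN.

```python
"""Audit a Zyxel-style VLAN table against the VLANs defined on pfSense.

Added example for this thread; the sample output and PVIDs below are
constructed, modelled on the 'show vlan' table the original poster showed.
"""
import re
from typing import Dict, List, Set, Tuple

# Constructed 'show vlan' output. VLAN 11 was just created on the switch with
# no member ports at all, which is why wifi traffic on it stops reaching pfSense.
SAMPLE_SHOW_VLAN = """\
GS1920# show vlan
  The Number of VLAN :    3
  Idx.  VID  Status    Elap-Time    TagCtl
  ----  ----  --------  -----------  ------------------------------
     1     1  Static      0:00:08    Untagged :1-6,8-20
                                     Tagged   :
     2    10  Static      0:35:38    Untagged :7
                                     Tagged   :
     3    11  Static      0:01:02    Untagged :
                                     Tagged   :
"""

# Constructed PVIDs (what 'show interfaces config <port>' reports per port).
# Port 9 mirrors the poster's second attempt: PVID set to a VLAN the switch
# does not know about.
SAMPLE_PVIDS = {7: 10, 8: 1, 9: 12}

TRUNK_PORTS = {27, 28}             # LACP uplink to pfSense (assumed port numbers)
PFSENSE_VLANS = {10, 11, 12, 13, 14}  # VLANs defined on the pfSense LAGG

_ROW = re.compile(r"^\s*\d+\s+(\d+)\s+\S+\s+\S+\s+Untagged\s*:\s*(.*?)\s*$")
_TAGGED = re.compile(r"^\s*Tagged\s*:\s*(.*?)\s*$")


def parse_port_list(spec: str) -> Set[int]:
    """Expand a Zyxel port list such as '1-6,8-20' into a set of port numbers."""
    ports: Set[int] = set()
    for chunk in spec.split(","):
        chunk = chunk.strip()
        if not chunk:
            continue
        if "-" in chunk:
            lo, hi = chunk.split("-", 1)
            ports.update(range(int(lo), int(hi) + 1))
        else:
            ports.add(int(chunk))
    return ports


def parse_show_vlan(text: str) -> Dict[int, Tuple[Set[int], Set[int]]]:
    """Return {vid: (untagged_ports, tagged_ports)} from 'show vlan' output."""
    vlans: Dict[int, Tuple[Set[int], Set[int]]] = {}
    current = None
    for line in text.splitlines():
        m = _ROW.match(line)
        if m:
            current = int(m.group(1))
            vlans[current] = (parse_port_list(m.group(2)), set())
            continue
        m = _TAGGED.match(line)
        if m and current is not None:  # the 'Tagged :' line belongs to the row above it
            vlans[current] = (vlans[current][0], parse_port_list(m.group(1)))
    return vlans


def audit(vlans, pvids, trunk_ports, expected_vlans) -> List[Tuple[str, int, int]]:
    """Return (finding, subject, detail) tuples; an empty list means the table is consistent."""
    findings: List[Tuple[str, int, int]] = []
    # 1. Every VLAN that pfSense routes must exist as a static VLAN on the switch.
    for vid in sorted(expected_vlans - set(vlans)):
        findings.append(("missing_vlan", vid, 0))
    # 2. Every non-default VLAN must reach pfSense tagged on each uplink port.
    for vid, (_untagged, tagged) in sorted(vlans.items()):
        if vid == 1:
            continue
        for port in sorted(trunk_ports - tagged):
            findings.append(("trunk_not_tagged", vid, port))
    # 3. An access port's PVID must name an existing VLAN of which it is an
    #    untagged member, and it should be untagged in no other VLAN.
    for port, pvid in sorted(pvids.items()):
        if port in trunk_ports:
            continue
        untagged_in = {vid for vid, (u, _t) in vlans.items() if port in u}
        if pvid not in vlans:
            findings.append(("pvid_vlan_absent", port, pvid))
        elif port not in vlans[pvid][0]:
            findings.append(("pvid_not_untagged_member", port, pvid))
        for vid in sorted(untagged_in - {pvid}):
            findings.append(("untagged_without_pvid", port, vid))
    return findings


def with_trunk_tagged(vlans, trunk_ports, expected_vlans):
    """Copy of the table with every pfSense VLAN present and the uplink tagged in each."""
    fixed = {vid: (set(u), set(t)) for vid, (u, t) in vlans.items()}
    for vid in expected_vlans:
        _untagged, tagged = fixed.setdefault(vid, (set(), set()))
        tagged |= trunk_ports
    return fixed


if __name__ == "__main__":
    table = parse_show_vlan(SAMPLE_SHOW_VLAN)
    for finding in audit(table, SAMPLE_PVIDS, TRUNK_PORTS, PFSENSE_VLANS):
        print(finding)
    print("after tagging the uplink:")
    for finding in audit(with_trunk_tagged(table, TRUNK_PORTS, PFSENSE_VLANS),
                         SAMPLE_PVIDS, TRUNK_PORTS, PFSENSE_VLANS):
        print(finding)
```

On the constructed sample the first audit reports the three VLANs that exist only on pfSense, the uplink ports missing from VLANs 10 and 11 as tagged members, and port 9 whose PVID points at a VLAN the switch does not have. After `with_trunk_tagged` only the port 9 findings remain, which is the remaining step from the second post: make the port a fixed, untagged member of the VLAN its PVID names.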

  • Late to the party here, but thanks for talking through the problem you were having. It helped me with a Zyxel. Appreciate it!!

  • Hi I'm setting up my first pfsense VLANs w/ a GS1920-24 and am having trouble getting it to work.

    I followed a FAQ and created the VLAN in pfsense, assigned it to an interface, then added a DHCP server for that interface. And lastly created an any/all rule for the VLAN. I think that is correct.

    Where I am getting stuck is setting up the VLAN on the switch. I added the VLAN (#2) under static vlan setup. For the router -> switch port I set that to fixed w/ tx tagging.

    Then on the port I am testing on I set that one to fixed (no tx tagging). In my example that is port 17.

    Then under VLAN port setup I set port 17 to PVID 2. When I plug my laptop into that port I get no IP address, just the windows dummy one.

    Does that sound right to you? I must be missing something simple I'm just not seeing it.

    The only other thing that I can think of is that I am running pfsense virtually in Hyper-V, so not sure if I need to do something in the virtual switch to make it work.

    Any help would be appreciated.

  • Netgate Administrator

    Yeah, you will likely need to configure any v-switch in hyper-v to pass vlan 2 to the physical port also. Unless you have a NIC that is passed through to the pfSense VM directly.
