Help with pfsense + zyxel gs1920 VLAN configuration
Bare with me as this is my first VLAN setup.
Just got zyxel gs1920 switch to get VLANs & LACP up on my home network. The need for VLAN's basically came with the need in separating different WIFI networks to their own segments. And also when this need arised, I deciced to also do all segmenting via VLANs which earlier was done physically. What I'm trying to succeed is as follows:
[PFSENSE firewall with 5 vlans configured to LAGG interface])
|| (vlan 10,11,12,13,14 created in pfsense, all have own dhcp servers 192.168.0.1, 192.168.1.1…2.1..3.1..4.1 all gw ip's pingable from pfsense)
[ZYXEL GS1920] ports 27, 28 lacp, trunk to pfsense
ports 26,25 server1 vlan10, vlan 12
ports 25, 24 server2 vlan10, vlan12
port 22 wifi ap vlan 11,13,14
So I have the lagg ports up in zyxel and I can confirm that 802.1Q vlan trunking is working as my 802.1Q wifi access point attached to zyxel port 22 is working ok. Only 1 VLAN/SSID yet configured but clients do get VLAN 11 ip from dhcp and access the internet.
What I just don't understand how to configure access ports to the switch for PC's & Servers etc in untag mode. Like I'm trying for example to get port 7 to get ip from VLAN10 unsuccesfully.
I've tried to create VLAN10 in the switch and add port 7 to it untagged even though I'm not sure is this the right approach as these VLANs have already been created in pfsense? If I create VLAN11 in the switch my wifi VLAN11 dies with no internet connectivity:
GS1920# show vlan
The Number of VLAN : 3
Idx. VID Status Elap-Time TagCtl
–-- ---- --------- ----------- ---------------------------------------
1 1 Static 0:00:08 Untagged :1-6,8-20 (I removed ports 21-28 from default vlan1)
2 10 Static 0:35:38 Untagged :7
I've tried to delete the VLAN 10 from switch and setting just PVID 10 & untagged to the port 7:
GS1920# show interfaces config 7
Port No :7
PVID :10 Flow Control :No
Type :10/100/1000M Speed/Duplex :auto-1000
802.1p Priority :0
I don't seem to understand how an access port / host port should be configured to get proper traffic.
No matter if I have windows 7 client pc connected to port 7 via dhcp or static ip, it cannot get connection.
- do I need to do some ip configuration to the switch regarding the vlans, ie somekind of gateway problem ?
- am I not understanding correctly something that the switch cannot do switching from tagged traffic to untagged traffic on some particular port?
- what kind of VLAN configuration I have to do in Zyxel switch if I have created the VLANs already in PFSense?
I'm lost and tried all kind of configurations in the silly zyxel webui >:( There seems to be no configure terminal option in the switch even it has ssh.. :/
Okay, I happened to make progress
- At zyxel create all the same vlans vlan10, 11, 12, 13, 14
- Vlan configuration -> static vlan
There is 3 possibilities for a port, normal, fixed, forbidden, seems like fixed is way to go:
Port 7 Normal Fixed Forbidden Tx Tagging unchecked
- After that vlan configuration -> vlan port setup
port 7, pvid 10, untag only
And I have connection / host port / access port!
Late to the party here, but thanks for talking through the problem you were having. It helped me with a Zyxel. Appreciate it!!
Hi I'm setting up my first pfsense VLANs w/ a GS1920-24 and am having trouble getting it to work.
I followed a FAQ and I created the VLAN in pfsense, assigned it to a interface, then added a DHCP server for that interface. And lastly created an any/all rule for the VLAN. I think that is correct.
Where I am getting stuck is setting up the VLAN on the switch. I added the VLAN (#2) under static vlan setup. For the router -> switch port I set that to fixed w/ tx tagging.
Then on the port I am testing on I set that one to fixed (no tx tagging). In my example that is port 17.
Then under VLAN port setup I set port 17 to PVID 2. When I plug my laptop into that port I get no IP address, just the windows dummy one.
Does that sound right to you? I must be missing something simple I'm just not seeing it.
The only other thing that I can thing of is that I am running pfsense virtually in Hyper-V so not sure if I need to do something in the virtual switch to make it work.
Any help would be appreciated.
Yeah, you will likely need to configure any v-switch in hyper-v to pass vlan 2 to the physical port also. Unless you have a NIC that is passed through to the pfSense VM directly.