Help with pfsense + zyxel gs1920 VLAN configuration
Bear with me as this is my first VLAN setup.
Just got a Zyxel GS1920 switch to get VLANs & LACP up on my home network. The need for VLANs basically came with the need to separate different WIFI networks into their own segments. And also when this need arose, I decided to do all segmenting via VLANs, which earlier was done physically. What I'm trying to achieve is as follows:
[PFSENSE firewall with 5 vlans configured to LAGG interface]
|| (vlan 10,11,12,13,14 created in pfsense, all have own dhcp servers 192.168.0.1, 192.168.1.1…2.1..3.1..4.1 all gw IPs pingable from pfsense)
[ZYXEL GS1920] ports 27, 28 lacp, trunk to pfsense
ports 26,25 server1 vlan10, vlan 12
ports 25, 24 server2 vlan10, vlan12
port 22 wifi ap vlan 11,13,14
So I have the lagg ports up in zyxel and I can confirm that 802.1Q vlan trunking is working as my 802.1Q wifi access point attached to zyxel port 22 is working ok. Only 1 VLAN/SSID yet configured but clients do get VLAN 11 ip from dhcp and access the internet.
What I just don't understand is how to configure access ports on the switch for PCs & servers etc. in untag mode. Like I'm trying for example to get port 7 to get an IP from VLAN10, unsuccessfully.
I've tried to create VLAN10 in the switch and add port 7 to it untagged, even though I'm not sure if this is the right approach as these VLANs have already been created in pfsense? If I create VLAN11 in the switch my wifi VLAN11 dies with no internet connectivity:
GS1920# show vlan
The Number of VLAN : 3
Idx. VID Status Elap-Time TagCtl
---- ---- --------- ----------- ---------------------------------------
1 1 Static 0:00:08 Untagged :1-6,8-20 (I removed ports 21-28 from default vlan1)
2 10 Static 0:35:38 Untagged :7
I've tried deleting VLAN 10 from the switch and setting just PVID 10 & untagged on port 7:
GS1920# show interfaces config 7
Port No :7
PVID :10 Flow Control :No
Type :10/100/1000M Speed/Duplex :auto-1000
802.1p Priority :0
I don't seem to understand how an access port / host port should be configured to get proper traffic.
No matter if I have a Windows 7 client PC connected to port 7 via dhcp or static ip, it cannot get a connection.
- do I need to do some ip configuration on the switch regarding the vlans, i.e. some kind of gateway problem?
- am I not understanding something correctly, that the switch cannot do switching from tagged traffic to untagged traffic on some particular port?
- what kind of VLAN configuration do I have to do in the Zyxel switch if I have created the VLANs already in PFSense?
I'm lost and tried all kinds of configurations in the silly zyxel webui >:( There seems to be no configure terminal option in the switch even though it has ssh.. :/
Okay, I happened to make progress
- At zyxel create all the same vlans vlan10, 11, 12, 13, 14
- Vlan configuration -> static vlan
There are 3 possibilities for a port, normal, fixed, forbidden, seems like fixed is the way to go:
Port 7 Normal Fixed Forbidden Tx Tagging unchecked
- After that vlan configuration -> vlan port setup
port 7, pvid 10, untag only
And I have connection / host port / access port!
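To make the difference between the first attempt and the working setup concrete, here is a small Python model of 802.1Q port membership expressed in the terms the GS1920 web UI uses (static VLAN: Normal / Fixed / Forbidden plus Tx Tagging; VLAN port setup: PVID). It is an added illustration written for this thread, not Zyxel or pfSense code. Port and VLAN numbers follow the original post (LACP trunk on ports 27-28 to pfSense, access port 7 meant for VLAN 10, Wi-Fi AP on port 22 using VLAN 11). One modelling assumption is not stated in the thread: that the trunk and AP ports forward frames for VLANs the switch has no static entry for (the GS1920's per-port "VLAN Trunking" option), which is what reproduces the "creating VLAN 11 on the switch kills Wi-Fi" symptom.

```python
"""Toy model of 802.1Q membership in Zyxel GS1920 web-UI terms.

Constructed example for this thread; not Zyxel or pfSense code.
"""
from dataclasses import dataclass, field

TRUNK_PORTS = (27, 28)   # LAG members towards pfSense, as in the original post


@dataclass
class Port:
    pvid: int = 1                                # VLAN given to untagged ingress frames
    fixed: dict = field(default_factory=dict)    # vid -> True if "Tx Tagging" is checked
    # Assumption (not in the thread): "VLAN Trunking" ports pass frames for
    # VLANs that have no static entry on the switch.
    vlan_trunking: bool = False


class Switch:
    def __init__(self, nports=28):
        self.ports = {p: Port(fixed={1: False}) for p in range(1, nports + 1)}
        self.vlans = {1}                         # static VLAN table; VLAN 1 is built in

    def create_vlan(self, vid, tagged=(), untagged=()):
        """Static VLAN setup: listed ports become Fixed; all others stay Normal (non-members)."""
        self.vlans.add(vid)
        for p in tagged:
            self.ports[p].fixed[vid] = True
        for p in untagged:
            self.ports[p].fixed[vid] = False

    def set_pvid(self, port, vid):
        self.ports[port].pvid = vid

    def ingress(self, port, tag=None):
        """Classify a frame arriving on `port`; return its VLAN, or None if dropped."""
        p = self.ports[port]
        vid = p.pvid if tag is None else tag
        if vid in self.vlans:                    # known VLAN: port must be a Fixed member
            return vid if vid in p.fixed else None
        return vid if p.vlan_trunking else None  # unknown VLAN: pass-through ports only

    def egress(self, port, vid):
        """How `vid` leaves `port`: 'tagged', 'untagged', or None if not forwarded."""
        p = self.ports[port]
        if vid in self.vlans:
            if vid not in p.fixed:
                return None
            return "tagged" if p.fixed[vid] else "untagged"
        return "tagged" if p.vlan_trunking else None

    def forward(self, src, dst, tag=None):
        """End-to-end result for one frame from src port to dst port."""
        vid = self.ingress(src, tag)
        if vid is None:
            return None
        mode = self.egress(dst, vid)
        return None if mode is None else (vid, mode)


def audit(sw):
    """Findings a practitioner wants before plugging hosts in: access VLANs the
    trunk cannot carry, and PVIDs that do not match a port's untagged membership."""
    findings = []
    for num, p in sw.ports.items():
        if num in TRUNK_PORTS:
            continue
        untagged = {v for v, t in p.fixed.items() if not t}
        if untagged and p.pvid not in untagged:
            findings.append(f"port {num}: PVID {p.pvid} is not one of its untagged VLANs {sorted(untagged)}")
        for vid in p.fixed:
            if vid == 1:
                continue
            missing = [t for t in TRUNK_PORTS if sw.ports[t].fixed.get(vid) is not True]
            if missing:
                findings.append(f"VLAN {vid} on port {num} is not a tagged member of trunk ports {missing}")
    return findings


def _fresh():
    """Base state from the post: uplink/AP/host ports taken out of VLAN 1, uplinks pass unknown VLANs."""
    sw = Switch()
    for p in (7, 22) + TRUNK_PORTS:
        del sw.ports[p].fixed[1]
    for p in (22,) + TRUNK_PORTS:
        sw.ports[p].vlan_trunking = True
    return sw


def broken_config():
    """First attempt: VLAN 10 created with only port 7 untagged; trunk ports stay Normal."""
    sw = _fresh()
    sw.create_vlan(10, untagged=[7])
    sw.set_pvid(7, 10)
    return sw


def working_config():
    """Final setup: every VLAN Fixed + tagged on the trunk, port 7 Fixed untagged with PVID 10."""
    sw = _fresh()
    for vid in (10, 11, 12, 13, 14):
        sw.create_vlan(vid, tagged=TRUNK_PORTS)
    sw.create_vlan(10, untagged=[7])          # host / access port
    sw.set_pvid(7, 10)
    sw.create_vlan(11, tagged=[22])           # AP sends its own 802.1Q tags
    return sw
```

Running `audit(broken_config())` reports that VLAN 10 exists on port 7 but is not tagged on the trunk, which is why pfSense's VLAN 10 frames were dropped at port 27/28 ingress, and `broken_config().create_vlan(11)` followed by `forward(22, 27, tag=11)` returns None, matching the Wi-Fi outage the post describes. `audit(working_config())` returns an empty list.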
Late to the party here, but thanks for talking through the problem you were having. It helped me with a Zyxel. Appreciate it!!
Hi I'm setting up my first pfsense VLANs w/ a GS1920-24 and am having trouble getting it to work.
I followed a FAQ and I created the VLAN in pfsense, assigned it to an interface, then added a DHCP server for that interface. And lastly created an any/all rule for the VLAN. I think that is correct.
Where I am getting stuck is setting up the VLAN on the switch. I added the VLAN (#2) under static vlan setup. For the router -> switch port I set that to fixed w/ tx tagging.
Then on the port I am testing on I set that one to fixed (no tx tagging). In my example that is port 17.
Then under VLAN port setup I set port 17 to PVID 2. When I plug my laptop into that port I get no IP address, just the windows dummy one.
Does that sound right to you? I must be missing something simple I'm just not seeing it.
The only other thing that I can think of is that I am running pfsense virtually in Hyper-V so not sure if I need to do something in the virtual switch to make it work.
Any help would be appreciated.
stephenw10 (Netgate Administrator):
Yeah, you will likely need to configure any v-switch in hyper-v to pass vlan 2 to the physical port also. Unless you have a NIC that is passed through to the pfSense VM directly.