Netgate Discussion Forum

    Pfsense firewall micro appliance and Netgear prosafe switch

    Routing and Multi WAN
    5 Posts 2 Posters 1.2k Views
    • Tikiyetti

      Hi all, long time lurker but still noobie so please entertain my ignorance if you can.
      I'm setting up a home lab and currently have this network topology:

      Internet --> Arris Surfboard Modem --> Firewall Micro Appliance (4 ports) --> Netgear ProSafe switch GS724Tv4 (24 ports)

      I've configured the LAN interface on the firewall with some standard firewall rules and enabled the DHCP service on it.
      -Subnet for LAN is 10.11.5.0/24
      -IP addr of LAN is 10.11.5.1
      -IP range: 10.11.5.10 - 10.11.5.35
      -IP of switch is 10.11.5.2

      I've added a VLAN 55 on the switch and made ports 1,2,3,4,5,6 all as tagged members, for starters.
      So port 1 is now tagged for default VLAN 1, and for my custom VLAN 55.

      I connected a cable between the LAN interface on the firewall, to port 1 on the switch.
      Then I cleared the IPv4 adapter settings on my laptop and connected it to port 2 on the switch.

      Should my laptop be getting assigned an ip in the LAN ip space (i.e. 10.11.5.11) automatically now?
      I feel like I might be missing a route on pfSense but not sure what I'd need to add to be perfectly honest.

      Effectively, I want to have a private network off the LAN interface by plugging devices into VLAN 55-assigned ports on the switch, and get provisioned an ip through the DHCP service.

      Looking for nudges in the right direction, good reading resources, etc. Trying to improve my networking knowledge here.
      Let me know if there is any additional information that would be useful.

      Thanks,
      ~Klaus

      • Derelict LAYER 8 Netgate

        > I've added a VLAN 55 on the switch and made ports 1,2,3,4,5,6 all as tagged members
        >
        > Then I cleared the IPv4 adapter settings on my laptop and connected it to port 2 on the switch.
        >
        > Should my laptop be getting assigned an ip in the LAN ip space (i.e. 10.11.5.11) automatically now?

        No. pfSense will be talking to VLAN 1. You need to add VLAN 55 to the pfSense physical interface, then go assign LAN to VLAN 55 on ethX in Interfaces > Assignments.

        You are also plugging your laptop into port 2 which you state is TAGGED for VLAN 55. Your laptop will also have to be configured to TAG for VLAN 55 in that case.

        Generally user ports for user devices are untagged. "Trunk" ports for connecting other VLAN-aware devices (like router ports so-configured, other switches, access points, etc.).

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        • Tikiyetti

          Thank you for the reply. Makes sense. Here's what I did.

          1. Created VLAN 55 with LAN interface as the parent interface.
          Interfaces > Assignments > VLANs
          Add:
          -Parent interface: em1 - lan
          -VLAN Tag: 55

          2. Assigned LAN interface to VLAN 55
          Interfaces > Assignments
          Selected "VLAN 55 on em1" from drop down menu for the LAN interface

          3. Went back into switch and untagged the ports.

          I had set them to tagged initially per this Netgear KB: https://kb.netgear.com/29997/How-to-create-Layer-2-VLANs-on-NETGEAR-ProSAFE-Switches
          Step 7 describes that egress traffic will contain the VLAN id which I thought I needed.

          Anywho, once I did those steps I was no longer able to access the pfSense web configurator even if I statically set my laptop IP to something on the same subnet as the LAN interface. I have a monitor connected to the device though, so I was able to set the LAN interface back to just em1 and get back in. So before I assign LAN back to VLAN 55 again, do I need to add any firewall rules, or do you think I was unable to access it due to a configuration on the switch?

          To be clear, once I saved, I cleared my adapter settings again, connected LAN --> port 1 on switch, and laptop to port 2 on switch.

          Thanks,
          ~Klaus

          • Derelict LAYER 8 Netgate

            You have to TAG from the switch to pfSense on VLAN 55.

            Set the ports to normal devices to UNTAGGED.

            There are LOTS of different ways you can lock yourself out doing this stuff from the interfaces you are trying to change layer 2 on.

            Work back from where you are physically located.

            If you are connected to the switch, change pfSense then the switch.

            If you are connected to the switch through pfSense, change the switch then pfSense.

            Often easier to do it on another interface you are not changing at all.

            • Tikiyetti

              Sorry for delayed response. Was travelling for work.
              So today I was able to tinker with my setup a little more and was able to figure it out with your help. I was missing the PVID setting on my switch.

              I had to:

              1. Configure the VLANs on both the router and switch
              2. Assign specific switch interfaces as members to my VLANs
              3. Set the PVID for the ports I tagged

              Once I did that, I was able to plug my laptop into ports 1-12 and get assigned an ip of 10.11.12.x
              13-18 an ip of 10.11.13.x
              19-24 an ip of 10.11.14.x

              Now onto the rest. Thanks for the great info @Derelict! :D

              Thanks,
              ~Klaus
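
Added example, not part of the thread and not Netgear or pfSense code: a simplified 802.1Q port model that replays the configurations discussed above and shows why a lease only arrives once the uplink is tagged for VLAN 55 and the access port's PVID is 55. The `Port` class, the function names and the switch's VLAN 1 defaults are assumptions made for illustration.

```python
DROP = "drop"      # sentinel: frame is not delivered
UNTAGGED = None    # a frame without an 802.1Q tag

class Port:
    def __init__(self, pvid=1, untagged=(1,), tagged=()):
        self.pvid = pvid               # VLAN given to untagged ingress frames
        self.untagged = set(untagged)  # VLANs sent out without a tag
        self.tagged = set(tagged)      # VLANs sent out with a tag

    def ingress(self, tag):
        """Classify an incoming frame into a VLAN, or DROP it."""
        vlan = self.pvid if tag is UNTAGGED else tag
        return vlan if vlan in self.untagged | self.tagged else DROP

    def egress(self, vlan):
        """Return the tag the frame carries when leaving, or DROP."""
        if vlan in self.untagged:
            return UNTAGGED
        return vlan if vlan in self.tagged else DROP

def forward(src, dst, tag):
    """Tag seen by the device on dst for a frame sent into src with `tag`."""
    vlan = src.ingress(tag)
    return DROP if vlan is DROP else dst.egress(vlan)

def dhcp_works(uplink, access, fw_tag, host_tag=UNTAGGED):
    """True if request and reply each arrive with the tag the receiver expects."""
    request_ok = forward(access, uplink, host_tag) == fw_tag
    reply_ok = forward(uplink, access, fw_tag) == host_tag
    return request_ok and reply_ok

# Constructed scenarios: (uplink port 1, laptop port 2, pfSense tag[, laptop tag]).
SCENARIOS = {
    # LAN on "VLAN 55 on em1", switch ports untagged in 55, PVID left at 1
    "untagged_no_pvid": (Port(1, (1, 55)), Port(1, (1, 55)), 55),
    # uplink tagged for 55, laptop port untagged in 55, PVID left at 1
    "tagged_uplink_no_pvid": (Port(1, (1,), (55,)), Port(1, (1, 55)), 55),
    # uplink tagged for 55, laptop port untagged in 55, PVID 55
    "tagged_uplink_pvid_55": (Port(1, (1,), (55,)), Port(55, (55,)), 55),
    # laptop on a tagged port, with the laptop itself tagging VLAN 55
    "laptop_tags_55": (Port(1, (1,), (55,)), Port(1, (1,), (55,)), 55, 55),
}

def run():
    return {name: dhcp_works(*cfg) for name, cfg in SCENARIOS.items()}

if __name__ == "__main__":
    for name, ok in run().items():
        print(f"{name}: {'DHCP lease' if ok else 'no lease'}")
```

In the `tagged_uplink_no_pvid` case the reply direction is delivered but the request is classified into VLAN 1, which is the one-way failure a missing PVID produces.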

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.