Pfsense + Managed Switch



  • Hi, I've set up pfSense + managed switch VLANs, which is all working fine. The problem is that I can no longer see the managed switches on the network - I've assigned static IP addresses to them by matching the MAC address, but those IP addresses are not accessible. pfSense also shows no configured static or dynamic DHCP leases. I've also nmapped the network, but the managed switches are gone.

    The First Managed Switch contains the following interfaces - note that 1UP is the default "VLAN 1" on all managed switches.

    • GE1: Access Mode, 2UP (VLAN ID 2)
    • GE2: Access Mode, 3UP (VLAN ID 3)
    • GE8: Trunk Mode, 1UP, 2T, 3T (untagged packets marked as 1UP, but tagged VLAN 2 and VLAN 3 also allowed) -> This is the interface connected to the other switch.

    The Second Managed Switch contains the following interfaces:

    • GE1: Trunk Mode, 1UP, 2T, 3T -> This is the interface connected to First Switch, which allows tagged VLAN 2/3.
    • GE2: Access Mode, 2UP (VLAN ID 2)
    • GE3: Access Mode, 3UP (VLAN ID 3)
    • GE8: Trunk Mode, 1UP, 2T, 3T -> This is the interface connected to Pfsense.

    The problem is that the managed switches are no longer visible after assigning the "VLAN2" interface to VLAN 2 and the "VLAN3" interface to VLAN 3. In pfSense, when assigning interfaces, I can choose the following:

    • VLAN 2 on igb2
    • VLAN 3 on igb2

    The switches will be visible if I turn off the VLAN on Pfsense and instead choose the igb2 interface directly:

    • igb2

    Any ideas why I can't see the managed IPs in pfSense? How can I best debug the issue? Turning a managed switch on/off (to try obtaining the IP) is really not a viable option, but on the other hand the managed switches don't have a serial port to which I could connect. Basically I'm looking for any advice about whether I missed something or possibly misconfigured the VLANs.

    Any ideas are welcome,

    Thanks


  • Netgate Administrator

    Probably because the switches' UI is only listening on VLAN 1 (internally) untagged (externally).

    That might be something you can change in a switch setting but many, particularly low end, switches can only ever be accessed on the default VLAN.

    You can assign igb2 directly whilst also assigning VLAN interfaces on it. You need to be sure your switches are not passing untagged traffic incorrectly if you do that, though. Or restrict what can use the igb2 interface.

    Steve



  • Hi,

    I'm using the following brand of switches: http://downloads.linksys.com/downloads/userguide/1224700993654/MAN_LGS308_LGS318_LGS326_LGS308P_LGS318P_LGS326P_8820-01844_RevB01_EN.pdf

    1. Since pfSense is connected to Switch 1 (and consequently Switch 2) on GE8 (Switch 1: 1UP, 2T, 3T) and GE1 (Switch 2: 1UP, 2T, 3T), this means that if untagged traffic enters the switch, it will be marked as VLAN 1, right (because of the 1UP)? If this is the case, I need to send untagged traffic to the switch in order to access it. T

    pfSense -> Switch 1 -> Switch 2

    Besides using the "VLAN 2 on igb2" and "VLAN 3 on igb2" interfaces, can I add another interface and assign it to igb2 - will I be able to see the switches from pfSense then?

    2. I'm not particularly sure what exactly you mean by the following; can you elaborate?

    You need to be sure your switches are not passing untagged traffic incorrectly if you do that though. Or restrict what can use the igb2 interface.

    3. Given the PDF specification, what should I search for to see if I can set the Web UI to a different VLAN? I've also tried searching for how to do this in Google, but I didn't have any success - can you recommend a search query that would work best trying to find this information?

    4. One thing is also interesting: the managed switch requires DHCP when it starts, right? But if the DHCP request is also sent as VLAN 1 (internally) or untagged (externally), why is the switch even able to get a DHCP lease? The more interesting thing is that even after the switch powers up and VLAN 2/3 start working, I cannot see the switches in the pfSense DHCP leases. Any ideas why that is?

    Thank you for taking the time to explain this to me.


  • Netgate Administrator

    If you look at the section 'Access Profile', one of the things you can define is which VLANs are allowed to access the webgui. There is no screenshot, but it's probably set to the default VLAN only.

    Interface—Which ports, LAGs, or VLANs are permitted to access or are denied access to the web-based configuration utility

    Add VLAN 2 or 3, or both, there and you should be able to access the switches without making any other changes.

    We usually recommend you do not have tagged and untagged traffic on the same interface. That is because it's all too easy to misconfigure a switch to pass traffic that ends up untagged on the parent interface, and if that parent is assigned it might be a security issue. It should never happen if the switches are configured correctly, but we have seen switches with bad firmware that pass packets that should never be allowed. Your switches are not ones that I'm aware of having issues, but I've never used them.  ;)

    Steve
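
    The following is an added example, not code from Steve's replies, from Netgate, or from the Linksys manual. It shows on the wire what the two answers above describe: the switch management traffic (VLAN 1, PVID on the trunk) leaves the trunk untagged, so on pfSense it arrives on the bare parent igb2 and is invisible to the "VLAN 2 on igb2" and "VLAN 3 on igb2" interfaces; and a parent that is supposed to carry only tagged VLANs 2 and 3 can be audited for frames that should never be there (untagged, priority-tagged with VID 0, or tagged with a VLAN pfSense has not assigned). The MAC addresses and the sample frames are constructed inline; to audit a real trunk you would capture on the parent with `tcpdump -e -nn -i igb2 -w igb2.pcap` and feed the raw frames to `parse_frame()` through any pcap reader (not included here).

    ```python
    """Classify 802.1Q frames seen on a pfSense parent interface (igb2 in the thread)."""
    import struct
    from dataclasses import dataclass
    from typing import Optional

    ETHERTYPE_VLAN = 0x8100   # 802.1Q tag
    ETHERTYPE_IPV4 = 0x0800
    ETHERTYPE_ARP = 0x0806


    @dataclass
    class Frame:
        dst: str
        src: str
        vlan: Optional[int]   # None = untagged; 0 = priority-tagged (no VLAN membership)
        pcp: int              # 802.1p priority bits from the tag, 0 if untagged
        ethertype: int        # ethertype of the payload after any tag


    def mac_str(b: bytes) -> str:
        return ":".join(f"{x:02x}" for x in b)


    def mac_bytes(s: str) -> bytes:
        return bytes(int(p, 16) for p in s.split(":"))


    def parse_frame(raw: bytes) -> Frame:
        """Decode the Ethernet header and a single 802.1Q tag if one is present."""
        if len(raw) < 14:
            raise ValueError("runt frame")
        dst, src = raw[0:6], raw[6:12]
        (ethertype,) = struct.unpack("!H", raw[12:14])
        vlan, pcp = None, 0
        if ethertype == ETHERTYPE_VLAN:
            if len(raw) < 18:
                raise ValueError("truncated 802.1Q tag")
            tci, ethertype = struct.unpack("!HH", raw[14:18])
            pcp = tci >> 13            # 3-bit priority code point
            vlan = tci & 0x0FFF        # 12-bit VLAN ID
        return Frame(mac_str(dst), mac_str(src), vlan, pcp, ethertype)


    def build_frame(dst: str, src: str, ethertype: int, payload: bytes,
                    vlan: Optional[int] = None, pcp: int = 0) -> bytes:
        """Build a frame, inserting an 802.1Q tag when vlan is given (used for constructed test data)."""
        hdr = mac_bytes(dst) + mac_bytes(src)
        if vlan is not None:
            tci = (pcp << 13) | (vlan & 0x0FFF)
            hdr += struct.pack("!HHH", ETHERTYPE_VLAN, tci, ethertype)
        else:
            hdr += struct.pack("!H", ethertype)
        return hdr + payload


    def audit_parent(frames, allowed_tagged):
        """Findings for frames that should never reach a parent carrying only tagged VLANs.

        allowed_tagged: the VLAN IDs pfSense has assigned on the parent ({2, 3} in the thread).
        Anything untagged, priority-tagged (VID 0) or tagged with another VLAN is reported.
        """
        findings = []
        for f in frames:
            if f.vlan is None:
                findings.append(("untagged", f.src))
            elif f.vlan == 0:
                findings.append(("priority-tagged VID 0 (lands on parent as untagged)", f.src))
            elif f.vlan not in allowed_tagged:
                findings.append((f"unexpected VLAN {f.vlan}", f.src))
        return findings


    # Constructed sample capture: what igb2 might see with the thread's switch config.
    SWITCH_MAC = "02:00:00:00:00:01"   # assumed management MAC of one switch
    HOST_V2 = "02:00:00:00:00:22"      # assumed host on an access port in VLAN 2
    HOST_V3 = "02:00:00:00:00:33"      # assumed host on an access port in VLAN 3
    PFSENSE = "02:00:00:00:00:aa"      # assumed igb2 MAC
    BCAST = "ff:ff:ff:ff:ff:ff"

    SAMPLE = [
        build_frame(BCAST, HOST_V2, ETHERTYPE_ARP, b"\x00" * 28, vlan=2),
        build_frame(PFSENSE, HOST_V3, ETHERTYPE_IPV4, b"\x45" + b"\x00" * 19, vlan=3),
        # Switch DHCP DISCOVER leaving the trunk untagged: its management VLAN is PVID 1 (1UP).
        build_frame(BCAST, SWITCH_MAC, ETHERTYPE_IPV4, b"\x45" + b"\x00" * 19),
        # Priority-tagged frame: carries an 802.1Q header but VID 0, so it belongs to no VLAN.
        build_frame(BCAST, HOST_V2, ETHERTYPE_ARP, b"\x00" * 28, vlan=0, pcp=5),
        # Tagged VLAN 1 should never appear: the trunk is configured to send VLAN 1 untagged.
        build_frame(PFSENSE, HOST_V3, ETHERTYPE_IPV4, b"\x45" + b"\x00" * 19, vlan=1),
    ]


    def audit_sample():
        return audit_parent((parse_frame(r) for r in SAMPLE), allowed_tagged={2, 3})


    if __name__ == "__main__":
        for kind, src in audit_sample():
            print(f"{kind:50} from {src}")
    ```

    The untagged finding from the switch MAC is the normal case the thread is about: it explains why the switch's DHCP request never reaches the VLAN 2/3 interfaces and why assigning igb2 itself makes the switches reachable. The VID 0 and VLAN 1 findings are the "switch passing traffic it should not" situation Steve warns about; if a capture on a parent that is meant to carry only tagged VLANs shows those from anything other than the switches' own management traffic, the switch configuration or firmware needs looking at before the parent is assigned as an interface.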

