VLAN question



  • Hi. I’ve been running pfSense for a couple of years now and decided to play around with VLANs just to learn more and, in the end, improve my network.  I bought a couple of different switches to evaluate (Cisco SG200-08 and a TP-Link SG108E).  I set up a quick VLAN for printers (which happened to be connected to the TP-Link SG108E) just to test things out.  It’s VLAN 90.  So… after setting everything up and power cycling the printers so they would pick up new addresses, I can see that the printers are correctly assigned 192.168.90.90 and 192.168.90.91.  I can ping the addresses.  I can print to the devices as well.  But… I did not set up any rules on the VLAN90 interface.  In fact, if I set up a rule to block all IPv4 traffic on the VLAN 90 interface, nothing gets blocked.  The rules have no effect.  If however I go to the LAN interface and block traffic destined for VLAN90 there, then I can’t ping the printers.
    It appears as though the VLAN 90 traffic never gets to the VLAN 90 interface.  Everything seems to go to the LAN interface and gets passed or blocked there.  Am I expecting the wrong behavior?  Shouldn’t I be able to control VLAN90 traffic via rules for that interface?



  • and a TP-Link SG108E

    Bad choice.  TP-Link switches, at least the cheap ones, don't handle VLANs properly.



  • @JKnott:

    and a TP-Link SG108E

    TP-Link switches, at least the cheap ones, don't handle VLANs properly.

    That makes me feel better. I was contemplating whether to give them another $14 to go from a dumb switch to a web-managed one with VLAN support, but decided to save the $ and wait until I really need the new features.



  • ^^^^
    Apparently, the low price switches from other makes are OK.  It's just TP-Link that has the problem.  Of course, if you have your eye on a switch or other gear, it wouldn't hurt to ask here about it.  BTW, I have a TP-Link access point that has the same problem keeping VLANs separate.  I also have the 5 port version of that TP-Link switch, but don't use VLANs with it, so it doesn't cause a problem for me.



  • I removed the TP-Link smart switch and replaced it with the Cisco SG200-08.  I get the same results as before.
    In summary, I've set up a VLAN 90 with 2 printers on it, but the traffic never seems to get to the VLAN 90 interface in pfSense.  I can block VLAN 90 traffic at the pfSense LAN interface, but the rules don't seem to matter at the VLAN 90 interface.  For example, I can ping 192.168.90.90 (a printer) no matter what the rule at the VLAN 90 interface is (e.g., block all).  I CAN however block VLAN 90 traffic at the pfSense LAN interface for traffic destined to VLAN 90.  What could be the problem? My goal is not to block traffic to the printers.  I am just testing the setup with a block-all rule and discovering that the VLAN 90 traffic does not seem to reach the pfSense VLAN 90 interface.



  • @slimypizza:

    I removed the TP-Link smart switch and replaced it with the Cisco SG200-08.  I get the same results as before.

    That's as expected.
    Rules apply where traffic enters an interface / "the pfSense box".
    On your VLAN90 rules tab you control where traffic from VLAN90 hosts may go to - NOT how they can be accessed.
    Traffic from LAN to VLAN90 is controlled on the LAN rules tab, and only there (except for floating rules).

    And yes, this particular TP-Link switch is a bad choice. Others perform as expected (I have multiple TL-SG3210s but prefer Cisco SG300 or SG350 now).

    Some users seem quite happy with the D-Link DGS-1100-08: "$30 for an 8-port D-Link DGS-1100-08 would have been better money spent."
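As an added illustration (not code from this thread and not pfSense's own implementation), the following Python model reproduces just the two behaviours the reply above relies on: a packet is evaluated against the rule set of the interface it enters the firewall on, and a passed packet creates a state that lets the reply back in without consulting the reply interface's rules. The interface names, subnets (LAN 192.168.1.0/24, VLAN90 192.168.90.0/24), the LAN host 192.168.1.50 and the rule sets are constructed to mirror the thread; mapping a packet to its ingress interface by source subnet is a simplification of this model, not pfSense behaviour.

```python
"""Toy model of stateful, ingress-interface firewall rule evaluation.

Illustrative only: this is NOT pfSense code. It models two properties:
  1. a packet is matched, first-match, against the rules of the interface it
     ENTERS on; with no match it is dropped (default deny);
  2. a matching pass rule creates a state, and reply packets of that flow are
     passed on the reply interface without evaluating that interface's rules.
Addresses, interface names and rules below are constructed for the example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple
import ipaddress


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str  # e.g. "icmp" or "tcp"


@dataclass
class Rule:
    action: str                 # "pass" or "block"
    proto: Optional[str] = None  # None = any protocol
    dst: Optional[str] = None    # destination CIDR, None = any

    def matches(self, pkt: Packet) -> bool:
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.dst is not None and ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst):
            return False
        return True


class Firewall:
    def __init__(self, interfaces: Dict[str, str]):
        # interface name -> attached subnet (simplification: ingress interface
        # is inferred from the packet's source subnet)
        self.networks = {n: ipaddress.ip_network(c) for n, c in interfaces.items()}
        self.rules: Dict[str, List[Rule]] = {n: [] for n in interfaces}
        self.states: Set[Tuple[str, str, str]] = set()

    def ingress_interface(self, pkt: Packet) -> str:
        src = ipaddress.ip_address(pkt.src)
        for name, net in self.networks.items():
            if src in net:
                return name
        raise ValueError(f"no interface for source {pkt.src}")

    def process(self, pkt: Packet) -> Tuple[str, str]:
        """Return (verdict, reason) for one packet, updating the state table."""
        iface = self.ingress_interface(pkt)
        flow = (pkt.proto, pkt.src, pkt.dst)
        reverse = (pkt.proto, pkt.dst, pkt.src)
        if flow in self.states or reverse in self.states:
            # Reply (or continuation) of an established flow: interface rules
            # are not consulted at all.
            return "pass", f"{iface}: existing state, rules not evaluated"
        for rule in self.rules[iface]:
            if rule.matches(pkt):
                if rule.action == "pass":
                    self.states.add(flow)
                    return "pass", f"{iface}: pass rule matched, state created"
                return "block", f"{iface}: block rule matched"
        return "block", f"{iface}: no rule matched, default deny"


def ping(fw: Firewall, src: str, dst: str) -> bool:
    """Echo request src->dst then reply dst->src; True only if both pass."""
    req_verdict, _ = fw.process(Packet(src, dst, "icmp"))
    if req_verdict != "pass":
        return False
    rep_verdict, _ = fw.process(Packet(dst, src, "icmp"))
    return rep_verdict == "pass"


def make_firewall() -> Firewall:
    return Firewall({"LAN": "192.168.1.0/24", "VLAN90": "192.168.90.0/24"})


def scenario_block_all_on_vlan90() -> bool:
    """The poster's test: 'block all' on the VLAN90 tab, default pass on LAN."""
    fw = make_firewall()
    fw.rules["LAN"] = [Rule("pass")]
    fw.rules["VLAN90"] = [Rule("block")]
    return ping(fw, "192.168.1.50", "192.168.90.90")  # still succeeds


def scenario_block_on_lan() -> bool:
    """Blocking traffic destined for VLAN90 on the LAN tab, where it enters."""
    fw = make_firewall()
    fw.rules["LAN"] = [Rule("block", dst="192.168.90.0/24"), Rule("pass")]
    fw.rules["VLAN90"] = [Rule("pass")]
    return ping(fw, "192.168.1.50", "192.168.90.90")  # blocked


def scenario_printer_initiates() -> bool:
    """VLAN90 rules DO govern traffic that a printer initiates towards LAN."""
    fw = make_firewall()
    fw.rules["LAN"] = [Rule("pass")]
    fw.rules["VLAN90"] = [Rule("block")]
    return ping(fw, "192.168.90.90", "192.168.1.50")  # blocked


if __name__ == "__main__":
    print("block-all on VLAN90, ping LAN->printer:", scenario_block_all_on_vlan90())
    print("block on LAN, ping LAN->printer:      ", scenario_block_on_lan())
    print("block-all on VLAN90, ping printer->LAN:", scenario_printer_initiates())
```

Running the three scenarios shows the pattern from the thread: the VLAN90 block rule has no effect on pings from LAN (the request enters on LAN and the reply rides the state), the same rule placed on the LAN tab stops them, and the VLAN90 rules only bite when a printer is the one opening the connection.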