Netgate Discussion Forum

    VLAN help with netgear smart switch

    • gibbzy2k1

      Hi guys, I am after some help here. I have been racking my brains and it is probably something simple I have missed. Sorry, this is going to be a long post, but I will try and put as much detail in as possible.

      I have just bought a Netgear GS105Ev3 smart switch to try and get my home network vlanned to secure and separate things like media, office etc.

      I have configured the switch as follows through the VLAN 802.1Q settings:
      vlan 02 has port 2 untagged and port 1 tagged
      vlan 03 has port 3 untagged and port 1 tagged
      vlan 04 has port 4 untagged and port 1 tagged
      etc

      Port 1 connects to the PfSense LAN port. I will add screenshots of my config pages as attachments.

      I think the switch is configured correctly because when I set the VLANs up on PfSense I get the correct IP address for each port on the switch.

      My LAN is on 192.168.1.1/24, VLAN02 is on 192.168.20.1/24, VLAN03 is on 192.168.30.1/24 etc., with pfSense handling all the DHCP. If I plug my laptop into port 2 on the switch I get a 192.168.20.2 IP address. I am able to reach the switch, which is on 192.168.1.253, and my pfSense box on 192.168.1.1, but I cannot get internet access.

      I created a firewall rule under VLAN02:
      allow : IPV4 protocol, source is VLAN02 net destination any any

      I am only guessing, but as I can reach the switch and pfSense box when plugged into VLAN02 and get the correct .20 address, it is likely to be a rule issue, which is why I created the above rule. Still no internet access.

      Any help is greatly appreciated. I have attached a few screenshots of my config pages if it helps.

      [Attached screenshots: VLAN config, vlan1, vlan2, PVID, port status, interfaces, vlans, vlan02 rule, LAN rules]

      • Derelict (LAYER 8, Netgate)

        Why the leading zeroes on the VLAN tags?

        That rule on VLAN02 looks fine. About the only thing preventing internet access would be lack of outbound NAT. Did you set manual/advanced mode there?

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        • gibbzy2k1

          I can't remember the reason for the leading zeros. There must have been a reason.

          I have manual NAT outbound rules in place as attached which I thought would be right?

          [Attached screenshot: NAT rules]

          • Derelict (LAYER 8, Netgate)

            No. All of your outbound NAT rules should be on WAN. Is OPT1 a WAN? Is there a gateway set on the OPT1 interface configuration? If so there probably should not be. If you have multi-wan then everything is fine except the source networks.

            You need Outbound NAT rules on WAN for all of your source networks 192.168.1.1/24, 192.168.20.1/24, 192.168.30.1/24. You might just want to re-enable auto NAT mode (the default which you decided to change for some reason) and all of this will probably just start working.

            • gibbzy2k1

              OPT1 is my VPN which originally had my LAN going through. Eventually, only specific VLANS will use the VPN and the rest will go straight through the WAN.

              • Derelict (LAYER 8, Netgate)

                OK. A client connection to a VPN provider should be considered a WAN and treated like a WAN.

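An added audit script, not from the thread and not pfSense's own code, that checks the point Derelict makes in the two replies above: with outbound NAT in manual (advanced) mode, every internal network (LAN and each VLAN) needs an outbound NAT rule on every WAN-type interface, and a VPN client interface such as OPT1 counts as a WAN. The config fragment is constructed and mirrors pfSense's config.xml element names only as far as the check reads them (an assumption), and classifying an interface as WAN-type by dhcp/pppoe addressing or a gateway element is also an assumption.

```python
"""Audit a pfSense-style outbound NAT config: in manual (advanced) mode every
internal network needs an outbound NAT rule on every WAN-type interface."""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed config fragment (assumption: element names follow pfSense's
# config.xml, reduced to what this check reads). opt1 is the VPN client
# interface; the only NAT rules cover the LAN net, so both VLAN nets lack one.
SAMPLE_CONFIG = """<pfsense>
  <interfaces>
    <wan><descr>WAN</descr><ipaddr>dhcp</ipaddr></wan>
    <lan><descr>LAN</descr><ipaddr>192.168.1.1</ipaddr><subnet>24</subnet></lan>
    <opt1><descr>VPN</descr><ipaddr>dhcp</ipaddr><gateway>VPN_GW</gateway></opt1>
    <opt2><descr>VLAN02</descr><ipaddr>192.168.20.1</ipaddr><subnet>24</subnet></opt2>
    <opt3><descr>VLAN03</descr><ipaddr>192.168.30.1</ipaddr><subnet>24</subnet></opt3>
  </interfaces>
  <nat><outbound><mode>advanced</mode>
    <rule><interface>wan</interface><source><network>lan</network></source></rule>
    <rule><interface>opt1</interface><source><network>192.168.1.0/24</network></source></rule>
  </outbound></nat>
</pfsense>"""

def classify_interfaces(root):
    """WAN-type names and {name: internal network}. Assumption: an interface is
    WAN-type if it uses dhcp/pppoe addressing or has a gateway set."""
    wans, internal = [], {}
    for iface in root.find("interfaces"):
        ip = iface.findtext("ipaddr", "")
        if ip in ("dhcp", "pppoe") or iface.find("gateway") is not None:
            wans.append(iface.tag)
        elif ip and ip != "none":
            internal[iface.tag] = ipaddress.ip_network(
                f"{ip}/{iface.findtext('subnet')}", strict=False)
    return wans, internal

def missing_outbound_nat(xml_text):
    """Sorted (wan, network) pairs with no outbound NAT rule; [] means all covered."""
    root = ET.fromstring(xml_text)
    if root.findtext("nat/outbound/mode", "automatic") == "automatic":
        return []  # automatic mode generates rules for every internal net
    wans, internal = classify_interfaces(root)
    covered = set()
    for rule in root.findall("nat/outbound/rule"):
        wan, src = rule.findtext("interface"), rule.findtext("source/network", "")
        if rule.find("source/any") is not None:  # source "any" covers all nets
            covered.update((wan, n) for n in internal.values())
        elif src in internal or src.count("/") == 1:  # interface name or CIDR
            covered.add((wan, internal.get(src) or ipaddress.ip_network(src, strict=False)))
    return sorted((w, str(n)) for w in wans for n in internal.values() if (w, n) not in covered)
```

Running it on the constructed config lists the four missing (WAN, VLAN net) pairs; adding a source-any rule (or one rule per VLAN net) on both WAN and the VPN interface, or switching back to automatic mode, empties the list.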
                • gibbzy2k1

                  Cheers. I knew it would be something simple I missed. Had to put the outbound rule for the VLAN for OPT1.

                  Now it's all working. As soon as I typed the last reply I realised my error. Sometimes it just needs a fresh pair of eyes.

                  Thanks

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.