Netgate SG-3100 may not be routing Vlan traffic??
Hi and a big hello for my first post.
I have the following network and am trying to route Vlan traffic.
My SG-3100 is configured with Vlans on the Interfaces/Assignments/Vlans page with a default vlan 1 and New Vlan 10 using the mvneta1 (lan) interface.
I DO NOT have 802.1q enabled on the Interfaces/Switch/Vlans page.
I CAN do the following:-
PC can ping NAS on 192.168.10.1 just fine
PC can ping SG-3100 Vlan 10 Gateway address of 192.168.10.254 just fine
I cannot do the following:-
PC CANNOT ping IP Camera on 192.168.10.100
NAS on 192.168.10.1 CANNOT see IP Camera on 192.168.10.100
I am not sure where the problem is so please could one of the experts in the community assist
Many thanks in advance
Are those tplink 108e v3 or v2 or 1? V3 has a firmware update to fix their problems with vlans but previous models do not have a firmware fix and do not correctly handle vlans.
So your connected into the switch on the sg3100 or the other interfaces? How are you doing vlan 10 coming into multiple interfaces if not on the switch ports?
You say vlan 10 is tagged, but then list 802.1q not enabled on pfsense?
Also depending on camera, have seen some that do not allow for setting up a gateway. So pinging from another network would be a problem without a source nat on pfsense
Thank you for taking the time to reply and assist me.
They are tplink sg108e V3 running the latest firmware dated 2018-01-05.
I have tried both 802.1q ON and OFF without success.
When i enable 802.1q I specify a Vlan tag of 10 and member ports of 1, 2 and 5 tagged.
What's confusing is the PC can ping the NAS on 192.168.10.1 just fine so I know the Vlan is working OK
It seems to be at the point the traffic crosses the sg-3100 ports that the issues arise. i.e traffic from IP camera to NAS crossing port 2 on the sg-3100 to port 1
If the traffic originates on port 1 of the sg-3100 everything is fine. i.e PC pings NAS via it's 192.168.1.254 gateway (the sg-3100 on port 1). Traffic goes back out on port 1 to the 10 Vlan and ends up at the NAS.
Your going to need 802.1q on if your going to be doing tagging.
I think i have narrowed down the issue
There appears to be a bug in the current version of pfsense as follows
I did NOT have the DHCP server enabled on the vlan 10 interface of pfsense.
When i created the vlan 10 interface, i deliberately did NOT enable DHCP as i do not require that service for vlan 10. Also i DID Register DHCP leases in the DNS Resolver AND Register DHCP static mappings in the DNS Resolver under the DNS resolver settings so I dont know if that along with DHCP being disabled on Vlan 10 interface caused pfsense to get confused with some sort of routing table thing.
However as a test i just enabled DHCP services on vlan 10 interface and BAM traffic flowing from Camera to NAS even though both devices are on static IP addresses on the vlan 10 network.
I then disabled the DHCP services on vlan 10 and the traffic continues to flow.
Current configuration has the SG-3100 802.1q enabled as Vlan tag of 10 and member ports of 1, 2 and 5 tagged.
Very strange bug
sorry there is not bug with the dhcp server having to be on for data to flow..
Not sure what you did wrong - but bet a billion dollars (if I had it) that has zero to do with dhcp.. It has nothing to do with routing or allowing traffic on the firewall.
Now what could of been the problem is you set your IP wrong on your client, and when you changed it to dhcp it got the correct info.
Problem solved as you stated issue with client IP camera
Glad to hear... Wish I would of had that billion dollars to bet ;) hehehe
This does seem like a layer 2 (switching, vlan) problem. I don't think anything is necessarily wrong with routing, per se. Based on your diagram, the NAS should be able to ping the IP Camera.
Also, I assume you have the entire LAN on /24? I recommend assigning a different IP range to different VLANs. You could go with a /25 or /26 to divide it up.
A real test would be to wire the two TP-Link SG108E together (shown with the Netgate between them). Could the PC ping everything then? If so, add the NetGate back and look closer at the LAN/vLAN config. You'll definitely need 802.1q enabled. If not, then the answer lies with one of the switches.
Worse case, don't use VLANs, and instead use the OPT1 interface (and a different subnet) for the IP Camera network segment.