VLAN Help Requested: I Give....diagram & screenshots included

pfnguser114

Fellas I give up. I have spent all day on this.

Hardware is all installed and working except for VLANs. Wired devices are running just fine through the switch. The pfSense (J3355 build) has been up for 8 months. Switch and AP are brand new.

pfSense box >>> Zyxel GS1900-8HP >>> TP-LINK EAP225v3

The goal is a "Secured" VLAN (10) for computers and laptops (needs to be mix of WiFi & wired), "IoT" VLAN (20) for things that need to see the internet only (thermostats, doorbell, etc.), & "TV" VLAN (30) for several Fire TVs and ROKU TVs (all WiFi).

Wireless devices are connecting to the AP but I am messed up on the VLAN setup on either the pfSense box or switch. After messing with it for hours I think the issue is in the Zyxel tagged/untagged or trunking configuration. My 2nd guess is in the firewall rules. Multiple times I had wireless devices connecting but with "no internet". I believe the AP is working correctly and not causing the issues and the TPLink software, while basic, has been easy to use.

Thank you for the help!

NogBadTheBad

Isn't the parent interface igb1!

q54e3w

@nogbadthebad looks like igb1 is his lan and igb2 is parent, keeping it unassigned prevents potentially wonky behaviour.

q54e3w

Switch ports 1 & 2 look to be configured as trunks but set untagged when they probably should be tagged. I’m not familiar with that switch but worth checking.

Derelict

Yeah looks like port 1 should be tagged on 10, 20, 30 if port 1 is patched to pfSense igb2.

NogBadTheBad

@q54e3w said in VLAN Help Requested: I Give....diagram & screenshots included:

@nogbadthebad looks like igb1 is his lan and igb2 is parent, keeping it unassigned prevents potentially wonky behaviour.

On the diagram it says the LAN port is connected to the switch, that's why I said "looks like igb1 is his lan and igb2 is parent"

heper

@pfnguser114

like others have said:
all the vlans need to be tagged on your switch-port to pfsense.

this is probably also true for the switch-port connected to your AP

pfnguser114

Thanks for the replies.

I have set VLANs 10, 20, & 30 to TAGGED on both Port 1 & Port 2. Wireless devices can no now longer obtain an IP address to connect.

Also, in reference to the LAN and igb1 & igb2. igb1 is my LAN port and the cable is physically connected from LAN (igb1) to Port 1 of my switch. A lot of what I read out there said to put the VLANs on a different interface hence the igb2. I have tried it both ways and neither way seemed to work but I did find the different interface to be a head scratcher.

Still not working if anyone has any other input.

EDIT:

With Port 1 set to TAGGED on 10, 20, & 30 and Port 2 (Wireless AP) UNTAGGED on 10, 20, & 30 I get "Connected, no internet" on my wireless devices.

What am I supposed to set VLAN 1 to?

Also, what do I do with the PVID? Is it required?

heper

yes pvid is required.... its essential in any vlan switch setup.
any untagged package entering the switchport will be assign to the pvid-vlan id

pfnguser114

@heper said in VLAN Help Requested: I Give....diagram & screenshots included:

yes pvid is required.... its essential in any vlan switch setup.
any untagged package entering the switchport will be assign to the pvid-vlan id

How do I set up multiple PVID's on Port 2? Port 2 has the wireless AP that has VLAN 10, 20, & 30?

I hope I don't need a new switch as I researched this one and though it would fit my needs. However, if I need to swallow the $100 I paid for it and move on I am fine with it. I have wasted more time on this endeavor than I ever expected to.

Thanks for the help!

heper

there is never a need for multiple pvids on a single port.

this isn't rocket science.

pc (or other dumb device) <----> switch = untagged on vlan x | pvid = untagged_vlan_id_x
pfsense <---> switch = all vlans tagged except your management vlan | pvid = managment_vlan_id ( default 1)
AP <---> switch = all vlans tagged except your management vlan | pvid = managment_vlan_id ( default 1)

Also note:
zyxel allows you to untag multiple vlans on the same port. YOU DO NOT DO THIS in any normal situation.... it causes problems.

you clearly have issues understanding the vlan concepts. try googling some docs from reputable sources -- there is a lot of bad advice around

pfnguser114

@heper said in VLAN Help Requested: I Give....diagram & screenshots included:

there is never a need for multiple pvids on a single port.

this isn't rocket science.

pc (or other dumb device) <----> switch = untagged on vlan x | pvid = untagged_vlan_id_x
pfsense <---> switch = all vlans tagged except your management vlan | pvid = managment_vlan_id ( default 1)
AP <---> switch = all vlans tagged except your management vlan | pvid = managment_vlan_id ( default 1)

Also note:
zyxel allows you to untag multiple vlans on the same port. YOU DO NOT DO THIS in any normal situation.... it causes problems.

you clearly have issues understanding the vlan concepts. try googling some docs from reputable sources -- there is a lot of bad advice around

Please take a look at the attached screenshots and confirm that Port 1 & 2 are configured correctly for VLANs 1, 10, 20, & 30. I believe they are.

This configuration results in WiFI devices connecting to the network with "no internet connectivity". The DHCP leases in pfSense are correct for devices on each VLAN (example 192.168.10.100 for a device on VLAN 10).

So if they AP is set up right, the switch is setup right, where do I go looking next?

Thanks

Derelict

Looks reasonable.

You are tagging all traffic and have nothing assigned to the untagged igb2 interface.

That is fine.

Quick test:

Make an unused port on the switch untagged VLAN 10 PVID VLAN 10. Connect a laptop. Does DHCP and access work? Repeat on the same port for VLANs 20 and 30.

With that out of the way you can move on from the pfSense- to-switch trunk to the Access Point.

You have to determine what VLAN you are using for AP management. Many APs (Ubiquiti) like management traffic to be untagged, with tags on certain wireless networks. That, or you have to specifically set a management VLAN.

I am personally completely unfamiliar with any TP-Link APs and how they do things or what they expect of the management network.

pfnguser114

@derelict said in VLAN Help Requested: I Give....diagram & screenshots included:

Looks reasonable.

You are tagging all traffic and have nothing assigned to the untagged igb2 interface.

That is fine.

Quick test:

Make an unused port on the switch untagged VLAN 10 PVID VLAN 10. Connect a laptop. Does DHCP and access work? Repeat on the same port for VLANs 20 and 30.

With that out of the way you can move on from the pfSense- to-switch trunk to the Access Point.

You have to determine what VLAN you are using for AP management. Many APs (Ubiquiti) like management traffic to be untagged, with tags on certain wireless networks. That, or you have to specifically set a management VLAN.

I am personally completely unfamiliar with any TP-Link APs and how they do things or what they expect of the management network.

The TP-Link AP has the option for a management VLAN. The default setting is NOT enabled and the default VLAN ID is 1. So it's an option. I have not enabled it.

Set up your described scenario on Port 8. Laptop would connect to "unidentified network" and had no internet. It did not appear in the DHCP Lease table within pfSense.

Derelict

Is there a DHCP server enabled and properly-configured on that VLAN's interface?

You might also want to post the switch config for the port you're testing - to be sure it's correct.

If your AP is expecting untagged management traffic and the untagged VLAN there is 1, I am not sure how you expect that to work since VLAN 1 isn't set to anything on Layer 3 / pfSense.

pfnguser114

@derelict said in VLAN Help Requested: I Give....diagram & screenshots included:

Is there a DHCP server enabled and properly-configured on that VLAN's interface?

You might also want to post the switch config for the port you're testing - to be sure it's correct.

If your AP is expecting untagged management traffic and the untagged VLAN there is 1, I am not sure how you expect that to work since VLAN 1 isn't set to anything on Layer 3 / pfSense.

1. See screenshot

2. Screenshots

3. I apologize, but I do not follow what you are saying. It's over my head on what you are getting at. I've attached a screenshot of my options here.

Thank you so much for the help!!!

Derelict

Forget about the AP until a DHCP client connected to port 8 works.

Concentrate on one VLAN until that works then duplicate for the rest.

Based on what you have posted, the SECURE interface is tagged VLAN 10 out igb2 and patched to port 1 on the switch. DHCP is enabled on SECURE. VLAN 10 is tagged on switch port 1. VLAN 10 is untagged on switch port 8 and a DHCP client device is connected there.

If all that is true, the device on port 8 should get a DHCP address. If it doesn't doublecheck that all of that is still the case.

pfnguser114

@derelict said in VLAN Help Requested: I Give....diagram & screenshots included:

Forget about the AP until a DHCP client connected to port 8 works.

Concentrate on one VLAN until that works then duplicate for the rest.

Based on what you have posted, the SECURE interface is tagged VLAN 10 out igb2 and patched to port 1 on the switch. DHCP is enabled on SECURE. VLAN 10 is tagged on switch port 1. VLAN 10 is untagged on switch port 8 and a DHCP client device is connected there.

If all that is true, the device on port 8 should get a DHCP address. If it doesn't doublecheck that all of that is still the case.

pfSense is patched to switch on Port 1
SECURE - VLAN 10 on igb2
VLAN 10 is Tagged on Port 1 on switch
VLAN 10 is Untagged on Port 8 on switch

Windows 10 laptop connected to Port 8 does not get DHCP address or internet.

Derelict

Packet capture on the VLAN10 interface on pfSense and see what's happening there.

For grins do a full stop and start of the DHCP service on the firewall. I have seen adding VLANs there not be picked up before without a restart though it's been quite some time.

Else it's Layer 2. I would expect what you have done to work but I have never configured one of those ZyXEL switches so there may be some caveats there.

heper

you have multiple vlans untagged on port 3-8 ... thats big no no (in almost any situation)

Derelict

A real switch wouldn't allow that.

ZyXELs are generally well thought of. But it might be getting in the way here. Nice catch.

heper

@derelict

lots of 'real' switch i know, allow it.

only thing i've seen that actively prevents it are some dlink & ubiquiti gear

Derelict

SSH@6450-223#sh vlan 223
Total PORT-VLAN entries: 37
Maximum PORT-VLAN entries: 64

Legend: [Stk=Stack-Id, S=Slot]

PORT-VLAN 223, Name MAIN_LAN, Priority level0, Spanning tree Off
Untagged Ports: (U1/M1) 2 4 5 6 7 8 11 28
Tagged Ports: (U1/M1) 35 36 41 44
Tagged Ports: (U1/M2) 2 4
Uplink Ports: None
DualMode Ports: (U1/M1) 3 26 43
Mac-Vlan Ports: None
Monitoring: Disabled

SSH@6450-223#config t
SSH@6450-223(config)#vlan 224
SSH@6450-223(config-vlan-224)#untagged eth 1/1/11
error - port ethe 1/1/11 are not member of default vlan

Adding port 1/1/11 untagged on a second VLAN denied.

SSH@6450-223(config)#vlan 223
SSH@6450-223(config-vlan-223)#no untagged eth 1/1/11
SSH@6450-223(config-vlan-223)#vlan 224
SSH@6450-223(config-vlan-224)#untagged eth 1/1/11
Added untagged port(s) ethe 1/1/11 to port-vlan 224.

Remove 1/1/11 from untagged 223 and adding untagged to 224 allowed.

A port on two untagged VLANs is nonsense.

pfnguser114

I am back trying to solve this problem.

One thing I have noticed on the wireless clients is I can get them to connect to the VLAN ONLY if the interface is selected as the same as my LAN interface.

Example:

LAN is on igb1 (switch is patched to this physical port to port 1 on switch)
VLAN10 set to igb2 = No IP address on wireless device (phone)
VLAN10 set to igb1 = IP address connects and appears in DHCP table correct (192.168.10.100)

From there, the phone says "Connected, no internet" which leads me to believe the issue is with the firewall rules. I believe my Pass rule is correct but would like to know if I need to add NAT rules. A recent post in this category had a guy connecting a Ubiquiti AP to an unmanaged switch and he required a NAT rule as well as a firewall rule. I have attempted to duplicate both but cannot make it out to the internet.

As always the help is appreciated.

UPDATE:

Progress. The phone is now on the internet. I had to select the SECURE interface in the DNS Resolver in addition to the already selected LAN & localhost.

I still have the firewall rules but deleted the NAT rules I was trying to make. So I'm still looking for answers there.

ETA: IT WORKS!!!

I chased this all night but it came down to my NAT rules being set to manual due to an older OpenVPN setup. One click on Auto and all devices have internet.

Talk about a nightmare. I'll get to setting up the VPN later.