VLAN Help Requested: I Give....diagram & screenshots included
-
Fellas I give up. I have spent all day on this.
Hardware is all installed and working except for VLANs. Wired devices are running just fine through the switch. The pfSense (J3355 build) has been up for 8 months. Switch and AP are brand new.
pfSense box >>> Zyxel GS1900-8HP >>> TP-LINK EAP225v3
The goal is a "Secured" VLAN (10) for computers and laptops (needs to be mix of WiFi & wired), "IoT" VLAN (20) for things that need to see the internet only (thermostats, doorbell, etc.), & "TV" VLAN (30) for several Fire TVs and ROKU TVs (all WiFi).
Wireless devices are connecting to the AP but I am messed up on the VLAN setup on either the pfSense box or switch. After messing with it for hours I think the issue is in the Zyxel tagged/untagged or trunking configuration. My 2nd guess is in the firewall rules. Multiple times I had wireless devices connecting but with "no internet". I believe the AP is working correctly and not causing the issues and the TPLink software, while basic, has been easy to use.
Thank you for the help!
-
Isn't the parent interface igb1!
-
@nogbadthebad looks like igb1 is his lan and igb2 is parent, keeping it unassigned prevents potentially wonky behaviour.
-
Switch ports 1 & 2 look to be configured as trunks but set untagged when they probably should be tagged. I’m not familiar with that switch but worth checking.
-
Yeah looks like port 1 should be tagged on 10, 20, 30 if port 1 is patched to pfSense igb2.
-
@q54e3w said in VLAN Help Requested: I Give....diagram & screenshots included:
@nogbadthebad looks like igb1 is his lan and igb2 is parent, keeping it unassigned prevents potentially wonky behaviour.
On the diagram it says the LAN port is connected to the switch, that's why I said "looks like igb1 is his lan and igb2 is parent"
-
like others have said:
all the vlans need to be tagged on your switch-port to pfsense.this is probably also true for the switch-port connected to your AP
-
Thanks for the replies.
I have set VLANs 10, 20, & 30 to TAGGED on both Port 1 & Port 2. Wireless devices can no now longer obtain an IP address to connect.
Also, in reference to the LAN and igb1 & igb2. igb1 is my LAN port and the cable is physically connected from LAN (igb1) to Port 1 of my switch. A lot of what I read out there said to put the VLANs on a different interface hence the igb2. I have tried it both ways and neither way seemed to work but I did find the different interface to be a head scratcher.
Still not working if anyone has any other input.
EDIT:
With Port 1 set to TAGGED on 10, 20, & 30 and Port 2 (Wireless AP) UNTAGGED on 10, 20, & 30 I get "Connected, no internet" on my wireless devices.
What am I supposed to set VLAN 1 to?
Also, what do I do with the PVID? Is it required?
-
yes pvid is required.... its essential in any vlan switch setup.
any untagged package entering the switchport will be assign to the pvid-vlan id -
@heper said in VLAN Help Requested: I Give....diagram & screenshots included:
yes pvid is required.... its essential in any vlan switch setup.
any untagged package entering the switchport will be assign to the pvid-vlan idHow do I set up multiple PVID's on Port 2? Port 2 has the wireless AP that has VLAN 10, 20, & 30?
I hope I don't need a new switch as I researched this one and though it would fit my needs. However, if I need to swallow the $100 I paid for it and move on I am fine with it. I have wasted more time on this endeavor than I ever expected to.
Thanks for the help!
-
there is never a need for multiple pvids on a single port.
this isn't rocket science.
pc (or other dumb device) <----> switch = untagged on vlan x | pvid = untagged_vlan_id_x
pfsense <---> switch = all vlans tagged except your management vlan | pvid = managment_vlan_id ( default 1)
AP <---> switch = all vlans tagged except your management vlan | pvid = managment_vlan_id ( default 1)Also note:
zyxel allows you to untag multiple vlans on the same port. YOU DO NOT DO THIS in any normal situation.... it causes problems.you clearly have issues understanding the vlan concepts. try googling some docs from reputable sources -- there is a lot of bad advice around
-
@heper said in VLAN Help Requested: I Give....diagram & screenshots included:
there is never a need for multiple pvids on a single port.
this isn't rocket science.
pc (or other dumb device) <----> switch = untagged on vlan x | pvid = untagged_vlan_id_x
pfsense <---> switch = all vlans tagged except your management vlan | pvid = managment_vlan_id ( default 1)
AP <---> switch = all vlans tagged except your management vlan | pvid = managment_vlan_id ( default 1)Also note:
zyxel allows you to untag multiple vlans on the same port. YOU DO NOT DO THIS in any normal situation.... it causes problems.you clearly have issues understanding the vlan concepts. try googling some docs from reputable sources -- there is a lot of bad advice around
Please take a look at the attached screenshots and confirm that Port 1 & 2 are configured correctly for VLANs 1, 10, 20, & 30. I believe they are.
This configuration results in WiFI devices connecting to the network with "no internet connectivity". The DHCP leases in pfSense are correct for devices on each VLAN (example 192.168.10.100 for a device on VLAN 10).
So if they AP is set up right, the switch is setup right, where do I go looking next?
Thanks
-
Looks reasonable.
You are tagging all traffic and have nothing assigned to the untagged igb2 interface.
That is fine.
Quick test:
Make an unused port on the switch untagged VLAN 10 PVID VLAN 10. Connect a laptop. Does DHCP and access work? Repeat on the same port for VLANs 20 and 30.
With that out of the way you can move on from the pfSense- to-switch trunk to the Access Point.
You have to determine what VLAN you are using for AP management. Many APs (Ubiquiti) like management traffic to be untagged, with tags on certain wireless networks. That, or you have to specifically set a management VLAN.
I am personally completely unfamiliar with any TP-Link APs and how they do things or what they expect of the management network.
-
@derelict said in VLAN Help Requested: I Give....diagram & screenshots included:
Looks reasonable.
You are tagging all traffic and have nothing assigned to the untagged igb2 interface.
That is fine.
Quick test:
Make an unused port on the switch untagged VLAN 10 PVID VLAN 10. Connect a laptop. Does DHCP and access work? Repeat on the same port for VLANs 20 and 30.
With that out of the way you can move on from the pfSense- to-switch trunk to the Access Point.
You have to determine what VLAN you are using for AP management. Many APs (Ubiquiti) like management traffic to be untagged, with tags on certain wireless networks. That, or you have to specifically set a management VLAN.
I am personally completely unfamiliar with any TP-Link APs and how they do things or what they expect of the management network.
The TP-Link AP has the option for a management VLAN. The default setting is NOT enabled and the default VLAN ID is 1. So it's an option. I have not enabled it.
Set up your described scenario on Port 8. Laptop would connect to "unidentified network" and had no internet. It did not appear in the DHCP Lease table within pfSense.
-
Is there a DHCP server enabled and properly-configured on that VLAN's interface?
You might also want to post the switch config for the port you're testing - to be sure it's correct.
If your AP is expecting untagged management traffic and the untagged VLAN there is 1, I am not sure how you expect that to work since VLAN 1 isn't set to anything on Layer 3 / pfSense.
-
@derelict said in VLAN Help Requested: I Give....diagram & screenshots included:
Is there a DHCP server enabled and properly-configured on that VLAN's interface?
You might also want to post the switch config for the port you're testing - to be sure it's correct.
If your AP is expecting untagged management traffic and the untagged VLAN there is 1, I am not sure how you expect that to work since VLAN 1 isn't set to anything on Layer 3 / pfSense.
-
See screenshot
-
Screenshots
-
I apologize, but I do not follow what you are saying. It's over my head on what you are getting at. I've attached a screenshot of my options here.
Thank you so much for the help!!!
-
-
Forget about the AP until a DHCP client connected to port 8 works.
Concentrate on one VLAN until that works then duplicate for the rest.
Based on what you have posted, the SECURE interface is tagged VLAN 10 out igb2 and patched to port 1 on the switch. DHCP is enabled on SECURE. VLAN 10 is tagged on switch port 1. VLAN 10 is untagged on switch port 8 and a DHCP client device is connected there.
If all that is true, the device on port 8 should get a DHCP address. If it doesn't doublecheck that all of that is still the case.
-
@derelict said in VLAN Help Requested: I Give....diagram & screenshots included:
Forget about the AP until a DHCP client connected to port 8 works.
Concentrate on one VLAN until that works then duplicate for the rest.
Based on what you have posted, the SECURE interface is tagged VLAN 10 out igb2 and patched to port 1 on the switch. DHCP is enabled on SECURE. VLAN 10 is tagged on switch port 1. VLAN 10 is untagged on switch port 8 and a DHCP client device is connected there.
If all that is true, the device on port 8 should get a DHCP address. If it doesn't doublecheck that all of that is still the case.
pfSense is patched to switch on Port 1
SECURE - VLAN 10 on igb2
VLAN 10 is Tagged on Port 1 on switch
VLAN 10 is Untagged on Port 8 on switchWindows 10 laptop connected to Port 8 does not get DHCP address or internet.
-
Packet capture on the VLAN10 interface on pfSense and see what's happening there.
For grins do a full stop and start of the DHCP service on the firewall. I have seen adding VLANs there not be picked up before without a restart though it's been quite some time.
Else it's Layer 2. I would expect what you have done to work but I have never configured one of those ZyXEL switches so there may be some caveats there.
-
you have multiple vlans untagged on port 3-8 ... thats big no no (in almost any situation)
