Netgate Discussion Forum
    VLAN Help Requested: I Give....diagram & screenshots included

    General pfSense Questions
    24 Posts 5 Posters 2.6k Views
    • Derelict (LAYER 8, Netgate)

      A real switch wouldn't allow that.

      ZyXELs are generally well thought of. But it might be getting in the way here. Nice catch.

      Chattanooga, Tennessee, USA
      A comprehensive network diagram is worth 10,000 words and 15 conference calls.
      DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
      Do Not Chat For Help! NO_WAN_EGRESS(TM)

      • heper @Derelict

        @derelict

        Lots of 'real' switches I know allow it.

        The only thing I've seen that actively prevents it is some D-Link & Ubiquiti gear.

        • Derelict (LAYER 8, Netgate)

          SSH@6450-223#sh vlan 223
          Total PORT-VLAN entries: 37
          Maximum PORT-VLAN entries: 64

          Legend: [Stk=Stack-Id, S=Slot]

          PORT-VLAN 223, Name MAIN_LAN, Priority level0, Spanning tree Off
          Untagged Ports: (U1/M1) 2 4 5 6 7 8 11 28
          Tagged Ports: (U1/M1) 35 36 41 44
          Tagged Ports: (U1/M2) 2 4
          Uplink Ports: None
          DualMode Ports: (U1/M1) 3 26 43
          Mac-Vlan Ports: None
          Monitoring: Disabled

          SSH@6450-223#config t
          SSH@6450-223(config)#vlan 224
          SSH@6450-223(config-vlan-224)#untagged eth 1/1/11
          error - port ethe 1/1/11 are not member of default vlan

          Adding port 1/1/11 untagged on a second VLAN denied.

          SSH@6450-223(config)#vlan 223
          SSH@6450-223(config-vlan-223)#no untagged eth 1/1/11
          SSH@6450-223(config-vlan-223)#vlan 224
          SSH@6450-223(config-vlan-224)#untagged eth 1/1/11
          Added untagged port(s) ethe 1/1/11 to port-vlan 224.

          Removing 1/1/11 from untagged 223 and then adding it untagged to 224 allowed.

          A port on two untagged VLANs is nonsense.


          • pfnguser114
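The rule the switch session above enforces, as an added model (not code from the post or from any switch vendor): a port may be an untagged member of exactly one VLAN at a time, while tagged membership may be held in many. Port and VLAN numbers are taken from the session; the class and method names are constructed for this example.

```python
from dataclasses import dataclass, field


@dataclass
class VlanTable:
    """Port-VLAN membership: vlan id -> set of port names (constructed model)."""
    untagged: dict = field(default_factory=dict)
    tagged: dict = field(default_factory=dict)

    def untagged_vlan_of(self, port):
        """Return the VLAN in which `port` is untagged, or None."""
        for vid, ports in self.untagged.items():
            if port in ports:
                return vid
        return None

    def add_untagged(self, vid, port):
        """Mirror the switch: refuse a second untagged VLAN for the same port."""
        current = self.untagged_vlan_of(port)
        if current is not None and current != vid:
            return False, f"error - port {port} is already untagged in vlan {current}"
        self.untagged.setdefault(vid, set()).add(port)
        return True, f"Added untagged port(s) {port} to port-vlan {vid}."

    def remove_untagged(self, vid, port):
        """Equivalent of 'no untagged eth <port>' inside the VLAN context."""
        self.untagged.get(vid, set()).discard(port)

    def add_tagged(self, vid, port):
        """Tagged (trunk) membership may be held in any number of VLANs."""
        self.tagged.setdefault(vid, set()).add(port)
        return True

    def untagged_conflicts(self):
        """Audit helper: ports untagged in more than one VLAN (must be empty)."""
        seen = {}
        for vid, ports in self.untagged.items():
            for p in ports:
                seen.setdefault(p, []).append(vid)
        return {p: v for p, v in seen.items() if len(v) > 1}


def replay_session():
    """Re-enact the posted session: 1/1/11 untagged in 223, attempt 224, remove, retry."""
    t = VlanTable()
    t.add_untagged(223, "1/1/11")
    first_ok, _ = t.add_untagged(224, "1/1/11")   # denied, as on the switch
    t.remove_untagged(223, "1/1/11")
    second_ok, _ = t.add_untagged(224, "1/1/11")  # allowed after removal
    return first_ok, second_ok, t.untagged_vlan_of("1/1/11")
```

The `untagged_conflicts` audit is what you would run over a dumped VLAN table from a switch that does not enforce the rule itself, to confirm no access port straddles two VLANs.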

            I am back trying to solve this problem.

            One thing I have noticed on the wireless clients is I can get them to connect to the VLAN ONLY if the interface is selected as the same as my LAN interface.

            Example:

            LAN is on igb1 (this physical port is patched to port 1 on the switch)
            VLAN10 set to igb2 = No IP address on wireless device (phone)
            VLAN10 set to igb1 = IP address connects and appears correctly in the DHCP table (192.168.10.100)

            From there, the phone says "Connected, no internet" which leads me to believe the issue is with the firewall rules. I believe my Pass rule is correct but would like to know if I need to add NAT rules. A recent post in this category had a guy connecting a Ubiquiti AP to an unmanaged switch and he required a NAT rule as well as a firewall rule. I have attempted to duplicate both but cannot make it out to the internet.

            As always, the help is appreciated.

            UPDATE:

            Progress. The phone is now on the internet. I had to select the SECURE interface in the DNS Resolver in addition to the already selected LAN & localhost.

            I still have the firewall rules but deleted the NAT rules I was trying to make. So I'm still looking for answers there.

            ETA: IT WORKS!!!

            I chased this all night but it came down to my NAT rules being set to manual due to an older OpenVPN setup. One click on Auto and all devices have internet.

            Talk about a nightmare. I'll get to setting up the VPN later.
