Vlan + netgear fs726T
-
Hey,
I am a bit confused with the tagged egress or untaged on the vlan switch. I have read the forums and some google post and people seem to disagree which to use
I have setup 3 vlans on pfsense called vlan10, vlan20, vlan30 and given them the ids of 10, 20, 30 respectively, attaching them to the Lan nic.
The lan nic is then plugged into port 25 on the switch and the 3 different networks i want to run on porst 2, 3 and 4. I left port 1 free.
Do i now under the vlan confiuration make a new lan with the id of 10 (for the first one) and mark port 2 as untagged and port 25 as tagged?
I understand the basic of concept of tagging packets (i think lol. like i have read up on it a bit), however, i couldn't find an answer anywhere saying what people actually use that works…
I just seem to be locking myself out of the network all the time and am getting a little furstrated.
Thanks in advance
Cheers
Robin -
If you set the port to tag egress frames, it means that the VLAN tag will be added/retained when the packet is sent out that port. If you untag the frames the VLAN tags will be stripped and the attached device won't be able to tell which VLAN each frame is associated with.
Normally you'd want to have your pfSense port set to tag the frames on all the VLANs your networks run on. Then, on each port for the networks you'd set them up to only be members of one VLAN, set the primary VLAN for that port to the proper one and untag the packets.
-
Thanks for the reply.
So then the following should work or:
Vlan10 on em0 (lan nic) – dhcp on 192.168.0.1/24
Vlan20 on em0 (lan nic) -- dhcp on 192.168.1.1/24
Vlan20 on em0 (lan nic) -- dhcp on 192.168.2.1/24
Normal Lan uses 172.168.0.1/24then on switch,
Set vlanid10 to tagged on port 25 and untagged on port 2 ---25 being the link between pfsense and the switch and 2 going out to the network which has the computers on it (no further splitting is required so tag can be removed). Then do this three times for the 3 different vlans
set VLanID1 to untagged on all ports
Anything i am getting wrong?
Cheers
Robin -
I use the FS726T in several setups.
My screenshots might help you:I have 6 different VLANs.
VLAN1: This VLAN is a "dummy VLAN".
Per default all ports are in this one. I just left it there and didnt delete it.VLAN2: This is my "admin VLAN".
I notices that you need access to port 1 to be able to manage the switch.VLAN313: This is my "unused VLAN".
All ports i'm currently not using are in this VLAN.VLAN1100, VLAN1300, VLAN1400, (there was a VLAN1200 once).
These are my users VLANs. (different offices).My pfSense is connected to port 26.
As you can see in the overview table all ports going to the users are "untagged" and the port going to the pfSense is tagged.
With the PVID table you assign ports to a VLAN.
Internally the switch always works with tagged packets. With the PVID table you tell the switch what tag to add to the frames comming in on an interface.
With the "T" and the "U" you define if packed should leave on a port tagged or untagged.
-
Thanks a bunch for that. Pictures are really worth a thousand words :)
I noticed that only your port 6 overlaps with vlan313 and vlan1100. I presume this means that this means this port is accessible to both vlans?
Again, thanks for the reply and pictures
Cheers
Robin -
You found a config error ;)
I recently moved port 6 from unused (313) to 1100.
As you can see i changed the PVID setting to 1100, but forgot to remove it from the 313 list.Essentially this means:
All ports in the 313 group can talk to port6.
But port 6 can only talk to members of the 1100 group.
(one way communication).
For bidirectional communication the ports in the 313 group would have to be members of the 1100 group as well. -
lol, newbie luck
Thanks for the help on this one. I am going to try it out now to see if it works but i am alot clearer on it.
Cheers
Robin -
Something else i just noticed (mostly cosmetic).
Port 26 has as PVID 2 (untagged traffic comming in on this interface will be assigned to VLAN2).
At the same time it's marked as tagged VLAN2.
This means tagged VLAN2 traffic is expected, but it will allow untagged traffic as well.It would be better if port 26 would have its own VLAN for untagged traffic.
After all you only want tagged communication with the pfSense only.
Mixing untagged and tagged traffic on the same interface can lead to unexpected behaviour.
(clients could in certain cases find each other directly via ARP even if they should communicate over the pfSense)