pfSense and VLAN help (HP Switch)



  • Hello All -

    First off, thank you all very much for taking the time to read my post, I am hoping for some help!

    I was hoping to get some help with getting the configs right for my network switches. I don't believe my issue is directly related to the vlans in my pfSense setup, rather my network switches, but please let me know your thoughts.

To make it simple, I will only use two switches, and once this is working, I can make the same changes for the third switch. I'm pretty sure my issue is that I am not understanding vlan tagging properly, so I was looking for some guidance. The goal is to ultimately segment my network and get the vlans working properly. I have security cameras I would like to put on their own segment, as well as some access points; I would also like to set up guest access for my wireless network. I also have a VLAN set up for IOT devices.

Currently, I am just untagging all ports on all switches on my default vlan, and allowing all traffic through for everything, until I can get things working properly. I have been tinkering with things for a while now, but can't seem to get it working.

    ==============================================================================
    Key information:

    Router = pfSense
All network switches = HP Procurve Switches (model 2530); one is a 24-port GB switch, the other is 24-port PoE.
I have a total of 5 vlans configured on all switches and in the router; the "default_vlan" is not being used (per best practice).

    ==============================================================================
    Here is the setup:

    I am using a pfSense firewall and I have all vlans configured correctly on the router from what I can tell, the network interface from the firewall is plugged into port 1 on switch01. Port 24 on switch01 is configured as a trunk port and is plugged into port 23 on switch02.

I will post the configs for both switches below, but wanted you to be aware of what the main ports are for. You will see below in the configs, but in my testing I just patched a laptop into Port 1 on switch02 just to see if I can pull a dhcp address for it (only able to pull an IP from my default vlan). That particular vlan I was tinkering with is titled WIFI, so I just wanted to point this out so there isn't any confusion while you're looking at my config.

Here are the current configs for my switches, after I've made some additional changes. I do realize that I don't need to have the IPs listed in there for each vlan, and can remove them to simplify things further, but I wanted to put them in there just to test, and rule that out.

    ==============================================================================
    Switch01:

    HP-SW-01# show running-config

    Running configuration:

    ; J9776A Configuration Editor; Created on release #YA.15.17.0007
    hostname "HP-SW-01"
    ip default-gateway 10.10.1.1
    snmp-server community "public" unrestricted
    vlan 1
    name "DEFAULT_VLAN"
    no untagged 1-28
    ip address dhcp-bootp
    exit
    vlan 100
    name "100-DEFAULT"
    untagged 1-28
    ip address dhcp-bootp
    exit
    vlan 200
    name "200-CAMERAS"
    tagged 1,24
    ip address 10.10.2.1 255.255.255.0
    ip helper-address 10.10.1.1
    exit
    vlan 300
    name "300-GUESTWIFI"
    tagged 1,24
    ip address 10.10.3.1 255.255.255.0
    ip helper-address 10.10.1.1
    exit
    vlan 400
    name "400-WIFI"
    tagged 1,24
    ip address 10.10.4.1 255.255.255.0
    ip helper-address 10.10.1.1
    exit
    vlan 500
    name "500-IOT"
    tagged 1,24
    ip address 10.10.5.1 255.255.255.0
    ip helper-address 10.10.1.1
    exit
    primary-vlan 100

    ==============================================================================
    Switch02:

    HP-SW-02# show running-config

    Running configuration:

    ; J9773A Configuration Editor; Created on release #YA.15.12.0007
    hostname "HP-SW-02"
    ip default-gateway 10.10.1.1
    snmp-server community "public" unrestricted
    vlan 1
    name "DEFAULT_VLAN"
    no untagged 1-28
    no ip address
    exit
    vlan 100
    name "100-DEFAULT"
    untagged 2-28
    ip address 10.10.1.6 255.255.255.0
    exit
    vlan 200
    name "200-CAMERAS"
    tagged 23
    ip address 10.10.2.1 255.255.255.0
    exit
    vlan 300
    name "300-GUESTWIFI"
    tagged 23
    ip address 10.10.3.1 255.255.255.0
    exit
    vlan 400
    name "400-WIFI"
    tagged 1,23
    ip address 10.10.4.1 255.255.255.0
    exit
    vlan 500
    name "500-IOT"
    tagged 23
    ip address 10.10.5.1 255.255.255.0
    exit
    primary-vlan 100

    ==============================================================================
    On the pfSense side:

All VLANs are configured in the VLANs section using the same VLAN tag, and even the description (although that shouldn't matter). While I do have additional NIC ports on my firewall, I am not physically segmenting this off at the moment; rather I am using the lan port interface for each of the vlans.

    ==============================================================================
    Here are a few questions I had, that may help me get a better understanding of what I'm missing:

1. I "presume" that the port that my router plugs into on switch01 should be a trunk port, but do all of the vlans need to be tagged (including the default vlan)? I currently have it set up so that the default vlan is untagged and all other vlans are tagged. I've tried changing this port to have all vlans tagged (as I thought was the correct way), but then I lose connection to the internet on my main desktop that is plugged into a port on switch01 (not the laptop I'm testing on port 1 above).

2. Same question as above for all trunk ports. So port 24 on switch01 that connects to port 23 on switch02 should be my trunk port; do all vlans here need to be tagged? I currently have the default vlan untagged (this is the only way I can get traffic to pass to the second switch) and all other vlans are configured as just tagged.

    3. The laptop that I'm using to test if I can pull a dhcp address on that is plugged into port 1 on switch02, should the default vlan be set to "no" and should I be just tagging that port on the WIFI vlan, or does the default vlan need to remain as untagged, while the WIFI vlan should be set to Tagged? My understanding is that you only want to tag the switch port on the vlan you want it to communicate with.

    Apologies for these dumb questions, but I am having a difficult time getting things to work here. I have tried so many scenarios, but can't seem to get anything to work.

    Thanks for any assistance on this! I really appreciate any help here!



  • I think I figured out the problem; everything appears to be working right now. I'm not sure which of all the changes I made actually resolved the problem. I believe it was actually an issue with my vlan configs in pfSense and not the switches themselves. If I run into anything else, I'll update this post, but I thank you all for looking.


  • LAYER 8 Netgate

    If you have the following interfaces:

    igb0
    igb0.200
    igb0.201
    igb0.202

    The switch port connected to igb0 will need to be tagged on VLANs 200, 201, and 202 and untagged (the switch port's PVID) for whatever VLAN you want igb0 to be on.
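    A worked example of the tagging rules behind the original post's three questions and the reply above, added here as illustration (it is not code from the thread, from Netgate or from HP): a small Python script that parses the VLAN sections of the two ProCurve running-configs quoted in the post (copied inline as constructed sample input, with the IP lines left out since they do not affect tagging), inverts them into per-port tagged/untagged membership, and runs three checks. It assumes VLAN 100 is the VLAN the pfSense parent interface (igb0 in the reply) should sit on untagged, and that the four pfSense sub-interfaces use VLAN IDs 200, 300, 400 and 500, matching the switch tags as the post states. On this input the inter-switch link (switch01 port 24 to switch02 port 23) and the pfSense-facing port pass, while port 1 on switch02 is flagged: it is tagged on VLAN 400 but untagged on nothing, so the laptop's untagged frames have no VLAN to land in.

```python
"""Check 802.1Q port membership in HP ProCurve running-config text."""
import re
from collections import defaultdict

# Constructed sample input: the VLAN sections of the two configs from the post.
SW01_CONFIG = "\n".join([
    'vlan 1', 'name "DEFAULT_VLAN"', 'no untagged 1-28', 'exit',
    'vlan 100', 'name "100-DEFAULT"', 'untagged 1-28', 'exit',
    'vlan 200', 'name "200-CAMERAS"', 'tagged 1,24', 'exit',
    'vlan 300', 'name "300-GUESTWIFI"', 'tagged 1,24', 'exit',
    'vlan 400', 'name "400-WIFI"', 'tagged 1,24', 'exit',
    'vlan 500', 'name "500-IOT"', 'tagged 1,24', 'exit',
])
SW02_CONFIG = "\n".join([
    'vlan 1', 'name "DEFAULT_VLAN"', 'no untagged 1-28', 'exit',
    'vlan 100', 'name "100-DEFAULT"', 'untagged 2-28', 'exit',
    'vlan 200', 'name "200-CAMERAS"', 'tagged 23', 'exit',
    'vlan 300', 'name "300-GUESTWIFI"', 'tagged 23', 'exit',
    'vlan 400', 'name "400-WIFI"', 'tagged 1,23', 'exit',
    'vlan 500', 'name "500-IOT"', 'tagged 23', 'exit',
])


def expand_ports(spec):
    """Expand a ProCurve port list such as '1,24' or '2-28' into a set of ints."""
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def parse_procurve(text):
    """Return {vlan_id: {"name": str, "tagged": set, "untagged": set}}."""
    vlans, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"vlan (\d+)$", line)
        if m:
            current = vlans.setdefault(
                int(m.group(1)), {"name": "", "tagged": set(), "untagged": set()})
        elif current is None:
            continue  # lines outside a vlan block (hostname, snmp, ...) are ignored
        elif line == "exit":
            current = None
        elif line.startswith("name "):
            current["name"] = line[5:].strip('"')
        elif line.startswith("no untagged "):
            current["untagged"] -= expand_ports(line[12:])
        elif line.startswith(("tagged ", "untagged ")):
            kind, spec = line.split(" ", 1)
            current[kind] |= expand_ports(spec)
    return vlans


def port_membership(vlans):
    """Invert the VLAN view into {port: {"tagged": set(vids), "untagged": set(vids)}}."""
    ports = defaultdict(lambda: {"tagged": set(), "untagged": set()})
    for vid, v in vlans.items():
        for kind in ("tagged", "untagged"):
            for p in v[kind]:
                ports[p][kind].add(vid)
    return ports


def check_port(vlans, port):
    """Findings about how an edge port treats untagged frames (its PVID)."""
    m = port_membership(vlans)[port]
    findings = []
    if len(m["untagged"]) > 1:
        findings.append(f"port {port}: untagged on {sorted(m['untagged'])}; "
                        "a port can be untagged on only one VLAN")
    if not m["untagged"]:
        findings.append(f"port {port}: no untagged VLAN, so untagged frames from an end "
                        f"device are dropped; only 802.1Q-tagged frames for "
                        f"{sorted(m['tagged'])} are accepted")
    return findings


def check_trunk(vlans_a, port_a, vlans_b, port_b):
    """Both ends of an inter-switch link must agree on the tagged set and the PVID."""
    a, b = port_membership(vlans_a)[port_a], port_membership(vlans_b)[port_b]
    return [f"{kind} mismatch: port {port_a} has {sorted(a[kind])}, "
            f"port {port_b} has {sorted(b[kind])}"
            for kind in ("tagged", "untagged") if a[kind] != b[kind]]


def check_pfsense_uplink(vlans, port, parent_vlan, subinterface_vlans):
    """Rule from the reply: the port facing pfSense is untagged on the VLAN the parent
    interface (igb0) should use, and tagged on every VLAN that has an igb0.N sub-interface.
    parent_vlan=100 and the sub-interface IDs are assumptions for this example."""
    m = port_membership(vlans)[port]
    findings = []
    if m["untagged"] != {parent_vlan}:
        findings.append(f"port {port}: untagged on {sorted(m['untagged'])}, expected {parent_vlan}")
    missing = set(subinterface_vlans) - m["tagged"]
    extra = m["tagged"] - set(subinterface_vlans)
    if missing:
        findings.append(f"port {port}: VLANs {sorted(missing)} not tagged; their sub-interfaces see no traffic")
    if extra:
        findings.append(f"port {port}: VLANs {sorted(extra)} tagged but have no pfSense sub-interface")
    return findings


if __name__ == "__main__":
    sw01, sw02 = parse_procurve(SW01_CONFIG), parse_procurve(SW02_CONFIG)
    for finding in (check_port(sw02, 1) + check_trunk(sw01, 24, sw02, 23)
                    + check_pfsense_uplink(sw01, 1, 100, [200, 300, 400, 500])):
        print(finding)
```

The script reads the switch's own VLAN-centric syntax and turns it into the per-port view that 802.1Q actually operates on: one untagged VLAN (the PVID) that receives the port's untagged frames, plus any number of tagged VLANs. That view answers the third question directly: a port that is only tagged on the WIFI VLAN accepts nothing from a laptop that does not itself send tagged frames, so an edge port needs the target VLAN as its untagged member instead.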

