VLAN not passing traffic
-
Hello,
I'm having zero success getting a second VLAN to work on my Netgate 3100 (running 2.4.5-RELEASE-p1). I'm hoping more eyes will help see what I'm doing wrong, but I'm pretty sure I've gone through the steps in the documentation and various online tutorials correctly. I'm just trying to assign the VLAN to a port on the Netgate and get the most basic configuration working. This is what I've done so far:
-
Plugged in ethernet to port 2
-
Went to Interface > Assignments > VLANS tab > Clicked the +ADD button
-
Set PARENT INTERFACE to "lan" (aka mvneta1)
-
Set VLAN TAG to 66 and SAVE
-
Went to Interface > Assignments > Clicked the +ADD button next to VLAN 66 subinterface and pressed SAVE
-
Went to Interface > Clicked OPT2 > Checked ENABLE INTERFACE, set description to VLAN66, set IPv4 CONFIGURATION TYPE to STATIC IPv4, set IPv4 ADDRESS to 192.168.66.1/24 > Clicked SAVE and APPLY CHANGES. The UPSTREAM GATEWAY was left at NONE.
-
Went to Services > DHCP Server > VLAN66 > Checked ENABLE DHCP SERVER ON VLAN66 INTERFACE, set the RANGE to 192.168.66.50-192.168.66.250 > Clicked the SAVE button
-
Went to Interface > Switches > VLAN tab (Note: 802.1q is enabled since I'd like to use a trunk port at a future date)
-
Edited VLAN TAG 1 and removed port 2 from the MEMBER(S) list > Clicked SAVE
-
Clicked the +ADD TAG button > Set VLAN TAG to 66, Set MEMBER(S) to 2, and clicked SAVE
I set the firewall rules to allow all on VLAN66 and it looks like the outbound NAT entries auto created correctly.
I can ping 192.168.66.1 from the default VLAN (ie 1).
Client side packet captures show no DHCP responses from the Netgate when the client broadcasts a DHCP Request, but even setting a static client address (192.168.66.5) can't pass traffic.
I can SSH into the Netgate (via 192.168.66.1) from a VLAN 1 address and run a traceroute out to the Internet from the VLAN66 interface (traceroute -i mvneta1.66 8.8.8.8).
I can't ping the static client address (192.168.66.5) from the Netgate and the client address can't ping interface VLAN66's IP address (192.168.66.1).
Packet captures on the Netgate for the interface VLAN66 shows zero packets, even when using promiscuous mode. I tried capturing packets on VLAN66 while SSH'd into 192.168.66.1 from a VLAN 1 address and running traceroutes from the VLAN66 interface, but it's still showing zero packets.
I'm not really sure what I'm doing wrong and any insight would be greatly appreciated!!
Thanks!
-
-
This is the Guide that I followed https://docs.netgate.com/pfsense/en/latest/solutions/sg-3100/switch-overview.html
However I feel like Lawrence of Lawrence systems had a video as well but I might just be remembering the one for the SG-1100 that I also watched the at same time.
I would go to the document and step through it again hopefully that helps otherwise it seems like you went through the right steps. I am thinking that something needs to be removed that didn’t get removed or some thing got removed that shouldn’t be.
-
I set the firewall rules to allow all on VLAN66 and it looks like the outbound NAT entries auto created correctly.
At the very least, this should be a VLAN66/any, but if "allow all" means any/any then you're good from a firewall rule perspective. If not, configure an any/any rule for now.
To me, it sounds like the issue is with the switch port assignments. Typically, you'd trunk your switch to the parent LAN adapter and then configure your access ports for the appropriate VLAN. However, the SG3100 appears to have an integrated switch, so it adds a layer of complexity to your setup.
@imark77 already mentioned it, but I would go through https://docs.netgate.com/pfsense/en/latest/solutions/sg-3100/switch-overview.html
step-by-step to figure out what may have been missed or is different.If I had to guess, things may have gotten murky after step 16. Although, the videos I've watched appear to suggest that in addition to tagging the ports with the appropriate VLAN, you also need to add each port to member 0 (tagged), which is the LAN uplink in the video, but they were using an SG 1100, so the SG 3100 may be slightly different... idk.
Last but not least, obviously any downstream switches will need to have the appropriate VLAN(s) created and tagged on the uplink ports... as well as the access ports configured in the appropriate VLAN(s).
Edit - Whoa... it wasn't until I replied that I noticed the OP was almost 2 months ago and the first reply was posted 6 weeks later... smh... LoL! I'm just curious at this point... was this ever resolved?
-
I set up my 3100 with VLANs and I was planning to have all ports trunk ports. after enabling that nothing worked, I discovered that they need to be enabled and assigned in the switch otherwise you both get locked out ( temp wan admin ) and all ports act dead.
-
@imark77 Have you checked that there is an outbound nat rule for that vlan? I just solved my problem by manually adding it. See the post above