    Tagged traffic on SG-2100 802.1q port

Category: L2/Switching/VLANs
    13 Posts 3 Posters 1.1k Views
smk:

Hi
I just bought a Netgate SG-2100. I've set up 802.1q mode on the integrated switch.

LAN port 2 is connected to an AP that sends tagged (VLAN ID 2) and non-tagged traffic.

I can't figure out why tcpdump on the tagged interface shows nothing. Need help. tcpdump on the non-tagged interface on the same physical port is OK.

The AP is configured to correctly send traffic on VLAN ID 2.

Integrated switch configuration: [two screenshots]

Interface VLAN configurations: [two screenshots]

Interface configs: [screenshot]

Firewall configs: [screenshot]

DHCP configs: [screenshot]

DNS configs: [screenshot]

Am I missing anything?
Derelict (Netgate) @smk:

@smk You have not added VLAN tag 2 to the SG-2100 switch. It needs to be on ports 2 and 5 tagged (2t,5t). With that set, untagged traffic will be on VLAN 4082, Wireless on pfSense, and VLAN tag 2 traffic will be on GuestWifiNetwork.

Chattanooga, Tennessee, USA
A comprehensive network diagram is worth 10,000 words and 15 conference calls.
DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
Do Not Chat For Help! NO_WAN_EGRESS(TM)
smk @Derelict:

Thanks @Derelict

It's gotten better; clients are getting DHCP assignments after making this change: [screenshot]

But clients are still not able to reach out to the internet. Am I missing anything else?
Derelict (Netgate) @smk:

@smk

Firewall rules passing traffic on GuestWifiNetwork?

Outbound NAT for GuestWifiNetwork sources?
smk:

Hi @Derelict

Yes, the firewall rule is permissive: [screenshot]

And Firewall NAT settings are auto: [screenshot]

Is that right?
Derelict (Netgate) @smk:

@smk WAN net is not the internet. any is the internet.
Derelict (Netgate) @smk:

@smk And those are not automatic NAT rules. Those are manual NAT rules. They will reflect the configuration at the time you set manual NAT mode, not anything that has been added since.

10.0.1.0/24 is not listed as a source there so that is missing too.
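The three mistakes Derelict walks smk through above (VLAN 2 absent from the switch, a pass rule with "WAN net" as its destination, and manual outbound NAT with no rule for the new subnet) can all be caught by reading the config.xml backup before rebooting anything. The script below is an added example, not code from the thread or from Netgate: it runs over a constructed, stripped-down config.xml built to contain exactly those three faults. The element paths follow pfSense's config.xml layout as the author of this example knows it; the switch section in particular (switches/switch/vlangroups/vlangroup, with a "2t,5t" style members string as shown in the GUI) is an assumption, so check the paths against your own export. Port numbers 2 (the AP) and 5 (the internal uplink on the SG-2100) are taken from the thread and are parameters.

```python
"""Audit a pfSense config.xml for the three misconfigurations found in this thread:
a VLAN tag missing from the SG-2100 switch, a pass rule whose destination is
"WAN net" instead of "any", and manual outbound NAT with no rule for the new subnet."""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample, not a real backup. Element names follow the pfSense config.xml
# layout as the author of this example knows it; the switch section
# (switches/switch/vlangroups/vlangroup with a "2t,5t" style members list) is an
# assumption, so adjust the paths if your export differs.
SAMPLE_CONFIG = """<pfsense>
  <interfaces>
    <lan><if>mvneta1</if><ipaddr>192.168.1.1</ipaddr><subnet>24</subnet><descr>LAN</descr></lan>
    <opt1><if>mvneta1.2</if><ipaddr>10.0.1.1</ipaddr><subnet>24</subnet><descr>GuestWifiNetwork</descr></opt1>
  </interfaces>
  <vlans><vlan><if>mvneta1</if><tag>2</tag><vlanif>mvneta1.2</vlanif></vlan></vlans>
  <switches><switch><device>/dev/etherswitch0</device><vlanmode>DOT1Q</vlanmode>
    <vlangroups>
      <vlangroup><vgroup>0</vgroup><vlanid>4082</vlanid><members>1,2,3,4,5t</members></vlangroup>
    </vlangroups>
  </switch></switches>
  <filter>
    <rule><type>pass</type><interface>opt1</interface><source><network>opt1</network></source>
      <destination><network>wan</network></destination></rule>
  </filter>
  <nat><outbound><mode>manual</mode>
    <rule><interface>wan</interface><source><network>192.168.1.0/24</network></source><destination><any/></destination></rule>
  </outbound></nat>
</pfsense>"""


def _text(elem, path, default=""):
    node = elem.find(path)
    return (node.text or "").strip() if node is not None else default


def _members(text):
    """Parse a switch member list such as "1,2,3,4,5t" into {port: tagged}."""
    ports = {}
    for tok in text.replace(",", " ").split():
        ports[int(tok.rstrip("t"))] = tok.endswith("t")
    return ports


def audit(xml_text, ap_port=2, uplink_port=5):
    root = ET.fromstring(xml_text)
    findings = []

    # Map each VLAN tag to the pfSense interface (opt1, ...) assigned to it.
    tag_of_vlanif = {_text(v, "vlanif"): int(_text(v, "tag")) for v in root.findall("./vlans/vlan")}
    iface_by_tag = {tag_of_vlanif[_text(i, "if")]: i.tag
                    for i in root.find("interfaces") if _text(i, "if") in tag_of_vlanif}

    # 1. Every tag in use must exist on the switch, tagged on the AP port and on
    #    the internal uplink to the SoC (port 5 on the SG-2100).
    switch_vlans = {int(_text(g, "vlanid")): _members(_text(g, "members"))
                    for g in root.findall("./switches/switch/vlangroups/vlangroup")}
    for tag, name in sorted(iface_by_tag.items()):
        members = switch_vlans.get(tag)
        if members is None:
            findings.append(f"switch: VLAN {tag} ({name}) is not defined; add it with members {ap_port}t,{uplink_port}t")
            continue
        for port in (ap_port, uplink_port):
            if not members.get(port):
                findings.append(f"switch: VLAN {tag} ({name}) must be tagged on port {port}")

    # 2. "WAN net" as a destination only reaches the WAN's own subnet, not the internet.
    for rule in root.findall("./filter/rule"):
        if _text(rule, "type") == "pass" and _text(rule, "destination/network") == "wan":
            findings.append(f"filter: pass rule on {_text(rule, 'interface')} uses 'WAN net' as destination; use 'any' for internet access")

    # 3. In manual outbound NAT mode nothing is generated for you: each local subnet
    #    needs a source rule (hybrid and automatic modes still generate them).
    if _text(root, "./nat/outbound/mode") == "manual":
        rules = root.findall("./nat/outbound/rule")
        nat_sources = {ipaddress.ip_network(_text(r, "source/network"), strict=False)
                       for r in rules if "/" in _text(r, "source/network")}
        if not any(r.find("source/any") is not None for r in rules):
            for iface in root.find("interfaces"):
                addr, bits = _text(iface, "ipaddr"), _text(iface, "subnet")
                if iface.tag == "wan" or not bits or not addr[:1].isdigit():
                    continue
                net = ipaddress.ip_network(f"{addr}/{bits}", strict=False)
                if net not in nat_sources:
                    findings.append(f"nat: manual outbound NAT has no rule for {net} ({_text(iface, 'descr') or iface.tag})")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run it against a real backup with `audit(open("config-backup.xml").read())`. The NAT check deliberately stays quiet in hybrid mode, because pfSense still generates the automatic rules there; it is only the strict manual mode, which freezes the rule set at the moment it was selected, that leaves a later-added interface with no translation.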
smk:

That did it! You are awesome @Derelict. I cannot thank you enough; I spent a lot of time trying to figure this out by myself.

Folks like @Derelict are what makes Netgate an awesome company!
smk @smk:

@Derelict: Everything works with one exception: clients on the AP are not able to talk to one another.

Firewall allows traffic to the internet: [screenshot]

NAT rules are set up: [screenshot]

Am I missing anything that would allow clients on the 10.0.1.0/24 network to talk to one another?
SteveITS @smk:

@smk said in Tagged traffic on SG-2100 802.1q port:

clients on the AP are not able to talk to one another

That would normally not go through the router, but from one device to the other. Some APs have a "guest mode" or similar option to prevent wireless clients from talking to each other (only to the Internet).

Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
Upvote 👍 helpful posts!
smk @SteveITS:

Thank you @teamits

Guest mode was already disabled on the AP: [two screenshots]

Am I missing any configuration that would prevent members from communicating with each other?
Derelict (Netgate) @smk:

@smk I don't know what it looks like or where it is on Ubiquiti. This is what it looks like on Ruckus Unleashed: [screenshot]
smk:

@Derelict & @teamits: you were both right. Sorry, my bad: it was bad Ubiquiti configuration.

If anyone falls into the same trap, the solution is to set "Corporate" + "VLAN", not "VLAN Only" + "VLAN": [screenshot]

Thank you both very much!
                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.