PFSense, VLANs, and an HP Switch
-
Excellent, thank you both for the replies. My main confusion was just that I thought VLAN1 and untagged were synonymous after they entered the switch. Thanks for pointing me in the right direction, and I'll definitely check out those links you posted, cheesyboofs.
Thanks again!
-
VICTORY! OK, after pulling my hair out, I just want to contribute something that I hope will help. I don't know if this will be useful for painless8139 on the way forward, and this might not be the right place to post this, but here goes:
I was having a hell of a time getting my pfsense test box to play nice with a ProCurve 1800-24G with respect to VLANs.
To keep the explanation simple, I won't go into all the VLANs I was trying to provision, but vlan5 (or, vlan tag 5, anyway) was intended as the LAN.
I would start with my LAN on, say, BGE0, and be plugged straight into it from the computer I was on. When I would use the WEB-GUI to create vlan5 (parent bge0) and move the LAN interface over to it, I'd then get kicked off. This is the expected behavior because now I should be accessing the LAN from a port on the ProCurve that has vlan5 as the PVID.
Here was my ProCurve config:
I had ports 1-18 set up as non-"VLAN aware", with PVID 5. So anything I plugged into those ports should automatically be on vlan5.
Port 22 was set up as my uplink port, with VLANs 5, 10, and 15 set up as members. Obviously port 22 was plugged into the pfsense box on physical port bge0.
So, as I said, after moving the LAN interface from bge0 physical to vlan5, I'd get dropped from the Web-configurator. Again, this is what should happen.
The problem was that when I would then plug into, say, port 3 (PVID=5, non-VLAN aware, meaning it will only accept untagged packets and send them through vlan5), I'd get nothing. No DHCP lease, no WEB-GUI.
After restoring default config and rebuilding VLANs on the pfsense box several times (as per what drogo did) to no avail, I finally double-checked my switch config. Everything looked right, except I still had port 22 allowing untagged packets (with a PVID of 5; don't remember doing that) in addition to the tagged packets for vlans 5, 10, and 15. I thought I had disabled untagged packets on this port, but I guess not.
Long story short, I set port 22 to allow tagged packets only, and I removed the PVID altogether, and VOILA, it worked.
The moral of the story (which has been said on this forum before), is to never mix tagged and untagged traffic. There was some other moral but I forgot what it was. ::)
painless8319, VLAN1 and untagged are synonymous in the default switch configuration, because all ports have their PVID set to vlan1 (by default). But what this means for traffic passing through the switch (in its default configuration) is that it's not a member of any vlan. It goes in untagged, and comes out untagged. The "member of vlan1" part is only relevant to the switch itself (for the purpose of accessing the management console), and really only once you start configuring additional vlans.
One thing I'd like to get ktims' opinion on is whether using vlan1 is a no-no because it's vlan1, or because it's usually the default management vlan.
What I've done in order to not have to dedicate a port to switch management is to change the management vlan to vlan5 (my LAN vlan). That way I can manage it normally and still avoid using vlan1 for anything.
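As an added example (not code from the thread or from pfSense/HP), here is a small audit script that models the port settings described above and flags the mistake the poster found: an uplink port that still accepts untagged frames with a PVID alongside its tagged VLAN membership, plus any use of VLAN 1. The Port fields, the rule set and the sample configs are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Port:
    """Constructed model of one switch port; field names are assumptions."""
    number: int
    vlan_aware: bool                # False = access port (untagged frames only)
    pvid: Optional[int] = None      # VLAN assigned to untagged ingress frames
    tagged: set = field(default_factory=set)  # VLAN IDs sent/accepted tagged
    untagged_allowed: bool = True   # whether untagged ingress frames are accepted

def audit_port(p: Port) -> list:
    """Return findings for one port (empty list means the port follows the rules)."""
    findings = []
    tag = f"port {p.number}"
    if p.vlan_aware:
        # Uplink/trunk: tagged only, no PVID, no untagged frames mixed in
        if p.untagged_allowed:
            findings.append(f"{tag}: trunk still accepts untagged frames")
        if p.pvid is not None:
            how = "also tagged" if p.pvid in p.tagged else "untagged only"
            findings.append(f"{tag}: trunk has PVID {p.pvid} ({how}); remove the PVID")
    else:
        # Access port: needs a PVID and must not carry any tagged VLAN
        if p.pvid is None:
            findings.append(f"{tag}: access port has no PVID")
        if p.tagged:
            findings.append(f"{tag}: access port carries tagged VLANs {sorted(p.tagged)}")
    if p.pvid == 1 or 1 in p.tagged:
        findings.append(f"{tag}: uses VLAN 1, the default/management VLAN")
    return findings

def audit_switch(ports) -> list:
    """Audit every port and return all findings in port order."""
    return [f for p in sorted(ports, key=lambda x: x.number) for f in audit_port(p)]

# Constructed sample: ports 1-18 as access ports on PVID 5, and the uplink
# (port 22) first as the poster originally had it, then as fixed.
ACCESS = [Port(n, vlan_aware=False, pvid=5) for n in range(1, 19)]
BROKEN = ACCESS + [Port(22, True, pvid=5, tagged={5, 10, 15}, untagged_allowed=True)]
FIXED = ACCESS + [Port(22, True, pvid=None, tagged={5, 10, 15}, untagged_allowed=False)]

if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, audit_switch(cfg) or ["clean"])
```

Running it reports two findings for the broken uplink (untagged frames accepted, and a PVID that is also carried tagged) and none for the fixed one.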
-
Mostly because VLAN 1 is treated differently by a lot of switches. I've seen some that won't tag VLAN 1 traffic no matter what you set in the GUI, and some other strange & incorrect behaviour. It's easier to just avoid using it altogether. Also because it's the default VLAN, it's pretty easy to inadvertently end up with untagged traffic all over the place that you weren't expecting, or ports that can get on networks they shouldn't, ARP broadcasts crossing VLAN boundaries etc.