Planet switch - tag LAN as vlan 1
-
I know this has been asked a few times before but I am a bit lost here.
I have a Planet SGSW-24040HP managed switch that I would like to enable VLANs on.
In my pfsense box I have LAN configured (re1) and then a couple more vlans (ids 3,4,5). Prior to using the Planet switch I only had vlans tagged using a Ubiquiti access point based on different SSIDs and that worked fine.
In the Planet switch I have configured the other vlans and had vlan 1 shared between them all, treating it as the trunk. This does not work and my network keeps dropping.
There is something in the user manual that reads a bit strange:
PVID: Allow assign PVID for selected port. The range for the PVID is 1-4094. The PVID will be inserted into all untagged frames entering the ingress port. The PVID must as same as the VLAN ID that the port belong to VLAN group, or the untagged traffic will be dropped.
So maybe I am reading this wrong but it seems that the switch would like the traffic coming on the port from the pfsense to be tagged otherwise if it is not tagged it will be dropped?
-
@slepax said in Planet switch - tag LAN as vlan 1:
I have a Planet SGSW-24040HP managed switch that I would like to enable VLANs on.
Hi,
The Planet stuffs, strange animals...
I struggled with this Planet IGS-12040MT, and it helped bring me closer to understanding:
https://faq.draytek.com.au/2019/07/18/configuring-802-1q-vlans-on-vigor3200-and-planet-smart-switch/
-
@slepax the pvid sets what vlan untagged traffic is on..
All traffic that hits the interface that is not tagged will be placed into the pvid..
Vlan 1 is almost never tagged.. And is always untagged. If your lan is untagged and you want it to be in vlan 1 then the pvid on the port connected to pfsense lan would be 1.
But that could also be vlan 100 for example... The pvid on that port would then be set to 100.. As the untagged traffic leaves pfsense and hits your switch port the switch would put it in vlan 100.
The rest of that sentence just means that the vlan you're going to set the pvid to also has to be set on that port... You couldn't for example only allow vlans 3, 4 and 5 and then set 1 or 100 as the pvid.. You would have to allow for say 1,3,4,5 and 100.. Then your pvid could be any of those.
Keep in mind that you can not have more than 1 untagged vlan on any port in a vlan switch. There can be only 1 untagged vlan.
-
@DaddyGo I came across that guide before but have found it confusing as it seems to specifically define VLAN1 (I am trying to avoid doing that) and also allow only tagged traffic on port 1
@johnpoz this is what I have but it is not working. I will explain this a bit more:
pfsense config:
LAN, no vtag, 10.1.1.0/24, dhcp range 10.1.1.100-200
VLAN3, vtag 3, 10.1.3.0/24, dhcp range 10.1.3.100-200
Ignore the other vlans for now.
The pfsense is connected to port 1 on the switch with pvid 1.
A desktop is connected to port 23 on the switch with pvid 3.
In the VLAN membership I have the following:
- vlan1: port1
- vlan3: port1, port23
When I enable the network interface on the desktop it can't get an IP assignment.
If I change the VLAN membership so port 23 is also in vlan1 then the desktop gets an IP assignment but from the LAN range (10.1.100-200).
I am not sure if the issue is in the switch configuration or the pfsense? although the pfsense is working well with the access point..
-
@slepax said in Planet switch - tag LAN as vlan 1:
seems to specifically define VLAN1 (I am trying to avoid doing that) and also allow only tagged traffic on port 1
Ok,
In my reading, on most (MGMT type) switches VLAN1 is "native" and untagged
You must create a TRUNK port on switch port1 to handle both VLAN1 / VLAN3
1U - 3T - the rest can be "excluded"
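
The PVID and tagged/untagged membership rules described in the replies above, as a small model (an added example, not part of any post in this thread and not Planet or pfSense code). Port numbers and VLAN IDs follow the thread; the `Port` class, the function names and port 2 are hypothetical.

```python
# Minimal model of 802.1Q port handling: PVID on ingress, tagged/untagged
# membership on egress. Class and function names are hypothetical.
from dataclasses import dataclass, field

@dataclass
class Port:
    pvid: int
    untagged: set = field(default_factory=set)  # VLANs sent without a tag
    tagged: set = field(default_factory=set)    # VLANs sent with a tag

    @property
    def members(self):
        return self.untagged | self.tagged

def validate(ports):
    """Return config errors: PVID outside membership, >1 untagged VLAN."""
    errors = []
    for n, p in sorted(ports.items()):
        if p.pvid not in p.members:
            errors.append(f"port {n}: PVID {p.pvid} not in membership")
        if len(p.untagged) > 1:
            errors.append(f"port {n}: more than one untagged VLAN")
    return errors

def forward(ports, in_port, tag=None):
    """Map each egress port to the tag a frame leaves with (None = untagged)."""
    src = ports[in_port]
    vlan = src.pvid if tag is None else tag   # untagged ingress takes the PVID
    if vlan not in src.members:               # ingress port not in that VLAN: drop
        return {}
    return {n: (vlan if vlan in p.tagged else None)
            for n, p in ports.items()
            if n != in_port and vlan in p.members}

# Constructed config: port 1 = pfSense (LAN untagged, VLAN 3 tagged, "1U - 3T"),
# port 23 = desktop in VLAN 3, port 2 = a LAN-only access port.
TRUNK = {1: Port(pvid=1, untagged={1}, tagged={3}),
         2: Port(pvid=1, untagged={1}),
         23: Port(pvid=3, untagged={3})}

# Port 23 made an untagged member of VLAN 1 as well: breaks the
# one-untagged-VLAN-per-port rule and lets LAN frames out of port 23.
BAD = {**TRUNK, 23: Port(pvid=3, untagged={1, 3})}

if __name__ == "__main__":
    print(validate(TRUNK), validate(BAD))
    print(forward(TRUNK, 23))          # desktop DHCP request -> {1: 3}
    print(forward(TRUNK, 1))           # pfSense LAN frame    -> {2: None}
    print(forward(TRUNK, 1, tag=3))    # pfSense VLAN 3 reply -> {23: None}
```
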
-
Ok, got this to work.
I think my first mistake was that I had the vlan table configured as Port-Based. I noticed in pfsense that it expects 802.1Q so changed the configuration table to 802.1Q. I also had to change the pfsense port to "MAN Port" and 802.1Q Tag. I did the same for the Access Point port.
In the VLAN Memberships page I've assigned port 1 (pfsense) to all VLANs (this is basically creating the trunk I assume). I did the same for the AP port, which means that I have two trunks?
Not sure if this is excessive but now that things are working I'll start scaling back the configuration to get the minimum needed.
Thank you both for your help!
-
@slepax said in Planet switch - tag LAN as vlan 1:
(this is basically creating the trunk I assume
Exactly
only the Planet puts it differently (wording, philosophy, etc.)
yes, if you want to manage multiple VLANs on the AP and the AP is VLAN capable, push the TRUNK port towards it
-
All my ports have to work with all the VLANs, because I use the VLAN with VOIP and the phone (configured with VLAN 792) can be anywhere; the out port of the phone can also be connected to a PC.
After those settings:
- GE1 and GE2 trunk
  Accepted Frame Type ALL
  ingress filtering Enable
  uplink disable
  TPID 0x8100
- Other ports "Hybrid"
  Accepted Frame Type ALL
  ingress filtering Disable
  uplink disable
  TPID 0x8100
Port to VLAN
- 1 all Untagged (all PVID checked)
- 792 all Tagged
Everything started to work after this setting on DoS Global Setting:
UDP Blat --> Disable
This was insane, I think it has to do with VOIP provisioning/authentication.
Ciao