Interface range setup
-
@johnpoz said in Interface range setup:
@jt40 said in Interface range setup:
loaded the previous config
Why.. Dude just reset the thing to factory.. Now it should come up as dumb switch everything in vlan 1, the default vlan. Plug it into your 1 network on pfsense.. Everything working all on the same LAN network.
Now set the management IP on the switch to be in your LAN network..
Get everything working this way.. Then an only then move towards adding a vlan..
Create the vlan on pfsense, assign this vlan to your lan interface on pfsense. Set this vlan up IP, dhcp, etc. firewall rules on the interface. I would start with any any until you got things working - you can then restrict your rules.
Now on your switch create your vlan with the ID you set in pfsense. Set the port that connects lan of pfsense to switch with your vlan TAGGED (often called trunk mode). So default vlan will be untagged and your new vlan will be tagged).. Now on the switch set a port to be in this vlan, untagged (normally called access mode).
I'm at this point now, but there is a problem, the switch requires 2 or more ports for truncate port, what you are asking is to truncate only the UPLINK port because it needs to have multiple VLANs, TAGGED and UNTAGGED.
The switch forces me to setup 2 minimum and max 8, but the switch has 16 ports... Not a big problem now, maybe later.I've just setup UPLINK port and another random not in use to be truncate ports, I lost access to the switch and the network didn't work anymore...
Going to restore and I'm again at the same point.
Can you clarify better the following steps?
- Create a VLAN in PfSense with VLAN ID 1
- Create the same on the switch, UNTAGGED (it's already there with VLAN ID 1)
What would you do now?
The previous experiment didn't go well :)
I tried again, I only truncated 2 ports and I didn't lose access to the switch, good, it must have been the VLAN setup previously...
From what I understood, it remains only to include one TAGGED VLAN (as a test) to the UPLINK port in the switch, that should give me the updated IP address, because it will match with the VLAN IP range configured in PfSense.
That may require to put down and up the VLAN, as I've seen for the physical interfaces to get a new IP, the restart of DHCP didn't help, it helped only to clear the leases.
Well, it wasn't positive anyway :D. I lost access to the switch in doing so, plus I don't receive any IP address, from the tagged or not tagged ports...
I can't access anymore the switch.
Going for a reset again :D.
The issue for now sits on what I do on the switch.
Now connect a device, laptop, pc to this vlan port you setup on your switch - you should get dhcp from pfsense that you setup when you setup this vlan, etc.
Baby steps!! Get that working.. Now you know how to create vlans, and how to get them working on your switch. Now you can move on to your AP and setting up SSIDs on different vlans, etc.
-
@jt40 said in Interface range setup:
In fact the VLAN 1 is used by the switch by default, UNTAGGED on each port
Duh!!
I think that it means the following, it has to have a VLAN ID but the VLAN ID has nothing to do with UNTAGGED or TAGGED, that's the way VLANs can't or can stay on the
I have no idea what that is supposed to mean. Yes it has a vlan ID 1, this is native to the switch it uses for its internal isolation of vlans. Vlan 1 is almost NEVER tagged ever..
You can not run more than one vlan UNTAGGED on a port - you can't there is no way to identify which what traffic is what.
If you had a working network - why have you not stated this, and why are you reloading configs on your switch to break shit?
So you currently have a working network (default no nothing setup on the switch) Plugged into what on your pfsense. What network did you setup.. All your devices plug into any port on the switch and get an IP from your dhcp server on pfsense LAN? What IP did you configure for your switch? So you can manage it via gui or ssh, etc.
If that is the case, as I already stated.. Move to creating a vlan - create the vlan on pfsense.. Assign it to your interface that is connected to your switch. Setup its IP, setup its dhcp server, etc. Setup the firewall rules on its interface.
Now on your switch setup this vlan with the ID you used in pfsense.. Lets say it was 10, and your network is 192.168.10.0/24 and your lan network is 192.168.1.0/24
So you create a vlan 10 on your switch. You then tag vlan 10 on the port connected to pfsense. It will also carry your lan traffic (which is untagged and vlan 1 for the switch but pfsense doesn't need to know this ID because it untagged traffic).
Now create a port on your switch and assign just vlan 10 to this port, untagged, pvid would be 10 as well. Normally the switch will auto do that for you.
Plug in a pc/laptop to this port.. Does it get an IP from pfsense dhcp server in this 192.168.10 network? There you go - you have now your first vlan up and running.
Vlan 10 traffic leaving pfsense port will be tagged, since it a vlan in pfsense. The switch will see this tag and say oh that is vlan 10.. I can only send it to ports that are in vlan 10.. Oh its for mac xyz.. That is on port X on my switch, yup its in vlan 10 -- switch will send that traffic out that port untagged. Your device will see this traffic - not knowing or caring what vlan it is - to this device its just the network its on.
Now when your device sends traffic it will enter the switch, hey traffic coming into this port is vlan 10 traffic.. I can only send it out other ports that are vlan 10.. Oh that is going the mac on the port connected to pfsense.. oh vlan 10 is tagged here - and it will send it out the port connected to pfsense tagged with 10.. Pfsense will see this and say hey that is for my vlan 10 vlan interface.. And processes it..
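As an added illustration (not code from the thread, from pfSense or from the switch vendor), here is a small Python model of the 802.1Q forwarding johnpoz walks through above; it also shows why tagging the laptop's port breaks DHCP and why a port cannot carry two untagged VLANs. Port numbers, MAC addresses and VLAN IDs are constructed to match the thread's example (uplink on port 15, VLAN 10 for the new network).

```python
# Toy 802.1Q forwarding model of the setup discussed in this thread (constructed
# example). Port 15 is the uplink to pfSense carrying VLAN 1 untagged and VLAN 10
# tagged; port 2 is the laptop port; port 3 is a default VLAN 1 access port.
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Port:
    pvid: int                                        # VLAN given to untagged ingress frames
    untagged: Set[int] = field(default_factory=set)  # VLANs this port sends out without a tag
    tagged: Set[int] = field(default_factory=set)    # VLANs this port sends out with a tag

    def __post_init__(self):
        # Untagged ingress frames carry no VLAN ID, so a port can only map them
        # to one VLAN (its PVID); two untagged VLANs on one port are ambiguous.
        if len(self.untagged) > 1:
            raise ValueError("a port can carry at most one untagged VLAN")

    def members(self) -> Set[int]:
        return self.untagged | self.tagged


@dataclass
class Frame:
    src_mac: str
    dst_mac: str
    vlan: Optional[int] = None   # None means no 802.1Q tag on the wire


class Switch:
    def __init__(self, ports: Dict[int, Port]):
        self.ports = ports
        self.fdb: Dict[tuple, int] = {}   # (vlan, mac) -> port, learned on ingress

    def forward(self, in_port: int, frame: Frame) -> Dict[int, Optional[int]]:
        """Return {egress_port: tag_or_None}; an empty dict means the frame is dropped."""
        port = self.ports[in_port]
        vid = port.pvid if frame.vlan is None else frame.vlan
        if frame.vlan is not None and vid not in port.members():
            return {}                       # tagged for a VLAN this port does not carry
        self.fdb[(vid, frame.src_mac)] = in_port
        known = self.fdb.get((vid, frame.dst_mac))
        targets = [known] if known is not None else [
            n for n, p in self.ports.items() if n != in_port and vid in p.members()]
        # Each egress port decides per VLAN whether the tag stays on or is stripped.
        return {n: (vid if vid in self.ports[n].tagged else None) for n in targets}


def build_switch(laptop_port_tagged: bool) -> Switch:
    """Port 2 carries VLAN 10 untagged (correct access port) or tagged (what the UI forced)."""
    laptop = Port(pvid=10, tagged={10}) if laptop_port_tagged else Port(pvid=10, untagged={10})
    return Switch({15: Port(pvid=1, untagged={1}, tagged={10}),
                   2: laptop,
                   3: Port(pvid=1, untagged={1})})


def dhcp_roundtrip(laptop_port_tagged: bool):
    """Laptop on port 2 broadcasts a DHCP discover; pfSense answers on its VLAN 10 interface.
    Returns (ports the discover reaches, tag used towards pfSense, laptop got the offer)."""
    sw = build_switch(laptop_port_tagged)
    laptop, pfsense = "aa:aa:aa:aa:aa:02", "aa:aa:aa:aa:aa:15"
    discover = sw.forward(2, Frame(laptop, BROADCAST))        # untagged, as a plain PC sends it
    offer = sw.forward(15, Frame(pfsense, laptop, vlan=10))   # pfSense tags its VLAN 10 traffic
    # A plain laptop has no VLAN-aware driver and silently drops tagged frames.
    got_offer = 2 in offer and offer[2] is None
    return sorted(discover), discover.get(15), got_offer


if __name__ == "__main__":
    print(dhcp_roundtrip(False))   # access port untagged: the offer arrives untagged, DHCP works
    print(dhcp_roundtrip(True))    # port tagged: the offer comes back tagged and the laptop drops it
```

In both runs the discover reaches pfSense tagged 10 on port 15; only the untagged access port lets the reply back to the laptop, which is the failure the later posts describe.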
-
@johnpoz I'll follow again the steps above.
In the moment you replied, I wrote a comment above, you may find an eventual mistake there, it's definitely pointing on what I did on the switch.
Looking at the last message instead, I'd say that I should not create a VLAN with ID 1 on PfSense...
-
@jt40 said in Interface range setup:
I'd say that I should not create a VLAN with ID 1 on PfSense...
No you wouldn't do that - again vlan 1 is almost never tagged ever.. Some switches won't even let you set that.. I am even surprised that pfsense will let you create a vlan with ID 1.. Most likely for some odd use case..
edit:
I knew there were some great words of wisdom from admin and just overall guru for all things pfsense and network in general: https://forum.netgate.com/post/736714
Just run away from tagging vlan id 1. Run away.
There is more in the post, that was way back in 2017.
edit2: as stated in that post, its not actually forbidden. But never in 30 some years have the business have I ever seen it actually done.. And I know there has been threads where users tried to do it - but their switch wouldn't even let them.. Is the more sane stance on that ;)
-
This is what I just did:
- Create a VLAN ID 20 on the switch (all is done on PfSense).
It has to be TAGGED, even if I'll have one device after it, I have no other choice from the interface.
Previously we discussed the no need to have a TAGGED interface if there will be only one device after it, plus it won't work, but that's what I get on this switch UI :)
- I followed this guide: https://eu.dlink.com/uk/en/support/faq/switches/layer-2-gigabit/dgs-series/uk_dgs_1210_configure_link_aggregation_lacp
It says that I can't add ports with different VLAN configurations to an aggregated link...
I have only:
- VLAN ID 20 TAGGED on port 2
- UPLINK on port 15, no TAGS.
- All the other ports are on VLAN with ID 1 UNTAGGED, by default...
Does not go in contract with that guide? Moreover, if not in this way, how do I properly set port truncate in general?
I think this is the step that it causes my outage every time :D
If I try to do the opposite (setting link aggregation prior the VLAN creation in the switch), during the VLAN creation it says Members in a VLAN have to be in the same trunk.
Anyway, thanks a lot for the help so far, well beyond a simple help, not even for PfSense :)
- Create a VLAN ID 20 on the switch (all is done on PfSense).
-
@jt40 said in Interface range setup:
VLAN ID 20 TAGGED on port 2
UPLINK on port 15, no TAGS.
I have no idea what your doing... What is port 15? Is that the port connected to pfsense lan.. What is port 2, and why are you tagging it
I have no experience with that specific switch... I have not read its manual, I have no idea what other settings you have made on it..
setting link aggregation
What are you doing with link aggregation?
Lets see these pages from your switch.
-
@johnpoz said in Interface range setup:
@jt40 said in Interface range setup:
VLAN ID 20 TAGGED on port 2
UPLINK on port 15, no TAGS.
I have no idea what your doing... What is port 15? Is that the port connected to pfsense lan.. What is port 2, and why are you tagging it
Port 15 is the uplink port.
Port 2 is where I connected the laptop for testing.
I can't create a VLAN untagged on that port, the UI doesn't allow me... It allows me only NOT MEMBER or UNTAGGED.
Same for the other ports... It may be because by default, all the ports are UNTAGGED with VLAN ID 1...
I have no experience with that specific switch... I have not read its manual, I have no idea what other settings you have made on it..
setting link aggregation
What are you doing with link aggregation?
It's one way to set up port truncate, there is LINK AGGREGATION and STATIC, both provide the same message.
I just linked you a short guide, the UI is simple: https://eu.dlink.com/uk/en/support/faq/switches/layer-2-gigabit/dgs-series/uk_dgs_1210_configure_link_aggregation_lacp
There is no other page where I can set up port truncate, without it, the VLANs will never work.
Then, there is another page where I can create the VLANs, that's even simpler.
You just posted the screenshots, yes, they are the same as in my switch, same config.
-
@jt40 said in Interface range setup:
Port 2 is where I connected the laptop for testing.
Then why and the hell would you tag it?? How many times do I have to state you do NOT tag traffic if there is one device connected to the port.
port truncate
Where did you get the idea that you need that?? I searched in the manual, this term isn't even in the manual
dgs_1210_configure_link_aggregation_lacp
Why are you trying to setup LACP??? JFC!!! dude baby freaking steps!!
they are the same as in my switch, same config.
How and the F is that - thought you said you created vlan 20, that image only shows vlan 1.. Sorry but really at the that point that your just trolling.. Just at a loss to how someone could be this dense, and just fail to follow the most basic instructions..
I want nothing more to help you, and get to the point where you can set it up how you want it.. .But if you can not even get a basic vlan working.. Just at a loss to how you think your going to get to more advanced functions.
-
@johnpoz said in Interface range setup:
@jt40 said in Interface range setup:
Port 2 is where I connected the laptop for testing.
Then why and the hell would you tag it?? How many times do I have to state you do NOT tag traffic if there is one device connected to the port.
The UI doesn't allow me... I can only tag it, I don't know how to come out from that, I need to ask on their forum.
I understood the point :D
port truncate
Where did you get the idea that you need that?? I searched in the manual, this term isn't even the manual
Port trunk is necessary, or it doesn't allow the traffic on the UPLINK port...
I think this is the best explanation of what it does (at page 44 onwards), but I need to review the entire chapter, the manual is for another slightly different series, but the menu is exactly the same: https://www.use-ip.co.uk/datasheets/d-linkDGS-1210-52P_User_Manual.pdf
dgs_1210_configure_link_aggregation_lacp
Why are you trying to setup LACP??? JFC!!! dude baby freaking steps!!
they are the same as in my switch, same config.
How and the F is that - thought you said you created vlan 20, that image only shows vlan 1.. Sorry but really at the that point that your just trolling.. Just at a loss to how someone could be this dense, and just fail to follow the most basic instructions..
I meant that that's the correct UI, and by default the VLAN ID 1 is UNTAGGED on each port.
Then, by myself, I've created a TAGGED VLAN with ID 20 on port 5 (example), I keep reminding you that I can't select UNTAGGED :D ... I will need to check this with their support...
I want nothing more to help you, and get to the point where you can set it up how you want it.. .But if you can not even get a basic vlan working.. Just at a loss to how you think your going to get to more advanced functions.
The network was working without the default VLAN, I could check it simply with the IP range assigned to my devices.
Btw I'll remove the VLAN with ID 1 on PfSense.
I'll review your messages but I think I followed every step...
-
@jt40 said in Interface range setup:
I'll review your messages but I think I followed every step...
Please post screen shots of your settings. Relying on your interpretation of what is set up, limited by what you know, is making fixing your system much harder than it needs to be. In essence knowing what you don't know is the hardest problem to solve.
Btw I am not intending to discredit your ability, but simply observe if this was something in your core skill set, then there would be no need to post questions on a forum. I would also like to optimize the chance you get your system working.
So specifically please post all of these screen shots
- Switch showing VLAN setting pages
- pfsense -> Interfaces -> Interface assignments
- pfsense -> Interfaces -> VLANs
- Pfsense -> Firewall -> Rules -> Floating, WAN, all LAN, all VLAN
-
@jt40 said in Interface range setup:
I meant that that's the correct UI, and by default the VLAN ID 1 is UNTAGGED on each port.
Then, by myself, I've created a TAGGED VLAN with ID 20 on port 5 (example), I keep reminding you that I can't select UNTAGGED :D ... I will need to check this with their support...
Goto the switch web menu, in 802.1Q vlan
Select Vlan 1, and set all ports not needing Vlan1 as untagged to:
NOT Member
Voila .. No more default Vlan1 untagged on those ports.
-
@patch said in Interface range setup:
Relying on your interpretation of what is set up, limited by what you know, is making fixing your system much harder than it needs to be. In essence, knowing what you don't know is the hardest problem to solve.
@JT40 -
Take a deep breath and read what knowledgeable members are suggesting and/or recommending. Pick up a book or an online resource on basic networking and get familiar with the terminology, concepts, etc. You seem to be lost in a maze of pre-conceived ideas of how networking - you think - should work, only to make it more difficult to fix your problem. As a non-expert myself, I can't help but notice how you're blindly running circles around every bit of advice you have been given in your threads.
Post screenshots as @Patch is asking!
-
Thanks everyone.
I was able to setup all, including the AP, just before the end of the year
I think that the main problem here was the different terminology of these devices, plus some lack of knowledge :D
In the end, to resolve, it, I understood the following things:
-
I really need DHCP on the switch, that's the first step prior thinking to go ahead with any other step
-
Defined the VLANs taking care of the following principles:
- Remove the VLAN 1 UNTAGGED almost everywhere, leave at least 2 ports with VLAN 1 UNTAGGED, it will be necessary for the initial maintenance
- If I have only one device on that port, the VLAN has to be untagged
- The AP started to work when I also set the VLAN 1 UNTAGGED on the respective port, if you only add the TAGGED VLANs, the traffic won't pass, so it seems that whenever there is a devices after the switch that is able to aggregate multiple devices, it needs to have VLAN 1 UNTAGGED as minimum, then the rest of the TAGGED VLANs.
I assume that the UNTAGGED VLAN ID on my Unifi 6 lite is also "1", I need to double check for curiosity, it doesn't appear on the menu.
- Make sure to TAG all the VLANs on the UPLINK port, that may be obvious but I just note it here, plus you need to have the UNTAGGED VLAN 1 there as well.
-
I still have the VLAN 1 defined in PfSense and assigned to the DOWNLINK port for the switch, I'm not sure if it's necessary, I'll test the removal later, ops, I mean next year :D .
-
The Private VLANs have been automatically created by my switch, but the traffic is allowed anyway, most probably for the basic firewall rules that I have now (LOCAL_NETWORK to ANY), which makes sense, I just have to prove it, again, next year :D
-
In the AP I defined the VLANs with DHCP, as well as the internal default network + the way the AP gets its IP, without it, everyone would have an hard time to set it up or restore the config, same principle of DHCP on a switch...
-
It's important to notice that the AP needed to be disconnected after I've set up the VLANs, so whatever you change to the network there, it needs a reboot, that is unplug/plug the power cable :D
Plus this will be necessary also for your interface management of the Unifi 6 lite, it may not pair after these changes unless you reboot, just give it some time to apply the change, once it blinks with the blue light it means that is waiting for pairing, at that point you can reboot.
(It seems more an issue with the interface management software rather than the AP itself, but here the solution is)
- I'll consider a wise advice given to me by someone here to reserve the IP addresses once the devices joined the network.
Regarding firewall questions, I'll open another thread, if I didn't already.
I hope that this message may help someone in the future.
I wish you all a nice end of the year!!! Your help guys has been critical!!!!!!!!
(BACKUP ALL!)
-
-
@jt40 said in Interface range setup:
I really need DHCP on the switch, that's the first step prior thinking to go ahead with any other step
NO! Unless you're talking about the switch's IP because you don't know how to set one.
whenever there is a devices after the switch that is able to aggregate multiple devices, it needs to have VLAN 1 UNTAGGED as minimum, then the rest of the TAGGED VLANs.
Nope Again - vlan 1 only needs to be include if something downstream is going to be on that vlan. Be it say the a switch or AP that management IP is in your default vlan which is untagged. But that does not actually mean it would be vlan 1, it might be a different vlan there is no "requirement" that untagged vlan be it 1 or some other be included.
I still have the VLAN 1 defined in PfSense and assigned to the DOWNLINK port for the switch
Again NO!
The Private VLANs have been automatically created by my switch, but the traffic is allowed anyway
NO.. There is no freaking switch on the planet that would "auto create" private vlans out of the box. Traffic allowed between devices on the same network wouldn't be blocked unless you had actually setup private vlans - which would require you to define which ports can talk to each other. Devices between vlans talking to each other would be controlled by pfsense firewall rules on those interfaces.
in the AP I defined the VLANs with DHCP
No idea what your talking about makes no sense.
It's important to notice that the AP needed to be disconnected after I've set up the VLANs, so whatever you change to the network there, it needs a reboot, that is unplug/plug the power cable
More nonsense
-
@johnpoz said in Interface range setup:
@jt40 said in Interface range setup:
I really need DHCP on the switch, that's the first step prior thinking to go ahead with any other step
NO! Unless you're talking about the switch's IP because you don't know how to set one.
Yes, I mean the switch IP.
I'm using DHCP from PfSense, not from the switch.
It's much easier for backup restore plus some other situation that I can't remember right now.
whenever there is a devices after the switch that is able to aggregate multiple devices, it needs to have VLAN 1 UNTAGGED as minimum, then the rest of the TAGGED VLANs.
Nope Again
That's how my AP works then, I tested it multiple times.
I still have the VLAN 1 defined in PfSense and assigned to the DOWNLINK port for the switch
Again NO!
In this case I need to test if this is necessary or not, in any case the setup is working for now, I just take it for good but I still didn't verify if it's correct.
Without VLAN with ID 1, I think it's gonna refuse whatever traffic comes with that ID, which in my case it doesn't make much sense, but in some other yes.
In my case I only have devices under UNTAGGED/TAGGED VLANs with ID != 1
The Private VLANs have been automatically created by my switch, but the traffic is allowed anyway
NO.. There is no freaking switch on the planet that would "auto create" private vlans out of the box.
The VLAN IDs appear in the VLAN Private ID page, I can test it when I'll have the correct firewall rules, but not today :D
in the AP I defined the VLANs with DHCP
No idea what your talking about makes no sense.
This means that the VLANs in the AP don't have a static IP, but it takes the IP range defined in PfSense, even though there is a switch in the middle, which makes sense, I only have one DHCP server that runs on PfSense.
It's important to notice that the AP needed to be disconnected after I've set up the VLANs, so whatever you change to the network there, it needs a reboot, that is unplug/plug the power cable
More nonsense
That's what I've seen :)
-
@johnpoz said in Interface range setup:
@jt40 said in Interface range setup:
I still have the VLAN 1 defined in PfSense and assigned to the DOWNLINK port for the switch
Again NO!
I think this is useful if you need to administer the AP management interface from one of those VLANs, specifically when the routing is entirely managed by PfSense (which is my case).
I agree that is not necessary in general.
-
@jt40 said in Interface range setup:
This means that the VLANs in the AP don't have a static IP,
Vlans don't have IPs assigned to them on devices - if your thinking about a an IP for a SVI (switch virtual interface), where a switch would be doing routing, or have an IP on that vlan you could use to connect to the switch to manage. An AP would never have this in all of its vlans, it would only ever have an IP to manage it. What vlan that is in, be it untagged or tagged would depend on the AP. But an AP wouldn't have an IP in each vlan that it might provide via SSIDs, etc.
I think this is useful if you need to administer the AP management interface from one of those VLANs
Mr isolated admin interface on pfsense, and private vlans where nothing can talk and you think its a good idea to put IPs your AP to be managed via a wireless network?
You only need 1 management IP.. You would route this through your router if you wanted to manage it from another vlan. And normally filter this traffic so you can only manage it via your management vlan and only from your admin machine(s) IPs.. And no you wouldn't normally allow management of AP from any wireless network.
-
@JT40 is there a reason you are unwilling to post the following information?
@patch said in Interface range setup:
So specifically please post all of these screen shots
Switch showing VLAN setting pages
pfsense -> Interfaces -> Interface assignments
pfsense -> Interfaces -> VLANs
Pfsense -> Firewall -> Rules -> Floating, WAN, all LAN, all VLAN
Perhaps if we better understood that we could better help you.