TP-LINK TL-SG108E VLAN configuration issue

Mitch Rapp

I need some help configuring an IoT VLAN network for Iot devices using Deco AX66000 (X90) mesh routers, a TL-SG108E switch, and a VLAN interface (igb2) on my Protectli Vault pfsense router.
I know the Deco's will have to be put in AP mode, but how do I configure the VLANs on the switch?

Home Network VLAN.png

mcury

@mitch-rapp What is the firmware of that tp-link switch?
TL-AX6600 will be managed through VLAN1? (As far as I'm aware, you can't change the MGMT VLAN in that switch). Same thing applies to TL-SG108E.

So, taking in consideration my comment above, you would have to use VLAN1 for management purposes.

So, the port that connects pfsense to tl-sg108e would have to:
VLAN1 untagged
VLANs carried by that trunk port tagged

The port that connects TL-SG108E to TL-AX6600 would have to:
VLAN1 untagged
VLANs carried by that trunk port tagged

Regarding PVID ports in TL-SG108E, ports connected to pfsense and to TL-AX6600 should have PVID set to 1.

Mitch Rapp

@mcury
The firmware for my TL-SG108E is TL-SG108E(UN)_V6_20201208.

I wanted the entire Deco network via VLAN, And yes, I can configure the SG108E for VLAN.

I've created, for management purposes, a VLAN interface igb2 on pfsense = VLAN28 (set as parent) (10.28.28.1).

First, before we discuss TAGS, I have an issue. Can we start here?
My PC is on LAN network (10.27.27.1) as a client. Currently I have the SG108E plugged into OPT 1 (VLAN28 "igb2") (10.28.28.1)
So, I can't "see" the switch in order to begin trying to configure the tags to figure this out.

JKnott

@mitch-rapp

Be careful with TP-Link. Some models have problems with VLANs.

Mitch Rapp

@mcury Ok, I've plugged my PC into the SG108E switch (port 2) and can see the configuration application.

For purposes of configuring the switch:
I have set 802.1Q VLAN to
VALAN (1-4094) = 28
VLAN NAME = VLAN28
VLAN28 Port 1 = untagged ( Pfsense to SG108E connection) (ALL ports set to PVID 1 on switch by default)

VLAN28 Port 2 = tagged/untagged? (PVID ?) (PC for Configuring)

There is no internet access so I've got something set wrong in the switch, or I should have set the parent interface on pfsense to WAN (igb1) instead of OPT 1(VLAN 28) ?

mcury

@mitch-rapp said in TP-LINK TL-SG108E VLAN configuration issue:

VLAN28 Port 1 = untagged ( Pfsense to SG108E connection) (ALL ports set to PVID 1 on switch by default)

Its correct.

VLAN28 Port 2 = tagged/untagged? (PVID ?) (PC for Configuring)

If its connected to a PC, leave it untagged for VLAN28, and set PVID 28

Mitch Rapp

@mcury
PVID = 28, for Port 1 (SG108 to Pfsense) ?
&
PVID = 28, for port 2 (PC for configuring) ?

mcury

@mitch-rapp said in TP-LINK TL-SG108E VLAN configuration issue:

@mcury
PVID = 28, for Port 1 (SG108 to Pfsense) ?

No. Ports connected from pfsense to the switches, and between switches, should be PVID1

PVID = 28, for port 2 (PC for configuring) ?

Yes.

Ports connected to PCs, or end devices, are called access ports.
These ports don't receive tagged packets, only untagged packets.
So, if a computer is member of VLAN28, you should configure the switch like this:
PORT2 - Untagged - PVID 28

Look at this example, in this situation, PORT 5 is connected to a * COMPUTER, and this computer is getting IP from the VLAN10:

Edit: Fixed where there is a *

Mitch Rapp

@mcury OMG!, I can't believe how patient you are are. I really appreciate your help. I'm a newbie as you can see.

Would I also need to set the WIN 10 PC adapter properties to
VLAN ID = 28?

This is what I have now see below
Port 1 = pfsense - untagged - PVID 1
Port 2 = PC - untagged - PVID 28

TL-SG108E 802.1Q.png TL-SG108E 802.1Q PVID.png
WIN 10 Ethernet Adapter properties.png

mcury

Don't change anything in the computer adapter.
VLANs are transparent to the end devices, like computers.

For management (VLAN1)
1 - Pfsense should have IP address in the Igb2 interface.
2 - TL-SG108E should have IP address in the same network as the Igb2 interface
3 - TL-AX6600 should have IP address in the same network as the Igb2 interface

Now, configuring the switch ports:

Port that connects TL-SG108E to the pfsense should be:
VLAN1 Untagged (PVID 1)
Other VLANs that will pass through this port should be Tagged.

Port that connects TL-SG108E to TL-AX6600
VLAN1 Untagged (PVID 1)
Other VLANs that will pass through this port should be Tagged.

All other ports that are connected to computers, you should put Untagged for that VLAN, and PVID for that same VLAN.

Mitch Rapp

@mcury Please forgive me.
I must have something wrong on the pfsense side of things.

I went to interface assignments, VLANs, chose igb2 as the parent
set the tag to 28, & description to IoT.

I went to Interface assignments to add the port:
Then I clicked on the OPT 1 name to change it, enable it, and set the IP address 10.28.28.1.

Then I went to Services, DHCP server to set the IP range.
10.28.28.10 - 10.28.28.254
I plugged in the switch., and checked Status DHCP leases. and there
were none there. So, I rebooted the switch. Nothing. I plugged in some other devices to the switch, nothing. I rebooted the Protectli Vault, Nothing. No leases for Vlan28.

Does it look like I followed the correct steps?

mcury

@mitch-rapp said in TP-LINK TL-SG108E VLAN configuration issue:

Does it look like I followed the correct steps?

No need to say sorry, I was newbie once too.. Still today, sometimes I find myself being a newbie, still learning every day.. :)

Well, lets do it in steps first ok? First lets do the management part, which will allow you to be able to ping the switches from pfsense.

1 - Pfsense should have IP address in the Igb2 interface.
In this step, you should add an IP address to Igb2 interface itself, this will be the gateway for the management network.
We are not creating a VLAN yet ok? Go to Interfaces tab, select Igb2 interface, tick enable, then add a static IP address in it, lets say something like: 172.16.0.1 / 24.

Then, go to your switch TL-SG108E, and put an IP address of 172.16.0.2 / 24 in it.

Then, in the switch, you configure that port that is connected to pfsense, to PVID1 and VLAN1 untagged.

Lastly, try to ping the switch from pfsense, login in pfsense and ping 172.16.0.2 and come back here to confirm if its working..

If that works, we will proceed with the next steps.

Mitch Rapp

@mcury God bless you.
Ok, it's done.
igb2 interface = 10.28.28.1 /24
SG108E = 10.28.28.2 /24
VLAN1 Port 1 untagged

SG108E port 1 PVID1 set

Ping Successful

PING 10.28.28.2 (10.28.28.2): 56 data bytes
64 bytes from 10.28.28.2: icmp_seq=0 ttl=64 time=1.651 ms
64 bytes from 10.28.28.2: icmp_seq=1 ttl=64 time=1.561 ms
64 bytes from 10.28.28.2: icmp_seq=2 ttl=64 time=1.887 ms

--- 10.28.28.2 ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 1.561/1.699/1.887/0.137 ms

mcury

great, first leg of the management is working..
now, we will do the same thing, but now between TL-SG108E and the TL-AX6600.

TL-SG108E port that is connected to TL-AX6600 should have PVID1 and VLAN1 untagged.
TL-AX6600 port that is connected to TL-SG108E should have PVID1 and VLAN1 untagged.

Then, from pfsense, try to ping TL-AX6600 (I guess it should be 10.28.28.3).

Mitch Rapp

@mcury
Ok,
I've set the port (port 2) for TL-SG108E to TL-AX6600 to PVID 1 VAN1 untagged
I've connected back-haul (second port) from TL-AX6600 to TL-SG108E to port 3 VLAN untagged.

I've set the static IP address on TL-AX6000 to 10.28.28.3

Ping Results
PING 10.28.28.3 (10.28.28.3): 56 data bytes

--- 10.28.28.3 ping statistics ---
3 packets transmitted, 0 packets received, 100.0% packet loss

Nada.

A couple of thoughts / questions (could one or all of these things be wrong) :

The AX600 has a VLAN option. Vlan ID and Vlan priority. Should I set these to VLAN ID 1 and Priority 0 ? As of now, I've left it unset
The TL-AX6600 is still in "router mode," Should it be changed to AP mode?
Here are the options:

mcury

Yes, put the TL-AX6600 in bridge mode, and connect the cable coming from the TL-SG108E in a LAN port, do not use the WAN port.

First problem I see is you used the VLAN28 address range for MGMT...
You need at least two networks.

Management network is the network in which you will access the TL-SG108E GUI page to configure it, so, this is only used for management, nothing else, this will be VLAN1.

The second network is going to be the users in the WIFI, which as I understood, will be VLAN28.

TL-SG108E port that connects to pfsense:
Currently settings:
PVID 1
Untagged VLAN1
Now, add VLAN28 as TAGGED for that port.

TL-SG108E port that connects to TL-AX6600, we will change things here, as I just noticed that this device is not VLAN capable.
PVID 28
Untagged VLAN28

After that, users in the WIFI will be able to browse the Internet, but only if DHCP is enabled in pfsense and Firewall rules are allowing.
NAT will be created automatically.

Edit:

In pfsense, you need to change the Igb2 address from 10.28.28.1 / 24 to 10.1.1.1 / 24 (assuming that 10.1.1.0/24 is the network you chose for management).
Then, set the IP in pfsense for VLAN28 to 10.28.28.1 / 24

In the TL-SG108E, change the IP address to 10.1.1.2 / 24.

Doing this, you will have both networks I mentioned.

Mitch Rapp

@mcury
I am a little confused. is this a different person?

You said, "We are not creating a VLAN yet ok?" *
So, I deleted VLAN28 and started fresh, see below.

let's review where I am

Pfsense current

WAN (igb0) to fiber -WORKING GREAT
LAN (igb1) to TL-SG1024DE ("10.27.27.1/ 22"wired network) -
WORKING GREAT.
OPT1 (named VLAN1) interface set to igb2 (10.28.28.1/24) (no DHCP server)
no VLAN port yet established (see your comment above*)

Iot Network I am trying to create
TL-SG108E (Port 1) connected to OP1 (igb2) (Static IP 10.28.28.2)
DHCP Disabled
VLAN1 PVID 1 untagged - ping working

TL-SG108E (port 2) connected to TL-AX6600 LAN port
VLAN 1 PIVID 1 - untagged

TL-AX6600 - Static IP 10.28.28.3 (LAN port to SG108E (port 2)
DHCP enabled, currently in router mode. When I moved the cable from WAN port to LAN port, per your instructions, it started working to broadcast but I still can't ping it at 10.28.28.3 from pfsense, but I see traffic going .

mcury

@mitch-rapp I didn't ask you to create a VLAN1, I asked you to edit interface Igb2 and add an IP address there, this is considered VLAN1, or native VLAN, its pretty hard to explain these things to a person that is starting... :(

Man, lets start over then.

Delete that VLAN1.

Do this:

TL-SG108E port that connects to pfsense:
PVID 1
Untagged VLAN1
VLAN28 as TAGGED for that port.

TL-SG108E port that connects to TL-AX6600,
PVID 28
Untagged VLAN28

pfsense: Go to interfaces, Igb2, and put a static IP of: 10.1.1.1 / 24.
Then, create VLAN28 and add the IP of 10.28.28.1 / 24, tick enable to enable the interface.
Create a firewall rule allowing all in Firewall > Rules > VLAN28
Check if DHCP is enabled in that interface, if its not, enable it.

Check if internet is working in the WIFI.

Don't forget to put the TL-AX6600 in AP mode, and connect the cable coming from the TL-SG108E in a LAN port, do not use the WAN port.

Mitch Rapp

@mcury
Brother, I am so sorry. I haven't grasped all of the concepts yet, obviously. you have the patient of Job.

This is what I've just done.

TL-SG108E port 1 to pfsense -PVID1 untagged VLAN1
ADDED VLAN28 as tagged to port 1.
TL-SG108E port 2 to AX66000 PVID 2 untagged VLAN28.
Created OPT1 (igb2), enabled, Static IP 10.1.1.1 /24
Created VLAN28 (igb2 OPT1 as parent interface) Tagged 28
under "interface assignments," VLANs" tab.

5.Created VLAN28 interface, "VLAN 28 on igb2 - opt 1 (VLAN28)"
enabled, set IP to 10.28.28.2 /24,

Created firewall rule for VLAN28 allowing protocol "any" for VLAN28.
VLAN28 - DHCP enabled, range 10.28.28.10 to 10.28.28.254.
My TL-SG108E is set to 10.28.28.2 * AX6600 is set to 10.28.28.3.
TL-AX6600 is on the LAN port to TL-SG108E (port 2)

Is any of that correct? :-)

No wifi now. It has a signal but no internet connectivity. Should I reset the AX6600 to "bridge mode" or use the VLAN feature on it?

Mitch Rapp

@mcury