VLAN on D-link
-
@fireix Let's start from scratch.
Say you have a 24 port switch but you're only using 6 ports. Now you want to add a second network so you need another switch for that network. But you have plenty of ports available on your current switch. So you use vlans.
You can set ports 13 -24 as a separate vlan, now your 1 switch is acting as 2 separate switches without having to buy another!
Ports 1 -12 cannot talk to ports 13-24 because they are different vlans.
That's the basics of a vlan.
Then came the need to connect that 1 switch (with 2 vlans) to another switch but you need both vlans on the new switch. So you would take one port from each vlan and connect them to ports on the new switch. Kinda a waste of a port, so trunking came about. We take both vlans and trunk them on one port, then connect that one port to the new switch and you have both vlans on the new switch.
So, yes, you have port 43 correctly in vlan 40. But you have no other ports in vlan 40 so it can't talk to anything. It's only one port.
So now you need to either add another port to vlan 40 and run 2 ports to pfsense, or trunk a port and carry both vlans on the one trunk. The trunk will need to be tagged with vlan 40.
So in your last pic, change the 2 to 40 (VID is vlan id, not the port), select "add", "tagged" and apply.
-
This makes less and less sense to me ;) I thought it was easier.
My conceptual idea of this is:
VLAN1=Port 1, Port 2, Port 3 (one trunk).... All that have ID VLAN1 can communicate, so port 1, 2, 3...
VLAN40=Port 1 and Port 43 (one trunk).. All that have ID VLAN40 can communicate, so port 1 and 43
Since Port 1 is a tagged/trunk-port (like the main gate, that doesn't strip the VLAN-tag), it is allowed to pass the traffic both to all of VLAN1 and all of VLAN40 (depending on the tag arrived on port 1 instructed by pfSense), it gives port 1 permission/instructions to be able to communicate with different sections (for instance port 43 on VLAN40 since it is in a trunk with it).
Is what you are saying that Port 1 can't be used for many VLANs?
"So in your last pic, change the 2 to 40 (VID is vlan id, not the port), select "add", "tagged" and apply."
This doesn't make sense to me either ;) Because I have found out that the "tagged" and "add" box is not for the VLAN-textbox (VID 1-4094) above (that only accepts one single VLAN). It seems to be there for the "Current Hybrid tagged VLAN" and the "Current Hybrid untagged VLAN" -box, like marked red in my screenshot.
When I change the value in the text-box and choose Add or Remove, it adds this entry to Current Hybrid tagged VLAN (when I choose tagged). See my picture for illustration of this. This also makes sense in my head: This way. If I do as you say, I can't add a new VLAN50 later, since that textbox with VLAN-ID with value 40 only supports one VLAN. If I set it to 40, it will block out traffic to every port except the VLAN40. But I want to keep the switch talking 1-2, 1-3, 1-4 etc on VLAN1 and 1-43 on VLAN4.
How it looks after I submitted the box. It lists Port 1 to have the default VLAN 40 for non-tagged/non-assigned traffic. Doesn't look correct to me.
-
I watched this video to try to understand VLANs:
Setting up VLAN on PfSense SUPER EASY!
My notes from it:
Under Port Administration
Trunk port is the port connected to the router/Internet (in my case Port 1, in his case the last port). Link type=Trunk.
VLAN-admin
VLAN1 - Keep default (all ports untagged except port 43 and the Trunk-Port 1 - trunk port 1 would be greyed out already)
VLAN-admin
Edit VLAN40
Under this list of member ports for VLAN40: Mark Trunk port tagged (hybrid) - Port 1
Under this list of member ports for VLAN40: Mark Access port=untagged - Port 43
This is all I want to accomplish, I think. But the interface differs so much from the one in the video. Using this method, I should in theory be able to make almost as many VLANs against Port 1 as I wish.
-
@fireix Just do what I suggested. You're over thinking it.
Going by that picture, the "native VLAN" line goes across and you can select native vlan or unselect it. with it selected it means the native vlan is allowed on that port.
Then you have vid, enter 40.
Then you have action, select add. this will add the vlan to that port.
add mode, tagged.
then you should see the allowed vlan range show which vlans are on the port.
Try it.
Why not just use the CLI if the gui is too confusing for you?
If the above doesn't work, leave vid 1 in the vid box and try 40 in the allowed box.
-
In the dropdown menu, I have "Add, Remove, Tagged, Untagged". It is under the VID-box. This is the Port 1 interface.
When I did as you said, just entered 40 in the VID-box, chose "Add" and chose "Apply", the Current Hybrid untagged/tagged VLAN-range list became empty (because the text-box with Allowed VLAN Range was empty and it is my understanding that the dropdown is only for the selected port values under it - so when I had no values in it, it deleted the values displayed at the bottom).
The VID does change for Port 1, as I showed in previous listing/summary. But I assume that box is only for having a default VLAN in case no traffic is tagged arriving on that port. That makes sense, I would think it was smarter to have it to 1. Since it is port 1 that is a trunk port for many VLANs, not only one. If I enter 43, Port 1 can only communicate with port 43 on VLAN40 (If my understanding is correct).
-
@fireix Read the last line of my previous post.
try that.
-
@jarhead said in VLAN on D-link:
@fireix Read the last line of my previous post.
try that.
I think that "Allowed"-box is actually port numbers. The reason is that when I select "tagged" or "non-tagged" in the radio box, it changes the number below it. See the screenshot here, this is right after I entered "40" in the Allowed VLAN Range, selected "Tagged" and chose "Apply":
I can even add like "1-43" or "1,43". I was hoping that if I specified enough ports here, I could "team up" the VLAN in the other list with ports so I could choose Port 1 and Port 43 as member under VLAN40.
-
Here you can see I also put the number "1" and "Untagged". It got added to that list of "Current Hybrid untagged vlan", just like 40. Having an entire VLAN-tagged or untagged doesn't make any sense I think?
-
@fireix So that worked then. Good.
-
And here you see another indication that I'm actually adjusting port numbers. After doing what I showed above, the vlan summary looks like this (notice the heading of the columns and you will find the value 1 and 40 again):
-
@jarhead I don't see I have come an inch longer than before ;) Do you agree with me that it is ports I'm actually editing here - and what should I enter for Current Hybrid untagged VLAN range and Current Hybrid tagged VLAN?
-
@fireix I don't understand what you're saying. It's done. You have vlan 40 tagged on port 1. That's what you want
-
I have no clue why it refuses to set port 1 as Tagged in this interface. In every other GUI for other vendors, it would allow me to set port 1 as tagged member of VLAN40. It just jumps back to "Not Member" after pushing Save.
-
@fireix It is tagged. I don't know what you're saying. It's done.
-
@jarhead Is there any term called "VLAN untagged" or "VLAN tagged"? I have heard of ports that are tagged or untagged - but never VLAN itself as it can have any combination of untagged and tagged members. So it sounds wrong in my ears ;) (and the server in port 43 doesn't get any IP from pfSense, so I know it doesn't work).
All my intuition says that the "VLAN 40" to the right in that list is actually Port 40. Based on several things, but specially that above.
I'll continue trying tomorrow, thanks for trying to help :)
-
Or maybe I'm wrong.. too tired, time to find bed and look at it with fresh eyes tomorrow ;)
-
Trunk on a D-Link means "Port-Channel in Cisco language"
I don't recommend to fiddle with multi IF trunking, for starters.
A port can have one of three "vlan membership states"
Untagged
Tagged
Not Member.
Only one of them can be active.
On any port:
Untagged - can only be active on ONE vlan.
Tagged - can be active on many vlans.
Not Member - can be active on many vlans.
I have never seen hybrid mode on my switches (not 15xx series) , but sounds like not for starters.
My advice is to :
1:
Decide for a management vlan (could be vlan1 .. if you insist) , make the "last port" an untagged member of that vlan. Move your PC to the newly made mgmt port.
2:
Make ALL other ports NOT member of Vlan1 (Usually the default) , to start with a clean membership database.
3:
Make & Name the vlans you want to use.
4:
Go to the desired vlan , and set the desired port to Tagged/Untagged/Not-Member.
Repeat for all Vlans in use.
Done.
Remember a port can only be untagged in ONE vlan.
/Bingo
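
The membership rules from the post above, applied to this thread's own numbers (port 1 toward pfSense, port 43 for the server, VLAN 40), as an added example that is not part of any poster's message and is not D-Link code. It is a small Python model with hypothetical function names; it assumes the PVID equals the port's single untagged VLAN, that ingress filtering is enabled, and that frames are flooded to every member port.

```python
UNTAGGED, TAGGED = "U", "T"   # a port absent from a VLAN's dict is "Not Member"

def validate(membership):
    """Return the ports that are untagged members of more than one VLAN."""
    seen, bad = set(), set()
    for ports in membership.values():
        for port, mode in ports.items():
            if mode == UNTAGGED:
                (bad if port in seen else seen).add(port)
    return sorted(bad)

def pvid(membership, port):
    """VLAN given to untagged frames arriving on a port (assumed: its untagged VLAN)."""
    for vid, ports in membership.items():
        if ports.get(port) == UNTAGGED:
            return vid
    return None

def forward(membership, in_port, tag=None):
    """Flood one frame; return {egress_port: tag on the wire, or None if stripped}."""
    vid = tag if tag is not None else pvid(membership, in_port)
    members = membership.get(vid, {})
    if in_port not in members:   # ingress filtering: port is Not Member of this VLAN
        return {}
    return {p: (vid if mode == TAGGED else None)
            for p, mode in members.items() if p != in_port}

# Constructed sample: the layout the thread is aiming for.
TARGET = {
    1:  {1: UNTAGGED, 2: UNTAGGED, 3: UNTAGGED},
    40: {1: TAGGED, 43: UNTAGGED},
}
# Constructed sample: port 1 left as "Not Member" of VLAN 40.
BROKEN = {
    1:  {1: UNTAGGED, 2: UNTAGGED, 3: UNTAGGED},
    40: {43: UNTAGGED},
}

if __name__ == "__main__":
    print("pfSense -> server:", forward(TARGET, 1, tag=40))   # tag stripped on 43
    print("server -> pfSense:", forward(TARGET, 43))          # tag 40 added on 1
    print("port 1 not member:", forward(BROKEN, 43))          # nowhere to go
    print("tag 40 on port 2 :", forward(TARGET, 2, tag=40))   # dropped at ingress
```

With port 1 missing from VLAN 40 the server's frames have no egress port, which matches a host on port 43 getting no DHCP lease from pfSense.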
-
@bingo600 said in VLAN on D-link:
Go to the desired vlan , and set the desired port to Tagged/Untagged/Not-Member.
Repeat for all Vlans in use.
I haven't made it work, the GUI is so super confusing and considering just upgrade the switch so I can understand it..
Just a quick stupid question: Is it easy/possible to have a "dumb" switch (I assume VLAN-tags are just passed on in most cases) and just configure the actual server/PC in a normal port to be on the same VLAN as configured in pfSense?
I see that some windows-server lets you set the network card to a specific VLAN (under hardware-settings on the network card). So that could be a quicker way for me. The server will run free Hyper-V, so I think it would be little administration on it even? Or will it be super complicated? The idea is limit the access/noise to this single server.
-
Where is your issue ??
Vlans on the pfSense ?
See here
https://forum.netgate.com/post/944383
or
Vlans on the D-Link ?
Do as i described above ...
or
Both ?
Don't give up ....
We have "talked a lot of people through this"
Ohh ... Please tell me you have a physical pfSense Box , and not a Virtual one.
That's another layer of troubles ....
-
@bingo600 Vlans on pfSense Supermicro-server with 4 ports (physical yes) was easy and no problems at all. Followed tutorial to the letter and it looks just fine. Connection from a LAN-port (that has 3 VLANs I set up on it) directly to D-Link port 1.
The problem is D-Link switch and to do the thing you describe under 4. (choosing tagged, non-tagged, non-member) in the interface. I understand your instructions , but the GUI simply doesn't let me to do it easy as I can see all other GUIs let you do (even on cheaper switches). It is at least 4-5 different places and it isn't always clear what each setting will do. What I can do in the "Member" interface depends on all those 4-5 other places and even then it doesn't let me to do a tag 1 port and untagged 43 port (it refuses to let me have port 1 tagged/member, even though the option is active).
The easy part is to create the VLANs and their naming, that was super easy everywhere.
Not giving up yet, just taking a break.. maybe try to read up on how to do it from terminal/shell instead. But requires some learning of dlink syntax.
I will create a small lab at home just to see if I can do it on other switches.