VLAN on D-link
-
@fireix said in VLAN on D-link:
But is there something called "untagged VLAN" and "tagged vlan"? I know untagged/tagged ports in a VLAN, but actually hole vlans?
A Port cant be tagged or untagged , only a Vlan can (tags belongs to Vlans).
A Port can be :Member of (Carry traffic for) one or more Vlans (tagged), One Port can only carry untagged traffic for ONE vlan.
If a port is member of "Untagged Vlan X" , then it can't also be member of "tagged Vlan X".
Untagged ports are usually used for "normal devices" PC's , APPLE-TV's etc , that has a "Normal networkcard setup" .
Tagged traffic is used between devices that carry traffic containing several vlans.
pfSense to switches , switches to switches , Hypervisors to switches , and is also often used to connect to accesspoints that runs several ssid's.You would 95% of time make a standard PC switchport , an untagged member of VlanX
When a port is "Untagged member of VlanX" , it just refers to the frames sent between the "device ie. PC" and the port , here untagged means the port communicates with the end device , with normal ethernet frames, plain network card setup.
The traffic received on that untagged (Vlan X) port , will be tagged (with Vlan X id) and sent to all other ports that are tagged members of VlanX , that's how ie. pfSense sees the data from an untagged port , via the tagged connection from the switch to the pfSense.The traffic received on that untagged (Vlan X) port , will also be replicated to all Ports that are "Untagged members of VlanX" , here it will be sent put as "untagged" aka. normal ethernet frames.
Edit:
You should really read the post i made here , about tagging (envelopes)
https://forum.netgate.com/post/944383/Bingo
-
So you are also saying this looks correct?
My goal is to just get one server over to a VLAN and I think all the other GUIs I have seen from other vendors handles this very easy: You just choose edit VLAN 40 for instance, then choose all ports you want to join (tagged port 1 (pfsense) and untag the access port (the PC) in their visual list of ports. It should be that simple. Since a tagged port 1 inside a vlan can be a member on vlan 10 or other vlans (not sure if it technical is a member, but all other GUIs let you choose port 1 and port 43 for example - and you can repeat that for port 1 and port 3.. and port 1 and 5.. As long as port 1 is tagged inside each VLAN and all the other ports in the VLAN is untagged (PC/servers), it can help provide internet/pfsense to all vlans).
I have a pfSense box at home and a PC.. by changing the PC's adapter to VLAN40 (using the broadcom diagnose network utility) and connecting to the pfSenses LAN-port, I was able to get the DHCP-leases on that private VLAN
So much fun! I see the fw rules under that VLAN is respected also and blocked everything until I opened up. So everything work as expected in LAB. Next is to introduce a switch to see if I can do the VLAN on the switch without changing the network cards vlan id... Unfortunately, I don't have Dlink, but can at least test my skills on a different brand..Could I in theory do the same with the server, just change the card there also and avoid the D-link issues? As long as the switch isn't removing the VLAN-tags between the server and the pfSense, the server has a bit less noise from the network at least I would assume.
-
That picture shows that the switch Eth1/0/1 is setup to do "untagged traffic" in Vlan1 , and at the same time pass tagged traffic for Vlan40.
This would mean that if you connect that port to pfSense:
Untagged traffic (between pfSense & Switch) would end up the Switch's Vlan1 ,
And that link would also pass traffic tagged with Vlan40.So far so good .....
But your PC (Server) that i think should transport Data in Vlan40.
Needs to be connected to a port that is Untagged Member of Vlan40.If you ie. connect the server to Eth1/0/2 , you have to do 2 things.
1:
Make Eth1/0/2 "Not a Member" of "untagged" Vlan1 , else you can't switch to "untagged" Vlan402:
Make Eth1/0/2 Untagged member of Vlan40 - I would set it to Access Port , not Hybrid.Now the traffic generated from the server in Eth1/0/2 would belong to Vlan40 , and also be forwarded (tagged) on Eth1/0/1 , as you specified that (tagged Vlan 40).
Traffic "Tagged Vlan40" traffic received from pfSense on Eth1/0/1 , would also be copied to Eth1/0/2 , as that port is member of Vlan40. Since the port is an Untagged member , the Vlan40 tagging (not data) is removed before copied to Eth1/0/2 .. As "Normal ethernet data".
Edit:
Why do you have all ports a Untagged member of Vlan1 ??
The default i think ....
That's going to "Bite you" when you want to make any of those ports Untagged member of ANY other vlan. As you have to remove it from Untagged Vlan1 first./Bingo
-
@bingo600 Port 43 is the access port=VLAN40. As indicated here. Once a port is defined as access-port, it locks the port from beeing anything else than Untagged as far as I can tell (I can't even override it and make it anything else). I have my PC connected on port 43.
The caption where it says "40" is Untagged VLAN.
-
@bingo600 said in VLAN on D-link:
Why do you have all ports a Untagged member of Vlan1 ??
The default i think ....
That's going to "Bite you" when you want to make any of those ports Untagged member of ANY other vlan. As you have to remove it from Untagged Vlan1 first.All ports except port 43 is in VLAN1 I would assume. I have some customers on this switch and always been running it without VLAN, so I don't want to take them offline during my trial and error. So it just felt safer to have them there until I know what I'm doing. If I manage to get port 43 locked on VLAN40, I'm pretty confident i can release other ports out of VLAN1 and into a different VLAN one by one :) Just seems like a big way to go just now before I find the smoking gun...
But.. if it is correct above.. then why isn't it working :( I have DHCP active on pfSense VLAN40 and it doesn't give out anything to the PC in port 43. I have the same setup of pfSense as in my lab (where it is working), so I know it is correct setup on pfSense.
-
On the "Snip where you" show Port43 belonging to "Untagged" Vlan40 , what does it aay about Native Vlan , it should show nothing or 40
I would do 2 things ...
1:
Give the PC in P43 a static ip in the pfSense Vlan40 range.
Can you ping from the PC in P43 to the pfSense Vlan40 interface ip addr.
I doubt , but worth a try.2:
Make another port (44 ?) untagged member of Vlan40.
Connect a PC to both port 43 , and port 44 , give them a temporary static ip in the same net ... 192.168.x.10/24 and 192.168.x.11/24.
See if you can ping from one pc to another , if success then both must be in same vlan.Once a port is defined as access-port, it locks the port from beeing anything else than Untagged as far as I can tell (I can't even override it and make it anything else). I have my PC connected on port 43.
That is correct , an access port would be an Untagged member of just one Vlan.
To override make it a member of another Vlan , or make it NON Access first i suppose ... I have never used or seen a D-Link 15xx series.
/Bingo
-
@bingo600 said in VLAN on D-link:
On the "Snip where you" show Port43 belonging to "Untagged" Vlan40 , what does it aay about Native Vlan , it should show nothing or 40
I would do 2 things ...
1:
Give the PC in P43 a static ip in the pfSense Vlan40 range.
Can you ping from the PC in P43 to the pfSense Vlan40 interface ip addr.
I doubt , but worth a try.Under Native, it just shows - instead of any value. Indicating nothing.
Correct, no reply. Tried the other way also, from pfSense to this IP. Will try method #2 now.
-
Once I brougth the two servers into the VLAN40 (both untagged), they could communicate/ping eachother from member ports. When I removed one of them as member from VLAN40, communication between them stopped at once. So we have VLAN isolation from port to port.
I also tried to put an IP in the pfSense-range that I had before (in no-vlan-mode or non-configured) and I couldn't ping pfSense when I was member of VLAN40. As soon as I escaped from VLAN40, I could communicate with internet and the pfSense - including the IP of the interface for VLAN40.
-
@bingo600 One strange observeration though:
Each time I enable "Untagged member" on the 2nd port I tried (port 43), it removed the VLAN "40" under Tagged VLAN on port 1. So now it looks like this:
I have put "40" back there on port 1, but it seems like I'm figthing the system and it tries to tell me something!
Here you see the "member port definition" for VLAN40 (if I try to choose Tagged member on port 1, it will not stick, I tried):
And here you see how it just just now, after I corrected so that 40 appear under Tagged VLAN again:
But only communication between ports on VLAN40, I can't communicate with Port 1. In my head, it should have been tagged port, but this interface almost looks the oposite of what I find logic... But you are two people saying it looks normal, so I will go with that for now ;)
-
@fireix said in VLAN on D-link:
Each time I enable "Untagged member" on the 2nd port I tried (port 43), it removed the VLAN "40" under Tagged VLAN on port 1. So now it looks like this:
Correct because you are now setting this port as that VLAN without a VLAN tag in the ETH packet. This would be expected.
-
@rcoleman-netgate Not sure exactly why that is expected, but do I fix it by adjusting it on the interface afterwards - so that the last screen there looks correct setup?
I have a PC in Port 34 and Port 43, supposed to be in VLAN40 untagged.
pfSense is on Port 1.
No communication with Port 1 at all when member of VLAN40 (I want communication with pfSense...)
-
@fireix On the PF your interface is assigned to the VLAN interface? Mine for comparison:
-
@rcoleman-netgate Indeed. Also marked the checkbox to enabled the interface and put firewall-rule in place.
One thing.. I haven't actually defined any VLAN1 on pfSense, as the main mode is non-vlan setup and I don't want to disrupt non-tagged traffic. Could that be the issue? I don't think it should, as I should anyway be able to ping the interfaces IP-address in VLAN40.
-
@fireix Doubtful. VLAN1 = unnumbered, likely your LAN.
Is this a whitebox or one of our devices? What do you see when you run a PCAP on the interface?
-
@rcoleman-netgate said in VLAN on D-link:
PCAP
It is a Supermicro-server with pfSense installed and 4 ports. Haven't really ran an PCAP on it. Do you mean on the entire LAN, is it easy to identify VLAN-id tags in it? I'm only really basic on wireshark-skills, no idea how those packages will look like. I have a ton of non-vlan traffic, so will be a lot of noise.
-
@fireix You can run the PCAP on just the VLAN interface in question.
https://docs.netgate.com/pfsense/en/latest/diagnostics/packetcapture/index.html
-
@fireix said in VLAN on D-link:
I'd do as @rcoleman-netgate says
Try to capture some packets on pfSense , while pinging the pfSense IF.
Both the way where it failed , and the way where you had succeed (Vlan1 ??)Tip: Capture detailed/all , save the file. Then it can be opened in Wireshark.
RE:
But only communication between ports on VLAN40, I can't communicate with Port 1. In my head, it should have been tagged port, but this interface almost looks the oposite of what I find logic... But you are two people saying it looks normal, so I will go with that for now ;)
You could make P1 (or try w P2) a Tagged port.
The only difference as i see it (30 sec glimpse at the Dlink 15xx config example) , is that you can't run Native/untagged data on it.
So you have to TAG Vlan1 data also on the pfSense, aka Tag Vlan1 & Vlan40.This would be my preference anyways (tagged only), i'll always avoid those Hybrid ports when not needed.
UniFI AP's springs to mind , as needs Hybrid ... Well at least in older fw.And i tend to avoid Vlan1 use anywhere in my infrastructure .. Old working habbit.
Btw:
I saw a "View Allowed Vlans Button" on the pict with the Voan40 definition.
Does that give any clue .... Ie. Vlan40 not allowedEdit:
You could also setup a "Monitoring port" on the switch , and connect a PC w. Wireshark to that one.Here's how it's done on a D-Link 1210 , couldn't find anything for a 1510
https://eu.dlink.com/uk/en/support/faq/switches/layer-2-gigabit/dgs-series/es_dgs_1210_como_monitorear_trafico_de_un_puerto_port_mirroring/Bingo
If you find my answer useful - Please give the post a š - "thumbs up"
pfSense+ 23.05.1 (ZFS)QOTOM-Q355G4 Quad Lan.
CPUĀ : Core i5 5250U, Ram : 8GB Kingston DDR3LV 1600
LANĀ : 4 x Intel 211, DiskĀ : 240G SAMSUNG MZ7L3240HCHQ SSD -
@bingo600 said in VLAN on D-link:
I saw a "View Allowed Vlans Button" on the pict with the Voan40 definition.
That's the button I click to get to this screen posten above - to verify the setup:
"You could make P1 (or try w P2) a Tagged port."
That I have tried for days to do - based on everything I have read, that is the way it is done usually :) Port 1 is the main port to pfSense/Internet and is clearly a "tagged" candidate. But when I edit the VLAN40 and select Port 1 Tagged port in the screen below, it doesn't stick when I click Apply. I tried for port 2 now as you suggested and there it actually sticks/works like I want Port 1 to do. Now, if I just managed to do that with Port 1, I think it would work rigth away :)
I can't see any clear difference on port 1 vs port 2.. they are both Hybrid and both part of VLAN1 (or by default at least). But maybe this gives an important clue... Btw, after I added the Port 2, it automatically did this under Allowed VLAN-page, so config looks similar to Port 1:
Btw: I tried to remove the checkbox for "Native VLAN" on the port 1 (and 2, 3, 4) on the ports inside VLAN1, but it wouldn't stick either. Neither from the port-membership-overview page or the interface for each port. On the port-mebership-overview for VLAN40, I could remove the checkbox for all ports and that is how it is now.
Tagged VLAN40 disappeared from the Allowed VLAN on port 1 when I play around a bit. I have to re-add it manually on the VLAN interface port 1 every timeI do a small edit. I think forcing it doesn't work, it does however sticks on Port 2 as it should no matter what. So that tells me that D-Link doesn't allow it, it will be removed by the system. So even if it looks good on that last picture above, it is probably not respecting the VLAN40-tagged on Port 1.
-
@rcoleman-netgate said in VLAN on D-link:
@fireix You can run the PCAP on just the VLAN interface in question.
https://docs.netgate.com/pfsense/en/latest/diagnostics/packetcapture/index.html
Ah, it is built-into the GUI, nice :)
I ran it both in "Enable promiscuous mode" and without. Tried to ping both from the machine I have setup on VLAN40 (with static IP in DHCP-range) and from pfSense. The data below is from pfSense (I pinged machine 192.168.50.15 with no reply)
12:05:26.303035 ARP, Request who-has 192.168.50.15 tell 192.168.50.1, length 28
12:05:27.303720 ARP, Request who-has 192.168.50.15 tell 192.168.50.1, length 28I think it is is purly a config error in D-Link, port 1 is simply not "connected" on VLAN40 internally.
-
@bingo600 said in VLAN on D-link:
You could make P1 (or try w P2) a Tagged port.
The only difference as i see it (30 sec glimpse at the Dlink 15xx config example) , is that you can't run Native/untagged data on it.T
So you have to TAG Vlan1 data also on the pfSense, aka Tag Vlan1 & Vlan40.Sorry i meant Trunk port above , where i wrote Tagged.
Try to set P2 as Trunk , allowing VL40Something is is spookey with that switch or FW ....
Try to capture on interface , not Vlan40 , that way you should be able to see if it is tagging packets with VL40.
I agree with that D-Link port , not tagging VL40 packets.
We miss a "little important thing" ..... I have no idea what ....
But you might be right in , when the "D-Link gui removes the VL40 tagging" , it might be a hint ....Strange ... It's so easy on a D-Link 1210
I just had another glance at this
https://eu.dlink.com/uk/en/support/faq/switches/layer-2-gigabit/dgs-series/es_dgs_1510_escenario_config_vlan_por_gui_y_cliStrange ... It seems to use a totally different way to GUI configure the ports.
You did say you had success in adding the VL40 tag to P2 , did you try to connect the pfS to that port ??
/Bingo
