Can't get IP on VLAN
-
@laplacian Is your target device on an untagged port for 199? and is the PVID set to 199?
-
@rcoleman-netgate said in Can't get IP on VLAN:
@laplacian Is your target device on an untagged port for 199? and is the PVID set to 199?
My device is connecting via WiFi so I didn't set up any PVID. What should I do if I have devices that are coming in through my WiFi access points?
-
@laplacian The SSID should be VLAN tagged on that port, or if it is not a VLAN-capable AP then the port should be untagged.
Whatever the path of a VLAN is on your network should have that VLAN associated.
-
@laplacian
Did you assign the switch port which is connected to pfSense to the VLAN 199 and tag outgoing packets?
-
@rcoleman-netgate said in Can't get IP on VLAN:
The SSID should be VLAN tagged on that port, or if it is not a VLAN-capable AP then the port should be untagged.
Okay, I set all physical ports to be untagged and reconnected my device. My device now gets an IP address, but not in the VLAN pool (just from my old LAN).
So I set the pfsense physical port to tagged, but the rest to untagged. After doing that, my device now gets an IP address in the VLAN pool!
Is this the correct thing to do? I would assume so, since I don't want any other device interpreting my tags except for my pfsense box.
@viragomann , is this what you were suggesting to do?
-
@laplacian Just because you set a port to be untagged that doesn't mean the other VLANs are gone - those firmware versions of Netgear hardware (all of them with interfaces like this) fail to give you a good quality overview of what is set to what VLANs so you will need to go in and remove the default VLAN tags from those interfaces, too. But tread carefully as you might brick yourself out of the system in the process.
I would remove the untagged 199 from all the ports you aren't wanting it on natively. And you still have to set the PVID for whatever ports are communicating on it untagged.
-
@rcoleman-netgate , thanks for the explanation. I am new to configuring this stuff.
I only have a need for my pfsense to interpret VLAN tags set by my switch. Nothing else on my network needs to see any VLAN tags or know anything about them. (Incidentally, I have plans for about 8 VLANs, once I'm able to test my rules on this first one.)
When I set the tagging to this (as you suggested, I think?)
...I get the same problem again--no IP address assigned to the device. (Again, bear with me...) Why would I want/need to set the PVID for a MAC-based VLAN assignment? My AP is on one of those ports and I would like to assign each of its clients to a different VLAN.
My current PVID assignments look like this:
-
@laplacian Ok so your PF is on Port 1, where's the WiFi connected? Is it natively on 199 or is the SSID tagged? You need that port tagged, too, if the SSID is on a VLAN. Untagged if not. If untagged I would also change the PVID for that port to 199 as well. But you haven't asked about it.
I have no experience with MAC-based VLANs and have avoided it completely -- so whatever needs to be set for that. Not my area of knowledge. But you still need the VLAN tagged on each of the interfaces it uses as a trunk.
-
@rcoleman-netgate said in Can't get IP on VLAN:
where's the WiFi connected? Is it natively on 199 or is the SSID tagged?
pfsense is on physical switch port 1, AP on physical switch port 9. SSID is not tagged (no way to do that--I am reusing my old Orbi system until I get motivated to move to Ubiquiti APs).
@rcoleman-netgate said in Can't get IP on VLAN:
If untagged I would also change the PVID for that port to 199 as well.
Sorry to ask the same thing again (perhaps I'm not being clear or not understanding something), but why would I want to change the PVID for my AP to the VLAN tag (199)? I have plans for about 8 more VLANs and I want clients from that AP to be tagged differently. What do I do when I have several VLANs?
@rcoleman-netgate said in Can't get IP on VLAN:
I have no experience with MAC-based VLANs and have avoided it completely
I can understand that--they don't provide real 802.1x or PVID security, but I need to use them for many of the dumber IoT devices and cheaper cameras in my network.
-
@laplacian said in Can't get IP on VLAN:
pfsense is on physical switch port 1, AP on physical switch port 9.
You cannot pass VLAN traffic on port 9 without the VLAN being at least tagged.
-
@rcoleman-netgate said in Can't get IP on VLAN:
You cannot pass VLAN traffic on port 9 without the VLAN being at least tagged.
When I set port 1 (pfsense) to T (tagged) and the rest, including the AP port 9, to U (untagged), then I got the behavior I wanted. Is this not expected? (This screenshot shows the config that seems to work.)
Tagging port 1 (pfsense) and leaving the rest of the ports blank does not give me the behavior that I want. (This screenshot shows the config that does not seem to work.)
I am not sure what the difference between "U" and blank is in my switch...
-
@laplacian Blank = not assigned. U = Untagged. T = Tagged
Tagging = the VLAN appears in the ETH packet.
If you don't want 199 traffic on a port do not assign the VLAN to the port (make it blank). If you want ALL the traffic on the port to be untagged (basically what you would do in a WAP that does not have VLAN capability but should be limited to a VLAN upstream) or a single device that gets on that VLAN (like a security camera, desktop, etc.) you would have it untagged. If you are passing many VLANs over a port you will want them tagged -- you could send all untagged traffic but that's how you get the wrong DHCP address to appear on your device.
You cannot have MAC-based VLANs without tagged VLANs - you can have MAC-based access on a WAP (typically) but without 802.1Q support on a device you can't do VLAN assignments on the device and it has to be controlled on the port itself.
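An added toy model (not Netgear or pfSense code) of the T / U / blank membership and PVID rules described above. Port names, VLAN numbers and the three configurations are constructed to mirror this thread (port 1 = pfSense trunk, port 9 = the non-VLAN-aware AP) and are assumptions, not the poster's actual settings:

```python
# Toy 802.1Q port model: "T" = tagged member, "U" = untagged member, blank = not a member.
from dataclasses import dataclass, field

@dataclass
class Port:
    tagged: set = field(default_factory=set)    # "T": VLAN leaves the port with an 802.1Q tag
    untagged: set = field(default_factory=set)  # "U": VLAN leaves the port with the tag stripped
    pvid: int = 1                               # VLAN that untagged *incoming* frames are put into

def classify(port, vid):
    """Ingress: which VLAN does a frame land in? vid=None means it arrived untagged."""
    if vid is None:
        vid = port.pvid
    # A port only accepts a VLAN it is a member of (T or U); "blank" means dropped.
    return vid if vid in port.tagged | port.untagged else None

def egress(port, vid):
    """Egress: how does VLAN `vid` leave this port, or None if it is not a member."""
    if vid in port.tagged:
        return "tagged"
    if vid in port.untagged:
        return "untagged"
    return None

def forward(switch, in_port, vid=None):
    """Flood a frame arriving on in_port to every other member port of its VLAN."""
    vlan = classify(switch[in_port], vid)
    if vlan is None:
        return vlan, {}
    out = {name: egress(p, vlan) for name, p in switch.items() if name != in_port}
    return vlan, {k: v for k, v in out.items() if v}

def untagged_conflicts(switch):
    """Ports with more than one untagged VLAN: frames from both networks mix there."""
    return sorted(n for n, p in switch.items() if len(p.untagged) > 1)

# Constructed configs mirroring the thread: port1 = pfSense, port9 = Orbi AP (no VLAN support).
WORKING = {"port1": Port(tagged={199}, untagged={1}, pvid=1),
           "port9": Port(untagged={199}, pvid=199)}        # default VLAN 1 removed from port9
BLANK_AP = {"port1": Port(tagged={199}, untagged={1}, pvid=1),
            "port9": Port(untagged={1}, pvid=1)}           # 199 left blank on the AP port
TWO_UNTAGGED = {"port1": Port(tagged={199}, untagged={1}, pvid=1),
                "port9": Port(untagged={1, 199}, pvid=199)}

if __name__ == "__main__":
    print(forward(WORKING, "port9"))       # (199, {'port1': 'tagged'})   -> pfSense VLAN 199 sees it
    print(forward(WORKING, "port1", 199))  # (199, {'port9': 'untagged'}) -> DHCP offer back to client
    print(forward(BLANK_AP, "port9"))      # (1, {'port1': 'untagged'})   -> lands on the old LAN
    print(untagged_conflicts(TWO_UNTAGGED))  # ['port9']
```

The BLANK_AP case reproduces the "gets an IP, but from the old LAN" symptom: an untagged frame is classified into the PVID (VLAN 1) and reaches pfSense on the untagged LAN side.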
-
@rcoleman-netgate said in Can't get IP on VLAN:
If you are passing many VLANs over a port you will want them tagged
I think this is the case that I'm in. I'll want many VLANs on a single switch port via my AP. (I'll have other use cases where I'll have a dumb switch in another room connected back to my main switch, connected via a single managed switch port, so same thing there.)
However, when I try this (see screenshot here)
...I get the same problem: my device can't get an IP address. I certainly don't want to have DHCP errors later when I set up my other VLANs, but setting all ports to U and pfsense port to T is the only thing that seems to work.
I'll read through 802.1q a bit more also to see if I can understand a bit better.
-
@laplacian Run a PCAP on the pf on that VLAN and look for the MAC address of the device you're expecting.
Also run it on the other VLANs/interfaces, too.
But if you're not getting 802.1Q-tagged packets... you will continue to have issues getting things to talk correctly.
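Added example (not pfSense or tcpdump code) of the check suggested above: decode raw Ethernet frames as you would see them in a capture on the pfSense parent (trunk) interface, where 802.1Q tags are still present, and report whether a client's MAC is arriving on the expected VLAN, untagged, or on some other VLAN. The MAC addresses and sample frames are constructed for the demo:

```python
# Decode 802.1Q-tagged Ethernet frames and summarise which VLAN a client MAC arrives on.
import struct

ETH_P_8021Q = 0x8100   # EtherType that marks an 802.1Q tag header

def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_frame(frame):
    """Return dst, src, vlan (None if untagged) and the inner EtherType of one raw frame."""
    dst, src, ethertype = frame[0:6], frame[6:12], struct.unpack("!H", frame[12:14])[0]
    vlan = None
    if ethertype == ETH_P_8021Q:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan = tci & 0x0FFF            # low 12 bits of the TCI are the VLAN ID
    return {"dst": mac_str(dst), "src": mac_str(src), "vlan": vlan, "ethertype": ethertype}

def build_frame(dst, src, vlan, ethertype=0x0800, payload=b""):
    """Constructed test helper: build a frame tagged with `vlan`, or untagged if vlan is None."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    if vlan is not None:
        hdr += struct.pack("!HHH", ETH_P_8021Q, vlan & 0x0FFF, ethertype)  # PCP/DEI left at 0
    else:
        hdr += struct.pack("!H", ethertype)
    return hdr + payload

def check_client(frames, client_mac, expected_vlan):
    """Count the client's frames on the expected VLAN, untagged, or on other VLANs."""
    seen = {"expected": 0, "other_vlans": set(), "untagged": 0}
    for f in frames:
        p = parse_frame(f)
        if p["src"] != client_mac.lower():
            continue
        if p["vlan"] == expected_vlan:
            seen["expected"] += 1
        elif p["vlan"] is None:
            seen["untagged"] += 1
        else:
            seen["other_vlans"].add(p["vlan"])
    return seen

CLIENT = "02:00:00:00:01:99"   # constructed client MAC (the device expected on VLAN 199)
BCAST = "ff:ff:ff:ff:ff:ff"
SAMPLE = [                      # constructed capture, not real traffic
    build_frame(BCAST, CLIENT, 199),              # arrives tagged 199: what we want
    build_frame(BCAST, CLIENT, None),             # same client untagged: switch put it on the PVID
    build_frame(BCAST, "02:00:00:00:00:05", 5),   # unrelated host on another VLAN
]
```

A client that shows up only in the "untagged" bucket on the trunk is being classified into the switch's default/PVID VLAN rather than 199, which matches the "wrong DHCP address" symptom in this thread.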
-
I was able to dig up a bit more info about MAC-based VLANs. According to my switch manufacturer (Netgear), all ports are supposed to be untagged.
https://kb.netgear.com/21597/How-do-I-assign-a-MAC-based-VLAN-using-the-web-interface-on-my-managed-switch
This other article seems to suggest that also.
https://www.solutiontales.com/how-do-vlans-work/
It says that the packets are untagged, then tagged according to MAC assignments. However, I absolutely must make the pfsense switch port tagged or else nothing gets routed (I have to factory reset the switch and start over).
-
I'm actually getting some weird routing when leaving my AP port as Untagged. I can't route to my switch from the test 199 VLAN. I can route to everything else, and everything else on my AP seems to route normally. I think I need to read up a bit more on MAC-based VLANs...
-
@laplacian said in Can't get IP on VLAN:
So I set the pfsense physical port to tagged, but the rest to untagged. After doing that, my device now gets an IP address in the VLAN pool!
Is this the correct thing to do? I would assume so, since I don't want any other device interpreting my tags except for my pfsense box.
@viragomann , is this what you were suggesting to do?
Yes, the port connected to pfSense has to be tagged for each VLAN you have configured, no matter whether the other ports of the VLAN on the switch are MAC-based or conventional. It's the "trunk" port.
The port for the AP must be assigned as untagged to the VLAN. MAC-based cannot be used here, since the switch sees all MACs from the connected WiFi devices.
-
@laplacian Here's the 24-port switch on my desk... VLAN1 is my core -- you probably shouldn't use 1 but I did and it doesn't matter to me.
5 is my functional network for Netgate. I have a PC and an uplink.
My AP is located at ... which port do you think? Yep, 12.
All of those are tagged interfaces unless they are the ONLY device on it. VLAN106 ports 3 and 5? Untagged, but tagged on port 1 so they go through the 10G core switching to the firewall. No, and I repeat NO, interfaces have more than one untagged VLAN on them - that will cause traffic to cross networks.
-
Okay, thanks for the info. I think I need to read up on what Netgear considers MAC-based VLANs and how to use their switches to implement them.
One last question: Say I am able to put a majority of my devices into VLANs correctly. If another device comes along and plugs into one of my dumb switches or connects to my guest WiFi, how can I automatically put that device into a Guest VLAN, subject to the pfsense firewall rules designed for the Guest VLAN?
-
@laplacian said in Can't get IP on VLAN:
If another device comes along and plugs into one of my dumb switches or connects to my guest WiFi, how can I automatically put that device into a Guest VLAN, subject to the pfsense firewall rules designed for the Guest VLAN?
By having all VLANs as tagged and leaving the guest VLAN untagged on all the ports that might be exposed, additionally putting a lock on the door where the data cabinet is located.
If you want something like AAAA or Cisco ISE you need different hardware. pfSense doesn't do AAAA on its own and most systems like that (x501) need a third system to do management anyway and those are done on the switch level. I did a little of that with Aruba in the last gig but not too much - we would find it easier to spin up an SSID in a part of a building for a single user most of the time.