Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    VLAN not working in simple test.

    Scheduled Pinned Locked Moved
    L2/Switching/VLANs
    5
    10
    831
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • A
      akke023
      last edited by

      Hi everyone, I've been trying to setup VLANs on the Pfsense, but without any luck.
      I'm not per se a newbie to this, so I'm really puzzled, hopefully someone can help me out.

      Here's the situation:
      I'm trying to perform a simple test.
      Plug in my pc on port 1, and be able to reach the devices VLAN 10 IP.
      For this I have done the following:

      • Created VLAN10 under "Interfaces/VLANs"
      • Added the new interface under "Interfaces/Interface Assignments"
      • Created a DHCP scope for the new VLAN
      • Copied LAN firewall ruleset to the new VLAN10.
      • Added VLAN10 to the switch ports under "Interfaces/Switch/VLANs"
      • Added port 1 to VLAN10
      • NOTE: I tried checking and unchecking the "Tagged" checkbox, neither worked, currently unchecked, as I assume this to be "untagged".
      • Removed port 1 from VLAN1. To avoid mixing things up.
        -> At this point, no result.
      • Added PVID 10 to the corresponding port 1 under "Interfaces/Switch/Ports"
        -> Still no result.

      I wish I could post screenshots but I get a parsing error doing so.

      I would expect it to go like this:
      -> PC connects to the Pfsense port 1
      -> Pfsense tags this as VLAN10, since the PVID is set to 10. And the vlan not checked as "tagged" meaning it is set as "untagged".
      -> Pfsense recognizes that the client is in VLAN10, and assignes it a VLAN10 DHCP adress.
      -> Client can access VLAN10.

      However, even when setting my IP as static, I can not connect to the pfsense in any way.
      The pfsense packet capture does not recognize any traffic on the VLAN10 interface.
      The client's wireshark does not get response to the DHCP Discovery.

      I am at a loss right now, as I have never stumbled on a VLAN issue like this, even with our netgear switches I do not have any issue setting them as untagged, pvid 10, and tagged on the trunk line.

      Any help would be appreciated! Thanks in advance!

      V johnpozJ 2 Replies Last reply Reply Quote 0
      • V
        viragomann @akke023
        last edited by

        @akke023 said in VLAN not working in simple test.:

        Copied LAN firewall ruleset to the new VLAN10.

        And changed the source to VLAN10 net?

        Added VLAN10 to the switch ports under "Interfaces/Switch/VLANs"

        Obviously you're talking about a specific Netgate hardware. Do you tell us which?

        A 1 Reply Last reply Reply Quote 1
        • johnpozJ
          johnpoz LAYER 8 Global Moderator @akke023
          last edited by

          @akke023 said in VLAN not working in simple test.:

          Copied LAN firewall ruleset to the new VLAN10.

          There is also some issue with copied rules and not creating an updated ID for them, etc.. Have to dig up specifics - but do recall seeing some issues with "copy" of rules.. Pretty sure resolved in say 23.01 and believe latest 2.7 snaps.. But yeah that is something to look at..

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.7.2, 24.11

          1 Reply Last reply Reply Quote 1
          • A
            akke023 @viragomann
            last edited by

            Thanks for the fast response guys!

            @viragomann said in VLAN not working in simple test.:

            And changed the source to VLAN10 net?

            Yes, here is the ruleset:
            52004255-3f9b-46f8-b57b-182fec2523b7-image.png

            @viragomann said in VLAN not working in simple test.:

            Obviously you're talking about a specific Netgate hardware. Do you tell us which?

            I should've included this, my bad. The device I'm using is the Netgate 2100.

            @johnpoz said in VLAN not working in simple test.:

            There is also some issue with copied rules and not creating an updated ID for them, etc.. Have to dig up specifics - but do recall seeing some issues with "copy" of rules.. Pretty sure resolved in say 23.01 and believe latest 2.7 snaps.. But yeah that is something to look at..

            1. I tried making them from scratch but no result.
            2. I can't seem to update to 23.01. Currently running 22.05.
            Enter an option: 13

>>> Updating repositories metadata...
Updating pfSense-core repository catalogue...
pkg-static: https://repo00.atx.netgate.com/pkg/pfSense_plus-v23_01_aarch64-core/meta.txz: Service Unavailable
repository pfSense-core has no meta file, using default settings
pkg-static: https://repo00.atx.netgate.com/pkg/pfSense_plus-v23_01_aarch64-core/packagesite.pkg: Service Unavailable
pkg-static: https://repo00.atx.netgate.com/pkg/pfSense_plus-v23_01_aarch64-core/packagesite.txz: Service Unavailable
Unable to update repository pfSense-core
Updating pfSense repository catalogue...
pkg-static: https://repo01.atx.netgate.com/pkg/pfSense_plus-v23_01_aarch64-pfSense_plus_v23_01/meta.txz: Service Unavailable
repository pfSense has no meta file, using default settings
pkg-static: https://repo01.atx.netgate.com/pkg/pfSense_plus-v23_01_aarch64-pfSense_plus_v23_01/packagesite.pkg: Service Unavailable
pkg-static: https://repo01.atx.netgate.com/pkg/pfSense_plus-v23_01_aarch64-pfSense_plus_v23_01/packagesite.txz: Service Unavailable
Unable to update repository pfSense
Error updating repositories!
>>> Locking package pkg... done.
ERROR: Unable to compare version of pfSense-repo

            Update from WebUI gives me the following:
            a5ff1a86-caf4-4e82-bfd3-dde8b9a91d09-image.png

            S 1 Reply Last reply Reply Quote 0
            • S
              SteveITS Rebel Alliance @akke023
              last edited by

              @akke023 if you’re trying to make them independent ports that is here:
              https://docs.netgate.com/pfsense/en/latest/solutions/netgate-2100/configuring-the-switch-ports.html

              Upgrades to 1100/2100 have been paused due to a bug apparently affecting older models with a small EFI partition, resulting in not booting and a firmware reinstall.

              You can change the update branch to Previous (or whatever shows 22.05 now) if you need to install packages.

              Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
              When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
              Upvote 👍 helpful posts!

              1 Reply Last reply Reply Quote 1
              • A
                akke023
                last edited by akke023

                @steveits said in VLAN not working in simple test.:

                if you’re trying to make them independent ports that is here:
                https://docs.netgate.com/pfsense/en/latest/solutions/netgate-2100/configuring-the-switch-ports.html

                Tried that, and my config looks exactly like that, let me show you, now that screenshots work:
                57bbdf26-251e-41e3-8863-7c9fad268741-image.png
                63c4ed0a-7e82-46a1-8ece-90fa232f1163-image.png
                08066992-18ac-4e0d-96ce-ef27ed067ee8-image.png
                (Last image wouldn't paste, but i've got PVID of port 1 set to 10, all other are still at default 1.)

                I would assume that in this case, all traffic on port 1 should be tagged as vlan 10, but for port 2 vlan 10 is allowed, but not tagged onto untagged packages.
                This was so I could test both senarios, but I don't get anything...

                @steveits said in VLAN not working in simple test.:

                Upgrades to 1100/2100 have been paused...

                Thanks for that.

                A V 2 Replies Last reply Reply Quote 0
                • A
                  akke023 @akke023
                  last edited by

                  @akke023 said in VLAN not working in simple test.:

                  (Last image wouldn't paste, but i've got PVID of port 1 set to 10, all other are still at default 1.)

                  ef3b4a98-4f8c-4444-a18b-418f8229f890-image.png

                  NightlySharkN 1 Reply Last reply Reply Quote 0
                  • V
                    viragomann @akke023
                    last edited by

                    @akke023 said in VLAN not working in simple test.:

                    I would assume that in this case, all traffic on port 1 should be tagged as vlan 10, but for port 2 vlan 10 is allowed, but not tagged onto untagged packages.

                    Not clear, why you've added port 2 to the VLAN, but you will have to add port 5 as tagged, since this is the uplink to the kernel.

                    A 1 Reply Last reply Reply Quote 1
                    • NightlySharkN
                      NightlyShark @akke023
                      last edited by

                      @akke023 Sorry to bump in, but:
                      If you want to push all VLANs through another port (to another switch or whatever), what is called a 'trunk', you need to have VLAN 10 in port LAN untagged, and set the PVID (port ID, which is the VLAN ID tag the switch slaps on packets from PC to switch) to 10

                      If you want your PC to use 802.11q VLAN frames (for test cases), you need to set port LAN VLAN ID 10 as tagged and PVID as 1 or none (I don't own a netgate device, so I haven't configured a switch on pfsense, so I don't know)

                      So, to sum up:
                      Port VID -> what the switch slaps on incoming packets
                      VLAN Tag -> what must be slapped on outgoing packets in order to leave through the LAN port, in esense, what VLANs the port sees
                      Tagged/Untagged->If the VLAN ID in question is seen on the packets by the devices connected on the port in question (LAN), that is tagged (the tag is untouched) or if the tag for that VLAN is invisible to the device on the port in question (LAN), that is untagged (the device on the port has no idea the VLAN exists, as all tags for that VLAN are removed and the device connected on the port sees only a normal LAN, or a normal LAN and some VLANs, if you have other VLANs tagged on that port)

                      Also, I think @viragomann has a point and I think you need to consult the documentation for:

                      1. PfSense Switch configuration
                      2. PfSense VLAN configuration
                      3. PfSense Layer3 switching - kernel handling of VLANs
                      1 Reply Last reply Reply Quote 1
                      • A
                        akke023 @viragomann
                        last edited by akke023

                        @viragomann said in VLAN not working in simple test.:

                        Not clear, why you've added port 2 to the VLAN

                        So that I could see if maybe I could let the tagging of the vlan happen on another device.
                        eg. on my client/switch I could set a vlan 10 for my device, the pfsense should see this, and since port 2 tagged in vlan 10, I should be able to access vlan 10 also.
                        Either way, neither way work, lol.

                        @viragomann said in VLAN not working in simple test.:

                        but you will have to add port 5 as tagged, since this is the uplink to the kernel.

                        This is the way!

                        I realize now it was right in my face all along...
                        But I guess after staring yourself blind on a problem you start missing things...

                        So I'd like to thank you all for the help!
                        Consider this one solved guys!

                        Just need to add port 5! For some reason my mind did not register the fact this was not a physical port...
                        e71075db-b524-4e71-85f5-bad077c99253-image.png

                        1 Reply Last reply Reply Quote 1
                        • First post
                          Last post