Strange MicroSemi PDS-208 behavior
-
I have a situation where some microsemi poe switches don't work on anything other than layer 2 and vlan1 as an option. I might be able to change that but it means having to order custom cables that will take a while to get here.
I know it's a bad idea to use vlan1 but right now, I don't have a choice and might not in the long run.
Therefore, the first microsemi is set to 192.168.0.50 and vlan1.
I have its port 9 connected to port 16 of the main LAN switch.
That is the main switch that pfsense is connected to for its LAN side. I have a terminal connected to port 10 of the microsemi and am able to communicate with it.
I've never used vlans before so here is what I did on pfsense.
I can't recall at this point if vlan1 was already on pfsense but there is one now.
I have OPT3 assigned to VLAN1 on bce2 (LAN).
For rules, I only have the following right now.
I thought this would allow anything to anything on OPT3 and vice versa but I'm obviously missing something.
I'm trying to reach the microsemi from clients on the LAN (192.168.1.1/24) but cannot.
What am I missing to make this work?
-
@lewis said in Forced to use vlan1:
I have a situation where some microsemi poe switches don't work on anything other than layer 2 and vlan1 as an option. I might be able to change that but it means having to order custom cables that will take a while to get here.
What does a custom cable have to do with a vlan?
I know it's a bad idea to use vlan1 but right now, I don't have a choice and might not in the long run.
I've never seen a vlan capable switch that will only use vlan 1, are you sure the switch has vlan capabilities?
Therefore, the first microsemi is set to 192.168.0.50 and vlan1.
I have its port 9 connected to port 16 of the main LAN switch.
That is the main switch that pfsense is connected to for its LAN side. I have a terminal connected to port 10 of the microsemi and am able to communicate with it.
I've never used vlans before so here is what I did on pfsense.
I can't recall at this point if vlan1 was already on pfsense but there is one now.
I have OPT3 assigned to VLAN1 on bce2 (LAN).
For rules, I only have the following right now.
I thought this would allow anything to anything on OPT3 and vice versa but I'm obviously missing something.
I'm trying to reach the microsemi from clients on the LAN (192.168.1.1/24) but cannot.
What am I missing to make this work?
Do you have a software firewall running on the box you're pinging? That would block it.
-
What does a custom cable have to do with a vlan?
Because it seems there are some additional commands that can only be run from the console to change the vlan. I don't know for sure.
I've never seen a vlan capable switch that will only use vlan 1, are you sure the switch has vlan capabilities?
Microsemi PDS-208
-
@lewis said in Forced to use vlan1:
PDS-208
Not sure what you're trying to do exactly - but vlan 1 is almost never tagged. On all managed switches I have ever seen, vlan 1 is the default native vlan, ie not tagged.
But that switch shows it supports 802.1Q, so you should be able to use any vlan tag you want really, like up to 4096, etc. But vlan 1 is not something you tag..
Use say vlan ID 192.168.X whatever that number you're using.. Not using 0 or 1 for example, my network like 192.168.4/24 and 192.168.6/24 use IDs 4 and 6.
Actually my actual lan network, which is not tagged at pfsense is vlan 9 on my switch.. I don't like to use vlan 1 on my switches - habit from corp networking world.
If you want to use say a 1 or 0 192.168.X network then make the tag like 100 or 101 or something.. But tagging 1 is not something that is done..
-
@lewis said in Forced to use vlan1:
What does a custom cable have to do with a vlan?
Because it seems there are some additional commands that can only be run from the console to change the vlan. I don't know for sure.
I've never seen a vlan capable switch that will only use vlan 1, are you sure the switch has vlan capabilities?
Microsemi PDS-208
You can probably ssh in instead of the console
-
What I'm trying to do is to allow the LAN network to see those switches.
Unless I overlooked something, I've not set anything to tagged. In fact, on the main LAN switch port, I set that to untagged.
I've not been able to add a new vlan on the microsemi, every time I do, even if it's a new one along with the existing one, it boots me out. I then change the terminal to match the switch but nothing, cannot see it again. My only option is to use vlan1 after factory resetting it.
-
@lewis said in Forced to use vlan1:
on the main LAN switch port, I set that to untagged.
Which is not done on vlan 1... It is the default native vlan on a switch, not tagged.. If your lan is not a vlan in pfsense, then it's fine for that to be just the default vlan 1 on the switch
Reset the switch connect to it.. Then add a vlan with the ID you want to use
Prob behoove you to read up on tagged and untagged vlans. And prob go over the manual of that switch.. It looks pretty straightforward to me to be honest.
Now if you want another network to be a vlan, use some other ID other than one, after you have created it on your switch and tag that vlan on your switch on the port that is connected to pfsense lan port.
Tagging vlan 1 is NOT something that is done.. In 30 years in the biz - never ever seen it.. Vlan 1 is the native UNTAGGED vlan on switches. You do not need to use that to access a switch if you don't want to - but it's fine to do so..
-
I'm not following or something. I said I tried that.
The main LAN switch is set this way;
The LAN is not a vlan.
I can't set another vlan on the microsemi, it simply doesn't work. I've tried repeatedly but each time get locked out and have to factory reset it as explained above. If I've missed a step, I don't know what it is because I have the manual and yes, it's pretty straightforward.
Now if you want another network to be a vlan, use some other ID other than one, after you have created it on your switch and tag that vlan on your switch on the port that is connected to pfsense lan port.
Tagging vlan 1 is NOT something that is done.. In 30 years in the biz - never ever seen it.. Vlan 1 is the native UNTAGGED vlan on switches. You do not need to use that to access a switch if you don't want to - but it's fine to do so..
I'm simply trying everything I can to see if I can get somewhere. If I can't reach the microsemi after adding a vlan id higher than 3 with a directly attached terminal, then nothing on the network will for sure.
That's partly where I'm stumped. If I could add a new vlan id on the microsemi, I think the rest would be simple but I can't. That's why I wondered if there are some additional steps from the CLI since some documentation seems to imply there might be.
-
@lewis said in Forced to use vlan1:
The LAN is not a vlan.
Yeah it is. On the switch, it is vlan 1.. it's just not tagged.
Once you start using a smart/managed switch all networks are vlans to the switch... All your ports can be in the default vlan 1 and untagged. And then you can start virtualizing the switch and creating new "vlans"..
But to the switch the native network, that is untagged, is vlan 1 to the switch.. Pfsense doesn't think it's a vlan, because it's not tagged.. But to the switch yes it is a vlan..
-
@johnpoz LOL, ok so now I'm really lost :).
On pfsense, I added vlan1 on the lan interface as you saw in the images above. So I guess that's something I should remove then.
Either way, since I'm not able to change the microsemi to any other id, then I guess I'm SOL?
-
@lewis How are you adding the vlan in the switch? If it's kicking you out, my guess would be you're trying to change the management vlan.
Simply adding a vlan won't kick you out.
-
@jarhead exactly... he is doing something wrong..
I posted a picture from the manual where to add a vlan.
Yes delete that vlan 1 you created on pfsense.. That is wrong!
Now reset your setup.. It's going to be vlan 1 untagged on all ports. Connect it to your pfsense lan port. Give it a management IP on whatever your lan network is.
Now on the switch add say vlan 100.. Now on pfsense create your other network with a vlan ID of 100.. Attach this vlan on pfsense lan interface, use some network say 192.168.100.0/24, setup dhcp, setup some firewall rules on your new vlan network on pfsense interface.
On the port that is connected to lan on pfsense, set vlan ID 100 to tagged. Put some other port untagged on your switch in vlan 100.. There you go, you're doing vlans - and Bob's your uncle, it really is that simple.
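As an added illustration of the tagged/untagged distinction in the recipe above (example code written for this thread, not code from the original posts, from Microsemi or from pfSense), the model below builds 802.1Q frames and pushes them through a toy switch with the port roles described: port 9 as the uplink to the pfSense LAN port with vlan 1 untagged and vlan 100 tagged, port 10 as the management terminal in vlan 1, and a third port as an untagged member of vlan 100. The MAC addresses, the third port's number and all function names are constructed assumptions.

```python
import struct
TPID_8021Q = 0x8100  # EtherType value that announces a 4-byte 802.1Q tag

def build_frame(dst_mac, src_mac, payload, vid=None, pcp=0):
    """Ethernet II frame with an IPv4 EtherType; with vid set, an 802.1Q tag follows the MACs."""
    hdr = bytes.fromhex(dst_mac) + bytes.fromhex(src_mac)
    if vid is None:
        return hdr + struct.pack("!H", 0x0800) + payload
    tci = (pcp << 13) | (vid & 0x0FFF)  # TCI = PCP (3 bits), DEI (1 bit), VID (12 bits)
    return hdr + struct.pack("!HHH", TPID_8021Q, tci, 0x0800) + payload

def parse_vlan(frame):
    """(vid, True) for a tagged frame; (None, False) when untagged. An untagged frame
    carries no VID at all, which is why the native vlan 1 is never 'tagged'."""
    if struct.unpack("!H", frame[12:14])[0] == TPID_8021Q:
        return struct.unpack("!H", frame[14:16])[0] & 0x0FFF, True
    return None, False

def add_tag(frame, vid):
    return frame[:12] + struct.pack("!HH", TPID_8021Q, vid & 0x0FFF) + frame[12:]
def strip_tag(frame):
    return frame[:12] + frame[16:]

def switch_forward(ports, ingress, frame):
    """Model of a layer-2 switch: each port has one untagged vlan (its PVID) plus a set of
    vlans it carries tagged. Returns {egress_port: frame_as_sent}, or {} if dropped."""
    vid, tagged = parse_vlan(frame)
    if not tagged:
        vid = ports[ingress]["pvid"]            # untagged on ingress -> the port's PVID
    elif vid not in ports[ingress]["tagged"]:
        return {}                               # tagged for a vlan this port does not carry
    out = {}
    for name, p in ports.items():
        if name == ingress:
            continue
        if p["pvid"] == vid:                    # untagged member: tag removed on egress
            out[name] = strip_tag(frame) if tagged else frame
        elif vid in p["tagged"]:                # tagged member: tag added if it was absent
            out[name] = frame if tagged else add_tag(frame, vid)
    return out

# Constructed port map for the recipe above: port 9 uplinks to the pfSense LAN port
# (vlan 1 untagged, vlan 100 tagged); port 10 is the terminal; port 3 is untagged vlan 100.
PORTS = {
    "port9_pfsense": {"pvid": 1, "tagged": {100}},
    "port10_terminal": {"pvid": 1, "tagged": set()},
    "port3_vlan100": {"pvid": 100, "tagged": set()},
}
PFSENSE_MAC, TERMINAL_MAC = "0a0000000001", "0a0000000002"  # constructed addresses
```

A frame tagged with VID 1 arriving on port 9 is dropped by this model, which is the practical reason the replies insist that vlan 1 stays untagged.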
-
@jarhead said in Forced to use vlan1:
@lewis How are you adding the vlan in the switch? If it's kicking you out, my guess would be you're trying to change the management vlan.
Simply adding a vlan won't kick you out.
On the microsemi, I can add a new vlan/id so I add vlan2 for example. I enable that for port 9 only, which I have connected to the main LAN switch, port 16 I think I mentioned. There is no option to add any IP at this point.
If I enable port 10 which I have the terminal connected to, then I'll lose access. That seems odd since I've not changed the IP nor added one to the new vlan yet but then, I've never done vlans before.
-
So here is an example.
On the microsemi, I added vlan100.
I enabled that on port 9 only, the one connected to the main LAN switch.
I then set the IP for that to 192.168.100.50.
There's no option to use one or the other and when I save it, I get booted from the microsemi. Fine, I change the network on the terminal to match, 192.168.100.75 but nope, cannot ping the microsemi anymore on either the 192.168.0.x or 192.168.100.x networks from the terminal. It seems to only want to work when it's using vlan1. I think I have to solve this before moving on to anything else.
-
@lewis said in Forced to use vlan1:
I then set the IP for that to 192.168.100.50.
Huh? Why are you trying to set the switch ip to some other IP that is not your lan?
You stated this is a layer 2 switch, it is unlikely it would let you set an SVI (Switch Virtual Interface) on any of the other vlans.. You use the vlan 1 IP, the management vlan, to manage the switch.
Your other vlans 100, 2 or 1012, etc.. would not have any IPs set on the switch
Pfsense would have an IP on vlan 100 for example - since it is the router to get on and off that network.. Your other devices you put on this vlan 100 would have IPs.. The switch doesn't need an IP on this vlan, it's just layer 2.. It's not routing anything..
-
I then set the IP for that to 192.168.100.50.
Huh? Why are you trying to set the switch ip to some other IP that is not your lan?
I'm not 'trying' to do anything, I don't know what I'm doing when it comes to vlans as I've said all along. I thought I was being asked to set up a new vlanx on the microsemi using the above IP.
You stated this is a layer 2 switch, it is unlikely it would let you set an SVI (Switch Virtual Interface) on any of the other vlans.. You use the vlan 1 IP, the management vlan, to manage the switch.
I only see it or can access it from a terminal connected directly to one of the microsemi ports. A terminal that is secluded from the main lan so I can change its IP as needed.
Your other vlans 100, 2 or 1012, etc.. would not have any IPs set on the switch
I don't have any other vlans. Only the microsemi has vlan1 and of course, devices on the LAN like switches.
Pfsense would have an IP on vlan 100 for example - since it is the router to get on and off that network.. Your other devices you put on this vlan 100 would have IPs.. The switch doesn't need an IP on this vlan, it's just layer 2.. It's not routing anything..
My limited knowledge of vlans is that they are simply a virtual network instead of a physical one. You could have one LAN/network and have a bunch of virtual networks on that. So long as the switches know to handle those vlans, all devices on the same networks can talk with devices on the same networks.
In my case, while I have three different networks physically connected to the pfsense, I only need the microsemi devices to communicate on the LAN network.
Unfortunately, forums aren't like talking face to face so things can get more complicated than they actually should be. Saying 'why are you doing this and that' doesn't help because I'm not really trying to do this and that, just trying to get a basic setup working so that once it is, I can finally learn how to put vlans to work :).
Since you understand what I'm trying to do, could you just walk me through what I need to do, one thing at a time and I'll follow those directions and post what I've done and where I'm at. At some point, we should be in sync of where it's at. I'm nervous that this post will only get more and more convoluted if we don't do it this way. I don't want to waste anyone's time so happy to follow directions one step at a time.
-
@lewis said in Forced to use vlan1:
I'm not 'trying' to do anything, I don't know what I'm doing when it comes to vlans as I've said all along. I thought I was being asked to set up a new vlanx on the microsemi using the above IP.
If you want that to be the management IP of the switch, then put the switch on that network, no vlan on pfsense.
I only need the microsemi devices to communicate on the LAN network.
Well then do that - that is how it would work out of the box.. With everything in vlan 1..
Since you understand what I'm trying to do, could you just walk me through what I need to do,
I already did... Set the IP on the switch for an IP on your LAN... You're done - if you have no other need for any vlans.. If you do, I already went through how to do that as well.
I was being asked to set up a new vlanx on the microsemi using the above IP.
Who asked you to do that? A layer 2 management IP, ie the IP you use to access its gui or via ssh/telnet if it supports that, would be on the switch's vlan 1.. The default untagged network... if you want it to be 192.168.100.50 then connect it to a network on pfsense that is using 192.168.100/24 and is not a vlan.. Be that your lan or some other network, or set your lan to be 192.168.100/24
-
Before I change anything, let me try to make sure we're in sync.
I believe I understand what you're saying, that vlan1 is default on all switches, maybe not pfsense.
I tried putting the microsemi at 192.168.1.22, a free IP in the 192.168.1.1/24 network that is the LAN on pfsense. Doing that did not make the switch accessible from any device on the LAN. There is no vlan configured on pfsense at the moment.
Changing the vlan1 on the microsemi to 192.168.1.22 allows the terminal to reach it because it's connected directly to the switch.
However, a device trying to ping it from the 192.168.1.1 network gets 3-4 pings and no more. I've tested this countless times.
And to confirm, there is nothing set to tagged, never was.
-
Just for kicks, I tried again. I changed the vlan1 on the microsemi to 192.168.1.22.
I wasn't able to reach it from any device on the lan while the terminal connected directly can. Then I restarted the microsemi and it did what it has done since the start.
From a device on the lan, I can ping it for a few moments then it's gone. Yet the terminal can still communicate with it.
Does it mean something is blocking it at the firewall level? Why does it ping for a few moments then gone?
Also, there is something weird about these microsemi. Twice now, after changing the IP as mentioned above, maybe 5 minutes into it, it reboots and goes back to its factory 192.168.0.50 IP. Maybe that's because there is something else I should be running to keep the configuration permanently so I'll look at the manual again.
UPDATE: Actually, it rebooted but this time it kept its new IP. The pinging device on the lan saw it for a few pings then no more.
And I found a 'save to flash' option.
This is the current setup;
-
Lewis,
I'm really new to vlan but I think you are taking some steps out of order and causing some issues due to it. My newb recommendation:
Reset the microsemi switch, connect to it with a lan cable and set the IP to an address in the subnet of your pfsense box. After reboot, you should be able to connect the microsemi back to the main switch and log into it from your network using the new IP.
Create your vlan in pfsense and the desired switches.
Configure trunk ports on the respective ports of each switch.
Untag the appropriate ports and set your firewall rules.
The any to any rule is ok for testing but I discovered allowing the (http), (https) and (DNS) rules helped my vlans to begin seeing traffic when I first started my vlans.
Good luck, I spent three days trying to get my vlan to work only to discover I had port 8 and 9 cables reversed. The trunk port I thought I was connecting to, I wasn't. SMH.......