Strange MicroSemi PDS-208 behavior
-
@lewis Stop changing the switch IP. That is for management of the switch.
You add the IP of the vlan to the vlan interface in pfSense.
Do this, configure the switch so you can access it from the LAN.
Configure the new vlan in pfSense with the LAN as parent and whatever vlan id you want to use. The switchport that your LAN is connected to needs to be a trunk port. You will then leave vlan 1 untagged on that port and tag the new vlan id on it.
Then pick another switchport and untag the new vlan id on it. You may have to set the pvid on that port to the new vlan id also, some switches will do that automatically, some won't. Vlan 1 should not be on this port at all.
Plug a pc into that port, it will be on the new vlan and, if you enabled dhcp on that vlan in pfSense it will get an IP in that subnet, if no dhcp set a static IP in that subnet.
Don't change the IP in the switch at all.
-
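How the trunk-port and access-port settings described in the post above interact, as a small model added here (not code from the thread or from the switch vendor). The `Port` class, the VLAN id 30 and the assumption that ingress filtering is enabled are illustrative; the last helper also covers the point made in later replies that an untagged default VLAN's id never reaches pfSense.

```python
from dataclasses import dataclass, field


@dataclass
class Port:
    """One switch port, modelled with the three settings the post mentions."""
    pvid: int = 1                                       # VLAN assigned to untagged ingress frames
    untagged: set = field(default_factory=lambda: {1})  # member VLANs sent without a tag
    tagged: set = field(default_factory=set)            # member VLANs sent with an 802.1Q tag

    def ingress(self, tag=None):
        """Classify a received frame; None means dropped (ingress filtering assumed on)."""
        vlan = self.pvid if tag is None else tag
        return vlan if vlan in (self.untagged | self.tagged) else None

    def egress(self, vlan):
        """How a frame in `vlan` leaves this port, or None if the port is not a member."""
        if vlan in self.untagged:
            return "untagged"
        if vlan in self.tagged:
            return ("tagged", vlan)
        return None


def forward(src, dst, tag=None):
    """Carry one frame from src to dst; return its form on the wire, or None if dropped."""
    vlan = src.ingress(tag)
    return None if vlan is None else dst.egress(vlan)


NEW_VLAN = 30  # constructed example id; the post says "whatever vlan id you want"


def build_ports(set_pvid=True):
    """Trunk port facing the pfSense LAN, plus the access port for the PC."""
    trunk = Port(pvid=1, untagged={1}, tagged={NEW_VLAN})
    access = Port(pvid=NEW_VLAN if set_pvid else 1, untagged={NEW_VLAN})
    return trunk, access


def default_vlan_on_wire(vid):
    """Two ports left in one untagged default VLAN: the id never appears on the wire."""
    a, b = Port(pvid=vid, untagged={vid}), Port(pvid=vid, untagged={vid})
    return forward(a, b)


if __name__ == "__main__":
    trunk, access = build_ports()
    print("PC -> pfSense :", forward(access, trunk))            # tagged with 30 on the trunk
    print("pfSense -> PC :", forward(trunk, access, NEW_VLAN))  # untagged at the PC
    print("LAN -> PC     :", forward(trunk, access))            # None: VLAN 1 is not on that port
    trunk, access = build_ports(set_pvid=False)
    print("PVID left at 1:", forward(access, trunk))            # None: PC frames land in VLAN 1
    print("default 1/999 :", default_vlan_on_wire(1), default_vlan_on_wire(999))
```

The `set_pvid=False` case is the "some switches will do that automatically, some won't" situation: the port is an untagged member of the new VLAN, yet the PC's frames are still classified into VLAN 1 and never reach it.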
@Jarhead
OK, didn't know a managed switch would connect on a different subnet. I always reserve a range of ip addresses for my switches and access points in the DHCP server. Call it my inner control freak.
-
Stop changing the switch IP. That is for management of the switch.
I think this cannot be done using forums. The posts get too long and everyone gets out of sync and worse, frustrated because of that which is not helpful at all. It's not easy to follow all these suggestions. When some of you post, you post as if the person should know this or that then get frustrated with them when they cannot follow your suggestions.
I appreciate this post, it's well broken down but there are things which aren't clear because you know what you're talking about but I don't :).
To reiterate, the microsemi comes with vlan1 and an ip assigned to that of 192.168.0.50.
The local lan/network is 192.168.1.1/24. Not realizing this is a layer 2 switch, I simply changed the vlan1 IP to 192.168.1.122 to be on the main lan.
microsemi. Since it's using a vlan1, it could not be seen on the network as it was initially.
You add the IP of the vlan to the vlan interface in pfSense.
There is no vlan interface on the pfsense. Someone said to trash that several comments ago. I tried playing with a vlan interface but was told not to.
The microsemi is using vlan1 and I wanted to use something other than vlan1. I connected port 10 of the microsemi to port 16 of the main LAN switch to have a way of testing connectivity to it. Pfsense is connected to the main LAN switch.
A terminal is connected to port 9 of the microsemi and is able to communicate with it without any vlan configuration.
Do this, configure the switch so you can access it from the LAN.
That's been the problem all along. I explained that if I change the vlan1 from its default 192.168.0.50 to 192.168.1.22 which would put the microsemi on the main network, then it pings 3-4 times each time I pull the cable but that's it. Pull the cable, put it back in, it pings 3-4 times no more.
You said above, 'stop changing the management IP of the microsemi' so you see how the post is getting confusing.
Configure the new vlan in pfSense with the LAN as parent and whatever vlan id you want to use.
I tried using vlan3 initially and I shared how making any new vlan active results in loss of access to the microsemi. I tried vlan3 on port 9 only, leaving the management vlan1/192.168.0.50 default as well.
However, as soon as I enable a port to use that vlan on the microsemi, I lose access to it completely.
I need someone to take a step back, stop being frustrated, just take a little time to go over what we've talked about or better yet, let me reiterate how things are set up by going back to the starting point.
These switches come with vlan1, IP 192.168.0.50 as their default.
The main LAN is 192.168.1.1/24 on pfsense which is connected to the main LAN switch. The main LAN switch has vlan1 by default, all ports untagged.
Pfsense does not have any vlans configured.
On the microsemi, the only change I can make is to vlan1 and that's the IP.
By default, it has no gateway set BTW.
If I add a new vlanx, it boots me out if I select any ports to modify with the new vlan.
I've tried selecting only port 9 since that's connected to the main switch and leaving the others so I could still communicate with it using the terminal connected to port 10. That works.
If I try to add an IP to the new vlan, it boots me out as soon as I save it. Changing the terminal to that network does not remain access. No idea what happens but the only option becomes a reset.
So, how about some baby steps. How do you want me to configure the microsemi first? Again, port 9 is connected to the main lan switch. Port 10 is connected to the terminal.
-
Check out this post, it may help you to understand how ports need to be configured, and what tagging and untagging mean. Trust me I feel your pain as I just taught myself this process as well.
https://forum.netgate.com/topic/178253/vlan-on-cisco-sg-200-pfsense
Right now it doesn't seem like you're at the point where your switches can communicate. Several things have to be right and then vlans will just work.
Once you see the workflow it will all make sense.
-
@lewis said in Forced to use vlan1:
These switches come with vlan1, IP 192.168.0.50 as their default.
The main LAN is 192.168.1.1/24 on pfsense which is connected to the main LAN switch. The main LAN switch has vlan1 by default, all ports untagged.
If your pfsense is 192.168.1.1, then change the switch to say 192.168.1.2/24 with its gateway of 192.168.1.1
As long as nothing else on your lan is using 192.168.1.2
-
@lewis I think I know what you're trying to do now.
You don't want to add another vlan to pfSense, you just want to stop using vlan 1 on the switch, is this correct?
If so, the router doesn't care what vlan you use on the switch. You're using a physical port on the router, so whatever pvid is on the port of the switch that you plug into the router will be used.
Do this. Log into the switch. Add a vlan id that you want to use as the default vlan. Set that vlan id as pvid on any 2 ports for now. Set that vlan as management vlan.
Set the management vlan to dhcp.
Plug one of the ports you used into the lan port on pfSense.
Check your dhcp status and find the IP given to the switch.
Plug the pc into the other switchport with the new vlan. Log into the IP you found in the dhcp status. Set all the other switchports to the pvid of the vlan you want to use.
Just looked at the picture you posted, looks like dhcp might not be an option so set a static IP like John's post above.
-
@jarhead said in Forced to use vlan1:
you just want to stop using vlan 1
what does it matter - the default vlan 1 is untagged... Who cares what the ID is - pfsense doesn't know or care that is 1, or 100, or 223 it doesn't matter..
he should just change the ip to the ip he wants to use for the switch on his lan network and be done with it..
This isn't some enterprise setup that has some policy about the default vlan.. In this context there is zero reason to change the default vlan on the switch.. It has no meaning for this use case.. Pfsense will never see the tag, nor need to tag to it..
-
@lewis said in Forced to use vlan1:
Therefore, the first microsemi is set to 192.168.0.50 and vlan1.
I have its port 9 connected to port 16 of the main LAN switch.
That is the main switch that pfsense is connected to for its LAN side.
Have you tried getting vlan working on your main switch ?
It may be helpful to do that to get a better understanding of the workflow. I think adding a second switch would be less confusing then.
-
@johnpoz said in Forced to use vlan1:
@jarhead said in Forced to use vlan1:
you just want to stop using vlan 1
what does it matter - the default vlan 1 is untagged... Who cares what the ID is - pfsense doesn't know or care that is 1, or 100, or 223 it doesn't matter..
he should just change the ip to the ip he wants to use for the switch on his lan network and be done with it..
He doesn't want to use vlan 1 as the default vlan.
This is my guess anyway. Not really sure what he actually is trying to do.
-
@jarhead said in Forced to use vlan1:
@lewis I think I know what you're trying to do now.
therein may lie the problem, I have no clue what he's attempting to do....
-
@jarhead said in Forced to use vlan1:
He doesn't want to use vlan 1 as the default vlan.
For what reason - he doesn't understand even the basics of how vlans work... There is no point in him changing the default vlan on his switch.. Even if he changed it, it would still be untagged to his pfsense lan interface. So the ID is meaningless..
-
@johnpoz said in Forced to use vlan1:
@lewis said in Forced to use vlan1:
These switches come with vlan1, IP 192.168.0.50 as their default.
The main LAN is 192.168.1.1/24 on pfsense which is connected to the main LAN switch. The main LAN switch has vlan1 by default, all ports untagged.
If your pfsense is 192.168.1.1, then change the switch to say 192.168.1.2/24 with its gateway of 192.168.1.1
As long as nothing else on your lan is using 192.168.1.2
If only it would have been that simple :).
As explained, when I put the microsemi on the same network, then it only pings a few times and never again.
This happens when I restart the microsemi or pull and reconnect the cable. Pings and stops.
-
@lewis said in Forced to use vlan1:
Pings and stops.
And what does that have to do with anything? You understand the ping command in windows by default only sends 4 right ;)
Can you access the gui?
What IP did you set it to, you sure you didn't use an IP that is already in use?
Here is the thing... the default vlan 1 has zero to do with if the box answers pings. Like I have said, it's UNTAGGED.. It is just a native network..
You plug it into pfsense, you plug some box into any other port on the switch.. There is nothing to do with vlans or tags.. Doesn't matter if you made the default vlan 666 or 999, or whatever.. It has no meaning when all the ports are in this vlan, be it the default 1 or not.. And you plug some device into one of its ports and ping its ip..
Pfsense has zero to do with some box you have plugged into port 5 or whatever pinging the IP..
Why don't you just leave pfsense out of the equation completely - plug your pc into the switch, nothing else plugged into any other ports... you say it defaults to 192.168.0.50 right. Ok set your PC IP to 192.168.0.51 /24 (mask of 255.255.255.0)
Can you ping the IP, does it ping more than a few times using the -t on the end of your ping...
Ok.. Now change the management IP to say 192.168.1.2.. Now change your PC to say 192.168.1.3 -- do your pings work, can you access the switch gui??
Ok now plug any of the other ports on the switch into pfsense lan.. Now you only have pfsense lan interface, and your pc connected to the switch... Can you ping pfsense IP, 192.168.1.1, can you ping the switch 192.168.1.2 IP.. can you access the switch gui? Can you access pfsense web gui?
-
You don't want to add another vlan to pfSense, you just want to stop using vlan 1 on the switch, is this correct?
I have no preference. If I have to use a vlan, it's fine, just never have used vlans. I wanted to avoid vlan1 since that's used on most switches but since it's a switch itself, then that's fine if it makes sense to use vlan1.
However, changing the microsemi vlan1 IP to an IP on the 192.168.1.1 network doesn't work. I can ping it a few times then no more.
Just looked at the picture you posted, looks like dhcp might not be an option so set a static IP like Johns post above.
Correct. The microsemi devices do not have a dhcp client though the manual says it does. I've not been able to find any firmware updates and even the distributor didn't know about any.
If so, the router doesn't care what vlan you use on the switch. You're using a physical port on the router, so whatever pvid is on the port of the switch that you plug into the router will be used.
Do this. Log into the switch. Add a vlan id that you want to use as the default vlan. Set that vlan id as pvid on any 2 ports for now. Set that vlan as management vlan.
Set the management vlan to dhcp.
Plug one of the ports you used into the lan port on pfSense.
Check your dhcp status and find the IP given to the switch.
Plug the pc into the other switchport with the new vlan. Log into the IP you found in the dhcp status. Set all the other switchports to the pvid of the vlan you want to use.
I think I've tried this so let me explain what I've done again and see if it's what you are explaining.
I connected a terminal directly to port 10.
The microsemi comes default with vlan1 and 192.168.0.50.
My network is 192.168.1.1.
I changed vlan1 to 192.168.1.22, a free IP on the 192.168.1.1 network.
I changed the IP of the terminal to match so kept having access.
On the 192.168.1.1 network, I used a server to ping the 192.168.1.22 IP continuously and noticed that it can ping it 3-4 times only when the microsemi is restarted or the cable is pulled from the port and plugged back in.
I preferred not to use vlan1 so wanted to add a new vlan for this since I have a bunch of these microsemi switches and want them on their own network.
I also don't have a free interface on pfsense so vlan would be perfect.
I added a new vlan on the microsemi, vlan3, so I would use a new network of 192.168.3.0/24. Something I'd remember, vlan matching the network.
I connected the microsemi port 9 directly to the main LAN switch, port 16. That's the same switch that pfsense is connected to.
I added vlan3 to the main switch for port 16, untagged. Not sure where I mentioned I used tagged but never have so if I did, it was a typo.
Then I figured ok, now I have to add a vlan to pfsense.
I added vlan3 (192.168.3.1/24) to the LAN interface.
I then added a rule that should have allowed all traffic to the vlan.
Even if I made an error above so far, the problem remains at the microsemi first I think.
When I created the vlan3 and selected all ports, I got locked out of the device. Changing the network on the terminal did nothing so I reset the switch.
Then I re-added a new vlan3 and this time, selected only ports 9 and 10.
Got locked out again.
Then I re-added a new vlan3 and this time, selected only port 9 for it so I would not get booted and that worked. I hoped that maybe that would at least get some communications going between pfsense and the microsemi so I could move forward from there.
So, that combination ended up being, microsemi connected to main lan switch port 16, untagged. Port 9 of the microsemi using vlan3.
Got nowhere, decided to post here.
Based on the fact that you are all telling me how easy this should be, it means to me that the microsemi is doing something unusual or I'm missing a very small step. Of course, at this point, it's a long thread which also adds additional confusion but still appreciating the help otherwise, I think these damn things would be in the garbage bin at this point! Or I should be on a badly needed vacation.
-
@lewis You do realize that every switch is its own broadcast domain, right?
You can have 10 switches, all using vlan 1 and each switch will be a separate network if you connect them to different interfaces on the router.
If what you're thinking is because they all use vlan 1 they are all gonna be connected, that's not how it works. Think about it, every switch I've ever seen comes with vlan 1 as default. So if you were right, every network in the world would be connected.
If you don't connect the switches together, they are separate regardless if they all use vlan 1 or not.
Why don't you draw a diagram of what you want to do so it would be clearer because what you're saying isn't coming over very well.
-
I don't know why what I'm asking about is sounding so complicated.
I'm not wanting to do anything interesting. I simply want to reach these switches from the main lan.
Later, I thought this might be a good opportunity to learn about vlans, by keeping these switches in their own isolated network but reachable from the main lan.
A diagram would be as simple as;
A separate network would be nice to have so I could isolate that traffic from the main LAN and the other networks on the pfsense.
For now, I just want some of the devices on 192.168.1.1/24 to be able to reach the microsemi devices connected to ports 1-8 when that's done.
-
@lewis said in Forced to use vlan1:
A diagram would be as simple as;
And how many times do I have to tell you how to set this up? This works out of the box on both pfsense and this switch.. Forget vlans for 1 minute..
As I stated above how to change the IP of the switch to 192.168.1.2
Do that! And your diagram works.. It is that simple, there is nothing to do - no small steps... You're changing the IP of the switch.. nothing to do with vlans nothing to do on pfsense.. the only thing you have to worry about is the IP you set the switch to is not already being used on your 192.168.1/24 network..
Once you have the switch working with some 192.168.1.x IP on its default vlan 1, we can start talking about adding vlans.. Keep in mind with your drawing, that main switch if it's dumb is not how you would do it.. Because while a dumb switch might not strip vlan tags (it could but shouldn't) it doesn't understand vlans, and any broadcast traffic sent across that switch no matter what vlan tag you have on it is going to go out all the ports, and there is no isolation of any vlan traffic.. That sort of setup is not a valid setup..
if you have some dumb switch it should be behind your vlan capable switch..
If you plan on doing vlans sometime in the future.. You should put this vlan capable switch between pfsense and your dumb switch..
But for now.. I would get the vlan switch working on something.. Either change its management IP to be on your lan network.. Or just connect it to one of your other pfsense interfaces and either use 192.168.0/24 network on that, or change that network to be some network you want to use..
But for now forget about changing any vlans on the switch, forget about setting up any vlans on pfsense. And just get the switch talking on its IP you set on it..
If your other interfaces are not actively being used.. Then plug your new vlan switch into one of those. Set pfsense to use 192.168.0.1/24 on this interface.
Set up an any any rule on pfsense optX interface. Make sure the gateway on the switch is 192.168.0.1 and there you go - the switch is on your local network, it can talk to the internet or your other networks. And as long as your networks are not policy routing traffic out some gateway or vpn, and your rules allow it to talk to your other networks on pfsense - you're working..
-
Please don't say things like 'how many times do I have to tell you'. I'm a grown man, I don't treat people that way and I don't want to be treated this way.
I'm not being rude and I'm not purposely not understanding. It's new to me and many others have said that playing with vlans was quite a challenge for them.
Yes, I understand that we're not talking vlans at this point but I've shared many times that I've done exactly what you're showing.
I shared above that it is set to 192.168.1.22, a free IP in the main LAN.
It responds to pings only 3-4 times then no more unless restarted or I pull the cable and plug it back in.
There are no switches in between right now, port 9 of the microsemi is connected to port 16 of the main LAN switch and it's on the same network but is not accessible.
Here is an image of the microsemi;
And here is an image trying to ping it from a LAN client;
-
That is your client 192.168.1.50 saying that IP that is supposed to be on my network does not have a mac address.. via arp..
Here I do not have anything on my network at 9.44 - so yeah my client says it can not talk to that host..
Where is this 192.168.1.50 client.. is it plugged into the vlan switch, on a port that is still on vlan 1 or is it connected to your main switch?
None of this has anything to do with vlans, this has to do with your switch.. If you're connected to a port on that vlan switch that is untagged in vlan 1 and it can not ping the management IP of the switch... Then either you didn't actually change the IP. Or the switch is borked..
-
@lewis said in Forced to use vlan1:
There are no switches in between right now, port 9 of the microsemi is connected to port 16 of the main LAN switch and it's on the same network but is not accessible.
So where's the router in this?
Why not get rid of the main lan switch for a second.
Plug the microsemi into the lan port from pfSense and a pc into another switchport.
Does everything work that way?
This sounds like the main lan switch is in between.