[Solved] Issues switching the 2100-switch to 802.1q mode
-
Hi,
I have been trying to switch my setup to 802.1q (VLAN tagging) mode, and have failed way too many times now. I need some help or pointers as to where I go wrong. I have followed an excellent video from a Netgate Hangout, where they talked about setting this up for a 3100. I have a 2100, and for all I think matters, it looks very similar (correct me if I'm wrong).
If I fiddle with it I lose this connectivity, so please excuse the lack of actual screenshots. I will make sure to be thorough though.
Prior to this I had some VLANs, rules and what-not running in "port mode", and recently discovered that tagging can be very useful.
So before I go into all the details and potentially waste time, two control questions:
-
Am I correct to assume port 5 is indeed the uplink of the 2100? I wonder since in the video it was mentioned how important the uplink is, without it no connectivity (which is where I ended up), so I just need to know if I used the one I should have.
-
Since I did in fact get assigned IPs from the switch ports' DHCP, but could no longer reach pfSense, I almost suspect I was missing a rule or two? But shouldn't I have been able to reach pfSense at least?
Thanks
-
Yes, port 5 is the uplink port in the 2100.
If you created a new interface for the VLAN then you would only get DHCP by default unless you add rules. Only the LAN interface has any default rules to pass traffic, including to pfSense itself.
Steve
-
@stephenw10 said in Issues switching the 2100-switch to 802.1q mode:
Yes, port 5 is the uplink port in the 2100.
If you created a new interface for the VLAN then you would only get DHCP by default unless you add rules. Only the LAN interface has any default rules to pass traffic, including to pfSense itself.
Steve
Ah, but then it sounds like I wasn't as far off as I first thought! The question then would be what minimum rules I would need to add; I would hate to have to redo it all again. I haven't found a way to do this and keep it up at the same time...
My goal with this is to set up two ports on the 2100: one that has my management LAN untagged (to connect my UniFi switches), on which I then map/untag VLANs to ports as needed, and the other to connect directly to storage (NAS). Does that sound like a sound way of doing it, or would there be better ways (working ones even, if this won't) :)
-
@furom Re: rules, it depends on what you want to allow. Maybe:
Allow DNS to This Firewall
Block 22/80/443 to This Firewall (if untrusted)
Block to LAN
Allow to any (to internet)
I’m not caffeinated so not sure I understand your second question. If you’re just looking to create a new interface the steps are https://docs.netgate.com/pfsense/en/latest/solutions/netgate-2100/configuring-the-switch-ports.html.
-
@steveits said in Issues switching the 2100-switch to 802.1q mode:
@furom Re: rules, it depends on what you want to allow. Maybe:
Allow DNS to This Firewall
Block 22/80/443 to This Firewall (if untrusted)
Block to LAN
Allow to any (to internet)
I’m not caffeinated so not sure I understand your second question. If you’re just looking to create a new interface the steps are https://docs.netgate.com/pfsense/en/latest/solutions/netgate-2100/configuring-the-switch-ports.html.
Thanks,
Well, what I tried to say is I basically want to create a trunk with the management LAN untagged if possible. I would guess that having the "infra", as in switches etc., not having to use tags would be easiest?
Yeah, all those rules I think I have under control. But as Stephen wrote above, DHCP will need its rules apparently, and that I don't need on my other networks, so I thought it best to ask before going at it once more, hopefully the final time :)
-
@furom No, I think you misread. DHCP is allowed by default if enabled.
https://www.reddit.com/r/PFSENSE/comments/3qkufc/comment/cwgzy0m/
-
@steveits said in Issues switching the 2100-switch to 802.1q mode:
@furom No, I think you misread. DHCP is allowed by default if enabled.
https://www.reddit.com/r/PFSENSE/comments/3qkufc/comment/cwgzy0m/
That makes sense. I thought it might be because of the switch or something. But I could not reach pfSense, without any added rules that is. Would I need to allow that specifically?
Would the "trunk" work out the way I imagine?
-
@furom said in Issues switching the 2100-switch to 802.1q mode:
That makes sense. I thought it might be because of the switch or something. But I could not reach pfSense, without any added rules that is. Would I need to allow that specifically?
Would the "trunk" work out the way I imagine?
If you are plugged directly into the switch on the 2100 and not getting DHCP it's a pfSense issue. If you are connecting through another switch and it's not working it's likely a switch config issue.
-
@rcoleman-netgate said in Issues switching the 2100-switch to 802.1q mode:
@furom said in Issues switching the 2100-switch to 802.1q mode:
That makes sense. I thought it might be because of the switch or something. But I could not reach pfSense, without any added rules that is. Would I need to allow that specifically?
Would the "trunk" work out the way I imagine?
If you are plugged directly into the switch on the 2100 and not getting DHCP it's a pfSense issue. If you are connecting through another switch and it's not working it's likely a switch config issue.
Thanks, I did get DHCP; I misunderstood earlier and thought the built-in switch needed rules for it to work.
-
@furom VLANs will need rules, but not for DHCP.
By default the LAN interface passes all traffic, but you need to define traffic rules for each new interface.
-
The solution, and what made this work in the end, was me finding a misconfiguration in the SG-2100 switch. I had sadly missed adding the VLAN I needed to use to the port I was connected to, and therefore was not seeing the tags.
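One way to catch the misconfiguration described in the final post before touching the firewall rules, as an added example that is not from the thread or from pfSense: a consistency check over an 802.1q port/VLAN membership table laid out the way the pfSense switch page shows it. It assumes port 5 is the uplink, as confirmed in the thread, and the VLAN ids and port layout in the sample (management VLAN 10 untagged plus 20/30 tagged on a trunk port, NAS on port 2) are constructed.

```python
from dataclasses import dataclass, field

UPLINK_PORT = 5  # the thread confirms port 5 is the 2100's uplink to pfSense

@dataclass
class Port:
    pvid: int                         # VLAN stamped on untagged ingress frames
    untagged: set = field(default_factory=set)
    tagged: set = field(default_factory=set)

def check_switch(ports, needed):
    """Return findings for a {port: Port} table; `needed` maps a port to the
    VLAN ids a device on it must reach. An empty list means it is consistent."""
    findings = []
    in_use = set().union(*(p.untagged | p.tagged for n, p in ports.items() if n != UPLINK_PORT))
    uplink = ports.get(UPLINK_PORT, Port(pvid=1))
    # 1. every VLAN used on a switch port must ride the uplink tagged, or pfSense never sees it
    for v in sorted(in_use - uplink.tagged):
        findings.append(f"vlan {v} is not tagged on uplink port {UPLINK_PORT}")
    # 2. per-port sanity: one untagged VLAN, PVID matching it, no overlap
    for num, p in ports.items():
        if len(p.untagged) > 1:
            findings.append(f"port {num}: more than one untagged vlan {sorted(p.untagged)}")
        if p.untagged and p.pvid not in p.untagged:
            findings.append(f"port {num}: pvid {p.pvid} not among untagged {sorted(p.untagged)}")
        if p.untagged & p.tagged:
            findings.append(f"port {num}: vlan both tagged and untagged {sorted(p.untagged & p.tagged)}")
    # 3. the mistake from the thread: the VLAN was never added to the port
    for num, vlans in needed.items():
        missing = vlans - (ports[num].untagged | ports[num].tagged)
        for v in sorted(missing):
            findings.append(f"port {num} is not a member of vlan {v}; its tags are dropped")
    return findings

# Constructed layout (hypothetical VLAN ids): management VLAN 10 untagged plus
# VLANs 20/30 tagged on port 1 (trunk to the UniFi switches), NAS on port 2
# untagged in VLAN 30, everything tagged on uplink port 5.
GOOD = {1: Port(pvid=10, untagged={10}, tagged={20, 30}),
        2: Port(pvid=30, untagged={30}),
        UPLINK_PORT: Port(pvid=1, tagged={10, 20, 30})}
# Same intent, but VLAN 20 was never added to port 1, so its tags are dropped.
BROKEN = {1: Port(pvid=10, untagged={10}, tagged={30}),
          2: Port(pvid=30, untagged={30}),
          UPLINK_PORT: Port(pvid=1, tagged={10, 30})}
NEEDED = {1: {10, 20, 30}, 2: {30}}

if __name__ == "__main__":
    for name, table in (("good", GOOD), ("broken", BROKEN)):
        print(name, check_switch(table, NEEDED) or ["ok"])
```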