New Zealand for management and physical Netgear switch
-
Hi Team,
I am running pfSense 2.7.2. I’ve created a new VLAN with ID 20. Parent interface is set to my LAN. I’m using an ethernet cable directly out of my firewall's LAN into a Netgear XS712T 10GB switch port. I enable VLAN and Tag that port on the switch, and the one I am plugging the laptop into is also Tagged. I have set the PVID in the switch as well for both ports. I do have DHCP enabled on the VLAN in pfSense. I don’t get an IP via DHCP. If I manually set an IP address in the OS I still can’t ping the VLAN gateway IP, and I do have an ICMP allow rule set. I can successfully ping the VLAN interface directly from the LAN interface on the firewall to the laptop with no switch in the middle, but that kind of defeats the purpose. What am I missing passing the VLAN onto my switch from pfSense, or any hints on what I may be doing wrong in my switch? Any help at all would be greatly appreciated. I’ve been stuck on this for hours.
Thank you,
-
@VMlabman said in New Zealand for management and physical Netgear switch:
the one I am plugging in the laptop to is also Tagged
Normally when you connect a device like a laptop to a port and you want it on vlan 20, this port on your switch would be vlan 20 not tagged; Cisco would call this an access port.. And the pvid on this port would be 20..
If you're going to tag the traffic, then you need to set up your laptop to know the traffic is tagged, and to put its traffic on the wire with a tag.
-
Thank you for your response. So out my LAN of pfSense into the switch port 12 Tagged and no PVID set on port 12, with the laptop plugged into port 8 Untagged and PVID set to 20, the VLAN ID?
Do I have that correct?
Thx
-
@VMlabman out of your lan, which I take it is not tagged, ie not a vlan.. This would go to your switch port and would be whatever vlan on your "switch" you want your lan to be in.. This would normally be the default vlan 1 for any switch.. So the pvid on that port would be 1.
In my case for example this is vlan 9, I changed the switches default vlan to 9 (on the switch) and the pvid is 9, because that is the vlan (on the switch) that I want this untagged traffic to be on.
So for you - most likely unless you have messed with your switch default vlan, or you want your "lan" to be on some other vlan (on your switch) this would be vlan 1 and pvid 1.. Where you have added vlan 20 to be tagged.
Then to your laptop, this port would be untagged vlan 20, with pvid 20..
The pvid on a switch tells the switch what vlan (for the switch) to put untagged traffic.
Let's see if this helps you understand.. So I have multiple vlans on pfsense igb2.. there is also a native network on this interface of 192.168.2.0/24
If I look on the port that igb2 plugs into on my switch Ge5 in my case
You notice vlan 2 on the switch is marked as UP, ie untagged and that is what the pvid is, I can also see what the pvid on that port is on another tab.. Which means any untagged traffic that port sees coming into it would be on the switches vlan 2.
Notice ge2 that goes to my work laptop which is on my vlan 6, this is my guest network and is tagged to pfsense over that same igb2 interface on pfsense and ge5 on the switch.. Notice that it's tagged on port 5 on the switch - the 6T
Now my work laptop on ge2, you will see 6UP listed for ge2.. This is an access port where it's on vlan 6 and pvid is also 6, any untagged traffic coming into port 2 from the laptop the switch would know is on vlan 6. And if it sends that traffic on to pfsense the switch would tag it as it leaves ge5 headed towards pfsense. Pfsense would see the TAG and know hey this is traffic for the vlan 6 interface on pfsense.
The only time you normally tag is when you're connecting devices that will carry more than one network over the same physical wire. Ie like pfsense to your switch.. Or say from switch to another switch, or maybe an AP that has multiple vlans on it for different SSIDs
When there is only a single device connected to a port, this is normally never tagged. It could be - but you would need to make sure the device connected to this port understands it's looking for tagged traffic, and anything it puts on the wire needs to have a tag, etc..
Assuming you want your lan on your default vlan on your switch, which is almost always vlan 1 on the switch.. you would have this
pfsense (lan) -- 1UP,20T -- (switch) -- 20UP -- laptop
Where 20 is untagged leaving that port to your laptop, and any untagged traffic that switch sees coming into that port the switch would know hey this is vlan 20 traffic.
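The PVID, untagged and tagged rules described above, as an added example that is not from this thread or from Netgear or pfSense: a small Python model of 802.1Q port behaviour that traces one frame through three constructed switch configurations (the working "1UP,20T -- switch -- 20UP" layout, the original both-ports-tagged attempt, and PVID 20 set on the uplink). Port names xg1/xg8 and the membership sets are assumptions built from the thread.

```python
from dataclasses import dataclass, field


@dataclass
class Port:
    """One switch port's 802.1Q membership, as on a Netgear VLAN membership page."""
    pvid: int                                   # VLAN assigned to untagged ingress frames
    untagged: set = field(default_factory=set)  # VLANs sent out of this port untagged ("U")
    tagged: set = field(default_factory=set)    # VLANs sent out of this port with a tag ("T")


def ingress_vlan(port, tag):
    """VLAN the switch assigns to an incoming frame; None means it is dropped.
    tag is None for an untagged frame, otherwise the 802.1Q VID on the wire."""
    vid = port.pvid if tag is None else tag
    return vid if vid in port.untagged | port.tagged else None


def egress_mode(port, vid):
    """How VLAN vid leaves this port: 'untagged', 'tagged', or None (not a member)."""
    if vid in port.untagged:
        return "untagged"
    if vid in port.tagged:
        return "tagged"
    return None


def forward(switch, in_port, tag, out_port):
    """Trace one frame through the switch; returns (vid, egress mode) or None."""
    vid = ingress_vlan(switch[in_port], tag)
    if vid is None:
        return None
    mode = egress_mode(switch[out_port], vid)
    return None if mode is None else (vid, mode)


# Constructed configs: xg1 faces the pfSense LAN port, xg8 faces the laptop.
WORKING = {          # "1UP,20T -- switch -- 20UP": the layout recommended in the thread
    "xg1": Port(pvid=1, untagged={1}, tagged={20}),
    "xg8": Port(pvid=20, untagged={20}),
}
BROKEN = {           # original attempt: both ports tagged for 20, PVID left at 1
    "xg1": Port(pvid=1, untagged={1}, tagged={20}),
    "xg8": Port(pvid=1, untagged={1}, tagged={20}),
}
PVID_ON_UPLINK = {   # PVID 20 on xg1: pfSense's untagged LAN frames get put in VLAN 20
    "xg1": Port(pvid=20, untagged={1}, tagged={20}),
    "xg8": Port(pvid=20, untagged={20}),
}
```

In the working layout the laptop's untagged DHCP discover leaves xg1 tagged 20 and an untagged LAN frame never reaches xg8; in the broken layout the laptop's frames land in VLAN 1 and the VLAN 20 replies arrive tagged, which an unconfigured laptop ignores.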
-
First of all let me thank you for such an outstanding and clear explanation and example. It has answered several questions and cleared up some misunderstandings I had. Now let’s see if I was able to interpret the information and execute it very well. Tested and No, I am still not getting an Ip address.
What I did in pfSense is verify that my VLAN is set to ID 20.
What I did in the switch is assign U to port ig8 and left port 12 alone as it is on the default VLAN, which is VLAN 1. ( later I do want to trunk this all to a 2nd switch but that is for later )
I have included screenshots.
Thank you,
-
@VMlabman well you need vlan 20 tagged on the port pfsense is connected to. Port xg1 on your switch
Also what switch is that... You want to be using 802.1q, that seems like maybe you're in port mode, not sure what vlan type static means. What is the make and model of that switch?
Maybe that switch is calling it protocol mode? But pfsense is tagging vlan 20, this is 802.1q protocol
Your port connected to your pfsense lan should be vlan 1 untagged, and port 20 tagged. Port your laptop is on is vlan 20 untagged, pvid 20
Your port 8 looks fine, but I'm only seeing vlan 1 on port 1 that you have the arrow showing connected to the pfsense Lan
-
Okay I added xg1 onto vlan 20. Also I found where I can list the vlans per port. It's under vlan status. Screenshot below
My switch is a Netgear XS712T 10GB. It's older but is layer 2. Just Googled it and yes, it supports 802.1q
Something did NOT work. I am guessing it has to do with the xg12 port and PVID
New screenshot as of now, with up to date settings: when I set the PVID on xg1 my switch / network dropped out. Had to do a hard reset. Yet it was easy. The only thing I have set up is the VLAN setting; other than that it’s default with the latest firmware on it.
-
@VMlabman why would you set the pvid on port 1? This was fine with default 1, just need to add tagged 20 vlan ID
What do you have on port xg12? And what are you doing with lag1 - lag 8?
pfsense (lan) --- 1UP,20T -- xg1 switch xg8 -- 20UP -- laptop
xg1 has to have 20 tagged on it, if you want anything to talk to pfsense that is vlan 20 on your lan interface..
Your last picture only shows xg8 in vlan 20
And default vlan 1 should not be on port xg8
Here is a little switch I have behind my tv.. cheap little tplink thing.
Notice vlan 3 is on port 7 and 8, it's tagged on port 8, and vlan 1 is on all other than 7.. So traffic from my other switch comes in on port 8 as untagged vlan 1 (for this switch; it's really my other switch's vlan 9, but it's untagged so what this switch calls it means nothing to anything other than this switch). And vlan 3 comes in tagged on port 8.
Then I have a pi connected to port 7 which is untagged on vlan 3, and pvid of 3
Pretend this is your switch where pfsense is plugged into my port 8, and your laptop is on port 7.. Only difference is I am using vlan ID 3 vs 20.
-
That really helped, showing me your TP-Link setup. I was able to relate to it. We have a working VLAN 20 on the laptop with an IP address from the right DHCP server.
So only xg8 needs a PVID set and that makes it ONLY VLAN 20. Thus it does not pass any VLAN 1 traffic at all.
With no rules at all set in this VLAN 20’s interface ( in Firewall Rules ) why can I ping it from a PC on my pfSense LAN network? I do not want to share any traffic between LAN and VLAN 20
What do I do on a port if I want to pass along VLAN 20 ( or any ) to another Netgear switch? This is VLAN trunking I believe.
Thank you so much for all your time and help with this effort working through this.
Screenshots of the VLAN working
I appreciate it.
-
@VMlabman said in New Zealand for management and physical Netgear switch:
What do I do on a port if I want to pass along VLAN 20 ( or any ) to another Netgear switch?
You would tag it.. Unless that is the only vlan you want other devices on a dumb switch to be on..
I never get why users have such a hard time understanding when to tag or not to tag... If you're going to have more than one vlan go over the same physical wire.. Only 1 network can be untagged, any other networks have to be tagged. If not, how would the other switch or device know what network different traffic is in..
-
Another great piece of information, thank you. So I can make even a dumb switch 100% on a VLAN by tagging the port it uplinked to in.
Enjoy your afternoon
-
@VMlabman said in New Zealand for management and physical Netgear switch:
00% on a VLAN by tagging the port it uplinked to in.
No!! If you want all devices on some dumb switch to be in vlan X.. Then the port the dumb switch uplinks to would be UNTAGGED in that vlan.
How would a dumb switch have any clue to what tags are?
-
That is what I intended to say I am just dyslexic when it comes to VLANs.