    Issue with trunk ports using individual vlans

    L2/Switching/VLANs

      hardingd

      Preamble:

      Firstly, apologies that I'm a little weak in networking, but I've got an issue with my home network and I'm hoping the kind folks here can help out.

      I have a Netgate 2100 (ARM based) firewall, connected to a Cisco 2960X downstream. When I have ports on the 2960X set to access mode, the VLANing works as intended. But if I have the port set to trunk mode and set up the device to use that VLAN, then there is no communication.

      Setup:

      FW > Switch > Intel NUC (single port) running proxmox.

      Configs:
      pfSense FW

      <interfaces>
        <wan>
          <enable/>
          <if>mvneta0</if>
          <ipaddr>dhcp</ipaddr>
          <ipaddrv6>dhcp6</ipaddrv6>
          <gateway/>
          <blockpriv>on</blockpriv>
          <blockbogons>on</blockbogons>
          <media/>
          <mediaopt/>
          <dhcp6-duid/>
          <dhcp6-ia-pd-len>0</dhcp6-ia-pd-len>
          <descr><![CDATA[ WAN ]]></descr>
        </wan>
        <lan>
          <enable/>
          <if>mvneta1</if>
          <ipaddr>192.168.1.1</ipaddr>
          <subnet>24</subnet>
          <ipaddrv6>track6</ipaddrv6>
          <subnetv6>64</subnetv6>
          <media/>
          <mediaopt/>
          <track6-interface>wan</track6-interface>
          <track6-prefix-id>0</track6-prefix-id>
          <descr><![CDATA[ LAN ]]></descr>
        </lan>
        <opt1>
          <descr><![CDATA[ LAB ]]></descr>
          <if>mvneta1.10</if>
          <enable/>
          <spoofmac/>
          <ipaddr>10.10.10.1</ipaddr>
          <subnet>24</subnet>
        </opt1>
        <opt2>
          <descr><![CDATA[ ALTLAB ]]></descr>
          <if>mvneta1.11</if>
          <enable/>
          <spoofmac/>
          <ipaddr>10.10.11.1</ipaddr>
          <subnet>24</subnet>
        </opt2>
      </interfaces>

      <switches>
        <switch>
          <device>/dev/etherswitch0</device>
          <vlanmode>DOT1Q</vlanmode>
          <vlangroups>
            <vlangroup>
              <vgroup>0</vgroup>
              <vlanid>1</vlanid>
              <descr><![CDATA[ Default System VLAN ]]></descr>
              <members>1 3 4 5 2</members>
            </vlangroup>
            <vlangroup>
              <vgroup>1</vgroup>
              <vlanid>10</vlanid>
              <descr><![CDATA[ LAB ]]></descr>
              <members>1t 5t</members>
            </vlangroup>
            <vlangroup>
              <vgroup>2</vgroup>
              <vlanid>11</vlanid>
              <descr><![CDATA[ ALT LAB ]]></descr>
              <members>1t 5t</members>
            </vlangroup>
          </vlangroups>
          <swports>
            <swport>
              <port>1</port>
              <pvid>1</pvid>
              <state><![CDATA[ forwarding ]]></state>
            </swport>
            <swport>
              <port>2</port>
              <pvid>1</pvid>
              <state><![CDATA[ forwarding ]]></state>
            </swport>
            <swport>
              <port>3</port>
              <pvid>1</pvid>
              <state><![CDATA[ forwarding ]]></state>
            </swport>
            <swport>
              <port>4</port>
              <pvid>1</pvid>
              <state><![CDATA[ forwarding ]]></state>
            </swport>
            <swport>
              <port>5</port>
              <pvid>1</pvid>
              <state><![CDATA[ forwarding ]]></state>
            </swport>
          </swports>
          <laggroups> </laggroups>
        </switch>
      </switches>

      <vlans>
        <vlan>
          <if>mvneta1</if>
          <tag>10</tag>
          <pcp/>
          <descr><![CDATA[ Lab machines ]]></descr>
          <vlanif>mvneta1.10</vlanif>
        </vlan>
        <vlan>
          <if>mvneta1</if>
          <tag>11</tag>
          <pcp/>
          <descr><![CDATA[ LAB2 ]]></descr>
          <vlanif>mvneta1.11</vlanif>
        </vlan>
      </vlans>
      

      Cisco 2960x

      interface Vlan1
       ip address 192.168.1.8 255.255.255.0
      !
      interface Vlan10
       description LAB VLAN for hardinglab.local AD domain
       ip address 10.10.10.8 255.255.255.0
      !
      interface Vlan11
       description LAB VLAN for alternative lab
       ip address 10.10.11.8 255.255.255.0
      !
      
      
      interface GigabitEthernet1/0/5
       description Lab 10 Connection
       switchport access vlan 10
       switchport mode access
      !
      
      interface GigabitEthernet1/0/14
       description Proxmox trunk port
       switchport mode trunk
      !
      

      When a VM running on the NUC uses vmbr0 with no VLAN set and plugged into port 5 of the switch, I can ping the 10.10.10.8 address.

      When that VM has its NIC set to a bridge with VLAN aware and VLAN tag of 10 set and plugged into port 14 of the switch, there is no communication from the VM to the switch.

      I've even taken a Windows 11 machine, set the IP to 10.10.10.100 with VLAN 10 in the device manager properties and I was still unable to ping 10.10.10.8.

      What am I doing wrong here? Any help would be appreciated.

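To make the posted switch block easier to reason about, here is an added example (my own code, not from the thread, pfSense or Netgate) that parses a `<switches>` block in the same format and simulates how an 802.1Q switch classifies and forwards a single frame through it. The embedded XML is constructed to mirror the configuration above (VLAN 1 untagged on ports 1 to 5, VLANs 10 and 11 tagged on ports 1 and 5, PVID 1 everywhere). Two assumptions are mine: port 5 is treated as the uplink to the host interface mvneta1, and a port with no `<pvid>` element is modelled as dropping untagged frames, which is a modelling choice rather than documented hardware behaviour.

```python
"""Model 802.1Q classification and forwarding for a pfSense <switches> block.

Constructed sample: mirrors the config posted in the thread. Port 5 is assumed
(not stated on the page) to be the uplink to the host interface mvneta1.
"""
import xml.etree.ElementTree as ET

SWITCH_XML = """<switches>
<switch>
<device>/dev/etherswitch0</device>
<vlanmode>DOT1Q</vlanmode>
<vlangroups>
<vlangroup><vgroup>0</vgroup><vlanid>1</vlanid><members>1 3 4 5 2</members></vlangroup>
<vlangroup><vgroup>1</vgroup><vlanid>10</vlanid><members>1t 5t</members></vlangroup>
<vlangroup><vgroup>2</vgroup><vlanid>11</vlanid><members>1t 5t</members></vlangroup>
</vlangroups>
<swports>
<swport><port>1</port><pvid>1</pvid></swport>
<swport><port>2</port><pvid>1</pvid></swport>
<swport><port>3</port><pvid>1</pvid></swport>
<swport><port>4</port><pvid>1</pvid></swport>
<swport><port>5</port><pvid>1</pvid></swport>
</swports>
</switch>
</switches>"""


def parse_switch(xml_text):
    """Return (vlan_members, pvids).

    vlan_members maps VLAN ID -> {port: 'tagged' | 'untagged'}; in the members
    string 'Nt' means tagged on port N and a bare 'N' means untagged.
    pvids maps port -> PVID, or None when the port has no <pvid> element.
    """
    switch = ET.fromstring(xml_text).find("switch")
    if switch.findtext("vlanmode") != "DOT1Q":
        raise ValueError("only DOT1Q mode is modelled")
    vlan_members = {}
    for group in switch.iter("vlangroup"):
        vid = int(group.findtext("vlanid"))
        members = {}
        for token in group.findtext("members", "").split():
            port = int(token.rstrip("t"))
            members[port] = "tagged" if token.endswith("t") else "untagged"
        vlan_members[vid] = members
    pvids = {}
    for swport in switch.iter("swport"):
        pvid_text = swport.findtext("pvid")
        pvids[int(swport.findtext("port"))] = int(pvid_text) if pvid_text else None
    return vlan_members, pvids


def forward(vlan_members, pvids, ingress_port, tag=None):
    """Return {egress_port: 'tagged' | 'untagged'} for one frame, {} if dropped.

    tag=None is an untagged frame and is classified into the ingress port's
    PVID (modelling choice: no PVID -> dropped). A tagged frame is accepted
    only if the ingress port is a member of that VLAN (ingress filtering).
    That rule is why a tagged VLAN 10 frame into an untagged-only port goes
    nowhere, and also why a host cannot hop into a VLAN it was not given
    simply by tagging its own frames.
    """
    vid = pvids[ingress_port] if tag is None else tag
    if vid is None:
        return {}
    members = vlan_members.get(vid, {})
    if ingress_port not in members:
        return {}
    return {port: mode for port, mode in members.items() if port != ingress_port}


def port_view(vlan_members, pvids):
    """Per-port summary: PVID plus the VLANs carried untagged and tagged."""
    view = {}
    for port, pvid in sorted(pvids.items()):
        untagged = sorted(v for v, m in vlan_members.items() if m.get(port) == "untagged")
        tagged = sorted(v for v, m in vlan_members.items() if m.get(port) == "tagged")
        view[port] = {"pvid": pvid, "untagged": untagged, "tagged": tagged}
    return view


if __name__ == "__main__":
    vlans, pvids = parse_switch(SWITCH_XML)
    for port, info in port_view(vlans, pvids).items():
        print(f"port {port}: pvid={info['pvid']} untagged={info['untagged']} tagged={info['tagged']}")
    print("VLAN 10 tagged into port 1 ->", forward(vlans, pvids, 1, 10))
    print("VLAN 10 tagged into port 2 ->", forward(vlans, pvids, 2, 10))
    print("untagged into port 1       ->", forward(vlans, pvids, 1))
```

Run as-is, the summary shows port 1 carrying VLAN 1 untagged and VLANs 10 and 11 tagged, a VLAN 10 frame entering port 1 leaving only port 5 (still tagged, so mvneta1.10 on the host side would see it), and the same frame entering port 2 being dropped by ingress filtering. Editing `SWITCH_XML` to match a changed configuration lets you check what a tagged or untagged frame would do before plugging anything in.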
        GeorgePatches @hardingd

        @hardingd said in Issue with trunk ports using individual vlans:

        What am I doing wrong here? Any help would be appreciated.

        If you can't ping 10.10.10.8 from your windows machine, what you have is a Cisco problem. I think you either haven't actually created the VLANs on the switch (despite creating vlan interfaces...I know, Cisco is weird) or you need to allow the vlan on the trunk port. I wish I could help more, but my Cisco is quite rusty.

        https://www.cisco.com/c/en/us/support/docs/smb/switches/cisco-small-business-300-series-managed-switches/smb5653-configure-port-to-vlan-interface-settings-on-a-switch-throug.html

        Plug your Windows machine directly into the Netgate and I bet you'll be able to ping 10.10.10.1.

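The explicit trunk configuration suggested above, written out as an added example for the Cisco 2960X in the thread (this is not configuration from the original post; the allowed list of 1,10,11, the VLAN names and the verification commands are my additions, and the native VLAN is left at the switch default of 1). Beyond troubleshooting, restricting the allowed list is the sensible default for a trunk to a hypervisor: a trunk left at its default carries every VLAN in the database to the Proxmox host, so a compromised VM host could tag its way into any of them.

```text
! Cisco 2960X: VLANs must exist in the database before they are active on a trunk
vlan 10
 name LAB
vlan 11
 name ALTLAB
!
interface GigabitEthernet1/0/14
 description Proxmox trunk port
 switchport mode trunk
 switchport trunk native vlan 1
 switchport trunk allowed vlan 1,10,11
!
! Verification (exec mode): 10 and 11 must show as active in "show vlan brief",
! and as both allowed and active on Gi1/0/14 in the trunk output
show vlan brief
show interfaces GigabitEthernet1/0/14 trunk
```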
          hardingd @GeorgePatches

          @GeorgePatches No, I know what you mean. Just because the vlan interface is there, doesn't mean that the VLAN is in the VLAN database.
          On the switch, when I run show vlan, I see the VLANs there.

            GeorgePatches @hardingd

            @hardingd Then I'd try explicitly allowing the vlan on the trunk and see if that helps.

              hardingd @GeorgePatches

              @GeorgePatches I've tried all vlans and explicitly each one on the trunk port and it's the same.

                johnpoz (LAYER 8 Global Moderator) @hardingd

                @hardingd said in Issue with trunk ports using individual vlans:

                VLAN 10 in the device manager properties

                It would be so much easier to read your switch config on pfSense if you just posted a screenshot from the GUI.. But it looks like vlan 10 is the native vlan on port 1 of your 2100.. If so, tagging vlan 10 on the device connected to this port isn't going to work.

                You would need to do some vlan that is tagged..

                The untagged or native network would end up being vlan 1 on your switch.. Unless you set the native vlan on the trunk to be 10.

                Normally your native or untagged network would be vlan 1 on the switch.

                Doesn't this say that vlan 10 is tagged on port 1 of pfsense?

                <vgroup>1</vgroup>
                <vlanid>10</vlanid>
                <descr>
                <![CDATA[ LAB ]]>
                </descr>
                <members>1t 5t</members>
                

                Shot of gui would be easier to read..

                Now I am confusing myself I think - can you post a screen shot of your pfsense switch config.


                  hardingd @hardingd

                  @hardingd
                  FIXED:
                  It turned out to be the <pvid>1</pvid> on the <swports>. Removed that and VMs started getting DHCP from the VLAN 10 interfaces.

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.