Netgate Discussion Forum

Help with VLAN configuration

    codechurn (Oct 27, 2024, 7:24 PM)

    I currently have my 192.168.0.0/24 network working without issue.

    I would like to add a VAP (172.16.0.0/24 VLAN 4) on the TP-Link Access Point and introduce the DIR-880L Access Point (192.168.1.0/24 VLAN3). I don't currently have any VLANs configured and only a single network cable running from the T1500G to the Archer C9 that is bridged via MoCA. I'm starting by attempting to get VLAN3 working first.

    [Image: Network diagram.jpg]

    I have the Archer C9 configured as follows:
    [Screenshot: Archer C9 configuration]

    My assumption is that all traffic over Port 4 on the Archer to the SG1005SP will be tagged as VLAN3.

    The DIR-880L is configured as follows:
    [Screenshot: DIR-880L configuration]

    The T1500G-10MPS is configured as follows:
    [Image: TP-Link T1500G-10MPS VLAN Configuration.jpg]

    The Netgate 6100 setup as follows:
    [Image: Netgate 6100 Interface Assignments.png]

    [Image: Netgate 6100 VLAN3 configuration.png]

    [Screenshot: Netgate 6100 configuration]

    My problem is that when I connect to the DIR-880L wireless I am never assigned an IP address. I suspect I have something misconfigured in my VLAN configuration. I would appreciate some guidance.

      viragomann @codechurn (Oct 27, 2024, 7:51 PM)

      @codechurn
      The screenshot of the DIR-880L shows the VLAN 3 enabled on port 1, but the network diagram shows port 2 is connected to the switch.
      However, this might be a typo.

      You have a config failure on the T1500, however. You have set the ports 8 and 10 as untagged. These must be tagged.

        codechurn @viragomann (Oct 27, 2024, 8:41 PM)

        @viragomann
        The original network diagram was wrong. The cable from the SG1005P is plugged into Port #1 on the DIR-880L.

        [Image: Network diagram.jpg]

        Additionally, on the T1500G-10MPS switch I configured:
        VLAN3 to be tagged on port 8 and 10
        VLAN1 to be tagged on port 8, untagged on port 10.
        [Screenshot: T1500G-10MPS VLAN3 port configuration]

        [Screenshot: T1500G-10MPS VLAN1 port configuration]

        The Archer C9 is configured to tag Port 1.
        [Screenshot: Archer C9 VLAN port configuration]

        I have network connectivity on VLAN 1 via the Archer C9 to the Netgate 6100. I think I am missing something for VLAN3.

          codechurn @codechurn (Oct 27, 2024, 8:57 PM, edited Oct 27, 2024, 9:07 PM)

          @viragomann

          Port #1 on the 880L was configured to be tagged, whereas on the Archer C9 Port #1 was untagged. Once I changed Port #1 to be untagged on the DIR-880L I got a DHCP address served up to me by the Netgate 6100!

          Next question: How do I route all non-local 192.168.1.0/24 traffic out through the ExpressVPN Interface on the Netgate?

            viragomann @codechurn (Oct 27, 2024, 9:24 PM)

            @codechurn
            Policy Routing Configuration

            Note that policy routing forces all matching traffic to the stated gateway.
            To get access from the concerned sources to local hosts, e.g. DNS on pfSense, you have to add additional rules and put them above the policy routing rule.

              codechurn @viragomann (Oct 29, 2024, 8:45 PM, edited Oct 29, 2024, 8:48 PM)

              @viragomann
              I have actually been struggling to set up a policy-based rule to route the internet traffic from VLAN3 out the EXPRESSVPN interface.

              Here is what I have configured for rules:
              [Screenshot: VLAN3 firewall rules]

              However, the internet is not accessible via EXPRESSVPN on this VLAN. I have a similar policy routing rule on LAN1 and it works fine. What am I missing?

              Looking at the state of the second rule, it seems like all connections are being blocked.

              [Screenshot: rule states]

                codechurn @codechurn (Oct 29, 2024, 8:59 PM, edited Oct 29, 2024, 9:13 PM)

                @viragomann

                I think I figured this out, but perhaps you can confirm. I believe I was missing the 192.158.1.0/24 source in the outbound NAT mappings for the ExpressVPN interface.

                [Screenshot: outbound NAT mappings]

                I've since added the range to the IP Group. Amazing how quickly you forget things when you are not in there every day.

                Also, if I want to prevent VLAN3 from being able to reach LAN1, do I need to add an explicit block rule? Seems like prior to me adding this rule I was able to access resources on LAN1, such as the pfSense web interface and some sites frontended by HAProxy on pfSense.

                  viragomann @codechurn (Oct 29, 2024, 9:41 PM, edited Oct 29, 2024, 9:42 PM)

                  @codechurn
                  Yes, you need an outbound NAT rule for the respective subnet on the VPN interface.

                  To limit access to outside destinations only, best practice is to create an RFC 1918 alias which includes all private IP ranges, and use this one in the filter rule.
                  [Screenshot: RFC 1918 alias]

                  You can use this as destination with "invert match" checked in the policy routing (pass) rule. Or just insert a block rule above it.

                  Used in a pass rule, it looks like this:
                  [Screenshot: pass rule with inverted RFC 1918 destination]

                  Also, you should limit access in your first rule to the services which are needed, like DNS.

                  If you also want to block access to HAProxy, which is listening on the WAN IP, you need an additional block rule for this.

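To show how the rule order and the outbound NAT mapping discussed above fit together, here is a constructed pf ruleset in the form pfSense generates from its GUI (added here as an illustration, not the rules from any post in the thread). The interface names, the WAN/VPN interfaces and the VPN gateway address are assumptions; only the VLAN 3 subnet comes from the thread.

```pf
# Constructed example: assumed interface names and VPN gateway address.
vlan3_if  = "igc1.3"         # assumed: VLAN 3 interface on the Netgate 6100
vlan3_net = "192.168.1.0/24" # VLAN 3 subnet from the thread
wan_if    = "igc0"           # assumed: WAN interface
vpn_if    = "ovpnc1"         # assumed: ExpressVPN client interface
vpn_gw    = "10.8.0.1"       # assumed: VPN gateway address

# RFC 1918 alias: every private range, used to match "local" destinations.
table <rfc1918> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

# Outbound NAT on the VPN interface for VLAN 3 (the mapping that was missing):
# without it, VLAN 3 packets enter the tunnel with their private source address
# and replies never come back.
nat on $vpn_if from $vlan3_net to any -> ($vpn_if)

# Rule order matters: pf evaluates top to bottom and "quick" stops at the
# first match, so the exceptions sit above the block and the policy route.

# 1. Allow only the services VLAN 3 needs from the firewall itself (DNS here).
pass in quick on $vlan3_if proto { tcp udp } from $vlan3_net to ($vlan3_if) port domain

# 2. HAProxy frontends bound to the WAN address are public, not RFC 1918,
#    so they need their own block rule.
block in quick on $vlan3_if from $vlan3_net to ($wan_if)

# 3. Block everything else destined to private ranges (LAN1, the GUI, other VLANs).
block in quick on $vlan3_if from $vlan3_net to <rfc1918>

# 4. Policy-route the remaining (Internet) traffic out the VPN gateway.
#    "to ! <rfc1918>" is the pf form of destination RFC1918 with "invert match";
#    with rule 3 in place it is redundant, but it keeps the rule safe on its own.
pass in quick on $vlan3_if route-to ($vpn_if $vpn_gw) from $vlan3_net to ! <rfc1918>
```

In the GUI these correspond to the VLAN 3 interface rules in this order plus a manual outbound NAT entry on the VPN interface for 192.168.1.0/24; reordering rule 1 below rule 3 silently breaks DNS for the VLAN.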
                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.