Creating vlan and testing via direct Windows PC connection

kscrib · Mar 11, 2025, 4:29 PM

I have a netgate SG-5100 with 6 physical ports.

I am trying to setup vlans (I am new to this).

To test, I created a vlan on port IX0, added the DHCP server, and pass all firewall rule. I then plug a Windows PC directly into that port. If I force the PC to an IP address in the range of the subnet, it will not connect. If I use DHCP, the PC does get an IP address from the DHCP server.

Is my test of connecting a PC directly to the SG-5100 a valid test? I was trying to remove the complexity of the managed switch. I have an older CISCO_2960s, which is not as user friendly. So, since I did not trust how I configured the switch, I wanted to make sure that pfsense was working first.

My long-term strategy is one VLAN for IP security cameras, one VLAN for IOT and default vlan for all other traffic. I was thinking about using open physical port on the SG-5100 per VLAN since I have ample ports on the Cisco switch.

johnpoz · Mar 11, 2025, 4:53 PM

@kscrib if you connect a device directly to the port and you want it on a vlan that is riding on that port then you need to tell the device about the tag it should use.

In windows you should be able to set that via nic driver.. Example

So if you wanted your PC to be on the camera vlan 102, you would set the id to be 102

If you do not it will just ignore any traffic with a vlan id 102 set, and any traffic the pc sends out would not have a tag, and pfsense wouldn't know its suppose to be on the vlan.

Normally the switch handles the tags, and your device doesn't need to know anything about them because the port on the switch knows any traffic from this port goes on vlan X, and then when it sends the traffic to pfsense interface the switch adds the vlan tag so pfsense knows that traffic is on vlan X.

But if you don't have a switch in between - then the device itself has to know about the tag to use.

kscrib · Mar 11, 2025, 5:19 PM

@johnpoz

I take this to mean that my network adapter does not support manually setting the vlan since it is not a configuration option.

kscrib · Mar 11, 2025, 5:50 PM

Upon further research - windows 11 and my intel driver don't support manually setting the vlan. I have a different switch at another location I can get that I will use to test my pfsense configuration.

johnpoz · Mar 11, 2025, 6:51 PM

@kscrib you could look for a better driver.. Is that just the default driver windows installed? You could look for a driver from intel.

There was a thread not that long ago where someone had a very limited options on the nic, they updated the driver and then much more settings available.

Jarhead · Mar 11, 2025, 7:20 PM

@kscrib Looks like you assigned the vlan to a port that isn't even assigned. Not even sure how you could do that??
It shows VLAN 102 on ix0 but then ix0 shows as available network port.

Also, look for the Intel PROset driver, it does VLAN's.

kscrib · Mar 11, 2025, 9:37 PM

@Jarhead - Intel Proset is not supported/available for Windows 11. I assign the interface to the vlan assignment tab

Then I use that VLAN to assign to an interface. If I am doing that wrong, it could be the root of my problem. Is there a different approach?

I have a Netgear GS108PE that does support VLAN.

I have a cable from the SG-5100 going to port 1 on the Netgear. Port 1 is configured as Trunk allow. The PC is connected to port 7 which is configured as Access VLAN 102

So, I now can get the correct IP address and default gateway from the DHCP server. But what is really odd, is that once I get that IP address, I can't ping the default gateway....

I have not changed the pfsense configuration that is listed in the original post.

patient0 · Mar 12, 2025, 8:10 AM

@kscrib In your firewall rule for the CAMERAS network you have set the source to 'CAMERAS address'. That will only allow the CAMERAS interface address to go out. What you want is source set to 'CAMERAS subnets'

kscrib · Mar 12, 2025, 2:39 PM

@patient0 That has to be the answer! Thank you!!!

I am away from the system for a few days, but will implement this when I get back on-site. I will up vote once I validate. But I bet you have it nailed.

patient0 · Mar 12, 2025, 6:26 PM

@kscrib said in Creating vlan and testing via direct Windows PC connection:

but will implement this when I get back on-site. I will up vote once I validate.

That sounds like a plan

kscrib · Mar 23, 2025, 3:04 PM

@patient0 - I have larger problems (which I can handle). The SSD in the 5100 has crapped out. It started with lots of odd errors, which this appears to be one of. But config files started having errors. And then the 5100 would not boot. I have ordered a new SSD and will recover from there.

Thanks for the help! You had me in the right direction!!