Netgate Discussion Forum

    Having trouble getting VLANs working on SG-2100

L2/Switching/VLANs
    7 Posts 4 Posters 214 Views 6 Watching
bigups43
last edited by

      Hello and thanks in advance for any help!

      I have read:
      https://docs.netgate.com/pfsense/en/latest/solutions/netgate-2100/switch-overview.html
      https://docs.netgate.com/pfsense/en/latest/solutions/netgate-2100/configuring-the-switch-ports.html

I'm trying to configure a very basic setup of two VLANs: 10 and 20.

      I have the VLANs created and the 'switch' on the SG-2100 in 802.1q and configured.
      The VLANs have been created in the interfaces and assigned.
      Both of the interfaces are enabled and addressed
      VLAN 10: 10.110.10.254
      VLAN 20: 10.110.20.254

      DHCP has been enabled for both VLANs and a single fully permissive firewall rule has been created for both VLANs as well.

      I have VLAN 10 and 20 as tagged on ports 5 (the uplink port) and 1, the LAN port going to the Aruba.

      The SG-2100 LAN port 1 --> Aruba on port 33 which has VLAN 10 and 20 as tagged.

      I have port 1 on the Aruba untagged on VLAN 10
      I have port 2 on the Aruba untagged on VLAN 20

      When I patch a laptop into port 1 on the Aruba I get an address from DHCP.
      I do not when I patch into port 2.

I've read dozens of forum posts at this point and documentation and I'm out of ideas!

[attachments: switch_ports.jpg, vlans1.jpg, vlans2.jpg, assignments.jpg, switch_config.jpg]

patient0 @bigups43
last edited by

        @bigups43 said in Having trouble getting VLANs working on SG-2100:

        When I patch a laptop into port 1 on the Aruba I get an address from DHCP.
        I do not when I patch into port 2.

The 2100 VLAN setup looks fine to me. I don't know Aruba, but after a bit of internet searching it looks OK: VLAN 1 access ports on ports 3 to 52, and ports 1 and 2 are not part of that VLAN 1.
And VLAN 10 access port on port 1 and tagged on 33 and 35. Is there no 'no untagged' necessary for the rest of the port range (I really have no clue)?

        Can you show the full permission firewall rules and the DHCP config for the two VLANs?

        Do you get an IP from the correct VLAN10 subnet when connected to port 1?

keyser (Rebel Alliance) @bigups43
last edited by keyser

@bigups43 Since you are uplinking to a proper switch and intend to carry all VLANs on that uplink, I would very much advise not to use 802.1q mode on the 2100 and simply pass packets from mvneta1 (the builtin uplink) to the builtin 4 switch ports untouched. The builtin Marvell switch is "dumb" anyway and passes everything if it's not in 802.1q mode, as if it's not there.
So your life becomes infinitely easier by only having to worry about mvneta1, and the Aruba switch uplink port needs to be configured identically.

In your case that's: VLAN 1 (LAN) untagged, VLAN 10 (DATA) and 20 (GUEST) tagged, as they already are. Simply disable 802.1q mode and reboot (the reboot is needed even though it's not stated), and it will work as intended.

          Love the no fuss of using the official appliances :-)

bigups43 @keyser
last edited by

@keyser Thanks for the reply! I did in fact get it working previously with the method you suggested. I have two of these devices which I would like to put in an HA pair, so I switched to the 802.1q method because I think that's the only way to get the ports to act as 'discrete' ports, which is what I would need to set up a SYNC port for HA. Is that not correct? Can I handle VLANs in the manner you suggest and still configure a SYNC port for HA?

bigups43 @patient0
last edited by

@patient0 Thanks for the reply! Yes, 'no untagged' is just Aruba's way of saying that a different VLAN is set as untagged on those ports, so the native VLAN of 1 is not configured there.

              I do get an IP from the correct VLAN 10 subnet as configured in DHCP.

              Firewall rules and DHCP config pics below:
[attachments: dhcp1.png, dhcp2.png, fw1.jpeg, fw2.jpeg, fw3.jpeg]

Gertjan @bigups43
last edited by

                @bigups43

                Some general observations :

                Rules on the GUEST are fine (all IPv4 traffic) but look at the counters :

[image: f2f27f44-4c7b-42cf-ad7b-d6d9d122c510-image.png]

0/0 means: not one single bit ever entered this interface.
Is it connected?
Do you have the DHCP server activated on the GUEST interface? (A guest interface should have a DHCP server, as guests don't know sh*t about setting up a static IP configuration ^^.)

You use VLANs, and these need settings on two sides. pfSense: you've shown them.
But there is also the other side: a VLAN-capable device like a 'smart switch' or something else that handles VLAN wrapping/unwrapping.
We can only presume these are correct ....

                And then there is this :
(Disclaimer: I never used VLANs as they're too much of a PITA.)

                I see this :

[image: b7c40d4c-0425-4d59-8c72-8ebdc31b50ed-image.png]

                And you've said :
                @bigups43 said in Having trouble getting VLANs working on SG-2100:

                VLAN 10: 10.110.10.254
                VLAN 20: 10.110.20.254

Instead of asking SNMP, can you fact check with the big chief?
Type:

    ifconfig

?

And I see this (the DATA interface, DHCP server settings):

[image: e8c0445f-ca45-4f62-8766-66127fa85c2c-image.png]

The DHCP server indicates that the available IP pool range is ....1 to 254, that's the entire /24.
So .254 is available in the pool. It should be '.253', as .254 is used by the pfSense interface itself.

                No "help me" PM's please. Use the forum, the community will thank you.

bigups43 @bigups43
last edited by bigups43

                  UPDATE: I restarted the switch and my config works now of course. I added a third VLAN to verify and it worked. Thanks for the help everyone!

                  Copyright 2026 Rubicon Communications LLC (Netgate). All rights reserved.