VLANs with Netgear Prosafe switch…
So, I am trying to create a separate VLAN for the retail portion of our business (keep that traffic away from the corporate LAN). I can't seem to get the pfSense router to "see" the Netgear VLANs. Here's my configuration:
Interfaces: WAN, LAN, VLAN2
Port 2 (which is for the router) is tagged for VLAN1 and VLAN2
port 9 and 10 are untagged for VLAN2 and receive no traffic for VLAN1.
All other ports are "untagged" for VLAN1 (this is the default for all ports)
I assign an IP address to the interface on VLAN2, add DHCP services to it, but I can not seem to see if from the VLAN2 ports. Not only does the client not receive any DHCP, but even when I set a static address, I can't ping the router's interface on that VLAN. I have also tried getting rid of the LAN interface and using only VLAN1 and VLAN2 interfaces, but I can't get to the router at all when I do this. I am not at all sure what I am missing. Could anyone help point me in the right direction on this? Any help would be appreciated.
Tagging VLAN 1 is a bad practice, and at times won't work (even if the switch lets you do so). If you want to strictly use tagged VLANs on your trunk ports and leave the untagged native VLAN unused, as is best practice, use VLANs 2 and 3 or anything other than 1.
You have your VLAN interfaces setup on the firewall accordingly?
Some NICs don't like working w/.1Q tags unless you reboot after enabling tagging, that's worth trying. Generally not an issue with more recent versions/drivers.
I'm not particular as to whether I should use ONLY VLANs or not. I just want to be able to separate the retail network from the corporate one. What is the easiest way to accomplish this? Leave VLAN1 as untagged and only use VLANs for VLAN2? Will that work? You're also suggesting I reboot after each change?
As a general best practice, if you're using VLANs, don't use the default VLAN 1 for anything. If you just need two separate networks, create and use two VLANs other than 1. Say 2 and 3, or pick any number you want, I prefer using the third octet of the IPv4 subnet on that VLAN, eg 172.20.40.0/24 is VLAN 40.
Rebooting after the first time you enable a VLAN is the only time I'd consider doing so. Never necessary after you've booted with at least one VLAN configured, and I don't think I've ever seen that happen since the 1.x days so it's almost certainly not the case.
I initially had difficultly setuping up VLANs on Netgear Prosafe switches. Never an issue on others like 3COM, HP, Cisco, etc. My issue had to do with PVIDs. Could be yours as well.