Netgate Discussion Forum

Introducing a managed switch to my network - VLAN setup questions

General pfSense Questions
25 Posts 7 Posters 13.0k Views
    Legion (last edited by May 3, 2013, 4:49 AM)

    I had a little setup that was working well. It looked a bit like this:

    Now I want to move wired devices onto a switch, so it'll look like this:

    The switch is a Cisco SG200-08 managed switch. I did a bit of playing around last night and got it to work out of the box pretty well.

    But I've got some questions:

    • I initially plugged the switch into port 1 (VLAN2) from pfSense em2 (was my LAN interface port). I'm thinking that's a bad idea and I should dedicate another spare port/interface on pfSense (em1 is free) and leave em2 in case I ever need direct LAN access.

    • I'm also thinking of unbridging my LAN and WLAN and having dedicated interfaces. Initially that was an easy setup for me, when I really only plugged one computer into LAN and everything else wireless but now I want to wire up fixed devices over the switch.

    • Do I need to give each VLAN a static IP? And devices on that VLAN get their IP dynamically?

    The bit that had me confused was as the first image says, all my devices have static IPs to make it easier to read logs. And when I plugged stuff in, the one test computer continued to get its IP from the dhcp server on the LAN interface (em2) despite it being plugged into VLAN2 (pfSense to switch) /VLAN3 (switch to computer). I wonder if that's because I'm using the LAN interface as the VLAN parent interface? I'd prefer devices to get their IP statically but I'm not sure if that's correct.

    I don't really care about routing between VLANs. It's basically just a means of expanding my network port capacity. But in the interests of learning I'm willing to do it. I copied most of my LAN rules across to the VLAN interfaces I was testing on so they just behaved similar to the LAN anyway.

    Gui dashboard traffic graphs showed no traffic on the VLAN interfaces, all of it on LAN/em2 (didn't really surprise me since all the actual traffic was flowing through that physical port).

    So I guess my question is - do I need static IPs on each VLAN interface and if I move a device between VLAN ports (e.g. plug a laptop into different ports) I need to be aware the device IP will change?

    And secondly, probably a good idea to change the parent VLAN interface to not be the LAN interface? Otherwise I might get strange things happening with firewall rules/IPs handed out/etc?

      markuhde (last edited by May 3, 2013, 6:10 AM)

      No offense, but why on earth are you using VLANs? It doesn't sound like you actually WANT your wireless and wired to be separate logical networks (the reason you'd use VLANs).

        Legion (last edited by May 3, 2013, 6:23 AM)

        Because I'm a networking noob and didn't know what I was doing. I searched for "switch" topics and it almost always came up that you needed a managed switch so I bought one. And VLANs and managed switch went hand in hand.

        In the meantime I came across an unmanaged Cisco switch being thrown out from work, so I could've just used that.

        To justify it, I could have a dedicated VLAN for a VoIP phone (don't own one yet, but have thought about it) and dedicated lines for e.g. PS3, TV, Wii, etc and use the different VLANs to shape traffic between them.

        Also because I'm a tech nerd and like the idea of messing around with things.

        But I'm quite happy to have one big logical network (does that mean no VLANs and just use the switch as an unmanaged switch and let pfSense manage the network?)

        No offence taken, complete novice but with software background.

        Really, I just wanted a replacement for my home router with per-user scheduling and firewall rules, wifi capability, lots of network ports. I've gone a bit beyond that now though, with DG, Squid, pfBlocker, Snort, FreeRADIUS2, CP, etc, etc. I needed to "help" my kids concentrate on homework while still having net access, basically.

          stephenw10 Netgate Administrator (last edited by May 3, 2013, 1:49 PM)

          @Legion:

          Also because I'm a tech nerd and like the idea of messing around with things.

          The greatest and only required reason in my opinion.  ;D

          I am struggling to understand your diagram though. 'LAN(bridge0 on em2)' does not make any sense. A physical interface, like em2, can be a member of a bridge but a bridge cannot be on a NIC in the same way a VLAN or PPPoE can. LAN could be either bridge0 or em2.  :-\

          Also I assume you have an em1 interface that is not shown.

          Steve

            Legion (last edited by May 3, 2013, 3:45 PM)

            I pretty much did this with the initial LAN on em2, which became a bridge for the actual LAN (optx) and WLAN (optx+1). This is the part I'm thinking makes sense to split up as my network becomes more complex.

            Yes, there's a spare unused em1. Also a spare unused re0 and re1.

            I'll have time to play with this in about 15 hours, morning time for me.

              NOYB (last edited by May 4, 2013, 1:08 AM)

              If I understand your second diagram it may look something like this.

              Internet ---- WAN (em0) pfSense LAN (em2) ---- Switch g1
              WLAN AP ---- Switch g2
              Wired Devices ---- Switch g3 - g8

              pfSense Config
              LAN em2, VLAN2 em2_vlan2
              pfSense will have to route between LAN and VLAN2 for respective devices to see each other.

              Switch Config
              g1 PVID = 1, Untagged Member VLAN 1, Tagged Member VLANs 2 - 9, General Mode
              g2 PVID = 1, Untagged Member VLAN 1, Access Mode
              g3 - g8 PVID = 2, Untagged Member VLAN 2, Access Mode

                markuhde (last edited by May 4, 2013, 5:26 AM)

                Just use untagged traffic. The managed switch is fun to monitor your network still :) You have no need for VLANs and it'll only create issues (no broadcast traffic between the VLANs…)

                  mikeisfly (last edited by May 4, 2013, 8:57 AM)

                  From what you have stated, it looks like you created the VLANs and VLAN interface(s) in pfSense, which is good; otherwise you would not be able to route between VLANs. Looks like your problem is that you did not create the VLANs on your switch. Once you do that, assign the port going to the pfSense box as a tagged port (Cisco calls this a trunk port). Then connect the Cisco switch to pfSense. Then assign your ports to whatever VLAN you want and you're all set. Make sure your switch is using IEEE 802.1Q tagging. ISL is Cisco proprietary technology and won't work with pfSense. Not familiar with your model number; if it doesn't have an option to change the tagging method then it is probably 802.1Q only (which is good).

                  The reason all your traffic looked like it was coming from the LAN instead of your VLANs is because it was untagged.

                    stephenw10 Netgate Administrator (last edited by May 4, 2013, 11:52 AM)

                    Hmm, re-reading through this I think there may be some holes in your understanding. Of course playing around with stuff is a good way to fill those holes.  :)
                    As mikeisfly said, you don't mention setting up the VLAN ports on your switch. That's pretty fundamental for most VLAN setups. Not all, but that's another topic.

                    Could you give us the output of ifconfig or screenshots of your Interfaces: (assign) and bridge setup?

                    Also I agree you should use em1 for your VLAN interfaces. You should not have tagged and untagged traffic on the same NIC, it can sometimes cause problems.

                    Steve

                      Legion (last edited by May 4, 2013, 1:03 PM)

                      No, I did set up the corresponding VLANs on the switch. I didn't do anything special to create a trunk port though.

                      I will try to recreate the VLAN setup shortly. I deleted all my interfaces today and a few things held me back while I was recreating:

                      • I thought I had to recreate a PPPoE interface through Interfaces -> (assign) -> PPPs -> + and then assign it to WAN. It kept hanging and hanging and hanging and I'd reboot and try again and again. Spent at least an hour while watching sport. Eventually I worked out I just need to set the WAN configuration type to PPPoE and it automatically creates the PPPoE entry, which you then edit through the PPPs tab. A message would be nice rather than indefinite hanging.

                      • Also had trouble recreating all my Squid3/DG/other packages settings and fixing all my rules for the new interface assignments.

                      I changed my IP subnet ranges, so that made things a little more involved.

                      I created WAN (em0), LAN (em2) and WLAN/OPT1 (ath0 a.k.a. ath0_wlan0), no bridge, individual rules per interface, new non-overlapping subnet ranges for LAN and WLAN. Will now try and recreate the VLANs on em1, also with individual ranges. My idea (and implemented for the LAN and WLAN) is to have the final digits of the static IPs the same across the different interfaces and just recreate static DHCP server entries per interface for the appropriate devices. Then I can read logs based on those final digits.

                        Legion (last edited by May 4, 2013, 4:25 PM)

                        Didn't get anywhere (much).

                        I knew I needed to reserve VLAN 1 for the management tag of the switch. So I created 2-9 thinking 1 was a magic virtual tag and I could plug cables into ports so that VLAN 2-9 == ports 1-8. Then I worked out I needed to reserve port 1 and let it correspond to VLAN 1, so that leaves it my responsibility to create VLAN 2-8 and those tags correspond to ports 2-8, and VLAN 1/port 1 can be the pfSense connection to em1.

                        I also created OPTx+lots == VLAN_PARENT on em1, with associated rules and dhcp server config. That allowed me access to the switch's management gui. But then later on I read that I should just leave the physical parent (em1) free from any interface assignment, so I deleted it. Problem then is I have no more access to the switch's gui. I've rebooted several times (pfSense and switch), unplugged and reconnected cables, opened pfSense's LAN and VLAN 2-8 firewall rules wide open.

                        I don't understand, if on pfSense I don't have VLAN 1 or em1 assigned to anything, how I can (a) serve an IP address to the switch so I know what to connect to and (b) assign firewall rules on non-existent interfaces?

                        I need to open up the rules on em1, but there is no em1 interface.

                        I need to assign IP from the dhcp server on em1, but there is no em1 interface.

                        Or am I missing something?

                        Everything I read and watched, they just create a VLAN or two, the parent port (corresponding to my em1) isn't assigned to an interface. They just connect to their switch (not sure via what address - mine doesn't come from LAN or VLAN2-8, it comes from non-existent em1 interface or possibly VLAN 1, the special tag I'm not allowed to assign).

                          Legion (last edited by May 4, 2013, 4:33 PM)

                          Just a thought - what if I temporarily create an em1 interface, set up the dhcp server on the interface, use it to serve an IP address so I can connect to the switch, set a static IP in the switch in my LAN subnet, then delete the em1 interface?

                          My main computer only has one ethernet port and when I plug the switch into it directly ipconfig /renew complains about no internet access and I can't connect to the switch on its default factory IP address.

                            NOYB (last edited May 4, 2013, 5:38 PM; posted May 4, 2013, 5:36 PM)

                            "tagged port (Cisco calls this a trunk port)"
                            Not quite.  At least not in the Cisco SG200-08.

                            Here are the available VLAN Interface Settings for the Cisco SG200-08.

                            Interface VLAN Mode — Select an option to configure the port type with respect to VLAN membership and tagging.
                            General — The port can be a member of one or more tagged or untagged VLANs. This mode allows the full capabilities specified in the IEEE 802.1Q specification, “VLAN Tagging.”
                            Access — The port can accept only untagged frames. An access port can be a member of only one VLAN and it uses the VLAN ID as its port VLAN ID (PVID). Access ports are typically used to connect hosts, which become members of the VLAN by virtue of being physically connected to the port.
                            Trunk — The port can be assigned to only one untagged VLAN, the native VLAN, and can be assigned to any number of tagged VLANs (or none). Trunk ports carry traffic for multiple VLANs from the switch to other network devices, such as an upstream router or an edge switch.

                            Port to VLAN Configuration — For each interface, configure the following parameters:
                            Member — Check this box if a port is to be member of the VLAN. Uncheck this box if a port is not to be member of the VLAN. A port is not member of the VLAN by default.
                            Tagged — Select Tagged if all the packets of the VLAN egress to the port are to be tagged. Otherwise, select Untagged. A trunk port is tagged by default. This option is only relevant if the port is a member of the VLAN.
                            Untagged — Select Untagged if the packets from the VLAN egress to the port are to be untagged. Otherwise, select Tagged. An access port is always untagged. A general port is untagged by default. This option is relevant only if the port is a member of the VLAN.
                            PVID — Check this box if a port is to use the selected VLAN ID as its port VLAN ID (PVID). Otherwise, uncheck this box. If PVID is selected for an access or trunk port, the port must be an untagged member of the VLAN. Untagged packets received from the port will be assigned to the corresponding VLAN.

                            Note that a trunk port is tagged by default.  But a tagged port is not necessarily a trunk port.

                            Some images of the VLAN configuration interface can be seen in this Cisco support forum discussion:
                            https://supportforums.cisco.com/thread/2214870?tstart=0

                              wallabybob (last edited by May 4, 2013, 9:26 PM)

                              @Legion:

                              But then later on I read that I should just leave the physical parent (em1) free from any interface assignment, so I deleted it.

                              If you delete an interface from the pfSense pool of available interfaces that will (I presume) effectively disable all child VLAN interfaces.

                              It is generally recommended not to mix tagged (VLAN) and untagged traffic on an interface, therefore the VLAN parent interface should be left with a default OPTx name and no IP address.

                                Legion (last edited by May 5, 2013, 2:25 PM)

                                The few tutorials I read suggested a configured parent interface was unnecessary. But I can't think how else to control traffic across management VLAN 1.

                                I had it working today, for a few fleeting minutes. Then I did something and broke it again.

                                At the moment the setup I've gone for is as simple as can be.

                                On Cisco:
                                VLAN1 (magic management VLAN): default id 1, trunk, 1 untagged, 2 tagged.
                                VLAN2, id 2, trunk, 2 untagged.

                                No matter what configuration combination I try, nothing comes through on my client computer on vlan2. However, tcpdump -i em1_vlan2 is going crazy on a monitor attached to pfSense directly with those settings if I try to load up a bunch of websites. Too fast for me to understand what's going on. If I make VLAN2 be trunk and tagged with 2, tcpdump is silent.

                                Does the noise from tcpdump mean it's my firewall rules blocking? Because at one stage I tried to allow any from any on WAN, LAN, VLAN2 and VLAN_PARENT (a.k.a. VLAN1 on em1) and it still didn't work. I felt bad even after 1 min with those rules, and coincidentally got a bluescreen while switching it back to warn me not to be so stupid.

                                I wish I remembered what settings worked. Vaguely recall it was also with wide open rules. But I also want traffic to feed through VLAN2 -> VLAN_PARENT -> pfSense -> Dansguardian -> Squid3 -> Internet so maybe my package configuration is interfering? I guide normal LAN traffic through DG and Squid and was trying to do the same with VLAN2 traffic - directing it to the LAN subnet. Maybe I need to do some tricky subnet rdr remapping to enable that kind of functionality.

                                At the moment it's like:

                                LAN          x.x.0.1/24
                                WLAN         x.x.1.1/24
                                VLAN2        x.x.2.1/24
                                ...
                                VLAN_PARENT  x.x.10.1/24

                                Anyway, a couple of hours more of stabbing in the dark for no results.

                                  stephenw10 Netgate Administrator (last edited by May 5, 2013, 7:35 PM)

                                  This should not be so difficult.  ;)
                                  Cisco's VLAN config scheme is confusing IMHO.

                                  You should not have the VLAN parent interface, em1, assigned with an IP address. Leave as type 'none'.

                                  I think the problem is probably the switch config but I can't really be sure about that.

                                  You definitely don't need any rules on WAN.

                                  Look at the firewall logs to see if any VLAN2 traffic is being blocked.

                                  Is the client attached via the VLAN2 interface ever receiving an IP via DHCP?

                                  Steve

                                    wallabybob (last edited by May 5, 2013, 9:19 PM)

                                    The few tutorials I read suggested a configured parent interface was unnecessary. But I can't think how else to control traffic across management VLAN 1.

                                    I have not ever configured a Cisco switch so I might have misread the configuration information you posted. It seems to me you have misconfigured the switch. You need the port connected to the pfSense box to be a trunk port with it sending VLAN tags for every VLAN you are using. In pfSense you need VLAN interfaces for every distinct VLAN ID you are using. You then control traffic from VLAN 1 by using firewall rules on the pfSense interface with VLAN id 1. It looks to me that you have configured the switch to NOT send VLAN tags on VLAN 1 and VLAN 2 seems to be both tagged and untagged. However you need to configure it, the result is that you want the port connected to the pfSense box putting VLAN tags in transmitted frames for all VLANs. Maybe the VLAN 1 is special and you really should use another VLAN id to accomplish this.

                                    @Legion:

                                    I had it working today, for a few fleeting minutes. Then I did something and broke it again.

                                    Time to stop random tinkering. Decide on a simple objective, make a simple change, document the change and then test that change brings things closer to your objective. Repeat as necessary.

                                    It is very hard to help when someone reports "I made a few changes that I can't remember and now it is broken".

                                    @Legion:

                                    Does the noise from tcpdump mean it's my firewall rules blocking?

                                    Impossible to tell without a reasonable sample. However it is unlikely because I think tcpdump shows incoming frames BEFORE firewall rule processing has occurred.
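The checks wallabybob lists (a pfSense VLAN interface for every VLAN ID the switch tags toward it, the parent NIC left without an address so tagged and untagged traffic are not mixed, and the non-overlapping subnets Legion mentioned) can be written down as a small consistency check. This is an added example, not pfSense code or anything posted in the thread; the interface plans are constructed to resemble the em0/em1/em2/ath0 layout described above, with placeholder 10.0.x.0/24 subnets, and the `switch_tagged` mapping is an assumption about what the switch sends toward each NIC.

```python
"""
Consistency checks for a pfSense interface/VLAN plan of the kind discussed in
this thread.  Added example, not pfSense code.  Interface plans are constructed
with placeholder subnets.  It checks that:
  1. every VLAN ID the switch tags toward a pfSense NIC has a VLAN interface there,
  2. a NIC that is a VLAN parent is not itself assigned an address
     (tagged and untagged traffic on one NIC), and
  3. no two interface subnets overlap.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Iface:
    name: str                   # pfSense interface name, e.g. LAN, VLAN2
    device: str                 # physical NIC it rides on, e.g. em1
    vlan: Optional[int] = None  # 802.1Q ID for a VLAN interface, None for the NIC itself
    ipv4: Optional[str] = None  # address/prefix, or None for "type: none"


def check_plan(ifaces, switch_tagged):
    """Return a list of problem strings; an empty list means the plan is consistent.

    switch_tagged: {nic_name: set of VLAN IDs the switch sends tagged to that NIC}
    """
    problems = []
    vlan_ifaces = {(i.device, i.vlan) for i in ifaces if i.vlan is not None}
    parents = {dev for dev, _ in vlan_ifaces}

    # 1. Every tagged VLAN arriving at a NIC needs a matching VLAN interface.
    for dev, vids in switch_tagged.items():
        for vid in sorted(vids):
            if (dev, vid) not in vlan_ifaces:
                problems.append(f"VLAN {vid} is tagged toward {dev} but pfSense has no "
                                f"VLAN {vid} interface on {dev}; nothing will receive it")

    # 2. A VLAN parent with its own address mixes tagged and untagged traffic.
    for i in ifaces:
        if i.vlan is None and i.device in parents and i.ipv4:
            problems.append(f"{i.name} puts address {i.ipv4} on VLAN parent {i.device}: "
                            "tagged and untagged traffic on the same NIC")

    # 3. Overlapping subnets break routing between the interfaces.
    nets = [(i.name, ipaddress.ip_network(i.ipv4, strict=False)) for i in ifaces if i.ipv4]
    for a, (n1, net1) in enumerate(nets):
        for n2, net2 in nets[a + 1:]:
            if net1.overlaps(net2):
                problems.append(f"{n1} {net1} overlaps {n2} {net2}")
    return problems


# Constructed plan resembling the broken state described in the thread: the em1
# parent was given an address, the switch tags VLANs 2-8 but only VLAN2 exists
# on pfSense, and two subnets collide.
BROKEN_PLAN = [
    Iface("WAN", "em0"),                             # PPPoE, address comes from the ISP
    Iface("LAN", "em2", ipv4="10.0.0.1/24"),
    Iface("WLAN", "ath0", ipv4="10.0.0.129/25"),     # overlaps LAN
    Iface("VLAN_PARENT", "em1", ipv4="10.0.10.1/24"),
    Iface("VLAN2", "em1", vlan=2, ipv4="10.0.2.1/24"),
]
BROKEN_SWITCH = {"em1": set(range(2, 9))}

# Constructed plan following the advice in the thread: parent left as type none,
# one VLAN interface per tagged VLAN, one /24 per interface.
GOOD_PLAN = [
    Iface("WAN", "em0"),
    Iface("LAN", "em2", ipv4="10.0.0.1/24"),
    Iface("WLAN", "ath0", ipv4="10.0.1.1/24"),
    Iface("OPT_em1", "em1"),                         # VLAN parent, no address
] + [Iface(f"VLAN{v}", "em1", vlan=v, ipv4=f"10.0.{v}.1/24") for v in range(2, 9)]
GOOD_SWITCH = {"em1": set(range(2, 9))}


if __name__ == "__main__":
    for p in check_plan(BROKEN_PLAN, BROKEN_SWITCH):
        print("problem:", p)
    print("good plan problems:", check_plan(GOOD_PLAN, GOOD_SWITCH))
```

Running it reports six missing VLAN interfaces (3 through 8), the address on the em1 parent, and the LAN/WLAN overlap for the broken plan, and nothing for the good one.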

                                      NOYB (last edited May 5, 2013, 10:17 PM; posted May 5, 2013, 9:55 PM)

                                      From OP'ers previous posts it seems they are mostly interested in tinkering to learn VLANs.

                                      To that end here are some fundamentals that may help.

                                      PVID is the VLAN tag that will be given to untagged packets received by the switch port.

                                      Untagged Member means VLAN traffic will be transmitted out the port with VLAN tag stripped so that it is placed on the wire as untagged.  Target device does not need to be VLAN configured.

                                      Tagged Member means VLAN traffic will be transmitted out the port with VLAN tag in place.  Target device needs to be VLAN configured.

                                      On the Cisco SG200-08, probably the easiest way to get things working is to place the interfaces in "General" mode.  "Access" and "Trunk" modes will override some settings.  For example "Trunk" can only have 1 untagged member and "Access" is always untagged member of corresponding PVID and only accepts untagged traffic.

                                      Don't try to config it all at once.  Set up one simple piece first.  Then expand.

                                      Oh, and by the way, if you use any port mirror/probes for checking results, be aware that some NICs strip VLAN tags by default and yet some other NICs don't pass VLAN tagged packets up the stack.  These NICs require special config settings to see VLAN tags with a sniffer such as Wireshark.  This is mostly only relevant to Windows machines.
                                      See the Wireshark Wiki for Details: http://wiki.wireshark.org/CaptureSetup/VLAN
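The PVID / untagged member / tagged member rules NOYB describes, and the General/Access/Trunk modes quoted from the SG200-08 documentation earlier in the thread, are easiest to understand by stepping a frame through a small model of the switch. The following is an added example, not code from the thread or from Cisco or pfSense; the port names follow NOYB's g1/g3 layout, while the MAC addresses and the frame payload are constructed. Frames are real Ethernet bytes with a genuine 802.1Q tag (TPID 0x8100), so the tag insertion and stripping are exactly what tcpdump or Wireshark would show, and the last scenario shows why a frame leaving the pfSense-facing port as an untagged member never reaches an em1_vlan2-style VLAN interface.

```python
"""
Model of 802.1Q port handling on a managed switch such as the SG200-08 in the
thread: PVID, tagged/untagged membership and the General/Access/Trunk modes.
Frames are raw Ethernet bytes so tag insertion and stripping look like what a
sniffer would show.  Added example; MACs and payload are constructed.
"""
import struct

TPID = 0x8100  # EtherType value that announces an 802.1Q tag


def build_frame(dst, src, ethertype, payload, vid=None, pcp=0):
    """Build an Ethernet frame; when vid is given, insert an 802.1Q tag after the MACs."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    if vid is not None:
        hdr += struct.pack("!HH", TPID, (pcp << 13) | (vid & 0x0FFF))
    return hdr + struct.pack("!H", ethertype) + payload


def parse_vid(frame):
    """VLAN ID of a tagged frame, or None when the frame carries no 802.1Q tag."""
    if struct.unpack("!H", frame[12:14])[0] == TPID:
        return struct.unpack("!H", frame[14:16])[0] & 0x0FFF
    return None


def strip_tag(frame):
    """Remove the 4-byte tag: what an 'untagged member' port does on egress."""
    return frame[:12] + frame[16:]


def add_tag(frame, vid, pcp=0):
    """Insert a tag: what a 'tagged member' port does on egress."""
    return frame[:12] + struct.pack("!HH", TPID, (pcp << 13) | vid) + frame[12:]


class Port:
    """One switch port with a PVID and per-VLAN tagged/untagged membership."""

    def __init__(self, name, mode, pvid, untagged=(), tagged=()):
        if mode not in ("general", "access", "trunk"):
            raise ValueError(mode)
        if mode == "access":               # access: untagged member of the PVID VLAN only
            untagged, tagged = (pvid,), ()
        if mode == "trunk" and len(untagged) > 1:
            raise ValueError("a trunk port has at most one untagged (native) VLAN")
        self.name, self.mode, self.pvid = name, mode, pvid
        self.untagged, self.tagged = set(untagged), set(tagged)
        if self.untagged & self.tagged:
            raise ValueError("a VLAN is either tagged or untagged on a port, not both")

    def ingress(self, frame):
        """Classify an arriving frame: (vid, untagged_frame), or None if dropped."""
        vid = parse_vid(frame)
        if vid is None:
            return self.pvid, frame        # untagged frame is assigned the PVID
        if self.mode == "access":
            return None                    # access ports accept only untagged frames
        if vid not in self.untagged | self.tagged:
            return None                    # not a member of that VLAN: discarded
        return vid, strip_tag(frame)

    def egress(self, vid, frame):
        """Frame as it leaves this port for VLAN vid, or None if not a member."""
        if vid in self.untagged:
            return frame                   # tag stripped: receiver needs no VLAN config
        if vid in self.tagged:
            return add_tag(frame, vid)     # tag kept: receiver needs a VLAN interface
        return None


class Switch:
    def __init__(self, ports):
        self.ports = {p.name: p for p in ports}

    def forward(self, in_port, frame):
        """Flood a frame to every other port that is a member of its VLAN."""
        classified = self.ports[in_port].ingress(frame)
        if classified is None:
            return {}
        vid, inner = classified
        out = {}
        for name, port in self.ports.items():
            if name != in_port and port.egress(vid, inner) is not None:
                out[name] = port.egress(vid, inner)
        return out


def noyb_layout():
    """NOYB's proposal: g1 to pfSense (general, VLAN 1 untagged, 2-9 tagged),
    g2 access VLAN 1 for the AP, g3-g8 access VLAN 2 for wired devices."""
    ports = [Port("g1", "general", 1, untagged=(1,), tagged=range(2, 10)),
             Port("g2", "access", 1)]
    ports += [Port(f"g{n}", "access", 2) for n in range(3, 9)]
    return Switch(ports)


def vids_seen(switch, in_port, frame):
    """Map each port the frame leaves on to the VLAN ID a sniffer there would see."""
    return {name: parse_vid(f) for name, f in switch.forward(in_port, frame).items()}


# Constructed: a wired device on g3 broadcasts an untagged ARP frame.
WIRED_FRAME = build_frame("ff:ff:ff:ff:ff:ff", "02:00:00:00:00:03", 0x0806, b"\x00" * 28)

if __name__ == "__main__":
    sw = noyb_layout()
    print(vids_seen(sw, "g3", WIRED_FRAME))   # g1 sees VID 2, g4-g8 see it untagged
    # If g1 were an untagged member of VLAN 2, the frame would leave without a tag
    # and an em1_vlan2-style interface on pfSense would never see it.
    sw.ports["g1"] = Port("g1", "general", 1, untagged=(1, 2), tagged=range(3, 10))
    print(vids_seen(sw, "g3", WIRED_FRAME))
```

The model also shows the two drop cases from NOYB's note: a tagged frame arriving on an Access port is discarded, and a frame for a VLAN the outgoing port is not a member of (VLAN 2 toward the AP on g2) is never transmitted.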

                                        NOYB (last edited May 5, 2013, 11:05 PM; posted May 5, 2013, 11:00 PM)

                                        Here is a working example for you.  I know this is not specifically what you are trying to set up.  But it may help with understanding VLAN config.

                                        This is a home config that connects a single NIC pfSense to both the LAN and WAN.
                                        The LAN is the native physical device (bfe0) and the WAN is a VLAN device (bfe0_vlan99).

                                        pfSense is connected to switch interface g6 and ISP is connected to switch interface g8.

                                        Interface g6:
                                        Mode: General
                                        PVID 1
                                        Untagged member VLAN 1
                                        Tagged Member VLAN 99

                                        Interface g8:
                                        Mode: General
                                        PVID 99
                                        Untagged Member VLAN 99

                                        Cisco SG200-08 VLAN Configuration Images:

                                          superbob (last edited by May 6, 2013, 10:51 AM)

                                          Although I didn't have much difficulty setting up VLANs, I had a bit of a problem making them work on pfSense. Hopefully that was just a hardware problem specific to my setup… Which shouldn't be an issue unless you're using equipment old enough to be put in a museum. I also had an issue on the Linux side of things, eventually identified as a weird glitch that magically went away after restarting the box. As in, the exact same steps taken to bring up the network sometimes resulted in nothing being sent on the VLAN ports on the Linux PC.

                                          So what I'm trying to say is, I've run into some random weirdness when dealing with vlans, in case you somehow get stuck while your setup seems to be 100% correct (and you've double-checked) and yet it simply doesn't work, consider restarting things or otherwise not trusting the hardware/software as much and testing things one step at a time.

                                          Good luck learning this stuff :)
