Introducing a managed switch to my network - VLAN setup questions
-
Yeah! Got it, thanks to your help. I copied NOYB's configuration and got a basic setup working with a single VLAN2 for now. Then I set about fixing up pfSense.
On my LAN, I've got wpad pointing to Dansguardian, on the LAN subnet. I made sure DG was also listening on VLAN2 and modified wpad to point to DG on VLAN2's subnet.
I also have NAT rules to redirect http and https traffic on the LAN to DG's port. Not sure if these or wpad take priority, I'll have to investigate one day. I did the same for VLAN2 traffic but rdr it to VLAN2:DG's port.
I've got some wide-open rules allowing all VLAN2 traffic within VLAN2. Not sure how necessary this is. I'll have to lock it down a bit later.
I had to set up a VLAN_PARENT interface on em1 temporarily to gain access to the switch. I plugged it into the LAN port several times and for whatever reason couldn't get an IP address for it from the LAN's DHCP server. But I'm impatient and don't wait around long after plugging and changing. It might have gained one on LAN eventually. Setting up VLAN_PARENT seemed to gain me access to a dynamic IP pretty quickly. Now I've deleted the em1 interface and it is still working with NOYB's setup, just VLAN2 on em1_vlan2.
I will configure openvpn access to pfSense on this computer, because it's annoying not being able to access the webgui and having to replug my computer back into LAN each time.
And wireshark's awesome. I don't really know how to use it properly but it's already given me a few hints and is much easier to use than walking backwards and forwards to the other end of the house where the pfSense monitor running tcpdump is.
-
You can allow access to the switch web interface without using untagged traffic by setting up a further VLAN interface on VLAN1 and then adding VLAN1 to the 'trunk' connection.
However, unless you need to access the switch on a regular basis, perhaps 'if it ain't broke, don't fix it'. ;)
Steve
-
I would like access to the switch GUI as well. But I don't have any 'trunk' ports any more - that was one key difference to any of the setups I tried. I always had a trunk port, but when emulating NOYB's example his are all general, and now so are mine.
I thought exposing VLAN1 was a bad idea. But I like the idea of reliable access. One issue is that on each of the occasions I've gained access to the switch, I've had to reset it to factory settings first to get a DHCP-assigned address. Although I was trying to get static addresses right up until yesterday. Maybe now that I'm not bothering and letting it get a dynamic address it'll gain one more easily.
We'll see. At least now I have a baseline to fall back to. And I've saved that switch config for future too.
-
It shouldn't have any trouble getting a DHCP address.
But if so, then there is misconfiguration either in the pfSense router or switch vlans.
If need be, a static can be assigned in Administration - Management Interface.
-
The reason you should not use VLAN1 is that the switch uses it internally even if you have no VLANs defined and are using it as an unmanaged switch. You can get odd behaviour if you're not aware of what you're doing. The webgui is on VLAN1 internally in the switch. Usually all traffic with VLAN1 is untagged at every port such that you never see it outside the switch but you can allow it to exit as tagged and that way you can connect to the webgui over tagged traffic. ;)
You are only doing this because it's not recommended to have tagged and untagged traffic on the same pfSense interface. The reason for that is that some combinations of hardware and driver cannot handle that and end up discarding one or the other. However, most people never see this problem, so you are probably fine just adding em1 as an interface to access the switch GUI. Just be aware that it may cause a problem.
Alternatively there is often an option to add the webgui to other VLANs so you could just add it to your existing VLAN.
Steve
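Steve's point about VLAN1 normally leaving the switch untagged, and about mixing tagged and untagged frames on one pfSense interface, is easiest to check in a capture. The following is an added example, not code from this thread or from pfSense: it parses the 802.1Q tag of raw Ethernet frames (as exported from Wireshark or tcpdump) and counts what is untagged, what carries the management VID 1 as tagged, and which VIDs are not expected on the trunk. The frames, MAC addresses and allowed-VID set are constructed for the demonstration.

```python
import struct

ETHERTYPE_8021Q = 0x8100   # standard 802.1Q tag
ETHERTYPE_8021AD = 0x88A8  # QinQ outer tag, treated as tagged as well

def parse_vlan_header(frame: bytes) -> dict:
    """Return MACs, tagged flag, VID, PCP and payload EtherType of a raw frame."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    info = {"dst": dst.hex(":"), "src": src.hex(":"), "tagged": False,
            "vid": None, "pcp": None, "ethertype": ethertype}
    if ethertype in (ETHERTYPE_8021Q, ETHERTYPE_8021AD):
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, inner = struct.unpack("!HH", frame[14:18])
        # TCI: 3 bits priority (PCP), 1 bit DEI, 12 bits VLAN id
        info.update(tagged=True, vid=tci & 0x0FFF, pcp=tci >> 13, ethertype=inner)
    return info

def classify_frame(frame: bytes, allowed_vids: set) -> str:
    """Label a frame the way an admin auditing a trunk port would want it."""
    h = parse_vlan_header(frame)
    if not h["tagged"]:
        return "untagged"             # native traffic on the same port as the trunk
    if h["vid"] == 1:
        return "vlan1-tagged"         # management VLAN leaving the switch tagged
    if h["vid"] not in allowed_vids:
        return "unexpected-vid-%d" % h["vid"]
    return "vid-%d" % h["vid"]

def summarize(frames, allowed_vids: set) -> dict:
    """Count frames per label over a list of captured frames."""
    counts = {}
    for f in frames:
        label = classify_frame(f, allowed_vids)
        counts[label] = counts.get(label, 0) + 1
    return counts

def build_frame(dst: str, src: str, vid=None, ethertype=0x0800) -> bytes:
    """Constructed test frame (dummy IPv4 payload); vid=None builds an untagged frame."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    if vid is not None:
        hdr += struct.pack("!HH", ETHERTYPE_8021Q, vid & 0x0FFF)
    return hdr + struct.pack("!H", ethertype) + b"\x45" + b"\x00" * 19

if __name__ == "__main__":
    sample = [build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55", vid=2),
              build_frame("00:11:22:33:44:55", "66:77:88:99:aa:bb"),
              build_frame("00:11:22:33:44:55", "66:77:88:99:aa:bb", vid=1)]
    print(summarize(sample, allowed_vids={2}))
```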