Assistance with vlans on a dell switch and pfsense
-
Can anyone who's set up vlans on a dell switch before assist me with both the dell and pfsense ends?
The switch is a powerconnect 2724 (web managed).
I'm not sure what settings to use there, but what I would like to do is
One port on the switch is a vlan b, everything else is vlan a, and the port to the firewall (pfsense) is both.
I'm not sure what to do on either end as I'm not at all familiar with vlans. -
what you probably want todo:
on the switch:
-
set 1 port with all your vlans (T)agged | connect this to pfsense
-
set 1 port to vlan "a" on (U)ntagged | also change the PVID for that port to "a" (i think you can find it in "port settings" on a dell switch
-
set all remain ports vlan "b" on (U)ntagged | also change the PVID for all them ports to "b" (i think you can find it in "port settings" on a dell switch
Do note that VLANS are allways addressed as numbers, so for example "a"=10 ; "b"=20
on pfSense:
-
goto interfaces–>assign-->VLANS | add vlan "a" & "b" to your LAN parent-interface (em0,dc0,...?)
-
goto interfaces–>assign-->interface assignments | add a new interface and select the VLAN from the drop-down box
After that you can setup the interface the same way you allways would / you also have to add some firewall rules to it, to allow some traffic to flow
done
If you have more questions, let us know
-
-
Does this dell switch have a CLI? I have a 3524 & can give you CLI commands to type to set vlans.
Rob
-
No, the 35xx are real switches. 27xx are web managed only- no serial port, no cli. They are also only manageable from vlan 1.
-
what you probably want todo:
on the switch:
-
set 1 port with all your vlans (T)agged | connect this to pfsense
-
set 1 port to vlan "a" on (U)ntagged | also change the PVID for that port to "a" (i think you can find it in "port settings" on a dell switch
-
set all remain ports vlan "b" on (U)ntagged | also change the PVID for all them ports to "b" (i think you can find it in "port settings" on a dell switch
Do note that VLANS are allways addressed as numbers, so for example "a"=10 ; "b"=20
on pfSense:
-
goto interfaces–>assign-->VLANS | add vlan "a" & "b" to your LAN parent-interface (em0,dc0,...?)
-
goto interfaces–>assign-->interface assignments | add a new interface and select the VLAN from the drop-down box
After that you can setup the interface the same way you allways would / you also have to add some firewall rules to it, to allow some traffic to flow
done
If you have more questions, let us know
Wow, I'm sorry, I forgot I posted this.
I think I'm misunderstanding the terminology or I was not clear on what I'm trying to do.
For this example I have a 24 port switch, pfsense is in port 1.
What I want to do is
Port 1: vlan 1 and 5
Port 2-23: vlan 1
Port 24: vlan 5I'm not really understanding the terminology on the switch which seem to be tagged/untagged egress, not a member, filter ingress, admit tagged, admit all.
(I'm extremely new to anything with vlans on a switch. I've only worked with it from the firewall end with an existing setup where I was told that vlan 1 is this, vlan 5 is this, etc)
-
-
Wow, I'm sorry, I forgot I posted this.
I think I'm misunderstanding the terminology or I was not clear on what I'm trying to do.
For this example I have a 24 port switch, pfsense is in port 1.
What I want to do is
Port 1: vlan 1 and 5
Port 2-23: vlan 1
Port 24: vlan 5I'm not really understanding the terminology on the switch which seem to be tagged/untagged egress, not a member, filter ingress, admit tagged, admit all.
(I'm extremely new to anything with vlans on a switch. I've only worked with it from the firewall end with an existing setup where I was told that vlan 1 is this, vlan 5 is this, etc)
I'm working off memory, so the switch instruction might not be 100%, but you'd do something like-
Log into the switch. Switching, vlans. create vlan 5. Click on vlan membership (or somesuch). open vlan 5, set port 1 as tagged, port 24 untagged.
Expand vlan 1, set port 1 as tagged. (You may get an error- I never use vlan 1, it's the default vlan)
Go into the advanced vlan options, the third choice and set the pvid for port 24 to vlan 5. -
I'm working off memory, so the switch instruction might not be 100%, but you'd do something like-
Log into the switch. Switching, vlans. create vlan 5. Click on vlan membership (or somesuch). open vlan 5, set port 1 as tagged, port 24 untagged.
Expand vlan 1, set port 1 as tagged. (You may get an error- I never use vlan 1, it's the default vlan)
Go into the advanced vlan options, the third choice and set the pvid for port 24 to vlan 5.It looks like I can't use my switch for vlans with this setup. It doesn't not allow me to modify vlan1 in any way.
I need to see about upgrading my switch. Apparently this is a limitation of the Dell web managed switches.
-
Lots of switches don't let you modify vlan 1. Doesn't matter as long as vlan 1 isn't assigned to any ports.
Some switches don't let you set a management IP address on anything but vlan1. That can be worked into your design, even though it totally sucks.
-
Lots of switches don't let you modify vlan 1. Doesn't matter as long as vlan 1 isn't assigned to any ports.
Some switches don't let you set a management IP address on anything but vlan1. That can be worked into your design, even through it totally sucks.
It not only doesn't let me modify vlan1, but it also won't let me include vlan1 in a trunk. That's what's killing my proposed setup.
-
Lots of switches don't let you modify vlan 1. Doesn't matter as long as vlan 1 isn't assigned to any ports.
Some switches don't let you set a management IP address on anything but vlan1. That can be worked into your design, even through it totally sucks.
It not only doesn't let me modify vlan1, but it also won't let me include vlan1 in a trunk. That's what's killing my proposed setup.
You can't trunk VLAN1. It is, by design, untagged.
-
Lots of switches don't let you modify vlan 1. Doesn't matter as long as vlan 1 isn't assigned to any ports.
Some switches don't let you set a management IP address on anything but vlan1. That can be worked into your design, even through it totally sucks.
It not only doesn't let me modify vlan1, but it also won't let me include vlan1 in a trunk. That's what's killing my proposed setup.
You can't trunk VLAN1. It is, by design, untagged.
I know. The problem is this switch ONLY allows administration via the web interface and ONLY on vlan1. Which means to set up the network, I need to cut off my access to the switch, unless I could have included vlan1 in the trunk.
-
Lots of switches don't let you modify vlan 1. Doesn't matter as long as vlan 1 isn't assigned to any ports.
Some switches don't let you set a management IP address on anything but vlan1. That can be worked into your design, even through it totally sucks.
It not only doesn't let me modify vlan1, but it also won't let me include vlan1 in a trunk. That's what's killing my proposed setup.
You can't trunk VLAN1. It is, by design, untagged.
I know. The problem is this switch ONLY allows administration via the web interface and ONLY on vlan1. Which means to set up the network, I need to cut off my access to the switch, unless I could have included vlan1 in the trunk.
Set all user ports to Access mode with the appropriate PVID (do NOT use 1).
Set the uplink port for your pfSense box to General (not Trunk) with a PVID of 1 and allow tagged packets from the VLANs you created above.
Create however many tagged VLAN interfaces are needed in your pfSense box, including one untagged for the native VLAN, and then use firewall rules to determine which of your computers are allowed to access each network.
-
It's a bit of a hack, but I think you can get it to work if you leave LAN assigned to the interface and add an OPT for VLAN 5.
Your other option is to change LAN to VLAN 10 or something instead of 1 and accept that you won't be able to get into the switch unless you plug into a trunk port. I've done test setups like this before- if you're not going to need to modify the switch config very often, it works fine. -
Set all user ports to Access mode with the appropriate PVID (do NOT use 1).
Set the uplink port for your pfSense box to General (not Trunk) with a PVID of 1 and allow tagged packets from the VLANs you created above.
Create however many tagged VLAN interfaces are needed in your pfSense box, including one untagged for the native VLAN, and then use firewall rules to determine which of your computers are allowed to access each network.
I'll see if that works when I get home tonight, thanks.