Basic First VLAN
Have gotten pfSense up and running, and been through the webConfigurator, no problems. I need some help understanding how to get my first VLAN working.
em0 = WAN: Configured for DHCP but not plugged in yet.
em1 = LAN: 192.168.1.1/24 –> Switch
VLAN ID 400 (on em1)
Switch = NetGear GS108T
LAN: 192.168.1.231/24 (can access switch's web admin on this address)
Port 1 --> pfSense Box
Port 8 --> Netbook
Default Management VLAN = 1 (untagged on all ports)
VLAN ID 400
Port 1 = Untagged
Port 8 = Tagged
Netbook = Ubuntu 14.04
So far, I can access the webconfigurator on 192.168.1.1 just fine. When I change the netbook LAN to 192.168.2.101/24 with gateway 192.168.2.1, I try to access pfSense on 192.168.2.1, but get no response (timeout).
I have added a Pass all rule onto the VLAN adapter on pfSense to prevent the firewall blocking traffic on the VLAN (source * to destination * any protocol).
I know the switch is functional, but I don't know if I've configured the port memberships right. If I understand correctly, Port 1 has to be marked as a member for traffic to be allowed at all, but since it handles traffic for both the LAN and the VLAN, it has to be untagged to prevent traffic from being marked as belonging to the VLAN when it may be LAN traffic. By setting Port 8 as tagged, traffic from my netbook should always be for VLAN 400? Yet I could use 192.168.1.1 through this port.
I'm also concerned that I haven't specified any overrides for the MAC addresses, so I assume the adapter defaults are still in use. I read somewhere this can cause confusion, but I don't know if this applies to VLAN routing. Should I be specifying unique MAC addresses for each listener? Is there any recommended pattern to generating MACs?
Any help is appreciated,
VLAN ID 400 Memberships: Port 1 = Untagged Port 8 = Tagged
I think you need to swap this to:
VLAN ID 400 Memberships: Port 1 = Tagged Port 8 = Untagged
The client on port 8 has no built-in VLAN functionality. When it sends an ethernet frame the VLAN switch needs to read the ordinary frame (untagged) and then know that port 8 is part of VLAN 400 and spit the packet out any other ports in VLAN 400. On port 1 it needs to put a VLAN 400 tag and pfSense can recognise that and deal with the packet in the VLAN 400 interface.
The first scenario works now because it is just using VLAN 1 and that is still broadcasting untagged between all ports, thus acting like a dumb switch. In the end you are also better to use some other VLAN Id for the first subnet, and tag it into pfSense. Using the default management VLAN 1 for real traffic is usually a hassle.
I now realise that I was applying my understanding of tagged and untagged to inbound packets rather than outbound packets.
Once I reversed the setup, everything worked as expected.
(The VLAN 1 is the default Netgear management setup to allow all traffic to work on all ports, it's why I'm trying to switch to a different VLAN).
Thanks for your help, saved me a lot of head scratching.
Eventually you will discover that you cannot tag vlan 1.
If you ever want to "trunk" vlan1 across a trunk port with other vlans you will have to change it. Some gear might allow it, some might not. The stuff that won't is usually the higher end gear that is actually trying to meet the specifications.
Once you decide to start tagging any traffic at all in your network, you are better off forgetting vlan1 exists. In the dot1q environment, it doesn't.
Using the default management VLAN 1 for real traffic is usually a hassle.
Using it as a management VLAN is usually a hassle too. Yes, it's easier out-of-the-box-for-the-typical-frys-customer but it's just, well, suboptimal. If you have gear that HAS to have it's management VLAN on VLAN 1, you are way better off setting up an untagged port on your real management vlan on a real switch and plugging such gear into it. Any gear that doesn't let you change the management VLAN from VLAN1 should be discarded.