Vlans
-
Hi I am relatively new with vlans but I understand how to set them up and how they work but I dont understand one thing, firstly I want to segregate my network using vlans so that nothing on either networks can communicate with each other but I want both to have internet access.
I have setup a vlan and put my laptop on the client side of the vlan I cannot ping the hosts on my lan network but I can still access port 80 of my switch gui through a web browser and nmap. My firewall rules are correct as I have tested this with a different physical nic on my pfsense box and that stopped access to anything on my lan. Do I need to use port isolation or something else? By the way I am using 801.1q vlans.Thanks for any help, Ben
-
My firewall rules are correct
If you wanted to block access to the web gui then no, they're not. What to change? Anyone's guess since you haven't posted them.
-
Hi sorry i presumed they were correct as they worked fine when on a different physical nic but here they are, i want to stop all access from the vlan2 to my lan.
 -
Is the IP of your switch on LAN net?
How did you configure the VLANs?
-
Hi yes the ip of my switch is on the lan, i have the port connected to my pfsense box set as trunk and the port connected to my test laptop as access (see screenshot)
 -
What did you do in Interfaces > (assign)
Does the TPlink understand the concept of a Management VLAN? How is that set?
-
I have 2 physical cables between the pfsense box and the tplink switch, one of them is connected to port 1 what is in access (no eggress) and is just for lan and the other is connected to port 4 (trunk) for vlans i have attached screenshots showing the (assign) menu and how the switch is set up.
 -
First, calling your descriptions vlan2 and tagging with VLAN 6 is nothing if not confusing.
Get all your VLAN 6 ports off VLAN 1 (Like port 4 in particular. Edit VLAN 1 and deselect any ports you want on VLAN 6)
Edit VLAN 6. Make sure port 4 is trunk/tagged and your test workstation port is an access, untagged port.
Connect your workstation to the access port and pfSense em1 to port 4.
Do you get the right DHCP on the right interface?
-
On the switch (tplink) you cannot edit the Default vlan as you can see on the screenshot it is greyed out it just removes any ports when you add them to a different vlan apart from the trunked ports what stay on the default vlan, i will try to use a different vlan than the default vlan so that i can specify the ports and get back to you when i have done that.
-
I have moved the lan to vlan 2 on the switch (screenshot) but i still cannot remove port 4 from the default vlan, the only solution that i can think of is to setup the lan as a vlan and tag from pfsense removing any untagged traffic from the switch anyway i will wait for you to let me know what you think before i do this.
 -
If you have the interface assigned to VLAN 6 on em1 enabled, configured, and have a DHCP server on it, you should get an IP on that network on something plugged into port 24.
Your switch probably will not let you do a tagged port without having a PVID. As long as you moved LAN to VLAN 2, it shouldn't hurt to just leave the PVID as VLAN 1 (If you can even change it.
-
Yes this is the part that confuses me I now have my laptop on port 24 (access) and it gets an ip from dhcp that I assigned, like it should, but I can still access the web gui of my switch and pfsense what is on the lan.
-
Perhaps the reason port 4 cannot be removed is that the switch requires at least one port be assigned to the default vlan for switch management.
Add some other unused port to the default vlan and then see if port 4 can be removed. Another thing to perhaps try would be to enable switch management on one of the other vlans, then disable management on the default vlan.
-
You need to do some basic troubleshooting. Pings, etc to see what is going on.
My initial thoughts are the TP-Link is not quality kit. It might very well be intercepting traffic to its IP address regardless of VLAN. No bueno.
-
My initial thoughts are the TP-Link is not quality kit. It might very well be intercepting traffic to its IP address regardless of VLAN.
I cannot confirm that!
They are cheaper as compared to well-known brands but definitely don't lack quality. I use a TL-SG5424 (bigger brother to TL-SG3424) at home with quite some VLANs and a TL-SG5412F as fiber concentrator in an IP-TV install. Both absolutely flawlessly! -
Found the issue, I had squid proxy server set to both interfaces and it allowed port 80 access through it. I had the two networks on the proxy interface.
Thanks for your time and sorry for any time wasted especially to Derelict.
-
******* squid. Most people don't need it.
-
