VLAN Confusion between pfSense and Nortel Baystack 5520

kars85

Hopefully someone can chime in, as it's one of the last pieces of the puzzle before I do the flip to to the Nortel.

I currently have 2 VLANs setup in pfSense & a Netgear GS724v3 switch. So, in the Netgear web interface, I have the uplink port of my pfSense router as a tagged port on each of those VLANs, with the respective ports I want on the VLAN untagged. All fine and dandy and rock solid for over a year since I first set it up.

My problem is finding the similar options within Nortel's web interface. Specifically, do I tag the pfSense uplink port on each VLAN and untag the actual ports I want to assign within a specific VLAN like I did in Netgear. I don't want to do any Layer 3 functions in the Nortel, just basic layer 2 with pfSense handling my routing.

I've tried the following screenshot, but no luck.  VLAN member on port 25 can't get DHCP, can't ping the VLAN gateway in pfSense…nada. The nortel was reset to defaults, so I'm setting it up from scratch.  I've got an interface IP set on the VLAN, enable DHCP relay from that interface IP to the pfSense gateway IP, but still no luck.

Hopefully someone can chime in, since I think the Baystack's are pretty popular albeit a little dated.
Thanks!

asterix

VLAN member needs to be untagged with VLAN PVID on that port. You tag to route the right VLAN packets between different network environments. If port 25 is used for a VLAN (lets say 20) member, you untag it and mark it with the VLAN PVID 20. So VLAN 20 from pfSense will communicate and hand out DHCP IP to the untagged client with PVID 20.

In the switch's VLAN configuration

Go in VLAN1 configuration page
pfSense VLAN1 connected to Switch port 1 (Tagged) (PVID.. default 1.. don't change)
VLAN1 member on Switch Port 2 (Untagged) (PVID1)  –-> this client will receive VLAN1 IP

Go into VLAN2 configuration
pfSense VLAN2 connected to Switch Port 3 (Tagged) (PVID.. default 1.. don't change)
VLAN2 member on Switch Port 4 (Untagged) (PVID2) ---> this client will receive VLAN2 IP

kars85

@Asterix:

VLAN member needs to be untagged with VLAN PVID on that port. You tag to route the right VLAN packets between different network environments. If port 25 is used for a VLAN (lets say 20) member, you untag it and mark it with the VLAN PVID 20. So VLAN 20 from pfSense will communicate and hand out DHCP IP to the untagged client with PVID 20.

In the switch's VLAN configuration

Go in VLAN1 configuration page
pfSense VLAN1 connected to Switch port 1 (Tagged) (PVID.. default 1.. don't change)
VLAN1 member on Switch Port 2 (Untagged) (PVID1)  –-> this client will receive VLAN1 IP

Go into VLAN2 configuration
pfSense VLAN2 connected to Switch Port 3 (Tagged) (PVID.. default 1.. don't change)
VLAN2 member on Switch Port 4 (Untagged) (PVID2) ---> this client will receive VLAN2 IP

Thanks for the tips.  There's no granular option in the Nortel to configure the PVID explicitly (to my knowledge).  It uses the VlanId as the PVID.

That being said, I've tried tagAll(trunk) and tagPvidOnly on port 1, along with both untagAll(access) and untagPvidOnly on port 25, all to no avail.  Wireshark captures from the client give no indication it is getting to pfSense.  I thought by setting up an interface IP within the VLAN and enabling DCHP relay from that IP to the pfSense router would help it along, too, but that doesn't seem to help

kars85

Here is what I am trying to replicate (working setup):

VLAN in pfSense configuration:

How the Netgear Smartswitch is setup (and working):
VLAN1

VLAN20 (disregard VLAN10 in the pic, it's been changed to 20 long ago)

This is what I THOUGHT I had working earlier today:
Port 1 (VLAN1,10,20; default VLAN ID 1) - untagPvidOnly
Ports 2-24 (VLAN1) - untagAll(access)
Ports 25-30 (VLAN20) - untagAll(access)
Ports 31-36 (VLAN10) - untagAll(access)

But using those settings, I just migrated 17 of my 25 devices, and something still isn't right with VLAN1.

If I remove port 1 from VLAN1, change the default to VLAN20, then VLAN20 works (gets DHCP from VLAN20 DHCP Server, can browse web, etc..).  The minute I associate VLAN1 with the port 1 going to pfSense EVERYTHING dies.

Any other tips on how I'm not getting my vlan memberships right in the nortel like I have in the Netgear?

Pretty disappointed in myself that I can't get this to work. This is a major kick in the nuts as a sysadmin.

Derelict

The best advice I can give you is when you start dealing with tagged VLANs is to forget VLAN1 (the default VLAN) exists.

Don't use it.

Unless there is absolutely no other option, a port should be:

1. untagged on any VLAN (except 1)

2. tagged on one or more VLANs (trunk ports to other switches, routers, wireless access points, etc)

Mixing tagged and untagged traffic on a port, especially in a multi-vendor environment, leads to unexpected results, grief, frustration, and downtime.  Unless you know exactly what you're doing and test, test, test before deployment.

heper

did you TAG vlan 20,30 on port 1 ? i only see vlan1 present in the "vlanids' column

Derelict

Did you assign the interfaces to the VLANs in Interfaces > (assign)??

kars85

Yeah, I have the interfaces assigned in pfSense. I also did assign 10 & 20 to port 1 early on in my trials and tribulations.  I'm trying to figure out a way to get rid of VLAN1 on the switch, and just move it's management IP over to another VLAN, like VLAN101. I think that's the issue here.

But then, all traffic that all the other ports that were on "VLAN1" (I quote it because my Netgear doesn't really tag the traffic, but the Nortel does) would need to be untagged leaving me with tagged and untagged traffic going through port1.  Yuck.

I'm afraid I will have to create another VLAN that I can tag like VLAN100 for what used to be LAN in pfSense, but I'm not sure how to handle the DHCP on that because I really don't want to reconfigure my static IP's and applications/esxi host. Can I turn off 192.168.1.1 on the LAN interface and have DHCP setup on VLAN 100 to pickup that range without missing a beat?

Derelict

@kars85:

Yeah, I have the interfaces assigned in pfSense. I also did assign 10 & 20 to port 1 early on in my trials and tribulations.  I'm trying to figure out a way to get rid of VLAN1 on the switch, and just move it's management IP over to another VLAN, like VLAN101. I think that's the issue here.

The switch either supports changing the management VLAN or it doesn't.

But then, all traffic that all the other ports that were on "VLAN1" (I quote it because my Netgear doesn't really tag the traffic, but the Nortel does) would need to be untagged leaving me with tagged and untagged traffic going through port1.  Yuck.

I have no idea what this means.  There is no such thing as tagged VLAN1.

I'm afraid I will have to create another VLAN that I can tag like VLAN100 for what used to be LAN in pfSense, but I'm not sure how to handle the DHCP on that because I really don't want to reconfigure my static IP's and applications/esxi host. Can I turn off 192.168.1.1 on the LAN interface and have DHCP setup on VLAN 100 to pickup that range without missing a beat?

Huh?  If you Interfaces > (assign) pfSense LAN to a different VLAN interface, all the config, rules, DHCP servers, etc will just move to the new tagged VLAN on the pfSense physical interface.

kars85

@Derelict:

@kars85:

Yeah, I have the interfaces assigned in pfSense. I also did assign 10 & 20 to port 1 early on in my trials and tribulations.  I'm trying to figure out a way to get rid of VLAN1 on the switch, and just move it's management IP over to another VLAN, like VLAN101. I think that's the issue here.

The switch either supports changing the management VLAN or it doesn't.

But then, all traffic that all the other ports that were on "VLAN1" (I quote it because my Netgear doesn't really tag the traffic, but the Nortel does) would need to be untagged leaving me with tagged and untagged traffic going through port1.  Yuck.

I have no idea what this means.  There is no such thing as tagged VLAN1.

I'm afraid I will have to create another VLAN that I can tag like VLAN100 for what used to be LAN in pfSense, but I'm not sure how to handle the DHCP on that because I really don't want to reconfigure my static IP's and applications/esxi host. Can I turn off 192.168.1.1 on the LAN interface and have DHCP setup on VLAN 100 to pickup that range without missing a beat?

Huh?  If you Interfaces > (assign) pfSense LAN to a different VLAN interface, all the config, rules, DHCP servers, etc will just move to the new tagged VLAN on the pfSense physical interface.

I don't know. :( I'm grasping at straws and have been grinding on this for days trying to get something to work that should only take minutes.

Do you know why this setup doesn't work or is there anything else I can take screenshots to help?

Port 1 (VLAN1,10,20; default VLAN ID 1) - untagPvidOnly
Ports 2-24 (VLAN1) - untagAll(access)
Ports 25-30 (VLAN20) - untagAll(access)
Ports 31-36 (VLAN10) - untagAll(access)

kars85

I hate to admit this, but the root of all my issues ended up being an unmanaged PoE switch I had been using being connected to my Nortel.  Two ports actually.  I basically started from scratch, port by port until I saw what connection brought the whole thing down.

Sheesh.  Time for a beer.

Derelict

Don't cross the streams.