VLAN confusion, badly need help.



  • Hey all. I configured a box to run pfSense. I also bought a TP-Link switch. I have not configured pfSense yet, because I am confused about the VLAN setup with the TP-Link switch. I envisioned the setup like this: pfSense router connected to port 1 on the switch. Then on port 2 the desktop VLAN. Port 3 and port 4 would be a second VLAN for my IP camera and its Raspberry Pi server. The final VLAN would be a wireless access point on port 5. I have this so far….
    https://gyazo.com/c061ae361fe1c5cf403bc41d273a7955

    as well as this for PVID:  https://gyazo.com/09d22f9b35417aed240598887e3e09e6

    The way it was explained to me, untagged ports on the VLAN are the access ports, and the tagged port is the port that acts like a trunk, or basically passes the network traffic to the pfSense box. Problems: I have no idea if I even did this correctly. Also, from what I understand I have no way of actually managing the switch based on this setup, and I am not sure if I need to add another VLAN to do that, or modify VLAN 2, aka the desktop VLAN. Finally, people have told me to modify VLAN 1, but not only can I not delete it, this TP-Link switch does not allow me to edit it. Help!!! Please!!!



  • If you configure VLANs it's good practice to delete VLAN 1 if possible, or not to use it at all if not.
    To use a tagged port in your system, the hardware should support IEEE 802.1Q (VLAN tagging). Tagging is basically a special marking of packets with a VLAN number, which logically separates all packets on a NIC into 4096 different streams, so you should define this tag every time you configure the other end of the communication, to be able to know what stream to read.
    Untagged ports transfer the VLAN data but look like an ordinary port, so you would not need to configure anything or meet hardware requirements on the other end.

    You did right, but to be able to manage the switch from 'desktop' port 2 you need to reconfigure its management interface to use VLAN 2. OR, if there is no such option, ports 6-8 are still on VLAN 1, so connect your PC there and you will be able to access the switch.

    Here's an example on a D-Link switch. I was able to set the VLAN name to "IPMI" from "default" while configuring the management interface. http://imgur.com/DGnjS2G



  • Thanks for uploading the pic and explaining. Those sound like viable options, though someone else advised me to set up VLAN 2 as the physical interface for pfSense, and it would also act as a management interface for the switch. What to tag, what to untag, and the PVID settings have got me stumped though. I am just trying to set this project up for a class :X



  • VLAN 2 in pfSense as a physical interface would act absolutely the same as VLAN 2 through the trunk port. The management interface for the switch can be configured on the switch only. And since yours is more of a low-port-count home model, there may not be such an option. So you would need to have VLAN 1 tagged in your trunk as well, to be able to manage it through devices connected to pfSense and not by connecting directly to the switch.

    Btw, just noticed. You should probably remove the untagged ports used in other VLANs from VLAN 1 (2-4, 5). Different switches act differently about multiple untagged VLANs per port. Keep 1 untagged VLAN and up to the max number of tagged ones per port, and you'll be fine.


  • Rebel Alliance Global Moderator

    While it's standard practice in the enterprise not to use VLAN 1, for a home setup you do not have to worry about which VLAN is your management VLAN.

    It's more than fine to leave VLAN 1 as management, and even use that management VLAN as one of your normal VLANs so you can get to your switches. There is no requirement that says your management VLAN has to be different from, say, your normal LAN VLAN where your desktop is.

    I am curious why VLAN 1 is listed on all your ports. Did you take that screenshot before you changed the PVID of the ports? Once you change the PVID of a port you'll be able to remove VLAN 1 from it. Its PVID (untagged) VLAN should be the only VLAN on an access port. One device connected to them. Only trunk ports would have a native VLAN.



  • I got everything working guys, thanks for the help. I was badly over-complicating the TP-Link's simple untagged access port / tagged "trunk" port, I guess you could say. Untagging the right access ports, and tagging port 1 of my switch in each VLAN, got it all working with the right PVID settings. Thanks
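The rules the replies converge on (one untagged VLAN per port matching its PVID, the trunk carrying every VLAN, access ports with no tagged membership) can be checked mechanically before the switch is touched. The following is an added example, not code from the thread, TP-Link or pfSense; the port numbers, VLAN ids and both tables are constructed to mirror the poster's setup (port 1 uplinks to pfSense, ports 2-5 are access ports, ports 6-8 stay on VLAN 1 for management).

```python
# Added example: lint an 8-port switch's 802.1Q VLAN table against the
# advice in the thread. Port 1 is assumed to be the trunk to pfSense.
TRUNK_PORT = 1

def lint_vlan_table(vlans, pvid, trunk=TRUNK_PORT):
    """vlans: {vid: (tagged_ports, untagged_ports)}, pvid: {port: vid}.
    Returns a list of problems; an empty list means the table is consistent."""
    problems, untagged_in, tagged_in = [], {}, {}
    for vid, (tagged, untagged) in vlans.items():
        for p in untagged:
            untagged_in.setdefault(p, set()).add(vid)
        for p in tagged:
            tagged_in.setdefault(p, set()).add(vid)
        # every VLAN must reach pfSense: tagged on the trunk, or the trunk's native VLAN
        if trunk not in tagged | untagged:
            problems.append(f"VLAN {vid}: not carried on trunk port {trunk}")
    for port in sorted(set(untagged_in) | set(tagged_in) | set(pvid)):
        u = untagged_in.get(port, set())
        if len(u) > 1:  # the trap in the screenshot: still untagged in VLAN 1 as well
            problems.append(f"port {port}: untagged in VLANs {sorted(u)}, keep exactly one")
        if pvid.get(port) not in u:  # ingress PVID must be the port's untagged VLAN
            problems.append(f"port {port}: PVID {pvid.get(port)} is not its untagged VLAN")
        if port != trunk and tagged_in.get(port):  # access port: one device, no tags
            problems.append(f"port {port}: access port carries tagged VLANs {sorted(tagged_in[port])}")
    return problems

# Constructed "before" table: default VLAN 1 was never removed from ports 2-5.
BEFORE = {1: (set(), {1, 2, 3, 4, 5, 6, 7, 8}),
          2: ({1}, {2}),        # desktop
          3: ({1}, {3, 4}),     # IP camera + Raspberry Pi
          4: ({1}, {5})}        # wireless access point
# Constructed "after" table: one untagged VLAN per access port, trunk tagged in each.
AFTER = {1: (set(), {1, 6, 7, 8}),  # management VLAN, native on the trunk
         2: ({1}, {2}), 3: ({1}, {3, 4}), 4: ({1}, {5})}
PVID = {1: 1, 2: 2, 3: 3, 4: 3, 5: 4, 6: 1, 7: 1, 8: 1}

if __name__ == "__main__":
    for name, table in (("before", BEFORE), ("after", AFTER)):
        print(name, lint_vlan_table(table, PVID) or ["ok"])
```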