EXCellR8

Diamond Member
Sep 1, 2010
3,991
842
136
Ughghghhghhhh, networking. I'll admit it's not my strongest suit, but I've been wrestling with this on and off for about a year now. I moved back in July of '23 and set up a new network from scratch. I've a LOT of devices but they're all on the same LAN, and I'm wanting to segment and organize everything a little better--as well as secure it using VLANs. Nothing too crazy, and I understand the limitations, but the problem is I've never gotten it to work.

Here's what I'm working with:

  • pfSense firewall/router (single WAN, single LAN)
  • Dell X1052 switch
  • Unifi controller + 3x wireless APs

I'll focus on the non-wireless connections to the switch for simplicity's sake, but I've got the following VLAN IDs configured on both the firewall and switch:

VLAN 1 (native LAN)   192.168.1.1/24     firewall and switch
VLAN 10               192.168.10.1/24    for LAN devices
VLAN 20               192.168.20.1/24    for IP cameras
VLAN 30               192.168.30.1/24    for wireless clients
VLAN 40               192.168.40.1/24    for IoT

*All of these interfaces have DHCP enabled

All pretty basic, yet I am struggling to understand why it's failing. So here's a scenario I had been testing:

Logging into the switch, I configured port #2 as my General port which is tagging traffic for all VLANs. Great, and for some reason setting this port to Trunk mode only allows for untagged traffic--which I figure must be a Dell thing idk. I assign port #11 on the switch as an access port for use with VLAN 10, and then connect a PC to port #11. Now, I feel like that PC should start grabbing a DHCP IP from the 192.168.10.1 address pool but it never does. And that's where I'm at, trying to figure out why.

I've created rules on pfSense to allow traffic to flow from VLAN 10 to the WAN, and vice versa, but that doesn't seem to do much. At this point I'm going to either flash the switch firmware, or try another switch, because I feel like this should be working?

I will also add that if I clear the VLAN association from port #11 on the switch, then the attached PC will grab a DHCP address from the native LAN basically right away...

Thanks in advance for any assistance, I know it's an obnoxious amount of info
 

ch33zw1z

Lifer
Nov 4, 2004
38,332
18,863
146
What is upstream of port 2, and is it also set to pass all traffic? Untagged traffic is typically the native VLAN, aka the default network in Ubiquiti world; sounds like all the VLAN traffic is not being passed to the switch.

There should also be a trunk port to each AP.

Edit: it's been a long time since I've touched pfSense, but VLANs don't change too much.

 

EXCellR8

Port #2 on the switch is the pfSense appliance, on which I've set some rules on the VLAN interfaces (10 thru 40) to allow all traffic to WAN interface, but no clients connected off of the access ports on the switch can get to the web. All I've been able to do is ping the switch from a PC on an access port, in this case for reference port #11, but that was only when I set a static IP on that endpoint.

Seems like DHCP just doesn't want to work on the VLANs, or traffic just isn't making it through the switch.

What's also trivial to me is that if I switch port #2 to a trunk, I'm not able to tag any of the VLAN IDs on that port. Idk, seems busted... I might just try a Netgear switch instead. The interface on the Dell isn't what I'd call intuitive, yet everything seems to be configured correctly.
 

ch33zw1z

Ok, inside pfSense, which networks do you have as tagged and which are untagged?

Also inside pfSense, do you need to set your port to pass all traffic to the downstream trunk port?

You shouldn't need to do much on the switch.
1. Assign a trunk port to the upstream switch (which is a single port on the pfSense box)
2. Assign trunked ports for the APs (and of course here the controller software should be used to configure the APs to match the main config)
3. Assign additional ports to whatever VLAN interface you want.

As long as pfsense is configured correctly, this should allow the dell switch to pass vlan traffic.

Typically you have a native / default VLAN that's untagged and is used to manage devices on the network. This may also be referred to as a port's PVID, and is also usually VLAN ID 1 (even if Ubiquiti doesn't outright say that in the GUI).

For instance, that may be network 192.168.1.x/24. Then the management network would be something like

DG (pfsense): 192.168.1.1
Dell switch: 192.168.1.2
AP’s : 192.168.1.3-5

Also note: when you set the trunk port on the Dell switch, there's no need to assign it specific VLAN IDs; the trunk passes all VLAN IDs (all tagged and untagged traffic). VLAN routing doesn't happen at the trunk port, it happens at the router (pfSense).

2nd edit: my old Ubiquiti ER-X did make it so you had to configure the PVID on each port, and additionally each VLAN you wanted "trunked" off the same port. It was a little different.
 

EXCellR8

Thanks for the info, here's what I have for tagged VLANs:


hn0 is the LAN, which I believe is not tagged because it's the native LAN.

Here's all the interface assignments:



And here's "OPT1" which is VLAN 10's config:


As far as I know I have all of this set up correctly, but here's where I think I'm losing my mind slightly:


If I set port #2 here as the trunk and select all VLAN IDs, I can only set them as untagged. Since the trunk is meant for all traffic that makes sense, but then what is actually tagging the traffic? I assume it's the firewall, but I feel like the traffic just isn't getting tagged and routed to where it needs to go...

Heh, I've pored over so many documentation sites, forums, and YT videos I feel like I can feel my brain smoothening out.
 

ch33zw1z

Good pictures. I'll start at the Dell switch... So those VLANs are greyed out and labeled untagged, but you had to configure those VLANs on the switch. Are those configured as "untagged" in the VLAN configuration? If not, I find it a bit odd that you can't edit those to tagged. So I'm thinking check the VLAN configuration page.

Dell switch at the latest code?

As far as pfSense, it looks ok so far but I'm still googling.

For DHCP, did you have to create a DNS server for each VLAN?
 

EXCellR8

Thanks for the help, here's the Dell switch VLAN config page:



As for DHCP on the VLANs, I read that leaving DNS blank would use the default DNS on the parent interface (which may not be accurate), but then I went and manually keyed them in for each VLAN. Didn't seem to do much unfortunately.
 

ch33zw1z

Ok, click the edit (config) on one of the VLANs 10 thru 40. Is there a tagged / untagged option in the VLAN configs?

You can double check 1 as well.

Sorry, typed DHCP then DNS, my bad. Just curious about the DHCP servers, since you mentioned not getting IP addresses.
 

EXCellR8

No worries, this is all that shows up when you click edit for any of them:



You had mentioned updating the switch firmware, but honestly this kind of makes me just want to try one of the others I've got lying around.

The clients are definitely not getting IPs via DHCP on any of the VLANs. I had configured port #11 on the switch as an access port for VLAN 10 (untagged), but I could only ever ping the switch if I assigned a static IP to that PC (on port 11). And even then I wasn't getting through to the Internet.

It's like there's something missing, or I'm just not looking in the correct spot.
 

ch33zw1z

Yea, I agree something is off. My Google-fu seems ok, and even the manual reads like you should be able to choose the greyed-out options for tagged on the VLANs when setting the trunk settings.

You can also try the CLI if you're feeling up to it.

Have you tried a factory reset on the switch?

What other devices do you have to test with?

Latest code on the Dell site for the X1052 is from 2021.

For fun, if you plug a DHCP client directly into the pfSense box, do you get a DHCP address?
 

EXCellR8

Yea, if I clear the VLAN association on a switch port (connected directly to a computer) the client grabs an IP via DHCP right away. Just doesn't make sense to me...

I think, at this point, I'm just going to start from scratch on a different switch and focus on getting a single VLAN to work; then build from there. I did reset the switch and upgraded the firmware, but now it seems kind of sluggish and unresponsive on certain tasks. I recall the older Netgear switches being pretty straightforward with segmentation, and I could typically get them to work without much fuss. I don't know if my brain just doesn't compute with how the Dell system is portraying the config or something, but I'm kinda over it haha

Going to clear the VLANs in pfSense as well and re-assign the interfaces.

Appreciate the help though! I'll post back if I actually get anywhere.
 

ch33zw1z

Yea, if I clear the VLAN association on a switch port (connected directly to a computer) the client grabs an IP via DHCP right away. Just doesn't make sense to me...

I think, at this point, I'm just going to start from scratch on a different switch and focus on getting a single VLAN to work; then build from there. I did reset the switch and upgraded the firmware, but now it seems kind of sluggish and unresponsive on certain tasks. I recall the older Netgear switches being pretty straightforward with segmentation, and I could typically get them to work without much fuss. I don't know if my brain just doesn't compute with how the Dell system is portraying the config or something, but I'm kinda over it haha

Going to clear the VLANs in pfSense as well and re-assign the interfaces.

Appreciate the help though! I'll post back if I actually get anywhere.

Yep, you're on the right track. Get the main network / native VLAN working ok, then add a VLAN on top. 👍
 

EXCellR8

I think I may have found the problem to everything... I've been at this for so long on and off that I completely forgot my current pfSense appliance is a VM; I don't think VLAN ID is enabled, or it got turned off somehow, for the virtual switch.



So, I gotta go into my notes from a while back because I can't remember what this should be set to... I think the native LAN "1" but not sure. It did kind of feel like VLAN info wasn't leaving the firewall, and I think this could explain why.
 
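As an added example (Python, not from this thread or any of the products named in it), here is a small model of the 802.1Q behaviour that both the earlier question "what is actually tagging the traffic?" and the VM finding above turn on: the PC on access port 11 sends untagged frames that are classified into the port's PVID, the trunk on port 2 adds the VID tag for every VLAN except the native one, and pfSense's VLAN interface on hn0 matches on that tag. The port dictionaries, the abbreviated DHCP frame and the vnic_passes_tags flag standing in for the hypervisor's virtual switch port setting are all constructed assumptions.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag

def build_frame(dst, src, ethertype, payload, vid=None):
    """Ethernet II frame; when vid is given, insert a 4-byte 802.1Q tag (PCP/DEI 0)."""
    frame = dst + src
    if vid is not None:
        frame += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)  # TCI = PCP(3)|DEI(1)|VID(12)
    return frame + struct.pack("!H", ethertype) + payload

def parse_frame(frame):
    """Return (vid or None, ethertype, payload) for a tagged or untagged frame."""
    tpid = struct.unpack("!H", frame[12:14])[0]
    if tpid == TPID_8021Q:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        return tci & 0x0FFF, ethertype, frame[18:]
    return None, tpid, frame[14:]

def switch_ingress(frame, port):
    """VLAN an arriving frame lands in; port = {"mode": "access"|"trunk", "pvid", "allowed"}."""
    vid = parse_frame(frame)[0]
    if vid is None:
        return port["pvid"]          # untagged frame -> the port's PVID (native VLAN)
    if port["mode"] == "access":
        return None                  # an access port discards tagged frames
    return vid if vid in port["allowed"] else None

def switch_egress(frame, port, vlan):
    """Access ports and a trunk's native VLAN send untagged; other trunk VLANs get tagged."""
    _, ethertype, payload = parse_frame(frame)
    tag = None if port["mode"] == "access" or vlan == port["pvid"] else vlan
    return build_frame(frame[:6], frame[6:12], ethertype, payload, vid=tag)

def pfsense_receives(frame, vlan_ifaces, vnic_passes_tags):
    """pfSense interface that sees a frame on hn0. vnic_passes_tags models the hypervisor
    vSwitch port (assumption): with trunking off there, tagged frames never reach the guest."""
    vid = parse_frame(frame)[0]
    if vid is None:
        return "hn0"                 # untagged -> native LAN, which is why that kept working
    return vlan_ifaces.get(vid) if vnic_passes_tags else None

# Constructed ports mirroring the thread: port 11 as VLAN 10 access (and with the
# association cleared), port 2 as the trunk toward pfSense with VLAN 1 native.
PORT11_VLAN10 = {"mode": "access", "pvid": 10, "allowed": {10}}
PORT11_CLEARED = {"mode": "access", "pvid": 1, "allowed": {1}}
PORT2_TRUNK = {"mode": "trunk", "pvid": 1, "allowed": {1, 10, 20, 30, 40}}
# Constructed broadcast frame standing in for the PC's DHCP Discover (payload abbreviated).
DISCOVER = build_frame(b"\xff" * 6, b"\x02\x00\x00\x00\x00\x0b", 0x0800, b"DHCPDISCOVER")
```

Run through the model, the Discover leaves port 2 tagged with VID 10, so if the VM's virtual switch port does not pass tags only the untagged native-VLAN frames ever reach hn0, which is consistent with DHCP working the moment the VLAN association on port 11 was cleared.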

ch33zw1z

I think I may have found the problem to everything... I've been at this for so long on and off that I completely forgot my current pfSense appliance is a VM; I don't think VLAN ID is enabled, or it got turned off somehow, for the virtual switch.


So, I gotta go into my notes from a while back because I can't remember what this should be set to... I think the native LAN "1" but not sure. It did kind of feel like VLAN info wasn't leaving the firewall, and I think this could explain why.

Yes, very interesting. I didn't think to ask, just kinda assumed you were running a standalone box. If this is your main network and not testing... maybe a standalone?
 

EXCellR8

I had been running a standalone on a SFF PC a while back, but I think I ran into some kind of compatibility issue with pfSense, so I moved it to a virtual. I'm almost wondering if, when I re-created the VM more recently, I neglected to account for the VLANs. I'm pretty sure I had them working before, so I'll just plug away at it. Worst case scenario, yes, I'll try a standalone. There have been some updates to pfSense since I first tried, so worth a shot.
 

EXCellR8

Well after thoroughly breaking everything, I decided to spin up another instance of pfSense on another unit--this one being a standalone.

Ran through the setup of a single VLAN with DHCP, which seems to work for IP assignment, but for some reason the clients aren't resolving DNS. I can manually set the DNS servers on the virtual interface, even though I shouldn't need to, but that doesn't seem to do much. IIRC leaving them blank should use the default DNS servers (in my case Google and Cloudflare public DNS), but still no web access on the VLAN. Firewall rules don't appear to restrict DNS. Ughh

I did not try statically assigning DNS servers on endpoints, just to see what would happen, so I may try that tonight.
 