EXCellR8

Diamond Member
Sep 1, 2010
4,001
845
136
Ughghghhghhhh, networking. I'll admit it's not my strongest suit, but I've been wrestling with this on and off for about a year now. I moved back in July of '23 and set up a new network from scratch. I've a LOT of devices but they're all on the same LAN, and I'm wanting to segment and organize everything a little better--as well as secure it using VLANs. Nothing too crazy, and I understand the limitations, but the problem is I've never gotten it to work.

Here's what I'm working with:

  • pfSense firewall/router (single WAN, single LAN)
  • Dell X1052 switch
  • Unifi controller + 3x wireless AP's

I'll focus on the non-wireless connections to the switch for simplicity's sake, but I've got the following VLAN IDs configured on both the firewall and switch:

VLAN 1 (native LAN)   192.168.1.1/24    firewall and switch
VLAN 10               192.168.10.1/24   for LAN devices
VLAN 20               192.168.20.1/24   for IP cameras
VLAN 30               192.168.30.1/24   for wireless clients
VLAN 40               192.168.40.1/24   for IoT

*All of these interfaces have DHCP enabled

All pretty basic, yet I am struggling to understand why it's failing. So here's a scenario I had been testing:

Logging into the switch, I configured port #2 as my General port which is tagging traffic for all VLANs. Great, and for some reason setting this port to Trunk mode only allows for untagged traffic--which I figure must be a Dell thing idk. I assign port #11 on the switch as an access port for use with VLAN 10, and then connect a PC to port #11. Now, I feel like that PC should start grabbing a DHCP IP from the 192.168.10.1 address pool but it never does. And that's where I'm at, trying to figure out why.

I've created rules on pfSense to allow traffic to flow from VLAN 10 to the WAN, and vice versa, but that doesn't seem to do much. At this point I'm going to either flash the switch firmware, or try another switch, because I feel like this should be working?

I will also add that if I clear the VLAN association from port #11 on the switch, then the attached PC will grab a DHCP address from the native LAN basically right away...

Thanks in advance for any assistance, I know it's an obnoxious amount of info
 

ch33zw1z

Lifer
Nov 4, 2004
38,505
19,045
146
What is upstream to port 2, and is it also set to pass all traffic? Untagged traffic is typically the native VLAN, aka the default network in Ubiquiti world. Sounds like all the VLAN traffic is not being passed to the switch.

There should also be a trunk port to each AP.

Edit: been a long time since I've touched pfSense, but VLANs don't change too much.


EXCellR8

Port #2 on the switch is the pfSense appliance, on which I've set some rules on the VLAN interfaces (10 thru 40) to allow all traffic to WAN interface, but no clients connected off of the access ports on the switch can get to the web. All I've been able to do is ping the switch from a PC on an access port, in this case for reference port #11, but that was only when I set a static IP on that endpoint.

Seems like DHCP just doesn't want to work on the VLANs, or traffic just isn't making it through the switch.

What's also trivial to me is that if I switch port #2 to a trunk, I'm not able to tag any of the VLAN IDs on that port. Idk, seems busted... I might just try a Netgear switch instead. The interface on the Dell isn't what I'd call intuitive, yet everything seems to be configured correctly.
 

ch33zw1z

OK, inside pfSense, which networks do you have as tagged and which are untagged?

Also inside pfSense, do you need to set your port to pass all traffic to the downstream trunk port?

You shouldn't need to do much on the switch.
1. Assign a trunk port to the upstream switch (which is a single port on the pfSense box)
2. Assign trunked ports for the APs (and of course here the controller software should be used to configure the APs to match the main config)
3. Assign additional ports to whatever VLAN interface you want.

As long as pfsense is configured correctly, this should allow the dell switch to pass vlan traffic.

Typically you have a native / default VLAN that's untagged and is used to manage devices on the network. This may also be referred to as a port's PVID, and is also usually VLAN ID 1 (even if Ubiquiti doesn't outright say that in the GUI).

For instance, that may be network 192.168.1.x/24. Then the management network would be something like

DG (pfsense): 192.168.1.1
Dell switch: 192.168.1.2
APs: 192.168.1.3-5

Also note: when you set the trunk port on the Dell switch, there's no need to assign it specific VLAN IDs; the trunk passes all VLAN IDs (all tagged and untagged traffic). VLAN routing doesn't happen at the trunk port; it happens at the router (pfSense).

2nd edit: my old Ubiquiti ER-X did make it so you have to configure the PVID on each port, and additionally each VLAN you wanted "trunked" off the same port. It was a little different.

EXCellR8

Thanks for the info, here's what I have for tagged VLANs:


hn0 is the lan, which I believe is not tagged because it's the native LAN.

Here's all the interface assignments:



And here's "OPT1" which is VLAN 10's config:


As far as I know I have all of this set up correctly, but here's where I think I'm losing my mind slightly:


If I set port #2 here as the trunk and select all VLAN IDs, I can only set them as untagged. Since the trunk is meant for all traffic that makes sense, but then what is actually tagging the traffic? I assume it's the firewall but I feel like the traffic just isn't getting tagged and routed to where it needs to go...

Heh, I've pored over so many documentation sites, forums, and YT videos I feel like I can feel my brain smoothening out.
 

ch33zw1z

Good pictures. I'll start at the Dell switch... So those VLANs are greyed out and labeled untagged, but you had to configure those VLANs on the switch. Are those configured as "untagged" in the VLAN configuration? If not, I find it a bit odd that you can't edit those to tagged. So I'm thinking check the VLAN configuration page.

Dell switch at the latest code?

As far as pfSense, it looks OK so far but I'm still googling.

For DHCP, did you have to create a DNS server for each VLAN?
 

EXCellR8

Thanks for the help, here's the Dell switch vlan config page:



As for DHCP on the VLANs, I read that leaving DNS blank would use the default DNS on the parent interface (which may not be accurate), but then I went and manually keyed them in for each VLAN. Didn't seem to do much unfortunately.
 

ch33zw1z

OK, click the edit (config) on one of the VLANs 10 thru 40. Is there a tagged / untagged option in the VLAN configs?

You can double check 1 as well.

Sorry, typed DHCP then DNS, my bad. Just curious about the DHCP servers, you mentioned not getting IP addresses.

EXCellR8

No worries, this is all that shows up when you click edit for any of them:



You had mentioned updating the switch firmware but honestly this kind of makes me just want to try one of the others I've got lying around.

The clients are definitely not getting IPs via DHCP on any of the VLANs. I had configured port #11 on the switch as an access port for VLAN 10 (untagged) but I could only ever ping the switch if I assigned a static IP to that PC (on port 11). And even then I wasn't getting through to the Internet.

It's like there's something missing, or I'm just not looking in the correct spot.
 

ch33zw1z

Yea I agree something is off. My Google-fu seems ok, and even the manual reads like you should be able to choose the greyed out options for tagged on the vlans when setting the trunk settings.

You can also try the CLI if you're feeling up to it.

Have you tried a factory reset on the switch?

What other devices do you have to test with?

Latest code on the Dell site for the X1052 is from 2021.

For fun, if you plug a DHCP client directly into the pfsense box, do you get a DHCP address?
 

EXCellR8

Yea, if I clear the VLAN association on a switch port (connected directly to a computer) the client grabs an IP via DHCP right away. Just doesn't make sense to me...

I think, at this point, I'm just going to start from scratch on a different switch and focus on getting a single VLAN to work; then build from there. I did reset the switch and upgraded the firmware, but now it seems kind of sluggish and unresponsive on certain tasks. I recall the older Netgear switches being pretty straightforward with segmentation, and I could typically get them to work without much fuss. I don't know if my brain just doesn't compute with how the Dell system is portraying the config or something, but I'm kinda over it haha

Going to clear the VLANs in pfSense as well and re-assign the interfaces.

Appreciate the help though! I'll post back if I actually get anywhere.

ch33zw1z

Yep, you're on the right track. Get the main network / native VLAN working OK, then add a VLAN on top. 👍

EXCellR8

I think I may have found the problem to everything... I've been at this for so long on and off that I completely forgot my current pfSense appliance is a VM; I don't think VLAN ID is enabled, or it got turned off somehow, for the virtual switch.



So, I gotta go into my notes from awhile back because I can't remember what this should be set to... I think the native LAN "1" but not sure. It did kind of feel like VLAN info wasn't leaving the firewall, and I think this could explain why.
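The pieces this thread keeps circling (an access port that applies its PVID to untagged frames, a trunk or "general" port that sends every VLAN except the native one tagged, and a hypervisor virtual switch that may or may not let 802.1Q tags reach the pfSense VM) are easier to reason about in one runnable model. The Python below is an added example written for this page, not code from pfSense, Dell, or any of the posters. The port numbers and VLAN IDs follow the thread; the MAC addresses, the `DHCPDISCOVER` placeholder payload, and the `vswitch_passes_tags` flag are constructed assumptions used to stand in for the real hypervisor setting.

```python
"""Simulated 802.1Q path: PC -> access port 11 -> trunk port 2 -> hypervisor vSwitch -> pfSense VM.

Added example for this thread (not pfSense, Dell or poster code). MAC addresses, the
DHCPDISCOVER placeholder payload and the vswitch_passes_tags flag are constructed.
"""
import struct
from dataclasses import dataclass

ETH_P_8021Q = 0x8100                   # TPID that marks an 802.1Q tag
ETH_P_IP = 0x0800                      # EtherType of the inner payload
BROADCAST = b"\xff" * 6
PC_MAC = b"\x02\x00\x00\x00\x00\x11"   # constructed, locally administered address


def build_frame(dst, src, payload, vid=None):
    """Ethernet II frame; when vid is given, insert a tag (PCP=0, DEI=0, VID=vid)."""
    hdr = dst + src
    if vid is not None:
        hdr += struct.pack("!HH", ETH_P_8021Q, vid & 0x0FFF)
    return hdr + struct.pack("!H", ETH_P_IP) + payload


def parse_vid(frame):
    """VLAN ID carried in the frame, or None when the frame is untagged."""
    if struct.unpack_from("!H", frame, 12)[0] != ETH_P_8021Q:
        return None
    return struct.unpack_from("!H", frame, 14)[0] & 0x0FFF


def add_tag(frame, vid):
    """Insert an 802.1Q tag after the source MAC."""
    return frame[:12] + struct.pack("!HH", ETH_P_8021Q, vid & 0x0FFF) + frame[12:]


def strip_tag(frame):
    """Remove the 4-byte tag at offset 12."""
    return frame[:12] + frame[16:]


@dataclass
class Port:
    mode: str                         # "access", "trunk" or "general"
    pvid: int = 1                     # VLAN applied to untagged ingress, sent untagged on egress
    tagged: frozenset = frozenset()   # VLANs carried tagged (trunk/general only)


def ingress(port, frame):
    """Classify an arriving frame: (vid, untagged frame), or None if the port drops it."""
    vid = parse_vid(frame)
    if vid is None:
        return port.pvid, frame                 # untagged -> PVID (native VLAN)
    if port.mode == "access":
        return None                             # access ports do not accept tagged frames
    if vid in port.tagged:
        return vid, strip_tag(frame)
    return None                                 # VLAN not allowed on this port


def egress(port, vid, frame):
    """Forward an internal frame out a port: untagged for the PVID, tagged if allowed, else dropped."""
    if vid == port.pvid:
        return frame
    if port.mode != "access" and vid in port.tagged:
        return add_tag(frame, vid)
    return None


def dhcp_path(pc_access_vlan, vswitch_passes_tags):
    """Trace a DHCPDISCOVER from the PC on port 11 to the firewall behind port 2.

    Returns (delivered, vid_seen_by_router); a vid of None means it arrived on the native LAN.
    """
    port11 = Port("access", pvid=pc_access_vlan)
    port2 = Port("general", pvid=1, tagged=frozenset({10, 20, 30, 40}))
    discover = build_frame(BROADCAST, PC_MAC, b"DHCPDISCOVER")   # placeholder payload

    hit = ingress(port11, discover)
    if hit is None:
        return False, None
    vid, inner = hit
    wire = egress(port2, vid, inner)
    if wire is None:
        return False, None
    # The hypervisor's virtual switch sits between the cable and the pfSense VM's NIC.
    # If it is not configured to pass tagged frames, every VLAN's traffic dies here
    # while untagged native-LAN traffic still gets through.
    if parse_vid(wire) is not None and not vswitch_passes_tags:
        return False, None
    return True, parse_vid(wire)


if __name__ == "__main__":
    for vlan, passes in ((10, True), (10, False), (1, False)):
        print(f"access VLAN {vlan}, vSwitch passes tags={passes}: {dhcp_path(vlan, passes)}")
```

Run as-is, the three cases reproduce the symptoms in the thread: with the vSwitch passing tags, the Discover reaches the router tagged with VID 10 and the VLAN 10 DHCP pool can answer; with tags blocked it never arrives; and a PC whose port has no VLAN association (PVID 1) leaves port 2 untagged, clears the vSwitch, and gets a native-LAN lease "right away". The practical check this suggests is a packet capture on the pfSense parent interface (hn0 in the screenshots): if no 802.1Q-tagged frames ever show up there while access-port clients are sending, the fault is upstream of the firewall rules, not in them.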

ch33zw1z

Yes, very interesting. I didn't think to ask, just kinda assumed you were running a standalone box. If this is your main network and not testing... maybe a standalone?
 

EXCellR8

I had been running a standalone on a SFF PC awhile back, but I think I ran into some kind of compatibility issue with pfSense, so I moved it to a virtual. I'm almost wondering if when I re-created the VM more recently that I neglected to account for the VLANs. I'm pretty sure I had them working before, so I'll just plug away at it. Worst case scenario yes, I'll try a standalone. There have been some updates to pfSense since I first tried, so worth a shot.

EXCellR8

Well after thoroughly breaking everything, I decided to spin up another instance of pfSense on another unit--this one being a standalone.

Ran through the setup of a single VLAN with DHCP, which seems to work for IP assignment, but for some reason the clients aren't resolving DNS. I can manually set the DNS servers on the virtual interface, even though I shouldn't need to, but that doesn't seem to do much. IIRC leaving them blank should use the default DNS servers (in my case Google and Cloudflare public DNS) but still no web access on VLAN. Firewall rules don't appear to restrict DNS. Ughh

I did not try statically assigning DNS servers on endpoints, just to see what would happen, so I may try that tonight.
 

Fallen Kell

Diamond Member
Oct 9, 1999
6,114
475
126
Well, I can tell you what I have done, but I am not using the exact same tools as you are. My pfSense system is mainly just routing to and from the internet, acting as a firewall, and running pfBlockerNG. Internally I have a layer 3 switch (i.e. it is also a router) which provides all my internal routing between VLANs (for the ones that are allowed to communicate with each other), or traffic to and from the pfSense system. I do not use pfSense for handling DHCP on the different VLANs (there was an article about there being problems with the DHCP running on it if the pfSense system was not the router between the VLANs).

So, I use my wifi access point running DD-WRT (routing function disabled) to handle the DHCP services on the different VLANs. My VLANs are broken down more by function, and all of them can and might have wifi devices on them, so all of them needed an access point, and thus I created VAPs for all my VLANs (for those that do not know, this is how a "guest" wifi network is created). I needed to create virtual interfaces (bridges) and assign them to each of the VLANs, and give them an IP. I also created virtual wireless devices for each of the three radios my AP had on each of the VLANs they would be supporting. I then modified the DHCP service to have IP pools on each of the different VLANs, and added "options" lines in the config to specify which default route and default DNS for each of the different subnets (since something on VLAN 10 had to use VLAN 10's router IP, not the router IP used on VLAN 1, as it was on a different subnet). In the access point, I specifically blocked connection to the web interface, SSH, and telnet to the access point on all but my management VLAN (leave yourself a backdoor by defining a physical port on the access point tagged as the management VLAN, otherwise you may need to reset to factory if you screwed up somewhere and can't otherwise connect to the access point via the management VLAN). And for security's sake, I enabled connection for DHCP, which is UDP port 67 (DNS is provided by the pfSense system), and a default drop for anything else.

Finally, back on my layer 3 switch, I defined the routing rules and ACLs between the different VLANs, creating a default block all, and opening up specific traffic (only the Admin VLAN can access the management VLAN, the Admin VLAN can connect to the production VLAN, the Admin VLAN can connect to the IoT VLAN, the Admin VLAN can connect to the IoT-NI VLAN, the IoT VLAN can only connect out to the internet, the Guest VLAN can only connect out to the internet, the production VLAN can connect to the internet, the production VLAN can connect to the IoT VLAN, the production VLAN can connect to the IoT-NI VLAN, etc...). As you can see I have an IoT VLAN and an IoT-NI VLAN; the difference is the "NI" means "No Internet", so items on this network cannot connect out to the internet. I have two devices that get put on the Admin VLAN, my phone, and a VM I run on my server which is only accessible via console, and I have one unused port on the switch tagged as the Admin VLAN (again, my backup in case my phone gets destroyed/stops working, and something happened to the VM). The layer 3 switch's interface and the access point's interface are on the management VLAN.

I also added some rules on the pfSense system to block connections to its management interface from anything not on the admin VLAN (this way a guest on the guest VLAN couldn't access the pfSense system), but it does accept DNS from all the internal VLANs and perform routing to the internet.
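The policy described in the post above (default block, explicit allows, an "internet only" VLAN and a "no internet" VLAN) is the kind of thing worth checking in code before it is typed into a switch, because "can only connect out to the internet" is easy to mis-implement as "anything that is not my own VLAN". The Python below is an added example written for this page, not the poster's configuration or any vendor's ACL syntax; the zone names follow the post, while the `10.0.x.0/24` subnets and the `ALLOW` table are constructed stand-ins for the poster's real addressing.

```python
"""Inter-VLAN policy model: default deny, explicit allows, and "internet" meaning
globally routable space rather than "anything outside my VLAN".

Added example for this thread; subnets and the allow table are constructed, not the
poster's real network.
"""
import ipaddress

# Constructed VLAN plan (assumed subnets).
VLANS = {
    "management": ipaddress.ip_network("10.0.1.0/24"),
    "admin": ipaddress.ip_network("10.0.2.0/24"),
    "production": ipaddress.ip_network("10.0.3.0/24"),
    "iot": ipaddress.ip_network("10.0.4.0/24"),
    "iot-ni": ipaddress.ip_network("10.0.5.0/24"),
    "guest": ipaddress.ip_network("10.0.6.0/24"),
}
INTERNET = "internet"   # pseudo-zone: globally routable destinations only

# Which zone may *initiate* connections to which. Any pair not listed is denied.
ALLOW = {
    "admin": {"management", "production", "iot", "iot-ni", INTERNET},
    "production": {"iot", "iot-ni", INTERNET},
    "iot": {INTERNET},
    "guest": {INTERNET},
    "management": set(),
    "iot-ni": set(),
}


def zone_of(ip):
    """Zone for an address: a VLAN name, 'internet' for global space, None for anything else.

    RFC 1918 space that is not one of our VLANs deliberately maps to None, so an
    'internet only' zone cannot reach, say, a stray 192.168.x.x network.
    """
    addr = ipaddress.ip_address(ip)
    for name, net in VLANS.items():
        if addr in net:
            return name
    return INTERNET if addr.is_global else None


def permitted(src_ip, dst_ip):
    """True if a new connection from src_ip to dst_ip passes the policy."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src is None or dst is None:
        return False                # unknown address space is never allowed through
    if src == dst:
        return True                 # same VLAN: switched at layer 2, the ACL never sees it
    return dst in ALLOW.get(src, set())


def zones_reaching(target):
    """Audit helper: zones that may initiate connections into `target`.

    For the post's design this must return only ['admin'] for 'management'.
    """
    return sorted(src for src, dsts in ALLOW.items() if target in dsts)


def render_acl_lines():
    """Vendor-neutral listing in the order a switch would evaluate it: permits, then the catch-all deny."""
    lines = []
    for src, dsts in ALLOW.items():
        for dst in sorted(dsts):
            dst_net = "any-global" if dst == INTERNET else str(VLANS[dst])
            lines.append(f"permit {VLANS[src]} -> {dst_net}")
    lines.append("deny any -> any")
    return lines


if __name__ == "__main__":
    print("\n".join(render_acl_lines()))
    print("zones reaching management:", zones_reaching("management"))
    print("iot-ni -> 8.8.8.8:", permitted("10.0.5.10", "8.8.8.8"))
```

Two caveats a practitioner would add. First, `permitted` only answers for connection initiation; a stateful firewall such as pfSense lets replies back through its state table, but a stateless switch ACL needs explicit return-path entries (or an "established" match) for each permit, and the order of those lines matters because the first match wins. Second, the `zones_reaching("management")` check is the assertion worth re-running every time the table changes, since a single extra entry silently widens who can reach the switch and access point management interfaces.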
 

EXCellR8

Thanks for taking the time to type all that out, it's very helpful as a reference. I would love to get to the point where I can fine-tune some of the access on my network.

I do have a bit of an update, after days of getting absolutely nowhere. I finally got fed up with the Dell switch and its somewhat trivial GUI, and grabbed an old NETGEAR GS724TPS. Somewhere, I have some slightly newer Juniper units in storage but for now that's what I got. I also took some time to better organize the cabling and added some labels for easier management. Now, the UI on NETGEAR is ages old and barely works, and requires IE11 to tag VLAN ports, but ironically... VLANs are working now!!

So, at least I can get by on this for the time being and can confirm that my firewall is configured correctly. I mean it makes sense if I was trying everything on the fw, but at the end of the day it was the previous switch not working right. I'll probably move to a newer switch with a better UI, but at least for now I can get things functioning how I want.

Thanks for the help

EXCellR8

Ooof, downside to having the current standalone is I don't think the hardware is quite up to the task of handling pfSense and the traffic throughput. It's just a little Jetway ITX motherboard with an embedded dual core Atom CPU. I think it might be more easily overwhelmed than I thought it'd be, even with 8GB of memory. I might look into virtualization on a Win Server host again once I've straightened everything out, and know I can get it to work. For now it'll do, but I've definitely noticed some issues with latency and responsiveness of services.
 

Fallen Kell

Mine is running on an i7-4790, so a little more beefy with its 4 cores and hyperthreading (and clock rate) than most Atoms. And as I said, it doesn't handle my internal network routing. I leave that to the Brocade ICX-6610 switch. Also, network cards play a large role in performance with pfSense. Ones with dedicated hardware offload engines are best for this usage case.

EXCellR8

Good to know, the server I was running pfSense on had an i5-9500 (I think) as well as a fairly decent 2.5G Intel NIC with 2 SFP+ ports. Seems like this ancient switch just works with the VLAN config on the firewall, unlike the Dell. Once I've got everything going, and I've still some work to do, I'll spin up another VM instance of pfSense or OPNsense.

Kicking myself for not ditching the Dell switch months ago when I first tried to get VLANs working, but I just figured newer=better=easier. I haven't used a Brocade switch, any other insight on yours? I really wish I could find my Juniper EX2200. I'll definitely need something newer at some point.

ch33zw1z

Don’t beat yourself up too much, you’re learning and that’s ok!

Fallen Kell

Well, the one I have uses a custom ASIC running the FastIron OS. Interface wise, it is mainly designed to be command line, with most things mirroring Cisco (probably 80-90% the same commands). There is a huge thread about these switches on the Serve The Home forums:

That said, it does have a web based interface that you can use for many functions, so it is a little easier to use than, say, a Cisco switch. But recognize, the 6610 in particular is a true enterprise switch, where noise level was never something they thought about. With dual fan units and a specific version of the power supplies, they can be reasonable. But if mine is running on a single power supply, the fans all max out and I can literally hear it from outside my house (and it is in an enclosed rack in my basement). Normal running, I cannot hear it, but just be warned. Really, any switch with 40Gb connection capability is going to be loud.