
Setting up a VLAN on a freshly wiped Baystack 5520 - No DHCP

kars85

Technical User
Aug 28, 2015
13
US
Hopefully someone can chime in, as it's one of the last pieces of the puzzle before I do the flip to the Nortel.

I currently have 2 VLANs set up in pfSense & a Netgear GS724v3 switch. So, in the Netgear web interface, I have the uplink port of my pfSense router as a tagged port on each of those VLANs, with the respective ports I want on the VLAN untagged. All fine and dandy and rock solid for over a year since I first set it up.

My problem is finding the similar options within Nortel's web interface. Specifically, do I tag the pfSense uplink port on each VLAN and untag the actual ports I want to assign within a specific VLAN like I did in Netgear? I don't want to do any Layer 3 functions in the Nortel, just basic layer 2 with pfSense handling my routing.

I've tried the following screenshot, but no luck. VLAN member on port 25 can't get DHCP, can't ping the VLAN gateway in pfSense...nada. Wireshark confirms, it can see the Nortel autodiscovery, but everything past that hop stops. I've got an interface IP set on the VLAN in the 5520, enabled DHCP relay from that interface IP to the pfSense gateway IP, but still no luck.

[Screenshot: XpnQ0Nw.png]


Hopefully someone can chime in, since I think the Baystacks are pretty popular albeit a little dated.
Thanks!
 
Using the settings I outlined above, I just migrated 17 of my 25 devices, and something still isn't right with VLAN1.

If I remove port 1 from VLAN1, change the default to VLAN20, then VLAN20 works (gets DHCP from VLAN20 DHCP Server, can browse web, etc..). The minute I associate VLAN1 with the port 1 going to pfSense EVERYTHING dies.

Pretty disappointed in myself that I can't get this to work.
 
Yep. I think there's something with VLAN1 that I'm just going to have to face the music and build out a specific VLAN.

I'm trying to figure out a way to get rid of VLAN1 on the switch, and just move its management IP over to another VLAN, like VLAN101.

But then, all traffic from all the other ports that were on "VLAN1" (I quote it because my Netgear doesn't really tag the traffic, but the Nortel does) would need to be untagged, leaving me with tagged and untagged traffic going through port1. Yuck.

I'm afraid I will have to create another VLAN that I can tag like VLAN100 for what used to be LAN in pfSense, but I'm not sure how to handle the DHCP on that because I really don't want to reconfigure my static IPs and applications/ESXi host. Can I turn off 192.168.1.1 on the LAN interface and have DHCP set up on VLAN 100 to pick up that range without missing a beat?
 
The VLAN ID of your pfsense 'LAN' doesn't really matter. Can be 1 or 100 or 1000 or 2222 or ... The Nortel switch doesn't tag these packets necessarily. You just configure (with untagPVIDonly and defaultVLAN) which VLAN will be used to handle untagged packets on that specific port.

Think of a common practice with IP phones. Let's say you have VLAN 50 for data (computers - no tagging) and VLAN 60 for the phones (tagged packets). To make that work you tell the phones to tag their packets with VLAN ID 60. The computer connected to the second port at the phone doesn't tag its packets and the switch has to know that these untagged packets will be handled as VLAN 50. You would configure these ports with members 50 and 60, defaultVLAN 50 and untagPVIDonly.

UntagPVIDonly means that untagged packets coming into the port will be in the port's defaultVLAN and packets from the defaultVLAN will come out of that port untagged. Devices that should be in another VLAN have to tag their packets with that specific VLAN ID and are expected to receive tagged packets.

Best would be in your situation to have another physical interface for 'LAN' on pfsense and only keep VLANs 10 and 20 as tagged on that interface. Second best (but much more work I think) would be to remove LAN from em0 and create it as another tagged VLAN on that interface. I think you have to configure quite a lot, like IP address, DHCP and firewall rules, as well. In both situations the switch would have to be set to tagall on that port. Third best is to keep pfsense as it is and have the switch port as untagPVIDonly with defaultVLAN 1 and all three VLANs as members.
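
The tagging behaviour described in the reply above, as an added example that is not part of the original thread and not Nortel code: a simplified Python model of how a port in tagAll or untagPVIDonly mode classifies incoming frames and tags outgoing ones. The `Port` class, `deliver()` and the constructed port definitions are hypothetical names, and ingress filtering options are not modelled.

```python
# Added illustration: simplified model of the port tagging modes named in the
# thread. Port and deliver() are hypothetical names, not a Nortel API; ingress
# filtering options are not modelled.
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Port:
    members: frozenset   # VLAN IDs this port is a member of
    default_vlan: int    # VLAN used for untagged frames arriving on the port
    mode: str            # "tagAll" or "untagPVIDonly"

    def ingress(self, tag: Optional[int]) -> Optional[int]:
        """Classify a received frame; None means the port is not a member."""
        vlan = self.default_vlan if tag is None else tag
        return vlan if vlan in self.members else None

    def egress(self, vlan: Optional[int]) -> Tuple[str, Optional[int]]:
        """How a frame in `vlan` leaves: dropped, tagged, or untagged."""
        if vlan is None or vlan not in self.members:
            return ("drop", vlan)
        if self.mode == "untagPVIDonly" and vlan == self.default_vlan:
            return ("untagged", vlan)
        return ("tagged", vlan)


def deliver(src: Port, tag: Optional[int], dst: Port) -> Tuple[str, Optional[int]]:
    """Frame enters on src with the given tag (None = untagged), leaves on dst."""
    return dst.egress(src.ingress(tag))


# Constructed ports matching the scenarios in the post above.
PHONE_PORT = Port(frozenset({50, 60}), 50, "untagPVIDonly")   # PC behind IP phone
UPLINK = Port(frozenset({1, 10, 20}), 1, "untagPVIDonly")     # "third best" option
UPLINK_TAGALL = Port(frozenset({10, 20}), 10, "tagAll")       # separate LAN NIC option
ACCESS_20 = Port(frozenset({20}), 20, "untagPVIDonly")        # end device in VLAN 20

if __name__ == "__main__":
    print(PHONE_PORT.ingress(None), PHONE_PORT.ingress(60))   # PC vs. phone
    print(deliver(ACCESS_20, None, UPLINK))         # client frame toward pfSense
    print(deliver(UPLINK, None, ACCESS_20))         # untagged LAN frame toward VLAN 20 port
    print(deliver(ACCESS_20, None, UPLINK_TAGALL))  # same client, tagAll uplink
```

In this model an untagged frame from a VLAN 20 access port leaves the uplink tagged 20, while pfSense's untagged LAN traffic lands in VLAN 1 and never reaches a port that is only a member of VLAN 20.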
 
I hate to admit this, but the root of all my issues ended up being an unmanaged PoE switch I had been using being connected to my Nortel. Two ports actually. I basically started from scratch, port by port until I saw what connection brought the whole thing down.

Sheesh. Time for a beer.
 