Setting up a VLAN on a freshly wiped Baystack 5520 - No DHCP 1

kars85 (Technical User), Aug 28, 2015
Hopefully someone can chime in, as it's one of the last pieces of the puzzle before I do the flip to the Nortel.

I currently have 2 VLANs set up in pfSense & a Netgear GS724v3 switch. So, in the Netgear web interface, I have the uplink port of my pfSense router as a tagged port on each of those VLANs, with the respective ports I want on the VLAN untagged. All fine and dandy and rock solid for over a year since I first set it up.

My problem is finding the similar options within Nortel's web interface. Specifically, do I tag the pfSense uplink port on each VLAN and untag the actual ports I want to assign within a specific VLAN like I did in Netgear? I don't want to do any Layer 3 functions in the Nortel, just basic layer 2 with pfSense handling my routing.

I've tried the following screenshot, but no luck. VLAN member on port 25 can't get DHCP, can't ping the VLAN gateway in pfSense...nada. Wireshark confirms, it can see the Nortel autodiscovery, but everything past that hop stops. I've got an interface IP set on the VLAN in the 5520, enabled DHCP relay from that interface IP to the pfSense gateway IP, but still no luck.

[screenshot]

Hopefully someone can chime in, since I think the Baystacks are pretty popular albeit a little dated.
Thanks!
 
I assume you have the pfsense connected to port 1 of the switch... And you have a port on that firewall tagging all the packets of all VLANs. Then you have to add the used VLANs (VLAN 20 in your example) as members to port 1. As long as only VLAN 1 is a member on port 1 no packet from VLAN 20 will reach any device connected to port 1. "tagall" is correct if pfsense will tag all packets.
 
So the question is, if I set up port 1 as tagAll, all network connectivity dies. Only the untagPvidOnly or untagAll options on port 1 let network communication work.

If untag options on Port 1 are set, port 25/VLAN20 as tagPvidOnly won't work still, but VLAN1 (my normal prod vlan) works.
 
Can you provide a screenshot how pfsense is configured?
 
You bet.

VLAN in pfSense configuration:
[screenshots]


How the Netgear Smartswitch is set up (and working):
VLAN1
[screenshot]

VLAN20 (disregard VLAN10 in the pic, it's been changed to 20 long ago)
[screenshot]
 
So VLAN 1 isn't used? Or is it on another interface on pfsense?

I assume two options.

1. You have interface em0 on pfsense with VLANs 10 and 20 tagged on it. You have another interface with VLAN 1 untagged.
Sol. Configure one switch port with VLANs 10 and 20 as members and make it tagall. Connect pfsense interface em0 to that port. Configure a second switch port with VLAN 1 as member and as defaultVLAN and make the port untagall. Connect the VLAN1 interface of pfsense with that port.

2. Every VLAN is on pfsense interface em0. VLANs 10 and 20 are tagged (like in your screenshot) and VLAN 1 is untagged in that interface em0.
Sol. Configure one switch port with VLANs 1, 10, 20 as members, define VLAN 1 as defaultVLAN and make the port untagPVIDonly. So untagged packets will drop into VLAN 1 (defaultVLAN on the port) and tagged packets run into the tagged VLANs 10 or 20 on that interface.

I prefer the first option because I don't like to mix server interfaces (I would see a firewall like a server in that case) with tagged AND untagged packets on one interface.
 
No, I only have a WAN & LAN interface outside of my two other interfaces.

[screenshot]

It almost sounds like the Nortel is explicitly using VLAN1 and needing it configured in the router in order to handle that traffic. Which, if true, is something I would have never thought coming from my Netgear. Can I just delete VLAN1 in the Nortel?
 
Ok... then you are with my first option...

Do you use "LAN" or is it only a leftover?

As I can see in your screenshot you will need the port on the Nortel switch configured with VLANs 1,10,20 as members and 1 as defaultVLAN and tagging set to "untagPVIDonly".

Whether you should delete VLAN 1 on the switch depends on whether you use VLAN 1 or not.
 
Bit myself in my own rear end while waiting to hear back from you. About to head down and get into the switch's console and re-set up its management IP.

At any rate, yes I use the LAN interface a lot. That is the majority of my home network. I don't think I have any use for an explicit VLAN1 and ultimately might be screwing me up here.
 
So what can you do now or what is not possible? Do you need some help in serial CLI commands?
 
Basically I accidentally took VLAN1 off port 1, so I lost communication with its management web interface.

I was trying to eliminate VLAN1 from all other ports it had been applied to so I could see if those ports' functionality returned.
 
You can also connect your computer to ports 2-24 ;-)

If you want to manage the switch through VLAN 20 (Ports 25-30) you have to change the management VLAN

Connect a serial cable
Press Ctrl + Y
Enter 'configure terminal'
Enter 'vlan mgmt 20'

If you want to add VLAN 1 to port 1 again just enter
Code:
vlan members add 1 1
vlan ports 1 tagging untagall
vlan ports 1 pvid 1
 
I didn't mention it, but I really removed VLAN1 off of all ports. No worries, I just re-added it via the console menu. I've got a little bit of work to do here in the next couple hours, but will reconnect pfSense back to this and will remove VLAN1 off on every port but port 1 and see if that gets me fixed up!
 
So am I right if I assume that on pfsense you want to remove "LAN" and want to use VLAN10 (Work VLAN) instead?

Then yes, you should remove VLAN 1 from every switch port ('vlan members remove 1 all'), set Management VLAN to VLAN 10 ('vlan mgmt 10') and add VLAN 10 to the other ports ('vlan members add 10 1-24'; 'vlan ports 1-24 pvid 10'). You also have to configure the port the pfsense is connected to with VLANs 10 and 20 as tagged port ('vlan members add 10,20 1'; 'vlan ports 1 tagging tagall').
 
Eeek...sorry for the confusion. This is how I have had pfSense setup for a long time and would like to keep it that way.

WAN (obvious)
LAN (everything not in VLAN10 or VLAN20)
VLAN10 - segmented traffic from LAN
VLAN20 - segmented traffic from LAN

 
Then TBH I don't see the reason why you want to remove VLAN 1 from the switch ports because you will use it with pfsense 'LAN'.
 
Hmm...that was the only thing I could think of for the reason as to why setting port 1 as tagAll(trunk) would kill everything but VLAN10/20.

For clarity, can you relist how you would setup my port tag assignments with the pfSense interfaces of WAN/LAN (all normal traffic)/VLAN10 (segmented from LAN)/VLAN20 (segmented from LAN)?

Like this? Sorry my mind is about shot working on this basically the whole day. :(

Port 1 (VLAN1,10,20) - tagAll(trunk)
Ports 2-24 (VLAN1) - untagAll(access)
Ports 25-30 (VLAN20) - untagPvidOnly
Ports 31-36 (VLAN10) - untagPvidOnly
Ports 37-38 - not worried at this point...
 
Port 1 (VLAN1,10,20; default VLAN ID 1) - untagPvidOnly
Ports 2-24 (VLAN1) - untagAll(access)
Ports 25-30 (VLAN20) - untagAll(access)
Ports 31-36 (VLAN10) - untagAll(access)

If you keep the pfsense as it is.

If you change the pfsense 'LAN' to a tagged network the way you summarized it would be correct.
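The port layout in the reply above, turned into the CLI syntax quoted earlier in the thread ('vlan members add', 'vlan ports ... tagging', 'vlan ports ... pvid') and sanity-checked before typing it in. This is an added example, not code from the thread or from Nortel/Avaya; the port plan, the management port and the "peer sends VLAN 1 untagged" assumption are constructed to match the thread's description. The checks catch the two mistakes the thread ran into: tagAll on the pfSense uplink (tags VLAN 1 on egress, so the untagged LAN interface goes dark) and removing the management VLAN from the port the switch is managed through (lock-out).

```python
"""Render a Baystack 5520 VLAN port plan as ERS CLI lines and sanity-check it first.
Constructed example; command syntax follows what was quoted in the thread."""

# Constructed plan mirroring the final layout in the thread (assumption: pfSense on port 1).
PLAN = {
    "1":     {"vlans": [1, 10, 20], "pvid": 1,  "tagging": "untagPvidOnly"},
    "2-24":  {"vlans": [1],         "pvid": 1,  "tagging": "untagAll"},
    "25-30": {"vlans": [20],        "pvid": 20, "tagging": "untagAll"},
    "31-36": {"vlans": [10],        "pvid": 10, "tagging": "untagAll"},
}
MGMT_VLAN = 1               # management VLAN of the switch (assumed: VLAN 1)
MGMT_PORT = "1"             # port the switch is managed through (assumed: the pfSense uplink)
PEER_UNTAGGED = {"1": 1}    # port -> VLAN the attached device sends untagged (pfSense LAN)

def validate(plan, mgmt_vlan=MGMT_VLAN, mgmt_port=MGMT_PORT, peer_untagged=PEER_UNTAGGED):
    """Return a list of problems; an empty list means the plan is consistent."""
    problems = []
    for ports, cfg in plan.items():
        if cfg["pvid"] not in cfg["vlans"]:
            problems.append(f"ports {ports}: pvid {cfg['pvid']} is not a member VLAN")
        if cfg["tagging"] not in ("tagAll", "untagAll", "untagPvidOnly"):
            problems.append(f"ports {ports}: unknown tagging mode {cfg['tagging']}")
        peer = peer_untagged.get(ports)
        if peer is not None:
            # The thread's symptom: tagAll tags VLAN 1 on egress, so the untagged
            # pfSense LAN interface never sees its own traffic again.
            if cfg["tagging"] == "tagAll":
                problems.append(f"ports {ports}: peer sends VLAN {peer} untagged but port is tagAll")
            if cfg["pvid"] != peer:
                problems.append(f"ports {ports}: untagged frames land in VLAN {cfg['pvid']}, not {peer}")
    uplink = plan.get(mgmt_port)
    if uplink is None or mgmt_vlan not in uplink["vlans"]:
        # The lock-out from the thread: management VLAN removed from the management port.
        problems.append(f"management VLAN {mgmt_vlan} is not a member of port {mgmt_port}")
    return problems

def to_cli(plan):
    """Render the plan as ERS CLI lines (syntax as quoted in the thread)."""
    lines = ["configure terminal"]
    for ports, cfg in plan.items():
        members = ",".join(str(v) for v in cfg["vlans"])
        lines += [f"vlan members add {members} {ports}",
                  f"vlan ports {ports} tagging {cfg['tagging'].lower()}",
                  f"vlan ports {ports} pvid {cfg['pvid']}"]
    return lines

if __name__ == "__main__":
    for p in validate(PLAN):
        print("PROBLEM:", p)
    print("\n".join(to_cli(PLAN)))
```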
 
I really must have goofed up on describing the LAN interface's functionality :( sorry about that. I don't know why I would do that since I don't think I can setup the LAN physical interface as a VLAN in pfSense.

Setting the VLAN assignments how you have it listed replicates exactly how I want it setup.

THANK YOU! Internet high five, kind stranger. Thank you very much for sticking with me here...
 