I built a pfsense box a while back and am finally getting around to setting up VLANs. I followed this guy’s guide which basically sets up a series of VLANs to segregate network traffic as most people do. This is all set up and appears to be working correctly. Now I need to configure the pfsense box’s primary LAN interface as a trunk to a switch so I can do VLAN tagging on specific switch ports or WiFi networks on UniFi APs.
I have a HP V1810-48G and am trying to figure out how to configure a Trunk interface such that I can connect my UniFi AP and other boxes to specific VLANs.
I have tried various configurations and can’t seem to get this to work on this switch. Am I wasting my time with this switch or am I doing something wrong.
I have tried configuring a Trunk interface on port 1 on this switch, and connecting the LAN interface on the pfsense box to it, but it doesn’t work. I have also tried setting VLAN 1 (untagged), and all other VLANs as tagged on that port 1 interface and it connects, but I can’t seem to get a tagged interface to get an ip address on the connected host. I’m not sure what I’m missing…
Any help would be much appreciated!
Set the port for the client host to access mode on the desired VLAN? Under VLAN Ports, select the Interface your client is on, and set PVID to the desired VLAN. Under Participation / Tagging, confirm that port is
Untagged for the desired VLAN, and not participating or tagged in any other VLAN.
Is access mode similar to “all”? I’m also not sure how to do that on this switch.
My apologies; the first sentence was meant as an overview in Cisco-esque terminology; the second sentence is the procedure to make it happen.
So, I have interface one (1) set as follows on the switch: 1U,10T,20T,30T,40T, Interface port 37 as: 1E,10E,20T,30E,40E
Interface 1 is directly connected to igb1 (LAN) on pfsense, which has subinterfaces for each VLANs on the same interface.
I have a laptop connected to port 37 with DHCP enabled. I should expect to get a 192.168.20.X IP on port 37
port 37 should be untagged on VLAN20
And all other vlans should be Excluded for 37?
Here’s what I get if try to untag it as an message:
A port can have only one untagged VLAN membership. If port is already untagged VLAN member in one VLAN and any other new VLAN is selected for untagged membership, then the port will be excluded from previously untagged VLAN (if any)
Also, do I need to need to configure a trunk on interface 1, or do I have that configured correctly?
oh, a very important thing I forgot to mention: in Cisco terminology (and hence the most commonly used terminology), “trunk” means a port on which multiple VLANs can be tagged. It stands in contrast to “access”, which refers to a port with only a single VLAN, with traffic being tagged/untagged on its way in/out of the switch. HP, however, uses “trunk” to mean link aggregation (LACP), an orthogonal concept.
Double-check that the PVID for each port is correct: for port 1, it should be VLAN1, and for port 37, PVID should be VLAN20. If the Participation screen lets you, the other VLANs for port 37 should be just blank (I believe
E means rejecting frames tagged with those VLANs).
Ah! Thank you for that clarification! I’ve been thinking I needed to trunk the interface and thought that HP’s term trunk was one in the same. I was confused about that.
So, for 37, I have E (excluded) for every VLAN EXCEPT 20. I.e. 20 is T (tagged) and the other VLANs are excluded to basically force it to tag all traffic on 20.
For port 1, I have VLAN 1 (default vlan) U (untagged), and all other VLANs (10,20,30,40,…) T (tagged). Is that correct?
correct for port 1.
For port 37, VLAN20 needs to be untagged (
U). This means that the host attached to that port doesn’t need to know about VLANs; it just sends traffic like usual, and the switch tags packets from the host to that switch port before sending them on. Conversely, packets on the switch in VLAN20 get untagged before getting sent out to the host on port 37.
That worked! I was able to get a 192.168.20.100 IP (start of my dhcp pool for that vlan) and could verify that it was on that VPN subnet and connected securely!
Now, how do I configure a port for the UniFi AP? Do I configure it just like the port 1 interface as well?
excellent! Yes, the AP would be untagged on a VLAN where it can reach its controller, and tagged for whatever VLANs its wireless networks are configured to use.
Well, my AP is configured to basically allow for multiple SSIDs where I can specify a vlan tag per network. So if I am understanding things correctly, that should be configured as a “trunk”, i.e. how I have it configured for port 1 right?
Now if I only wanted an AP to be on one vlan, then yes, I see what you mean. I want my AP to be able to separate out which SSID runs on what VLAN. I’m using a UniFi controller to set the Site’s config to specify a vlan for each SSID. So for instance, my main wifi ssid, would be untagged. A separate SSID would be configured on VLAN20, which if course is managed via the Unifi software/controller.
Yes. My point is that if UniFi controller is on a VLAN other than 1, you’ll need to set that VLAN to be the PVID (untagged) for the AP port. The AP’s untagged traffic needs to be on the same broadcast domain as UniFi controller.
Perfect! Yep, my UniFi controller is on the untagged interface. After setting up the UniFi AP on the port that’s set up like port 1, it worked perfectly!
Thank you so much for the help! I alway appreciate how extremely thorough you are!
you’re most welcome; glad you got it sorted!