
Setting up a VLAN on a freshly wiped Baystack 5520 - No DHCP

(OP)
Hopefully someone can chime in, as it's one of the last pieces of the puzzle before I do the flip to the Nortel.

I currently have 2 VLANs setup in pfSense & a Netgear GS724v3 switch. So, in the Netgear web interface, I have the uplink port of my pfSense router as a tagged port on each of those VLANs, with the respective ports I want on the VLAN untagged. All fine and dandy and rock solid for over a year since I first set it up.

My problem is finding the similar options within Nortel's web interface. Specifically, do I tag the pfSense uplink port on each VLAN and untag the actual ports I want to assign within a specific VLAN like I did in Netgear. I don't want to do any Layer 3 functions in the Nortel, just basic layer 2 with pfSense handling my routing.

I've tried the following screenshot, but no luck. VLAN member on port 25 can't get DHCP, can't ping the VLAN gateway in pfSense...nada. Wireshark confirms, it can see the Nortel autodiscovery, but everything past that hop stops. I've got an interface IP set on the VLAN in the 5520, enabled DHCP relay from that interface IP to the pfSense gateway IP, but still no luck.



Hopefully someone can chime in, since I think the Baystack's are pretty popular albeit a little dated.
Thanks!

RE: Setting up a VLAN on a freshly wiped Baystack 5520 - No DHCP

I assume you have the pfsense connected to port 1 of the switch... And you have a port on that firewall tagging all the packets of all VLANs. Then you have to add the used VLANs (VLAN 20 in your example) as members to port 1. As long as only VLAN 1 is a member on port 1 no packet from VLAN 20 will reach any device connected to port 1. "tagall" is correct if pfsense will tag all packets.

RE: Setting up a VLAN on a freshly wiped Baystack 5520 - No DHCP

(OP)
So the question is, if I set up port 1 as tagAll, all network connectivity dies. Only the untagPvidOnly or untagAll options on port 1 let network communication work.

If untag options on Port 1 are set, port 25/VLAN20 as tagPvidOnly won't work still, but VLAN1 (my normal prod vlan) works.

RE: Setting up a VLAN on a freshly wiped Baystack 5520 - No DHCP

Can you provide a screenshot how pfsense is configured?

RE: Setting up a VLAN on a freshly wiped Baystack 5520 - No DHCP

(OP)
You bet.

VLAN in pfSense configuration:






How the Netgear Smartswitch is setup (and working):
VLAN1


VLAN20 (disregard VLAN10 in the pic, it's been changed to 20 long ago)

RE: Setting up a VLAN on a freshly wiped Baystack 5520 - No DHCP

So VLAN 1 isn't used? Or is it on another interface on pfsense?

I assume two options.

1. You have interface em0 on pfsense with VLANs 10 and 20 tagged on it. You have another interface with VLAN 1 untagged.
Sol. Configure one switch port with VLANs 10 and 20 as members and make it tagall. Connect pfsense interface em0 to that port. Configure a second switch port with VLAN 1 as member and as defaultVLAN and make the port untagall. Connect the VLAN1 interface of pfsense with that port.

2. Every VLAN is on pfsense interface em0. VLANs 10 and 20 are tagged (like in your screenshot) and VLAN 1 is untagged in that interface em0.
Sol. Configure one switch port with VLANs 1, 10, 20 as members, define VLAN 1 as defaultVLAN and make the port untagPVIDonly. So untagged packets will drop into VLAN 1 (defaultVLAN on the port) and tagged packets run into the tagged VLANs 10 or 20 on that interface.

I prefer the first option because I don't like to mix server interfaces (I would see a firewall like a server in that case) with tagged AND untagged packets on one interface.

RE: Setting up a VLAN on a freshly wiped Baystack 5520 - No DHCP

(OP)
No I only have a WAN & LAN interface outside of my two other interfaces.



It almost sounds like the Nortel is explicitly using VLAN1 and needing it configured in the router in order to handle that traffic. Which, if true, is something I would have never thought coming from my Netgear. Can I just delete VLAN1 in the Nortel?

RE: Setting up a VLAN on a freshly wiped Baystack 5520 - No DHCP

Ok... then you are with my first option...

Do you use "LAN" or is it only a leftover?

As I can see in your screenshot, you will need the port on the Nortel switch configured with VLANs 1, 10, 20 as members and 1 as defaultVLAN, and tagging set to "untagPVIDonly".

Whether you should delete VLAN 1 on the switch depends on whether you use VLAN 1 or not.

RE: Setting up a VLAN on a freshly wiped Baystack 5520 - No DHCP

(OP)
Bit myself in my own rear end while waiting to hear back from you. About to head down and get into the switch's console and re-set up its management IP.

At any rate, yes I use the LAN interface a lot. That is the majority of my home network. I don't think I have any use for an explicit VLAN1 and ultimately might be screwing me up here.

RE: Setting up a VLAN on a freshly wiped Baystack 5520 - No DHCP

So what can you do now or what is not possible? Do you need some help in serial CLI commands?

RE: Setting up a VLAN on a freshly wiped Baystack 5520 - No DHCP

(OP)
Basically I accidentally took VLAN1 off port 1, so I lost communication with its management web interface.

I was trying to eliminate VLAN1 from all other ports it had been applied to so I could see if those ports' functionality returned.

RE: Setting up a VLAN on a freshly wiped Baystack 5520 - No DHCP

You can also connect your computer to ports 2-24 ;)

If you want to manage the switch through VLAN 20 (Ports 25-30) you have to change the management VLAN

Connect a serial cable
Press Ctrl + Y
Enter 'configure terminal'
Enter 'vlan mgmt 20'

If you want to add VLAN 1 to port 1 again just enter

CODE -->

vlan members add 1 1
vlan ports 1 tagging untagall
vlan ports 1 pvid 1 

RE: Setting up a VLAN on a freshly wiped Baystack 5520 - No DHCP

(OP)
I didn't mention it, but I really removed VLAN1 off of all ports. No worries, I just re-added it via the console menu. I've got a little bit of work to do here in the next couple hours, but will reconnect pfSense back to this and will remove VLAN1 off on every port but port 1 and see if that gets me fixed up!

RE: Setting up a VLAN on a freshly wiped Baystack 5520 - No DHCP

So am I right if I assume that on pfsense you want to remove "LAN" and want to use VLAN10 (Work VLAN) instead?

Then yes, you should remove VLAN 1 from every switch port ('vlan members remove 1 all'), set Management VLAN to VLAN 10 ('vlan mgmt 10') and add VLAN 10 to the other ports ('vlan members add 10 1-24'; 'vlan ports 1-24 pvid 10'). You also have to configure the port the pfsense is connected to with VLANs 10 and 20 as tagged port ('vlan members add 10,20 1'; 'vlan ports 1 tagging tagall').

RE: Setting up a VLAN on a freshly wiped Baystack 5520 - No DHCP

(OP)
Eeek...sorry for the confusion. This is how I have had pfSense setup for a long time and would like to keep it that way.

WAN (obvious)
LAN (everything not in VLAN10 or VLAN20)
VLAN10 - segmented traffic from LAN
VLAN20 - segmented traffic from LAN

RE: Setting up a VLAN on a freshly wiped Baystack 5520 - No DHCP

Then TBH I don't see the reason why you want to remove VLAN 1 from the switch ports because you will use it with pfsense 'LAN'.

RE: Setting up a VLAN on a freshly wiped Baystack 5520 - No DHCP

(OP)
Hmm...that was the only thing I could think of for the reason as to why setting port 1 as tagAll(trunk) would kill everything but VLAN10/20.

For clarity, can you relist how you would setup my port tag assignments with the pfSense interfaces of WAN/LAN (all normal traffic)/VLAN10 (segmented from LAN)/VLAN20 (segmented from LAN)?

Like this? Sorry my mind is about shot working on this basically the whole day. :(

Port 1 (VLAN1,10,20) - tagAll(trunk)
Ports 2-24 (VLAN1) - untagAll(access)
Ports 25-30 (VLAN20) - untagPvidOnly
Ports 31-36 (VLAN10) - untagPvidOnly
Ports 37-38 - not worried at this point...

RE: Setting up a VLAN on a freshly wiped Baystack 5520 - No DHCP

Port 1 (VLAN1,10,20; default VLAN ID 1) - untagPvidOnly
Ports 2-24 (VLAN1) - untagAll(access)
Ports 25-30 (VLAN20) - untagAll(access)
Ports 31-36 (VLAN10) - untagAll(access)

If you keep the pfsense as it is.

If you change the pfsense 'LAN' to a tagged network the way you summarized it would be correct.

RE: Setting up a VLAN on a freshly wiped Baystack 5520 - No DHCP

(OP)
I really must have goofed up on describing the LAN interface's functionality :( sorry about that. I don't know why I would do that since I don't think I can setup the LAN physical interface as a VLAN in pfSense.

Setting the VLAN assignments how you have it listed replicates exactly how I want it setup.

THANK YOU! Internet high five, kind stranger. Thank you very much for sticking with me here...

RE: Setting up a VLAN on a freshly wiped Baystack 5520 - No DHCP

You're welcome...

RE: Setting up a VLAN on a freshly wiped Baystack 5520 - No DHCP

(OP)
Using the settings I outlined above, I just migrated 17 of my 25 devices, and something still isn't right with VLAN1.

If I remove port 1 from VLAN1, change the default to VLAN20, then VLAN20 works (gets DHCP from VLAN20 DHCP Server, can browse web, etc..). The minute I associate VLAN1 with the port 1 going to pfSense EVERYTHING dies.

Pretty disappointed in myself that I can't get this to work.

RE: Setting up a VLAN on a freshly wiped Baystack 5520 - No DHCP

Did you set port 1 as untagpvidonly?

RE: Setting up a VLAN on a freshly wiped Baystack 5520 - No DHCP

(OP)
Yep. I think there's something with VLAN1 that I'm just going to have to face the music and build out a specific VLAN.

I'm trying to figure out a way to get rid of VLAN1 on the switch, and just move its management IP over to another VLAN, like VLAN101.

But then, all traffic from the other ports that were on "VLAN1" (I quote it because my Netgear doesn't really tag the traffic, but the Nortel does) would need to be untagged, leaving me with tagged and untagged traffic going through port 1. Yuck.

I'm afraid I will have to create another VLAN that I can tag, like VLAN100, for what used to be LAN in pfSense, but I'm not sure how to handle the DHCP on that because I really don't want to reconfigure my static IPs and applications/ESXi host. Can I turn off 192.168.1.1 on the LAN interface and have DHCP set up on VLAN 100 to pick up that range without missing a beat?

RE: Setting up a VLAN on a freshly wiped Baystack 5520 - No DHCP

The VLAN ID of your pfsense 'LAN' doesn't really matter. Can be 1 or 100 or 1000 or 2222 or ... The Nortel switch doesn't tag these packets necessarily. You just configure (with untagPVIDonly and defaultVLAN) which VLAN will be used to handle untagged packets on that specific port.

Think of a common practice with IP phones. Let's say you have VLAN 50 for data (computers - no tagging) and VLAN 60 for the phones (tagged packets). To make that work you tell the phones to tag their packets with VLAN ID 60. The computer connected to the second port at the phone doesn't tag its packets and the switch has to know that these untagged packets will be handled as VLAN 50. You would configure these ports with members 50 and 60, defaultVLAN 50 and untagPVIDonly.

UntagPVIDonly means that untagged packets coming into the port will be in the port's defaultVLAN and packets from the defaultVLAN will come out of that port untagged. Devices that should be in another VLAN have to tag their packets with that specific VLAN ID and are expected to receive tagged packets.

Best would be in your situation to have another physical interface for 'LAN' on pfsense and only keep VLANs 10 and 20 as tagged on that interface. Second best (but much more work I think) would be to remove LAN from em0 and create it as another tagged VLAN on that interface. I think you have to reconfigure quite a lot then, like IP address, DHCP and firewall rules as well. In both situations the switch would have to be set to tagall on that port. Third best is to keep pfsense as it is and have the switch port as untagPVIDonly with defaultVLAN 1 and all three VLANs as members.
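The following is an added example, not code from the original thread and not Nortel/Avaya software. It models the four ERS tagging modes (untagAll, tagAll, untagPvidOnly, tagPvidOnly) on a port with a VLAN member list and a PVID (default VLAN), exactly as the replies above describe them, and uses that model to reproduce the two symptoms from the thread: port 1 set to tagAll kills the untagged pfSense LAN while VLAN 10/20 keep working, and an access port set to tagPvidOnly hands a plain host tagged frames it cannot use. It also renders the final port layout from the last answer as CLI lines in the command forms the thread quotes (vlan members add/remove, vlan ports ... tagging, vlan ports ... pvid). Assumptions, labelled in the code: untagged ingress is always classified into the PVID (the switch's untagged-frame filtering is treated as disabled), the pfSense em0 side accepts untagged frames plus frames tagged 10 or 20 only, and hosts on access ports accept untagged frames only. The CLI output was not verified against a real 5520.

```python
"""802.1Q port model in Nortel ERS / BayStack 5520 terms (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional

UNTAG_ALL, TAG_ALL = "untagAll", "tagAll"
UNTAG_PVID_ONLY, TAG_PVID_ONLY = "untagPvidOnly", "tagPvidOnly"
DROP = "drop"  # sentinel: frame is not forwarded on this port

# Assumption: pfSense em0 carries untagged LAN plus em0.10 / em0.20.
PFSENSE_TAGGED_VLANS = {10, 20}


@dataclass(frozen=True)
class Port:
    number: int
    members: frozenset   # VLAN IDs this port is a member of
    pvid: int            # default VLAN used for untagged ingress
    tagging: str         # one of the four ERS tagging modes


def ingress_vlan(port: Port, wire_tag: Optional[int]) -> Optional[int]:
    """VLAN a received frame is classified into, or None if it is dropped.
    wire_tag is the 802.1Q VID on the wire, None for an untagged frame.
    Assumption: untagged frames always land in the PVID (no untagged-frame filter)."""
    vid = port.pvid if wire_tag is None else wire_tag
    return vid if vid in port.members else None


def egress(port: Port, vid: int):
    """How a frame of VLAN `vid` leaves `port`:
    DROP if the port is not a member, None if sent untagged, else the VID it is tagged with."""
    if vid not in port.members:
        return DROP
    tagged = {
        TAG_ALL: True,                      # every frame leaves tagged, PVID included
        UNTAG_ALL: False,                   # every frame leaves untagged
        UNTAG_PVID_ONLY: vid != port.pvid,  # only the default VLAN leaves untagged
        TAG_PVID_ONLY: vid == port.pvid,    # only the default VLAN leaves tagged
    }[port.tagging]
    return vid if tagged else None


def pfsense_accepts(wire_tag: Optional[int]) -> bool:
    return wire_tag is None or wire_tag in PFSENSE_TAGGED_VLANS


def client_to_pfsense(access: Port, uplink: Port) -> bool:
    """Does an untagged frame from a plain host on `access` reach pfSense via `uplink`?"""
    vid = ingress_vlan(access, None)
    if vid is None:
        return False
    wire = egress(uplink, vid)
    return wire is not DROP and pfsense_accepts(wire)


def pfsense_to_client(uplink: Port, access: Port, wire_tag: Optional[int]) -> bool:
    """Does a frame sent by pfSense (None = untagged LAN, or a VID) reach a plain host on `access`?
    Assumption: a plain host only understands untagged frames."""
    vid = ingress_vlan(uplink, wire_tag)
    return vid is not None and egress(access, vid) is None


def layout(uplink_tagging: str = UNTAG_PVID_ONLY) -> Dict[int, Port]:
    """Port table from the thread's final answer; uplink_tagging compares tagAll vs untagPvidOnly on port 1."""
    ports = {1: Port(1, frozenset({1, 10, 20}), 1, uplink_tagging)}
    for p in range(2, 25):
        ports[p] = Port(p, frozenset({1}), 1, UNTAG_ALL)
    for p in range(25, 31):
        ports[p] = Port(p, frozenset({20}), 20, UNTAG_ALL)
    for p in range(31, 37):
        ports[p] = Port(p, frozenset({10}), 10, UNTAG_ALL)
    return ports


def render_cli(ports: Dict[int, Port]) -> List[str]:
    """CLI lines in the forms quoted in the thread. Ports start as VLAN 1 members on the
    switch, so VLAN 1 is explicitly removed where the layout does not include it."""
    lines = []
    for p in sorted(ports):
        port = ports[p]
        if 1 not in port.members:
            lines.append(f"vlan members remove 1 {p}")
        for vid in sorted(port.members - {1}):
            lines.append(f"vlan members add {vid} {p}")
        lines.append(f"vlan ports {p} tagging {port.tagging.lower()}")
        lines.append(f"vlan ports {p} pvid {port.pvid}")
    return lines


if __name__ == "__main__":
    for mode in (TAG_ALL, UNTAG_PVID_ONLY):
        ports = layout(mode)
        print(f"port 1 {mode}: LAN host ok={client_to_pfsense(ports[5], ports[1])}, "
              f"VLAN20 host ok={client_to_pfsense(ports[25], ports[1])}")
    print("\n".join(render_cli(layout())[:8]))
```

The two runs of the `__main__` section show the thread's observation directly: with port 1 as tagAll the switch sends VLAN 1 frames toward pfSense tagged with VID 1, which the untagged LAN parent interface does not accept, while VLAN 10/20 frames are tagged as pfSense expects; with untagPvidOnly and PVID 1, VLAN 1 leaves untagged and the other two leave tagged, which matches pfSense's interface layout.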

RE: Setting up a VLAN on a freshly wiped Baystack 5520 - No DHCP

(OP)
I hate to admit this, but the root of all my issues ended up being an unmanaged PoE switch I had been using that was connected to my Nortel. Two ports actually. I basically started from scratch, port by port, until I saw which connection brought the whole thing down.

Sheesh. Time for a beer.
