
Author Topic: VLAN Through a TL-SG108  (Read 207 times)


Offline Presbuteros
  • Jr. Member
  • Posts: 60
  • Karma: +4/-0
VLAN Through a TL-SG108
« on: October 30, 2017, 06:18:02 am »
LAN network is 192.168.4.1/24

LAN is on a PIA VPN account.

A VLAN has been created and labeled as GUEST WIFI and tagged as 30.

A static IP has been assigned as 192.168.30.1

DHCP has been turned on for this interface.

The DHCP range has been set to 192.168.30.100 - 192.168.30.200

A firewall rule for GUEST WIFI has been set for IPv4 any-any-any

The switch is a TP-Link TL-SG108.  http://www.tp-link.com/us/products/details/cat-42_TL-SG108.html

The AP is a UniFi AP-AC-Lite.

The "Use VLAN" option is checked and "30" is entered.

The client can associate with the AP and automatically receive an IP of 192.168.30.100; however, no traffic is passing from the client to pfSense.

A ping test from pfSense to the 192.168.30.100 client is successful.

The 192.168.30.100 client can access the 192.168.4.1/24 network, pfSense control panel, NAS, etc.

The 192.168.30.100 client cannot access the internet.

All services are running.

I am using DNS Resolver and DNS Query Forwarding is checked.

Is this a NAT issue or DNS?

Any help is appreciated getting clients on the VLAN30 out to the internet.

Offline johnpoz
  • Hero Member
  • Posts: 14276
  • Karma: +1329/-191
  • Not a pfSense employee, they cannot fire me...
Re: VLAN Through a TL-SG108
« Reply #1 on: October 30, 2017, 06:56:33 am »
That switch is dumb; it does not understand VLANs.

If you're going to run VLANs through a switch, it should understand what VLANs are, and they need to be set up on the switch, or you could run into problems, whether the switch leaves the tagging on the traffic or not.  jknott might tell you that modern switches do not strip the tags.  This does not mean it's correct to do so.  The switch cannot isolate the traffic if it does not understand the tags.

The cheaper line of TP-Link switches, the TL-SG108E, is supposed to support VLANs, but it does not allow you to remove VLAN 1 from each port.

I would suggest you get a switch that allows proper use, say the DGS-1100 from D-Link; it's only $35 on Amazon.
- An intelligent man is sometimes forced to be drunk to spend time with his fools.
- Please don't PM me for personal help
- if you want to say thanks applaud or https://www.freebsdfoundation.org/donate/
1x SG-2440 2.3.4_p1 (work)
1x 2.4.1-RELEASE on VM esxi 6.5 (home)

Offline Presbuteros
  • Jr. Member
  • Posts: 60
  • Karma: +4/-0
Re: VLAN Through a TL-SG108
« Reply #2 on: October 30, 2017, 07:05:30 am »
Quote from: johnpoz
That switch is dumb, it does not understand vlans.

...and that was the very thing I was hoping to avoid, but I figured it was another possible issue. A new switch is six weeks out, with the risk that they steal it out of a USPS package. Building networks in the third world is always interesting.

Thanks johnpoz for the quick answer!

Offline johnpoz
  • Hero Member
  • Posts: 14276
  • Karma: +1329/-191
  • Not a pfSense employee, they cannot fire me...
Re: VLAN Through a TL-SG108
« Reply #3 on: October 30, 2017, 07:27:24 am »
You could connect your AP directly to a pfSense port.  Does your pfSense box have more than one interface that you can use on the LAN side?

How do you have it connected?

So your pfSense LAN port's native network is 192.168.4.x, and this VLAN 30 is on this same physical interface of pfSense?

So you have

pfSense LAN port (em0, let's call it), then VLAN 30 sits on this em0?

pfsense lan - switch --- AP

Where the management IP of the AP is on the 192.168.4.x network.

And you created an SSID that you added the VLAN ID 30 to?  Are you using the controller software from UniFi running on the 192.168.4 network off the switch, or are you trying to set up the AP with just the smartphone app?

Offline Presbuteros
  • Jr. Member
  • Posts: 60
  • Karma: +4/-0
Re: VLAN Through a TL-SG108
« Reply #4 on: October 30, 2017, 09:26:40 am »
Quote from: johnpoz
You could connect your AP direct to pfsense port..  Does your pfsense box have more than 1 interface that you can use on the lan side?

Only one physical interface: re1.

Quote from: johnpoz
pfsense lan - switch --- AP

Just like that. LAN port - dumb switch --- AP

pfSense is 192.168.4.1
Unifi AP Management IP is 192.168.4.186

I created my SSID "VLAN30 test" and checked "use VLAN" and entered 30.

I am running UniFi Controller software on a PC, not a phone. Controller software is the latest available as of 29/10, version 5.5.24.

I think I answered all your questions. Oh, and screens too.

Does any magic happen on the UniFi "Networks" page?

Offline Grimson
  • Full Member
  • Posts: 138
  • Karma: +24/-1
Re: VLAN Through a TL-SG108
« Reply #5 on: October 30, 2017, 09:48:28 am »
So how do the firewall rules on your GUESTWIFI interface look, and how is outbound NAT configured?

Offline Presbuteros
  • Jr. Member
  • Posts: 60
  • Karma: +4/-0
Re: VLAN Through a TL-SG108
« Reply #6 on: October 30, 2017, 09:59:58 am »
GUESTWIFI rules are wide open for testing. I will tighten them down later.

NAT is an attempt to copy what I set up for the PIA VPN connection, and I suspect it could be a problem.

The WAN and OpenVPN entries in the Manual Outbound NAT section are confirmed working settings for the PIA VPN connection. I added the four additional GUESTWIFI entries in an attempt to discover any setting that would send traffic out.

Thanks for taking a look.

Offline Grimson
  • Full Member
  • Posts: 138
  • Karma: +24/-1
Re: VLAN Through a TL-SG108
« Reply #7 on: October 30, 2017, 10:18:38 am »
Well, the outbound NAT rules are wrong: the Interface and NAT Address for the 192.168.30.1 network should be WAN, and OpenVPN if the guest devices should use the VPN connection too. Currently you're trying to NAT from the 192.168.30.1 network to the GUESTWIFI interface, so in essence back to the 192.168.30.1 network.

Edit: Also remove the additional rules for the loopback network.
« Last Edit: October 30, 2017, 10:24:40 am by Grimson »
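
The misconfiguration Grimson describes, written up as an added example that is not from the original thread or from pfSense itself: an outbound NAT rule bound to the GUESTWIFI interface translates guest traffic back onto its own subnet instead of onto the egress interface. The script below audits translation rules in the shape `pfctl -sn` prints them (a constructed, simplified sample; port ranges and static-port options omitted) and emits the corrected set. The WAN NIC name `re0`, the OpenVPN client interface name `ovpnc1`, and the decision that the guest subnet is VPN-only are assumptions for the example; `re1` and the 192.168.4.0/24 and 192.168.30.0/24 networks come from the thread.

```python
import ipaddress
import re
from dataclasses import dataclass

# Interface roles on the box in this thread: re1 carries the LAN untagged and
# VLAN 30 as sub-interface re1.30 (pfSense names VLAN interfaces parent.vid).
# The WAN NIC (re0) and the VPN client interface (ovpnc1) are assumed names.
EGRESS = {"re0": "WAN", "ovpnc1": "OpenVPN"}
INTERNAL = {"re1": "LAN", "re1.30": "GUESTWIFI"}
LOCAL_SUBNETS = {
    "re1": ipaddress.ip_network("192.168.4.0/24"),
    "re1.30": ipaddress.ip_network("192.168.30.0/24"),
}
# Assumption for the example: guests must only ever leave through the tunnel.
VPN_ONLY = {ipaddress.ip_network("192.168.30.0/24")}

# Constructed sample in the shape `pfctl -sn` prints translation rules.
# Lines 4 and 5 are the "NAT onto GUESTWIFI" mistake; line 6 is a WAN rule
# for the guest subnet that exists only to show the leak-path check.
SAMPLE_RULES = """\
nat on re0 inet from 127.0.0.0/8 to any -> 203.0.113.10
nat on re0 inet from 192.168.4.0/24 to any -> 203.0.113.10
nat on ovpnc1 inet from 192.168.4.0/24 to any -> (ovpnc1)
nat on re1.30 inet from 192.168.30.0/24 to any -> 192.168.30.1
nat on re1.30 inet from 127.0.0.0/8 to any -> 192.168.30.1
nat on re0 inet from 192.168.30.0/24 to any -> 203.0.113.10
"""

RULE_RE = re.compile(r"^nat on (\S+) inet from (\S+) to any -> (\S+)")


@dataclass
class NatRule:
    iface: str
    src: ipaddress.IPv4Network
    target: str
    text: str


def parse_rules(text):
    """Parse the simplified pfctl output into NatRule objects."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rules.append(NatRule(m.group(1), ipaddress.ip_network(m.group(2)),
                                 m.group(3), line.strip()))
    return rules


def audit(rules):
    """Return (kind, rule_text, why) for every rule that should not be there."""
    findings = []
    for r in rules:
        if r.iface in INTERNAL:
            findings.append(("misplaced", r.text,
                f"translation bound to internal interface {INTERNAL[r.iface]}; "
                "outbound NAT belongs on the egress interface (WAN or the VPN tunnel)"))
        elif EGRESS.get(r.iface) == "WAN" and any(r.src.subnet_of(n) for n in VPN_ONLY):
            findings.append(("leak-path", r.text,
                "VPN-only subnet is also translated on WAN; with pfSense's default "
                "gateway-down handling the traffic would exit in the clear"))
        elif r.iface not in EGRESS:
            findings.append(("unknown-iface", r.text, "not a known egress interface"))
    return findings


def generate_rules():
    """Corrected rule set: each local subnet translated on each egress
    interface, except that VPN-only subnets get no WAN rule at all."""
    out = []
    for net in LOCAL_SUBNETS.values():
        for iface, role in EGRESS.items():
            if role == "WAN" and any(net.subnet_of(n) for n in VPN_ONLY):
                continue
            out.append(f"nat on {iface} inet from {net} to any -> ({iface})")
    return out


if __name__ == "__main__":
    for kind, text, why in audit(parse_rules(SAMPLE_RULES)):
        print(f"[{kind}] {text}\n    {why}")
    print("\ncorrected rules:")
    print("\n".join(generate_rules()))
```

The first check is the thread's bug: any translation whose `on` interface is one that owns a local subnet is misplaced, which also catches the extra loopback rule Grimson asks to remove. The second check is the caveat a practitioner wants once the guest subnet works over the VPN: if the same subnet also has a WAN translation (automatic and hybrid modes add one for every local subnet), a tunnel outage lets policy-routed traffic fall back to the default gateway and out the WAN unless "Skip rules when gateway is down" is enabled under System > Advanced > Miscellaneous. Omitting the WAN rule, as `generate_rules()` does, is the manual-mode equivalent: untranslated guest packets leaving WAN carry a private source address and get no replies.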

Offline johnpoz
  • Hero Member
  • Posts: 14276
  • Karma: +1329/-191
  • Not a pfSense employee, they cannot fire me...
Re: VLAN Through a TL-SG108
« Reply #8 on: October 30, 2017, 10:27:49 am »
Yeah, as Grimson already pointed out, your outbound NAT is all messed up.

Not sure why users don't mention that they took outbound NAT out of automatic when they are having problems ;)

Why would you not have just left it hybrid if you wanted to send some clients out a VPN connection, and created your rules for your VPN users in hybrid outbound NAT above the automatic ones?

Fix your outbound NAT and you should be fine, even if it's not really correct or getting true VLAN isolation on your dumb switch.  As jknott is so fond of mentioning, new dumb switches sometimes do not strip the tags and pass them along.  So while you can pass tags across them, it still does not make it a good or supported method.  But it can be done in a pinch.

Really, really - let's repeat that for clarity.. Really ;)  I suggest you get a smart switch that can actually do VLANs if you're wanting to pass VLAN tags across a switch.  And I would not suggest the so-called "smart" version of your TP-Link, the 108E or 105E models, because that company has no clue what isolation of VLANs actually means, since they do not allow you to remove VLAN 1 from your ports.  So any untagged broadcast traffic is going to be broadcast to every single port, since every port is a member of VLAN 1.  So when you get around to getting a smart switch that can do VLANs, make sure it can remove VLAN 1 from the ports you're not going to be using in VLAN 1.
« Last Edit: October 30, 2017, 10:31:46 am by johnpoz »
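
The two isolation failures johnpoz describes, modelled in code as an added example that is not from the original thread: an unmanaged switch forwards on destination MAC alone, so a VLAN 30 tagged broadcast is flooded to every port with its tag intact, and a VLAN-aware switch that cannot remove VLAN 1 from a port still floods untagged LAN broadcasts onto a port meant for guests only. The frame builder and parser follow the 802.1Q layout (TPID 0x8100 and a 16-bit TCI inserted after the source MAC); the switch models, the port names, the `kiosk` guest-only port and the MAC addresses are constructed for the example and are deliberately simplified (no STP, no aging, no QinQ).

```python
import struct

TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800
BROADCAST = b"\xff" * 6
# Constructed, locally administered MAC addresses for the example.
MAC_PF = bytes.fromhex("020000000001")   # pfSense re1
MAC_PC = bytes.fromhex("020000000002")   # a wired LAN PC


def build_frame(dst, src, payload, vid=None):
    """Ethernet II frame; with vid set, an 802.1Q tag (PCP 0, DEI 0, VID)
    is inserted between the source MAC and the EtherType."""
    hdr = dst + src
    if vid is not None:
        hdr += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)
    return hdr + struct.pack("!H", ETHERTYPE_IPV4) + payload


def parse_frame(frame):
    """Return (dst, src, vid_or_None, ethertype, payload)."""
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vid, off = None, 14
    if ethertype == TPID_8021Q:
        (tci,) = struct.unpack("!H", frame[14:16])
        vid = tci & 0x0FFF
        (ethertype,) = struct.unpack("!H", frame[16:18])
        off = 18
    return dst, src, vid, ethertype, frame[off:]


class UnmanagedSwitch:
    """Learns source MACs and forwards on destination MAC only. The tag is
    just four more bytes after the source address: never read, never
    stripped, so every port sees every VLAN's broadcasts."""
    def __init__(self, ports):
        self.ports, self.table = list(ports), {}

    def ingress(self, port, frame):
        dst, src, _, _, _ = parse_frame(frame)
        self.table[src] = port
        if dst != BROADCAST and dst in self.table:
            return {self.table[dst]: frame}
        return {p: frame for p in self.ports if p != port}


class VlanSwitch:
    """802.1Q-aware. pvid: VLAN given to untagged ingress per port; tagged /
    untagged: membership sets per port, deciding whether egress keeps or
    strips the tag. Learning and flooding are per VLAN."""
    def __init__(self, pvid, tagged, untagged):
        self.pvid, self.tagged, self.untagged, self.table = pvid, tagged, untagged, {}

    def members(self, vid):
        return {p for p in self.pvid
                if vid in self.tagged.get(p, ()) or vid in self.untagged.get(p, ())}

    def ingress(self, port, frame):
        dst, src, vid, _, payload = parse_frame(frame)
        if vid is None:
            vid = self.pvid[port]
        elif vid not in self.tagged.get(port, ()):
            return {}  # tagged frame for a VLAN this port does not carry: dropped
        self.table[(vid, src)] = port
        if dst != BROADCAST and (vid, dst) in self.table:
            targets = {self.table[(vid, dst)]}
        else:
            targets = self.members(vid) - {port}
        return {p: build_frame(dst, src, payload, vid if vid in self.tagged.get(p, ()) else None)
                for p in targets}


def demo():
    ports = ["pfsense", "ap", "nas", "pc", "kiosk"]
    guest_dhcp = build_frame(BROADCAST, MAC_PF, b"dhcp-offer", vid=30)  # pfSense -> VLAN 30
    lan_arp = build_frame(BROADCAST, MAC_PC, b"arp-who-has")            # PC, untagged LAN
    dumb = UnmanagedSwitch(ports)
    # pfSense and the AP are trunks (LAN untagged, VLAN 30 tagged); the kiosk
    # is a wired guest-only port with PVID 30.
    pvid = {"pfsense": 1, "ap": 1, "nas": 1, "pc": 1, "kiosk": 30}
    tagged = {"pfsense": {30}, "ap": {30}}
    lan_only = {p: {1} for p in ports[:4]}
    stuck = VlanSwitch(pvid, tagged, {**lan_only, "kiosk": {1, 30}})   # VLAN 1 cannot be removed
    pruned = VlanSwitch(pvid, tagged, {**lan_only, "kiosk": {30}})     # VLAN 1 removed from kiosk
    return {
        "dumb_guest_flood": sorted(dumb.ingress("pfsense", guest_dhcp)),
        "dumb_tag_intact": all(parse_frame(f)[2] == 30
                               for f in dumb.ingress("pfsense", guest_dhcp).values()),
        "smart_guest_flood": sorted(stuck.ingress("pfsense", guest_dhcp)),
        "smart_kiosk_untagged": parse_frame(stuck.ingress("pfsense", guest_dhcp)["kiosk"])[2],
        "lan_arp_vlan1_stuck": sorted(stuck.ingress("pc", lan_arp)),
        "lan_arp_vlan1_pruned": sorted(pruned.ingress("pc", lan_arp)),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Running `demo()` shows the unmanaged switch delivering the VLAN 30 DHCP offer, tag and all, to the NAS and PC ports, which is why passing tags through it works "in a pinch" but gives no isolation; only the VLAN-aware model confines it to the AP and kiosk ports. The `stuck` switch reproduces the 108E complaint: the untagged LAN ARP reaches the guest-only kiosk port because that port is still a member of VLAN 1, and `pruned` is the same switch once VLAN 1 can be removed. One further reason unmanaged switches are unsupported for this: a maximum-size tagged frame is 1522 bytes rather than 1518, and some unmanaged switches drop those as oversize.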

Offline Presbuteros
  • Jr. Member
  • Posts: 60
  • Karma: +4/-0
Re: VLAN Through a TL-SG108
« Reply #9 on: October 30, 2017, 10:35:12 am »
Thank you both johnpoz and Grimson!

Once I revised the NAT rules, the client can connect to the internet and is even behind the VPN.

I imagine that if I change 192.168.30.0/24 to go out the WAN interface and not the OpenVPN interface, the client will kick out the WAN, exposed and all...

I have already purchased a new switch. Three days' shipping to a US address, repackage, then 4-6 weeks to here... A Christmas present.

I will start revising the firewall rules on VLAN30 to shore things up.

Offline johnpoz
  • Hero Member
  • Posts: 14276
  • Karma: +1329/-191
  • Not a pfSense employee, they cannot fire me...
Re: VLAN Through a TL-SG108
« Reply #10 on: November 01, 2017, 04:06:29 am »
What switch did you get?  Just curious.. Why would it take 4-6 weeks to get to you?  Do you live in a hut in the middle of the jungle?  An igloo 300 miles from the South Pole or something? ;) Does the package have to go by pack mule or something through the mountains?

Having a hard time understanding how anything could take 4-6 weeks to be shipped anywhere on the planet these days.  It's not taking a steamboat across the ocean, etc.. ;)

Offline Presbuteros
  • Jr. Member
  • Posts: 60
  • Karma: +4/-0
Re: VLAN Through a TL-SG108
« Reply #11 on: November 03, 2017, 03:28:42 am »
Switch: Dlink DGS-1100-08

I did live in a rainforest before. Now I live by the coast, same island. Yes, it takes that long for mail to get here using the USPS. Once a package leaves the US and enters the third world, it is fair game. Most packages have made it untouched. One was raided and all the DVDs removed. I sometimes have a hard time understanding how it can take that long too, and I live here.

I just looked at our last set of packages to come in. They were shipped September 5 and arrived at our local PO on October 18.

Offline johnpoz
  • Hero Member
  • Posts: 14276
  • Karma: +1329/-191
  • Not a pfSense employee, they cannot fire me...
Re: VLAN Through a TL-SG108
« Reply #12 on: November 03, 2017, 04:34:58 am »
Dude, you live on some remote island somewhere?  Nice!

So like this is you ;)  One of these dots in the middle of nowhere...


