Author Topic: SG-3100: How do I assign port(s) to a VLAN  (Read 357 times)

alex_london
SG-3100: How do I assign port(s) to a VLAN
« on: November 02, 2017, 07:51:22 pm »
Hi,

I've been setting up my new SG-3100, and I'm stuck trying to figure out how to properly set up VLANs and allocate port(s) to them.

Here's what I have so far:
  • WAN (mvneta2) - Directly connected to ADSL router 1
  • OPT1 (mvneta0) - Directly connected to ADSL router 2
  • LAN1 (mvneta1) - Connected to unmanaged switch
  • LAN2...4 (mvneta1) - Currently disconnected

Now I have a separate unmanaged switch that would be in my DMZ, and I'd like to assign LAN2 to a separate VLAN and configure an interface in the DMZ on that port (so I can configure WAN-to-DMZ and DMZ-to-LAN rules).

The onboard Marvell 6000 switch seems to not have any configurable options. I have created a VLAN on "mvneta1", but I'm not sure where to go next - I need traffic on the 4 LAN ports (or at least on 1 of them) to be separate from the rest.

EDIT: I should add that I have found the Switch options pages, but these are all read-only; specifically the Interface/Switch/VLANs page, shows 5 groups, all configured as "Default System VLAN", with all 5 ports assigned to all of them (I assume 5 ports as 1 is the internal uplink port of the switch).

How would I go about doing this?

Thanks,
-Alex
« Last Edit: November 02, 2017, 07:57:54 pm by alex_london »

stephenw10
Re: SG-3100: How do I assign port(s) to a VLAN
« Reply #1 on: November 02, 2017, 11:43:11 pm »
Hi Alex,

Unfortunately we were not able to get the code into the GUI to configure the switch in time for 2.4.1. However if you wish to use it before a snapshot with the gui code is available I can give you some instructions on configuring it manually. The hardware and config code is there already.

Let me know and I'll run some tests here to confirm a working setup.

Steve

alex_london
Re: SG-3100: How do I assign port(s) to a VLAN
« Reply #2 on: November 03, 2017, 05:45:20 am »
Steve,

Yes some help would be appreciated!

I should add, a few minutes ago I came across this post: https://www.netgate.com/blog/ive-got-99-problems-but-a-switch-aint-one.html. On a hunch, I tried manually browsing to https://<pfSense IP and port>/switch_vlans_edit.php, and the page is there - just no way to browse to it from the GUI.

I haven't tried anything yet, in case this is not working (or even worse actually breaks something).

So I'll await your suggestions.

Thanks!
-Alex

stephenw10
Re: SG-3100: How do I assign port(s) to a VLAN
« Reply #3 on: November 03, 2017, 09:33:30 am »
Hi Alex,

That page is not functional yet.

Ok, so to do this we need to use the command line tool etherswitchcfg. That needs to be run at boot because the switch reverts to its default config when the sg-3100 is rebooted. There are a number of ways to do that but I prefer to use the shellcmd package as it stores all the values in the config file and makes it easy to read and edit them from the gui. So first go to the package manager and install the shellcmd package which will then appear in Services > Shellcmd.

In this example I am setting port 1 (LAN1) to be available as VLAN100 on the LAN interface.

Whilst it's possible to merge some of these commands, I used four separate commands for clarity. So add new shellcmds for each one:

Set the switch to 802.1q VLAN mode
Code:
etherswitchcfg config vlan_mode DOT1Q

Remove port 1 from the default VLAN
Code:
etherswitchcfg vlangroup0 vlan 1 members 2,3,4,5

Create a new VLAN group, set that as VLAN 100, and add port 1 as untagged and port 5 (the internal port) as tagged
Code:
etherswitchcfg vlangroup1 vlan 100 members 1,5t

Set port 1 to tag incoming traffic as VLAN 100
Code:
etherswitchcfg port1 pvid 100

You can apply those manually at the command line or just reboot to have the shellcmds run and you should see that config applied. You can check by running etherswitchcfg with no arguments or via the Interfaces > Switches > VLANs page. See attached screenshots.

Once that's in place you can create a VLAN100 interface on LAN in pfSense in the normal way and it will effectively be port 1.

Steve
« Last Edit: November 05, 2017, 09:44:58 am by stephenw10 »
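
Because the switch reverts to its default config on reboot, a DMZ port can silently rejoin the LAN VLAN if the shellcmds fail to run. The script below is an added example (not part of the original post and not Netgate code) that audits `etherswitchcfg` output for that condition; the function name and the trimmed sample outputs are constructed for illustration, and the sample layout is an assumption about what the tool prints.

```shell
# Added example. check_isolation PORT VLAN reads `etherswitchcfg` output on
# stdin; exit 0 only if PORT is untagged in VLAN and in no other VLAN group.
check_isolation() {
    awk -v port="$1" -v vlan="$2" '
    /VLAN mode:/        { mode = $NF }
    /^port[0-9]+:/      { sect = "port"; cur = $1; gsub(/[^0-9]/, "", cur) }
    /^vlangroup[0-9]+:/ { sect = "group"; gvlan = "" }
    sect == "port"  && $1 == "pvid:" && cur == port { pvid = $2 }
    sect == "group" && $1 == "vlan:" { gvlan = $2 }
    sect == "group" && $1 == "members" {
        n = split($2, m, ",")
        for (i = 1; i <= n; i++) {
            p = m[i]; tagged = sub(/t$/, "", p)   # trailing "t" marks a tagged member
            if (p != port) continue
            if (gvlan == vlan && !tagged) own = 1; else leak = leak " " gvlan
        }
    }
    END {
        if (mode != "DOT1Q") { print "FAIL: VLAN mode is " mode; bad = 1 }
        if (pvid != vlan)    { print "FAIL: port" port " pvid is " pvid; bad = 1 }
        if (!own)  { print "FAIL: port" port " not untagged in VLAN " vlan; bad = 1 }
        if (leak)  { print "FAIL: port" port " also in VLAN(s):" leak; bad = 1 }
        if (!bad) print "OK: port" port " isolated on VLAN " vlan
        exit bad + 0
    }'
}
# Constructed, trimmed samples (real output also lists state/media per port).
sample_configured() { cat <<'EOF'
etherswitch0: VLAN mode: DOT1Q
port1:
    pvid: 100
vlangroup0:
    vlan: 1
    members 2,3,4,5
vlangroup1:
    vlan: 100
    members 1,5t
EOF
}
sample_default() { cat <<'EOF'
etherswitch0: VLAN mode: DOT1Q
port1:
    pvid: 1
vlangroup0:
    vlan: 1
    members 1,2,3,4,5
EOF
}
sample_configured | check_isolation 1 100; sample_default | check_isolation 1 100 || true
```

On the firewall itself the check would be run as `etherswitchcfg | check_isolation 1 100`, for example as a final shellcmd entry or from a monitoring job.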

alex_london
Re: SG-3100: How do I assign port(s) to a VLAN
« Reply #4 on: November 03, 2017, 11:17:51 am »
Thanks, I'll give that a shot! Seems straightforward enough... (famous last words  ;) )

-Alex

EDIT: Worked like a charm, thanks!
« Last Edit: November 04, 2017, 08:22:55 am by alex_london »

stephenw10
Re: SG-3100: How do I assign port(s) to a VLAN
« Reply #5 on: November 05, 2017, 09:43:55 am »
Great  :)

That should be relatively easy to replace with the GUI options when they are added to a snapshot. Though those commands will remain effective in all likelihood. I expect (though I can't be 100% sure!) the shellcmds to apply after the interface setup in the boot sequence so they would override it.

Steve