
Author Topic: How can untagged traffic end up on a VLAN?  (Read 344 times)


Offline Atreides

How can untagged traffic end up on a VLAN?
« on: December 24, 2017, 07:39:39 pm »
If what I understand about VLANs is correct, if described simply, they are just adding a tag to a packet. Why then, if I set a port to be untagged traffic on my switch, and send it to pfSense over a trunk, will it be accepted in the default VLAN from that switch? Why does pfSense know that untagged traffic will be on VLAN 1, or whatever the default VLAN was on the switch? Shouldn't the traffic not be accepted on any VLAN because it's untagged?

For example, I have a tp-link switch which I have set two ports to be access ports (UNTAGGED) and on the default VLAN. When I set the interface they are being accepted on in pfSense to igb1, I won't get traffic from those two switch ports. If I set them to VLAN 1 on igb1, I will get traffic from those two ports. Shouldn't they be accepted on igb1?

Maybe I am misunderstanding how a default VLAN works. Is traffic on the default VLAN untagged? If so, why does a VLAN accept it at all on pfSense?

Offline Grimson


Offline JKnott

Re: How can untagged traffic end up on a VLAN?
« Reply #2 on: December 24, 2017, 08:37:58 pm »
Quote
I have a tp-link switch

That's the problem right there.  TP-Link doesn't understand VLANs and, as a result, sells equipment that doesn't handle VLANs properly.  If you want to run VLANs, stay away from TP-Link.  I have a TP-Link access point and have a similar problem, where native LAN traffic is winding up on the VLAN.

Once again, for VLANs, stay away from TP-Link.

Offline Derelict

Re: How can untagged traffic end up on a VLAN?
« Reply #3 on: December 24, 2017, 08:54:14 pm »
Which can be extrapolated to stay away from tp link as a brand entirely since pretty much all networking gear of any substance whatsoever must understand dot1q.

Just get a d-link. Same price point and it generally works.
Las Vegas, Nevada, USA

Offline Atreides

Re: How can untagged traffic end up on a VLAN?
« Reply #4 on: December 25, 2017, 01:13:11 am »
Quote
I have a tp-link switch

That's the problem right there.  TP-Link doesn't understand VLANs and, as a result, sells equipment that doesn't handle VLANs properly.  If you want to run VLANs, stay away from TP-Link.  I have a TP-Link access point and have a similar problem, where native LAN traffic is winding up on the VLAN.

Once again, for VLANs, stay away from TP-Link.

That links to a smart switch, mine is a managed TL-SG3424, do you think the same stands for it?

Offline JKnott

Re: How can untagged traffic end up on a VLAN?
« Reply #5 on: December 25, 2017, 06:26:54 am »
Quote
I have a tp-link switch

That's the problem right there.  TP-Link doesn't understand VLANs and, as a result, sells equipment that doesn't handle VLANs properly.  If you want to run VLANs, stay away from TP-Link.  I have a TP-Link access point and have a similar problem, where native LAN traffic is winding up on the VLAN.

Once again, for VLANs, stay away from TP-Link.

That links to a smart switch, mine is a managed TL-SG3424, do you think the same stands for it?

I don't know, but given TP-Link's track record, I wouldn't be surprised.

Offline johnpoz

Re: How can untagged traffic end up on a VLAN?
« Reply #6 on: December 25, 2017, 07:58:38 am »
Yeah for the longest time they were saying it was designed that way without the ability to remove vlan 1 on purpose and that there was nothing wrong with it.. They just recently posted that it would be corrected and that there should be a new beta software to fix the problem in next week or so.

Taking that they clearly do not seem to understand how vlans are supposed to function, until their recent post.  Which we still have not seen the fixed firmware.  I am with jknott here, I wouldn't assume any of their other switches got it right either ;)  All I can tell you is that the cheaper tp-link 105e and 108e switches do not correctly isolate vlans since every port has vlan 1 which cannot be removed.

You would have to do some testing on their higher end models to validate that they do not bleed vlan traffic.  Or just get a switch you know gets it right, etc.
- An intelligent man is sometimes forced to be drunk to spend time with his fools.
- Please don't PM me for personal help
- if you want to say thanks applaud or https://www.freebsdfoundation.org/donate/
1x SG-2440 2.4.2-RELEASE-p1 (work)
1x SG-4860 2.4.2-RELEASE-p1 (home)
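
The testing suggested in the post above (checking whether a switch bleeds traffic between VLANs) can be run against captured frames. This is an added example, not code from anyone in this thread: it reads the 802.1Q tag from raw Ethernet frames and flags senders seen in a VLAN other than the one assigned to them. The MAC addresses, VLAN IDs and sample frames are constructed, and `parse_frame`, `find_bleed` and `build` are hypothetical names.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q tag

def parse_frame(frame: bytes):
    """Return (src_mac, vid, ethertype); vid is None for an untagged frame."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    src = frame[6:12].hex(":")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != TPID_8021Q:
        return src, None, ethertype
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, inner = struct.unpack("!HH", frame[14:18])
    return src, tci & 0x0FFF, inner  # low 12 bits of the TCI are the VLAN ID

def find_bleed(frames, expected_vid, native_vid=None):
    """List (src, seen_vid, expected) for senders found in the wrong VLAN.

    Untagged frames are treated as belonging to native_vid, the VLAN the
    receiving port assigns to untagged traffic (None = no VLAN assigned).
    """
    findings = []
    for raw in frames:
        src, vid, _ = parse_frame(raw)
        effective = native_vid if vid is None else vid
        want = expected_vid.get(src)
        if want is not None and effective != want:
            findings.append((src, vid, want))
    return findings

def build(src, vid=None, pcp=0):
    """Constructed sample frame: broadcast dst, IPv4 EtherType, zero payload."""
    tag = b"" if vid is None else struct.pack("!HH", TPID_8021Q, (pcp << 13) | vid)
    return b"\xff" * 6 + bytes.fromhex(src.replace(":", "")) + tag + b"\x08\x00" + bytes(46)

# Constructed inventory: which VLAN each test host is supposed to live in.
HOST_A, HOST_B = "02:00:00:00:00:0a", "02:00:00:00:00:14"
EXPECTED = {HOST_A: 10, HOST_B: 20}
# Constructed capture: two correct frames, one tagged VLAN 1, one untagged.
SAMPLE = [build(HOST_A, 10, pcp=5), build(HOST_B, 20), build(HOST_B, 1), build(HOST_A)]

if __name__ == "__main__":
    for src, vid, want in find_bleed(SAMPLE, EXPECTED, native_vid=1):
        print(f"{src}: seen on {'untagged' if vid is None else vid}, expected VLAN {want}")
```

Set `native_vid` to whatever VLAN the capturing port assigns to untagged frames; a capture taken on the trunk toward the firewall shows exactly which tag, if any, each frame carries.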

Offline JKnott

Re: How can untagged traffic end up on a VLAN?
« Reply #7 on: December 25, 2017, 10:09:26 am »
Quote
I wouldn't assume any of their other switches got it right either

Nor their access points.  As mentioned in other threads, I have a WA901N AP, which has the same problem.  Even though their 2nd level support recognized the problem a few years ago, there has been no fix so far.  I may replace the software with DD-WRT.  I expect that will work better.

Offline jahonix

Re: How can untagged traffic end up on a VLAN?
« Reply #8 on: December 25, 2017, 10:43:57 am »
I have several TL-SG3210 (trying to be a cheaper SG300-10 derivative) and 1x TL-SG5428 as well as 1x TL-SG5412F.
Those are fully managed L2 "JetStream" switches and do not exhibit the behaviour of the entry-level smart switches. This is at home only. Since we use Cisco in the office and at clients' sites extensively, I probably would buy those for my home now as well.
Chris

The issue with IPv6 jokes is that almost no one understands them and no one is using them yet.