VLAN tagging question:

[G+_Jason Brown]

VLAN tagging question:

 

Host ports on the switch should be Untagged so the switch will tag them on Ingress with your specified tag.

 

If that port was set to Tagged the switch would expect the host to have tagged the packet. with this setting the switch will do nothing to the packet.

 

Now the port to the gateway (pfsense) on the switch, should that we tagged or untagged? As the tagged packets leave (Egress) that port I would think the port should be set to Tagged, since the packet has been already tagged by the Ingress port the host is on.

 

I'm using a TPLink TL-SG108E and its a bit confusing. I'd like to set the port the router is on to a trunk port, but TPlink is calling this function to be link aggregation and not a typical trunk port where all vlan data moves across it.

 

Pfsense is setup for with my vlan and firewall rules look ok. My test host ( raspberry pi) is on switch port 4 and pfsense is on switch port 2.

 

if I set pfsense port to tagged or untagged it changes nothing.

 

I hope this is enough someone might see whats wrong. I feel like I understand the ingress function of the switch ports but not what happens to the packets leaving the router port and returning. I'll post some pictures.

 

Thank you.

 

 

[G+_Robert Gauld]

The raspberry pi port should be untagged and the pfsense tagged. What are the symptoms of your problem?

Does the pi get a network address from the pfsense?

Can they ping each other?

[G+_Jason Brown]

figured out that my pfsense firewall rule on the VLAN side did not include Destinations outside my LAN Net (outside world). That fixed that problem. I watched a couple videos that show people making firewall rules that block the LAN from the VLAN network, but without those rules my PI cannot see the LAN anyway. I liked this video but the firewall rules dont seem to be behaving like I think they should. I'm sure I must be making some mistake.Maybe a fresh set of eyes and rewatching things. I'm not a fan of the TPLINK switch I'm using either.

 

 

[G+_Akira Yamanita]

The tagging happens at egress. For ingress, the assignments act as a filter and the PVID determines VLAN membership for untagged packets. If the Pi is going to communicate with the LAN (VLAN 1), is there a reason why you are separating them?

[G+_Jason Brown]

Akira Yamanita I'm really just playing with it to see how VLANs work. I was trying to reproduce some parts of the above posted youtube video. Need to play with the firewall rules as I'm not seeing the behavior on the VLAN side. With only one firewall rule allowing traffic from the VLAN to the WAN I'm still blocked from seeing the LAN network.