
New to VLANs - Need help setting up GS105Ev2 in 802.1Q Advanced configuration

Tagit446
Tutor


Hi,

I recently purchased a GS105Ev2 to isolate an NVR security cam system by using VLANs. I am having trouble trying to understand what should be tagged, untagged, and blank on the web GUI VLAN membership config page.


I use pfSense as my router and that has 4 network ports on the NIC. One port is used for the WAN and the other 3 as LANs. On LAN1 I have 3 clients consisting of one Windows PC, a network printer and an NVR security system. The other 2 LANs are also being used but are irrelevant to this post. I have put the GS105Ev2 between the pfSense router and the LAN1 clients. I have put the following clients on the GS105Ev2/192.168.10.10.

Port 1 - pfSense router/192.16.10.1,

Port 2 - Windows PC/192.168.10.11,

Port 3 - network printer/192.168.10.12,

Port 4 - NVR security cam box/192.168.50.11 VLAN,

Port 5 - unused.

All IP's are assigned statically in pfSense.


In pfSense I created one VLAN 192.168.50.1 and in the GS105Ev2 I created VLAN ID 50 in VLAN > 802.1Q > Advanced > VLAN Configuration. This leaves me with the default VLAN 1 and VLAN 50 in the GS105Ev2. In VLAN > 802.1Q > Advanced > Port PVID I assigned 50 to port 4 and left the other ports at the default PVID of 1. This is as far as I got. I am finding the rest of the setup confusing.


What I want is to have the NVR isolated so that it cannot communicate with any other device connected to the GS105Ev2 except through firewall rules in pfSense if I choose. The NVR does not need internet access but does need to be accessed remotely through OpenVPN.


With all of that explained, I cannot figure out what should be tagged, untagged, or blank for each port on VLANs 1 and 50 in the GS105Ev2. I also do not understand why VLAN 1 cannot be deleted and if I need to create a VLAN 1 or a different VLAN in the router and assign the Windows PC and printer to VLAN 1 or the different VLAN. Even though I have no VLAN 1 in the router, the Windows PC and printer ports are currently untagged members of VLAN 1 in the GS105Ev2 and I have internet access on the Windows PC. The only reason I have it like that is because I know they cannot be assigned to PVID 50, so I was forced to assign them to PVID 1 for lack of other options.


My current config:

VLAN 1 - Ports 1-5 all untagged.

VLAN 50 - Port 1 tagged, ports 2-3 blank, port 4 tagged, port 5 blank.


So my questions,

1. Do I need to create another VLAN in pfSense for the Windows PC and printer or just leave them on VLAN 1 in the GS105Ev2?

2. If I have to add another VLAN for the Windows PC and printer, which new VLAN ports should be tagged, untagged, or blank?

3. If I leave the Windows PC and printer as they are on VLAN 1, which VLAN 1 ports should be tagged, untagged, or blank?

4. For VLAN 50, which ports should be tagged, untagged, or blank?


I have looked online and in the help docs but for some reason I just can't wrap my head around what should be tagged, untagged or blank. If anyone is so inclined, an easy to understand explanation of tagging would be appreciated, but I would also be equally happy if someone just answered my 4 questions.

 

Sorry for the wall of text but I wasn't sure what info was needed to answer my questions.

Model: GS105Ev2|ProSafe Plus 5 ports switch
schumaku
Guru

Re: New to VLANs - Need help setting up GS105Ev2 in 802.1Q Advanced configuration

Amazing, people in the switch community always ask about much more complex things like security appliances than what the simple VLAN-capable switch does serve for...

 

There is no reason to delete VLAN 1. K.I.S.S. - the "problem" often read about the default VLAN was caused decades ago by a major vendor where it was not configurable on the ports and LAGs, causing a mess and security issues.

 

Keep your main network on VLAN 1, and add 802.1Q VLAN(s) for additional networks - which are by definition isolated networks, permitting a correct configuration.

 

Case A. Each port connecting to the security appliance, VLAN/multi-SSID capable access points, or systems operating VMs and containers requiring access to multiple networks must be configured like this - create as many VLAN xxxx as you want:

 

  1. VLAN 1, [U]ntagged, PVID 1 ... this makes the normal network run, and applies also to ports where you want to connect computers, printers, and whatever has access to the main network. The switch will send any untagged incoming frames to VLAN 1 (this is what the PVID 1 is for), and send frames from VLAN 1 out untagged to the connected device.
  2. VLAN xxxx, [T]agged ... this makes the port become a trunk port by adding the additional 802.1Q tagged network - to send and receive VLAN xxxx tagged frames from/to VLAN xxxx.
  3. Double check the port(s) are set to allow tagged and untagged (both) packets/frames if the switch supports it.

Case B. In case you want to assign a switch port to a dedicated VLAN (and only then!) use this:

 

  1. VLAN xxxx, [U]ntagged, PVID xxxx ... this makes the port an access port for VLAN xxxx. The switch will send any untagged incoming frames to VLAN xxxx (this is what the PVID xxxx is for), and send frames from VLAN xxxx out untagged to the connected device.
  2. Untick any other [U]ntagged or [T]agged VLAN memberships, specifically VLAN 1, of which the port is by default an untagged member.
  3. Allow only untagged packets/frames if the switch supports it.

As simple as this.

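As an added example, not code from the thread, from NETGEAR or from pfSense, the script below models what an 802.1Q switch does with a frame on ingress (tagged frames keep their VID, untagged frames get the port's PVID) and on egress (sent tagged on [T] member ports, untagged on [U] member ports, not at all on blank ports). It runs that model against two membership tables: the poster's current config from the first message (VLAN 1 untagged on all five ports, VLAN 50 tagged on ports 1 and 4) and the layout the reply recommends (port 1 as a Case A trunk, ports 2, 3 and 5 as VLAN 1 access ports, port 4 as a Case B access port for VLAN 50 with VLAN 1 unticked and untagged frames only). Port numbers and VLAN IDs are the thread's; the per-port "accept" setting is an assumption standing in for the "allow tagged/untagged frames" option the reply mentions, and only flooding (broadcast or unknown destination) is modelled, not MAC learning.

```python
"""
Added example (not from the thread, NETGEAR or pfSense): 802.1Q ingress/egress model
run against the two GS105Ev2 membership tables discussed in the thread.
"""
from dataclasses import dataclass
from typing import Optional

U, T = "U", "T"   # untagged member / tagged member; a port missing from a VLAN row is "blank"

# Poster's current config (message 1): VLAN 1 [U] on all ports, VLAN 50 [T] on ports 1 and 4.
# "accept" is an assumed per-port frame-type filter ("all" or "untagged").
CURRENT = {
    "membership": {1: {1: U, 2: U, 3: U, 4: U, 5: U},
                   50: {1: T, 4: T}},
    "pvid": {1: 1, 2: 1, 3: 1, 4: 50, 5: 1},
    "accept": {p: "all" for p in range(1, 6)},
}

# Layout from the reply: port 1 = Case A trunk (VLAN 1 [U] + VLAN 50 [T]),
# ports 2/3/5 = VLAN 1 access, port 4 = Case B access port for VLAN 50
# (VLAN 50 [U], PVID 50, removed from VLAN 1, untagged frames only).
RECOMMENDED = {
    "membership": {1: {1: U, 2: U, 3: U, 5: U},
                   50: {1: T, 4: U}},
    "pvid": {1: 1, 2: 1, 3: 1, 4: 50, 5: 1},
    "accept": {1: "all", 2: "untagged", 3: "untagged", 4: "untagged", 5: "untagged"},
}


@dataclass(frozen=True)
class Frame:
    src_port: int
    tag: Optional[int] = None      # None = no 802.1Q header on the wire


def ingress_vid(cfg, frame):
    """Classify an incoming frame. Tagged frames keep their VID; untagged frames get the
    ingress port's PVID. Returns None if the frame is dropped: wrong frame type for the
    port, or the ingress port is not a member of the resulting VLAN."""
    if frame.tag is not None and cfg["accept"][frame.src_port] == "untagged":
        return None
    vid = frame.tag if frame.tag is not None else cfg["pvid"][frame.src_port]
    if frame.src_port not in cfg["membership"].get(vid, {}):
        return None
    return vid


def flood(cfg, frame):
    """Egress for a broadcast/unknown-destination frame: every other member port of the
    VLAN gets it, with the VID on the wire for [T] ports and no tag for [U] ports.
    Returns {egress_port: vid_on_wire_or_None}."""
    vid = ingress_vid(cfg, frame)
    if vid is None:
        return {}
    return {port: (vid if mode == T else None)
            for port, mode in cfg["membership"][vid].items()
            if port != frame.src_port}


def check_config(cfg):
    """Sanity checks before trusting the isolation: each port's PVID must name a VLAN in
    which the port is an [U] member (otherwise return traffic for untagged devices goes out
    tagged or not at all), and an untagged-only port must not be a [T] member anywhere."""
    problems = []
    for port, vid in cfg["pvid"].items():
        if cfg["membership"].get(vid, {}).get(port) != U:
            problems.append(f"port {port}: PVID {vid} but not an untagged member of VLAN {vid}")
    for vid, row in cfg["membership"].items():
        for port, mode in row.items():
            if mode == T and cfg["accept"][port] == "untagged":
                problems.append(f"port {port}: tagged member of VLAN {vid} but accepts untagged only")
    return problems


def nvr_can_reach_pc(cfg):
    """True if an untagged frame from the NVR (port 4) is delivered to the PC (port 2)."""
    return 2 in flood(cfg, Frame(src_port=4))


if __name__ == "__main__":
    for name, cfg in (("current", CURRENT), ("recommended", RECOMMENDED)):
        print(f"{name}: problems = {check_config(cfg) or 'none'}")
        print("  NVR untagged frame  ->", flood(cfg, Frame(4)))
        print("  PC untagged frame   ->", flood(cfg, Frame(2)))
        print("  pfSense VLAN 50 tag ->", flood(cfg, Frame(1, tag=50)))
        print("  NVR sends VLAN 1 tag->", flood(cfg, Frame(4, tag=1)))
```

Running it shows why the reply's Case B matters: with the poster's current table the NVR's untagged frames do reach pfSense on VLAN 50, but VLAN 50 frames coming back from pfSense leave port 4 tagged (the NVR does not speak 802.1Q), the PC's VLAN 1 broadcasts still leak to port 4, and a tagged frame from the NVR port hops straight into VLAN 1. With the recommended table the NVR port exchanges only untagged VLAN 50 frames with the trunk, tagged frames on port 4 are dropped, and the only path between VLAN 50 and VLAN 1 is through pfSense, where the firewall rules decide.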