GS305E / GS308E VLAN 802.1Q issues

a01
Guide

Hi, I'm trying to connect 2 Ethernet Plus switches in series, like this: pfSense <> switch A <> switch B

I'm having a real hard time making this work with VLANs and I've been trying for days now. I'm trying to use VLANs only and I can never reach switch B.

On pfSense I have the standard [untagged] LAN plus VLAN 1 and VLAN 8, along with any to any rules for each interface.

Starting with switch A after a factory reset, latest FW 1.0.0.11, it has 5 ports, I have port 5 plugged in to pfSense and port 4 plugged in to a PC that I'm using to manage everything (switch B not plugged in yet). After power-up I get an IP from the LAN. So far so good.

I start by adding VLANs 1 and 8. I also add dummy VLANs 501, 502, 503, and 505.

My plan is to use port 1 to connect to switch B.

Port 2 and 3 won't be used so I set each of them to their respective dummy VLANs 502 and 503, including the PVID.

 

The next thing I do is configure VLAN 1. I set port 1 and 5 to be tagged, and port 4 to be untagged.

I do not want to accept any untagged traffic on port 1 and 5 so I set those to their respective dummy VLANs, including the PVID.

The only port now that can handle untagged traffic is port 4, which connects to the PC, and it has PVID 1 and is configured for untagged VLAN 1.

I configure VLAN 8 to be tagged on port 1 and 5.

 

I reboot the switch, and as expected now instead of getting an IP from the LAN I'm getting an IP from VLAN 1.

Btw. it looks like to get an IP, the switch first tries untagged and then tries the tagged ports, starting with the lowest VLAN ID. If I had VLAN 3 and I didn't have 1, then it would get an IP from VLAN 3 instead.

 

Now I go ahead and plug in switch B.

The connection is switch A, port 1 to switch B port 1.

Switch B has already been configured at this point, as follows:

Port 1 goes to switch A, port 2 is empty but I will pretend it goes to the next thing. Ports 3 to 8 are not used.

For VLAN 1 and 8 I configured port 1 to be tagged and port 2 to be untagged.

I put the unused ports 3 to 8 on dummy VLAN 500, including the PVID.

Port 2 doesn't have anything plugged in so it shouldn't matter what the PVID is, so I kept it as 1.

I disabled untagged traffic on port 1 by adding it to dummy VLAN 601.

To summarize for switch B, the only port that is plugged in is port 1, which belongs to VLAN 601-U, 1-T, and 8-T, with PVID 601.

 

Switch B should be able to get an IP from DHCP on VLAN 1 or on VLAN 8 but it doesn't and it is unreachable.

Even if I set the PVID from switch B, port 1 to be 1, it makes no difference.

Why doesn't it get an IP address?

In summary: pfSense VLAN 1 <> port5,vlan1-T,switch-A,vlan1-T,port1 <> port1,vlan1-T,switch-B

 

I take it one step further and assign a static IP by the DHCP of VLAN 1 and I assign the same static IP in switch B, but I still can't reach it.

 

Does anybody know what I'm doing wrong or something I can try to further troubleshoot this?

Message 1 of 9

Accepted Solutions
a01
Guide

Re: GS305E / GS308E VLAN 802.1Q issues

Hi schumaku, thank you very much for the response. You helped me solve my issue and it turns out I did not select the wrong product for my project, which would have been a shame because I bought a ton of those when the 5-port was only $15 and the 8-port was $28. I think I have over 10 in total, so I would have been bummed out.

 

The solution is that whichever VLAN is used for management, probably the lowest VLAN ID, in my case I'm using VLAN 1, the PVID of the parent switch of the port that is used to daisy chain them, perhaps called the trunked port or perhaps uplink, it needs to match that VID, so in my case 1, and that's it.

 

I just tried it by daisy chaining 3 of these switches, each one uses a single ethernet cable between them, and I'm pushing a whole bunch of VLANs all the way through and I'm able to access each of the switches and each of them is getting the IP from the DHCP of VLAN 1, so it is working beautifully, again in large part to what you wrote, so thank you again.

 

As a tribute to these wonderful switches a picture of my project. Bottom left is my current network which is a rats nest to say the least and at the top right is the new network that I'm building which uses VLANs and will be much better. Once it is done I will start migrating all my things over to the new one.
I can say it's a lot of fun to learn all this stuff and I really enjoy making my own cables too. Makes me feel like I know what I'm doing (even though I'm still a noob) haha.

Message 3 of 9

All Replies
schumaku
Guru

Re: GS305E / GS308E VLAN 802.1Q issues

To keep this discussion short and overseeable:

 

1. Most Plus switches (few exceptions only) are built on unmanaged switches, not on managed cores supporting a managed core and for example a proper management VLAN.

2. The device management is implemented (few core functions plus the configuration options on a Web UI) on a simple microcontroller, the complete IP stack, including DHCP, and the Web UI for configurations does work on untagged frames only. This does prohibit implementing a "dummy" management VLAN or using a tagged VLAN for the management or to connect a DHCP server over a tagged connection.

 

This should (or could) explain all "issues" - simply limitations of the switch design - you experience. This is how it was possible for Netgear (plus some other vendors offering similar products on the market) to implement such a switch for the cost of a naked unmanaged switch. End of the story.

 


@a01 wrote:

Does anybody know what I'm doing wrong or something I can try to further trouble-shoot this?


You selected the wrong switch product for your project.

Message 2 of 9
a01
Guide

Re: GS305E / GS308E VLAN 802.1Q issues

I'm still playing around with this, trying to find rhyme or reason how it works and I can't. I still get it to work but basically I have to try a bunch of different things and then eventually it works.

If anybody else is having trouble with it, here is another thing to try, which has worked for me:

5-port switch (GS305E), factory reset.

First I connected using the static IP. I added VLAN 8, put all ports on 8, all of them tagged except for the first one which I put as untagged. Set all PVIDs to 8. Took all ports off of VLAN 1. Not able to delete VLAN 1 but no ports are configured for it. Then cycled power and plugged port 5 into the pfSense machine. Waited 30 seconds, then plugged the management PC into port 1 (the untagged one). Both the switch and the PC got an IP from VLAN 8.

 

I took it one step further by adding VLAN 2 and again I added all ports to VLAN 2 in the same way, keeping port 1 untagged and the rest tagged, but I kept all PVIDs at 8. Cycled power and now the PC stayed on VLAN 8 but the switch got switched to an IP from VLAN 2. This again confirms to me that the lowest VLAN number is used to get the IP and regardless of the PVID.

 

If I didn't succeed, my next step would have been to add a sacrificial switch between the main switch and the pfSense to change over to the desired VLAN. This can be a backup solution. Next I will try it with the 8-port switch, I think it works differently.

Message 4 of 9
a01
Guide

Re: GS305E / GS308E VLAN 802.1Q issues

I needed to edit my post but wasn't allowed, so I have to reply to it.

With my last configuration what happened was that the switch itself was on VLAN 2 but the PC was on VLAN 8 (because of the PVID). I could no longer access the switch interface.

I took it back to the laptop where I have it set up to use the static IP of the switch (192.168.0.239) and this allowed me to get back in, then I made one change, which is to set up a special port for management. For this I changed port 3 to be untagged for VLAN 2 and I set the PVID to 2. Next I switched it back the way it was with a power-cycle and everything was the same way as before but now when I moved the management PC from port 1 to port 3, it got an IP from VLAN 2 and then I was able to access the switch interface. Note that I had to manually change https to http for it to come up.

 

There is probably another solution which is to forward the port within pfSense so that the PC on VLAN 8 can talk to the switch on VLAN 2 but the way I have it set up now I don't actually mind it. There will be 2 ports reserved for the PC, one is for normal use and the other one is if I need to manage the switches.

Next I will try it with the 8-port switch.

Message 5 of 9
a01
Guide

Re: GS305E / GS308E VLAN 802.1Q issues

Now for the 8-port switch. As I had already suspected, it works differently. From a developer point of view I would have kept the 5 and 8 port running the same firmware, just one having 3 ports disabled, and I was under this assumption from day 1 but this is not the case. Despite both even having the same FW version (1.00.11EN for the 8-port).

 

I configured it the same way as the 5-port. All ports on VLAN 8 tagged, except port 1 VLAN 8 untagged. All PVIDs are 8. All ports removed from VLAN 1. Just like before the management PC got an IP from VLAN 8 but the 8-port switch actually got an IP from the untagged LAN. This is where the 5-port would have gotten an IP from VLAN 8 as well.

Then I did the same change as before, which was to include VLAN 2 and this time the 8-port switch still got an IP from the untagged LAN. The 5-port in this case would have switched to an IP from VLAN 2. The only thing that works the same is that when I switch the PC from port 1 to port 3 (the one set up as the management port), the PC does switch from VLAN 8 to 2 just like the 5-port did, but I still can't access the interface because the switch is on the untagged LAN.

To try and solve this issue I created a fake VLAN that exists only on the switch, VLAN 33. The port that goes to pfSense, which is port 8, is configured as untagged for VLAN 33. I created another management port, which is port 4, which is also untagged on VLAN 33. Then I set the PVID of port 4 also to 33.

This time when I switched the PC to port 4, it came out untagged on port 8 (this was expected despite tagged VLAN 2 and 8 on port 8), and now I was able to access the switch interface. The problem with this is that I don't want anything to use the untagged LAN and when everything is all set and done I will block the LAN and only allow my VLANs. The 8-port switch does not allow me to use a VLAN for it, but the 5-port switch does.

2 more key differences that I noticed:

When doing a factory reset using the reset button, the 5-port switch lights up all LEDs to show when this is done but the 8-port switch has no feedback.

The 5-port switch has an option that is under System->Maintenance->Access Control which lets me set an IP address (and mask?) presumably to only allow management from one PC. I think that's a nice feature and completely missing from the 8-port.

 

The conclusion is, and I will verify this in my next post, the 8-port switch can still be used for VLANs but it can't be the root switch. A 5-port switch (GS305E) must be used after pfSense/DHCP server and it can translate the untagged LAN from the 8-port switch to the proper management VLAN.

 

 

Message 6 of 9
a01
Guide

Re: GS305E / GS308E VLAN 802.1Q issues

The initial result of my test was successful and here is how it works:

pfSense <-> p1- 5-port switch (GS305E) - p2 <-> p1 - 8-port switch (GS308E)

The management PC is also plugged in the 5-port switch (on p5) and I got the 8-port switch on VLAN 1 and am able to access the interface from the PC.

 

The key configuration is that the PVID of the 5-port switch that goes to the 8-port is 1 (or whatever the management VLAN / lowest VID is supposed to be, in my case 1).

Here is the full configuration and I'm using VLANs 1, 2, 8, 10, and 20, starting with the 5-port:

Port 1 = 1T, 2T, 8T, 10T, 20T, 301U, PVID 301

Port 2 = 1T, 2T, 8T, 10T, 20T, PVID 1    (PVID 1 here is crucial)

Port 3 = 303U, PVID 303

Port 4 = 304U, PVID 304

Port 5 = 1U, PVID 1

To summarize, port 1 goes to pfSense, port 2 goes to the 8-port switch, port 3 and 4 are not used, port 5 goes to the management PC. 301, 303, and 304 are dummy VLANs that only exist on this switch and are not used.

 

Now the 8-port switch:

Port 1 = 1T, 2T, 8T, 10T, 20T, 401U, PVID 401

Port 2 = 1T, 2T, 8T, 10T, 20T, 402U, PVID 402

Port 3 = 403U, PVID 403

Port 4 = 1U, PVID 1

Port 5 = 2U, PVID 2

Port 6 = 8U, PVID 8

Port 7 = 10U, PVID 10

Port 8 = 20U, PVID 20

To summarize, port 1 goes to the 5-port switch, port 2 is not used but would connect to the next switch, port 3 is not in use, ports 4 through 8 are for testing.

 

The way to think how this works is that when the 8-port switch requests the IP it will come out untagged and it reaches the 5-port switch and because of the PVID 1 it will get tagged to VLAN 1 and then it goes out through ports 1 and 5 (on the 5-port switch) and the DHCP server (pfSense picks it up from port 1 tagged as VLAN 1). Then that IP goes back in tagged format all the way to the 8-port switch and everybody is happy.

 

 

 

Message 7 of 9
a01
Guide

Re: GS305E / GS308E VLAN 802.1Q issues

I have one last test to report. I continue where I left off except now I'm adding a 2nd 8-port switch at the end, so it looks like this:

pfSense <-> 5-port <-> 8-port-A <-> 8-port-B

I configure the latest 8-port-B switch the same way as the one before, except for the dummy VLANs I'm going with 501, 502, and 503 instead of 401, 402, and 403, otherwise 100% the same config.

As I expected at first I was not able to reach the interface of the new switch. The reason is that it plugs into 8-port-A, port 2, which has PVID 402, which means untagged incoming traffic leads to nowhere and as such the new 8-port switch is not able to get an IP. All I had to do was switch the PVID to 1 (on 8-port-A switch, port 2) and then it started working, where the new switch got an IP from VLAN 1.

 

As a sanity check to show that the 5-port switch works better with VLANs I added one more switch to the end like this:

pfSense <-> 5-port-A <-> 8-port-A <-> 8-port-B <-> 5-port-B

I configured it almost the same as 5-port-A except I'm making port 2 unused and calling it the end of the line.

Port 1 = 1T, 2T, 8T, 10T, 20T, 601U, PVID 601

Port 2 = 602U, PVID 602

Port 3 = 603U, PVID 603

Port 4 = 604U, PVID 604

Port 5 = 1U, PVID 1

 

This worked and I'm able to access the switch interface despite the fact that this switch connects to 8-port-B, port 2, which is configured with PVID 502. As expected in this case the 5-port switch must be using VLAN 1 tagged to get the IP.

To summarize countless hours of tinkering:

A) The first switch has to be a 5-port and after that it doesn't matter.

B) Any port that connects to an 8-port switch needs to have the management VLAN as the PVID.

Message 8 of 9
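
The PVID behaviour reported in messages 7 and 8 can be checked with a small 802.1Q forwarding model. This is an added example, not part of the original posts and not NETGEAR firmware logic: the port tables are copied from those two messages, while the model (classification of untagged frames by PVID, ingress filtering, and a downstream switch that sends its management frames untagged) and all function names are assumptions.

```python
# Added example: minimal 802.1Q ingress/egress model (assumed behaviour).
def parse_port(spec):
    """'1T, 2T, 301U, PVID 301' -> ({1: 'T', 2: 'T', 301: 'U'}, 301)"""
    members, pvid = {}, None
    for item in (s.strip() for s in spec.split(",")):
        if item.upper().startswith("PVID"):
            pvid = int(item[4:].strip(" ="))
        else:
            members[int(item[:-1])] = item[-1].upper()
    return members, pvid

def load(table):
    return {port: parse_port(spec) for port, spec in table.items()}

def with_pvid(switch, port, pvid):
    """Copy of the switch with one port's PVID changed."""
    changed = dict(switch)
    changed[port] = (switch[port][0], pvid)
    return changed

def forward(switch, in_port, tag=None):
    """Return {egress_port: tag or None} for a frame entering in_port.
    tag=None means the frame arrives untagged and is classified by the PVID."""
    members, pvid = switch[in_port]
    vid = pvid if tag is None else tag
    if vid not in members:      # assumed ingress filtering
        return {}
    return {port: (vid if m[vid] == "T" else None)
            for port, (m, _) in switch.items()
            if port != in_port and vid in m}

TRUNK = "1T, 2T, 8T, 10T, 20T"
# 5-port switch from message 7 (port 1 = pfSense, port 2 = 8-port switch).
FIVE = load({1: TRUNK + ", 301U, PVID 301", 2: TRUNK + ", PVID 1",
             3: "303U, PVID 303", 4: "304U, PVID 304", 5: "1U, PVID 1"})
# 8-port-A from messages 7 and 8 (port 1 = uplink, port 2 = next switch).
EIGHT_A = load({1: TRUNK + ", 401U, PVID 401", 2: TRUNK + ", 402U, PVID 402",
                3: "403U, PVID 403", 4: "1U, PVID 1", 5: "2U, PVID 2",
                6: "8U, PVID 8", 7: "10U, PVID 10", 8: "20U, PVID 20"})

if __name__ == "__main__":
    # Untagged management frame from the 8-port switch entering the 5-port.
    print("5-port p2, PVID 1:   ", forward(FIVE, 2))
    # Untagged frame from 8-port-B entering 8-port-A p2 with the dummy PVID.
    print("8-port-A p2, PVID 402:", forward(EIGHT_A, 2))
    # Same frame after changing that PVID to the management VLAN.
    print("8-port-A p2, PVID 1:  ", forward(with_pvid(EIGHT_A, 2, 1), 2))
    # Untagged LAN traffic from pfSense dies in dummy VLAN 301.
    print("5-port p1, untagged:  ", forward(FIVE, 1))
```

In the output, an empty result means the frame has no egress port: the dummy PVIDs black-hole untagged traffic, which is why a downstream switch whose management stack only speaks untagged needs the management VLAN as the PVID of the port it plugs into.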
a01
Guide

Re: GS305E / GS308E VLAN 802.1Q issues

I made 2 more findings to share. What happens when the 5-port switch (GS305E) can reach 2 different DHCP servers?

In this case server A and server B, whereas server A is meant to pass-through for other things but server B is the actual one that is supposed to be used, like for the switch management.

It looks like this:

DHCP - A <---> [port 1, 33U, PVID = 33 ... port 2, 1T, 2T, 8T, 10T, 20T, 33T, PVID=542] <---> DHCP - B

Initially the switch tries to get the IP from B because presumably it is available via the lowest VLAN ID. However, what happens if B isn't available? In my case, A is a simple router and B is a PC running pfSense. If there were a power outage (I have a UPS, but ignore that, or assume the outage is longer), DHCP A will probably be online before B. In this case the switch gets the IP from A and sticks with it.

The second thing I noticed, if this happens, it appears I can not access the switch interface from the A-IP. I can only guess that the interface is still looking for VLAN 1 and the IP of the switch is now from VLAN 33. To me this is hardly because of performance of the processor, this just sounds like a firmware bug. I can look past that because I only paid $15 for these switches, just something to keep in mind.

Switch A is a GL-AR750S-Ext with openWRT / luci. I first attempted to block the switch from getting an IP address. This continuously failed or maybe it was already too late to try and block it because it had already received a session, I don't know. I attached a screenshot of my attempts, all of which failed.

a01_0-1692382780724.png

This is when I went to plan-B and set a static IP in the switch. I always use static IPs but I like it when they come from the DHCP server, I don't know why, this is why I didn't do that sooner. As expected this worked great.

My last test was like this: Plug in switch, wait 1 minute, plug in to DHCP - A, wait another minute, then plug in to DHCP - B and try to access the switch (from B) and it worked right away.

This finally concludes the skeleton setup of my new network. Everything from here will be straightforward stuff in pfSense and physically connecting stuff up.

 

Message 9 of 9