pfSense and Cisco SG350 managed switch - help needed on setup. Especially VLAN's

[The Dark Knight]

So I've had a home server running for a while now that has pfSense in a Hyper-V instance. Had a few unmanaged switches, WiFi AP's etc, and all was working perfectly.

 

However I got a Cisco SG350-28 managed switch today, and just cannot figure out how to setup VLAN's. It works out of the box as an unmanaged switch by default perfectly. But obviously, I don't want it to do just this. Please can the networking gurus on Neowin help me set this up? I'm trying VLAN's for the first time in my life! 

 

Got 2 NIC's on the server, 1 for WAN and 1 for LAN. The LAN port is connected to the Cisco switch on the last port. I've tried setting up like in the steps mentioned below, but it doesn't work. So obviously I've done something wrong. Just can't figure out what. The switch is already updated to the latest firmware and is getting its IP through DHCP from pfSense.

 

Created VLAN in pfSense with a tag of 20

Created an interface for it, binding it to my LAN

Enabled DHCP server for the VLAN and specified the pool

Created a firewall rule to allow all WAN traffic - source and port is any, destination is WAN address and any port. Is this correct?

 

The Switch is where it gets totally confusing! I've tried multiple tutorials online, nothing worked. Have already reset the switch to factory settings 5 times till now! 

 

Please help!

[Mindovermaster Moderator]

I'm not as good as budman, but are you creating VLANs on your switch or server? Because I think you have to allow that on the switch as well as the server.

 

Just my 2 cents...

[The Dark Knight]

I've tried both. Tried some tutorials I found online, they mention that VLAN's have to be setup on pfSense and the switch. I think I've got the pfSense part right (not fully sure though). Where I'm totally stuck is the switch configuration.

 

Have asked BudMan on PM, but I think he's busy just now.

[+BudMan MVC]

33 minutes ago, The Dark Knight said:

Created a firewall rule to allow all WAN traffic - source and port is any, destination is WAN address and any port. Is this correct?

No that would only allow access to your Wan address..  Internet is always going to be ANY..

 

Post up your configuration in pfsense, and your config on your ports in your switch... From your PM if your dicking with that L2 or L3 mode per port I think you are going about it the wrong way...

 

But any vlan you tag on pfsense would need to be tagged on the trunk port you have connected to your switch..

 

I can post up example of my vlan setup on my sg300 and pfsense if you need.

[The Dark Knight]

Thanks BudMan! Here are the screenshots:

 

 

 

 

 

Cisco screenshots:

 

 

I've connected pfSense to the switch on port 26 which is slightly separated on the switch physically to help differentiate it easily. Clicking on Edit for that port under Interface Settings gives me the above options.

 

 

Here I've got Port 6 which has my WiFi AP plugged in, on which I want to create a restricted VLAN for internet access only. These are the settings when I click on Join VLAN under Port VLAN Membership.

 

Do I need to add or edit anything in the section below? I actually want to disable VLAN1. Read online somewhere where someone created a VLAN just for the management interface. This is not crucial though, but would be nice to have. So that it is separated from my primary unrestricted LAN as well.

 

 

And should I leave SmartPort enabled or turn it off?

 

 

 

I've reset the Switch to factory defaults. I didn't try setting L3 on any individual ports, but I did end up getting locked out several times. Hence the multiple resets.

[sc302 Veteran]

1 you need to be able to route for vlanA to have access to vlanB.  

 

Sg switches are generally configured for layer2 with the option to be able to set it to layer3.  Once you set to layer3 the switch can act as a router.  This isn't needed in your case just information for you.  

 

What you need to do is to set your vlans on your pfsense, this will do the intravlan routing and will make your pfsense box your router (no need to switch over the switch into layer3 mode).  

 

Once you have configured your lans on the pfsense box you will have to trunk those networks over to your switch.  Once trunked to your switch, you can create the vlan database on your switch to be able to support those vlans.  Then you can assign ports to talk to those specific vlans by creating access ports, and those access ports will be tagged with the correct vlan.  

 

To understand this better, Trunk (tagging) happens between two switches when you want to encapsulate vlans...Access (untagged) happens between a switch and a device (computer, tablet, phone, refrigerator, toaster, etc).  Default vlan on a trunked port states that the device on the other end will communicate as an untagged and tagged device allowing for trunks to be encapsulated as well as standard packets to go across to the device, usually to manage the device as part of a management vlan.    To put it more simply, Access is for your devices that you can hold in your hand (touch and feel).  Trunking is for encapsulating vlans between switches and only between switches or systems that have the logic to be switches (vmware, hyperv, firewalls, etc).

[+BudMan MVC]

From what I am reading about the current firmware for the sg350's is they now default to layer 3 mode.. But doesn't matter you can still use them as just layer 2.

 

You shouldn't be doing any routing on your switch... Do the routing on pfsense.

 

Your interface connected to pfsense need to be in trunk mode.. Native untagged wold be vlan 1 in your case, and the vlan tagged would be vlan 30

[The Dark Knight]

Thanks for the responses, sc302 and BudMan! I've now understood the basic differences between Trunks, Access ports, etc. However the options in the Switch are still quite overwhelming. If you don't mind, could you please explain step by step what I need to do to setup 1 VLAN on the switch? I'll do the rest then. 

 

I deleted all the earlier configs in pfSense, and put it back to how it was when I had an unmanaged switch. Then I went ahead and setup one VLAN, an interface for it, and the firewall rules. Screenshots below. Are the firewall rules correct this time?

 

 

 

 

 

Also, since I run pfSense in Hyper-V, do I need to change anything in the following sections or I can leave them as it is?

 

 

 

 

 

[The Dark Knight]

In the Switch management now. So first, I create a VLAN like this. Is this correct? Does the name need to match with what I have on pfSense or just the ID will do?

 

 

Then under Interface Settings, I click on Edit for port 26, and get this. So I have to change this to Trunk? As mentioned earlier, pfSense is connected to the switch on this port. I hope I won't get locked out of the switch after changing this!

 

 

Do I need to change any of these under Port to VLAN?

 

 

After changing port 26 to Trunk, the screenshot below will say Trunk instead of Access. But what else do I need to set in here?

 

 

And finally, what settings are needed for port 6? My WiFi AP which I'll be using for the Restricted network is plugged in here.

 

[sc302 Veteran]

Work in pfsense first.  Gt that configured first.  Vlan1 is the default vlan, nothing to configure there.  Create your second vlan and give it an ip in pfsense. Don’t forget to set your dhcp for that second vlan. 

 

Then configure a port in pfsense to trunk the vlans over to the switch. On the switch configure the same vlan number in the vlan database.  Nothing you should have to do on the switch as all of the ports should be dynamic and auto sense. They know if they should be in trunk or access and what pfsense is trying to push. 

 

Fyi i dont like the GUI. Don’t know where to do things and IMO it isn’t laid out very logically. I spend more time trying to figure out where to put things vs just typing it out. Cli is much more logically laid out. But I get that looking at a blinking cursor with no understanding on how to get started is a bit overwhelming.  But it isn’t any more overwhelming than looking and the GUI and figuring out what to do, you simply have the option to click around in the GUI and do absolutely nothing or very little and a little satisfaction with drop downs vs knowing the commands. Let me give you a hint with the cli....”?” Brings up what you can do in the prompt you are in, just like looking at the GUI at all of the options but you need to be able to understand and comprehend the text in front of you, the descriptions of the commands sometimes are not very good to explain what to do next. 

 

 

[+BudMan MVC]

With sc302... If your vlan setup on pfsense?

 

I am not a fan of automatic or smartports, for for that matter general mode being set on a port.  Your port should be set as either access or trunk.  If you have 1 device connected to it then the port is ACCESS.  And you will set that port to be in what vlan you want it to be in.  Sure you can do some auto configuration of ports.. But to be honest that sort of configuration takes some prework, etc.  And is going to be more confusing that just understanding the basics of what a access port is, trunk and what the PVID is..

 

If there is a device like router or switch or accesspoint that will work with vlans.. Then the port is trunk.

 

Yeah you can do it from cli, but its going to be much easier for you via gui unless you have been working with these switches for years like sc302 or myself.. Yes the amount of function presented in the gui can be overwhelming..

 

Its really this simple..  So port connected to pfsense trunk, port connected to AP trunk.

 

Port 26 (pfsense) = Trunk, vlan 1 untagged vlan 30 tagged (1U,30T) pvid vlan 1

Port 6 (accesspoint) = Trunk, vlan 1 untagged, vlan 30 tagged (1U,30T) pvid vlan 1

 

Vlan 30 set on your SSID you want these restricted devices to connect too.

 

All your other ports would be either access vlan 1, pvid 1 or if you want a wired device to also be on this vlan 30 then access 30 untagged, pvid 30.

[The Dark Knight]

Thanls again for the rsponses guys!

 

I actually feel more alienated in a CLI than a GUI. Sure, something completely new like this, I completely agree with you sc302, I don't know most of the options in the GUI. But I still don't fell that lost as opposed to how I would be with a blinking cursor.

I've created the VLAN in pfSense already. I posted the screenshots above in my reply before yours. Where I lost you is when you said to create a port on pfSense to trunk the VLANs to the switch. I have no clue how to do that!

 

BudMan: Thanks! Ok, so I've disabled SmartPort completely. And understood the difference between Access and Trunk. In my setup, don't have an AP that understands VLAN's, so that would be Access only, and not Trunk. Yes, VLAN is setup in pfSense with an ID of 30. Screenshots of it in my reply above. Also, before I change the AP settings, I'm just testing the config changes using a laptop, and not the AP. And so I'm doing this on port 10 instead of port 6. I've tried setting it up again to match up like you said, with 1U, 30T on the pfSense port in Trunk mode. However it is still not working. I'm just getting an auto configuration IP of 169.254.131.238 on the laptop. Attaching screenshots below.

 

 

 

[sc302 Veteran]

But if you knew all that you had to do once you were in was type in the following

conf t

vlan 20

exit

exit

wr

 

to configure your vlan and have your switch function on vlan 30 wouldn’t that be so much easier than screwing with menus on top of menus to configure that?

a little effort and questioning is all it takes.  How many menus do you have to go through before you even get to the point where you can put that info in?

 

and here is how to configure a port:

conf t

int gi26

switchport mode trunk

switchport trunk allowed vlan 1,20

exit

exit

wr

 

the command "exit" gets you out of the prompt you are in.  "switchport mode" programs the port to either be in access or trunk.  'switchport trunk allowed vlan" tells the port what vlans to talk on (chances are the port is configured to allow all vlans to communicate).  

 

if you had a range of ports that you wanted to configure the same it would be

conf t

int range gi21-26

 

this would configure ports 21-26.

 

the command "wr" writes the config to memory so that when you reboot the switch, it will retain the config.  

 

Again, how many screens did you have to go through to configure that?

 

at the cli if you put in a command like "conf" followed by a "?" it will give you all of the possible additional verbs you can do with the root command

 

 

[+BudMan MVC]

Why does 26 have all those other vlans on it?  What are those I vlans 2-9I, 11-19I ?

 

Did you enable dhcp server on pfsense vlan 30?  What exactly are you plugging into port 10, you access point?  Plug say a computer or something into so you can validate your vlan is working.  Getting 169.254.x.x points to a dhcp client not getting an answer from dhcp server.

 

And sc302 is correct once you understand how it all is meant to work, and the IOS your using.. the ios that comes on smb switch is not the same as what is on a typical cisco catalyst switch.. I find myself trying to do normal cisco commands all the time and the wondering if I typed something wrong because it not working.. Then it dawning on me - oh yeah not full ios

 

Can you post the config from cli for those ports.

 

Here is my trunk to pfsense interface I run some vlans on

sg300-28#sho run int gi5
interface gigabitethernet5
 description "sg4860 WLan and vlans"
 switchport trunk allowed vlan add 3-4,6-7
 switchport trunk native vlan 2
!
sg300-28#

Here is an access port I have a pi on that is in my dmz vlan (3)

sg300-28#sho run int gi3
interface gigabitethernet3
 description pi-zero
 switchport mode access
 switchport access vlan 3
!
sg300-28#

Here is a connection to my PC, that is just in my default vlan (9 in my case)... Enterprise habit of disable vlan 1, and use specific vlans.

 

sg300-28#sho run int gi28
interface gigabitethernet28
 description I5-win
 switchport mode access
!
sg300-28#

On my switch vlan 1 has been disabled, and my native management vlan is 9.. To match up to the IP space being used... So for example vlan 3 is 192.168.3/24, vlan 2 is 192.168.2/24 and vlan 9 or my default vlan that all my trusted stuff is in 192.168.9/24

[sc302 Veteran]

yea the sg series is a little different, but so is LAN Base from LAN Lite from IP Base from IP Lite.  not all commands cross over, some versions commands are depreciated vs others work just fine and can't use the newer version of the command.  iOS is really a mess as a whole and can't really be considered iOS anymore as a language that you know.

[The Dark Knight]

26 minutes ago, sc302 said:

to configure your vlan and have your switch function on vlan 30 wouldn’t that be so much easier than screwing with menus on top of menus to configure that?

a little effort and questioning is all it takes.  How many menus do you have to go through before you even get to the point where you can put that info in?

I completely get what you're saying...but I still prefer the GUI any day. It's the primary reason I'm running Windows as the host on this machine instead of Linux. Linux is mostly CLI. The GUI is only fine for very basic stuff.

3 minutes ago, BudMan said:

Why does 26 have all those other vlans on it?  What are those I vlans 2-9I, 11-19I ?

 

Did you enable dhcp server on pfsense vlan 30?  What exactly are you plugging into port 10, you access point?  Plug say a computer or something into so you can validate your vlan is working.  Getting 169.254.x.x points to a dhcp client not getting an answer from dhcp server.

 

And sc302 is correct once you understand how it all is meant to work, and the IOS your using.. the ios that comes on smb switch is not the same as what is on a typical cisco catalyst switch.. I find myself trying to do normal cisco commands all the time and the wondering if I typed something wrong because it not working.. Then it dawning on me - oh yeah not full ios

I seriously have no idea....I didn't create any of those VLAN's. Yes, enabled DHCP on pfSense for VLAN30. Currently just trying with a laptop on port 10, not an AP. If you don't mind, and are free, could you connect over Teamviewer and take a look? Would be very grateful!

 

True, but for you guys this is like second nature as these are your fields of work. I am just a creative guy who also happens to like all this stuff, so keep experimenting with things. And since I'm creative, I also prefer GUI's. 

[sc302 Veteran]

14 minutes ago, The Dark Knight said:

I completely get what you're saying...but I still prefer the GUI any day. It's the primary reason I'm running Windows as the host on this machine instead of Linux. Linux is mostly CLI. The GUI is only fine for very basic stuff.

I seriously have no idea....I didn't create any of those VLAN's. Yes, enabled DHCP on pfSense for VLAN30. Currently just trying with a laptop on port 10, not an AP. If you don't mind, and are free, could you connect over Teamviewer and take a look? Would be very grateful!

 

True, but for you guys this is like second nature as these are your fields of work. I am just a creative guy who also happens to like all this stuff, so keep experimenting with things. And since I'm creative, I also prefer GUI's. 

creative = thinking outside of the box

 

creative = figuring things out

 

creative = taking on challenges

 

creative /= playing with predefined pictures and clicking around.  That is how a child figures things out, not a creative mind that likes to design.

 

FWIW, I too like guis when they makes sense.  The cisco gui doesn't make a whole lot of sense.  

 

Also, linux is gui...the fear of the command  line makes you think otherwise from what you have heard yet fear to experience.    

 

here is a ubuntu desktop, it is a linux fork...plenty of things for you to click around in.

 

here is linux mint, also plenty for you to click around in.

 

[+BudMan MVC]

I would be up for a TV session sure - but I have to leave for work here in few minutes.. But unless something major comes up at work.. Pretty sure could find some time today when I get there... I will ping you here when I get in..  I am in Central timezone it is currently 8am.. Couple of hours from now should work for the TV session... Ping you when get there - my cal is pretty open this morning.. So unless something hits the fan should be free

[c.grz]

I'd say it takes a logical mind to understand CLI and that the creative types prefer the GUI.

[sc302 Veteran]

2 minutes ago, c.grz said:

I'd say it takes a logical mind to understand CLI not creative and that the creative types prefer the GUI.

It takes a logical mind to do any of this.  It takes a creative mind to figure things out.  A truly creative mind isn't limited by interface, but simply challenged by it.  To do what I do it takes not only a logical mind but a creative mind where the limit is only my capability of understanding.

[c.grz]

1 minute ago, sc302 said:

It takes a logical mind to do any of this.  It takes a creative mind to figure things out.  A truly creative mind isn't limited by interface, but simply challenged by it.

My experience differs so we shall say your opinion is right for you and my opinion is right for me.

[The Dark Knight]

14 minutes ago, sc302 said:

creative = thinking outside of the box

 

creative = figuring things out

 

creative = taking on challenges

 

creative /= playing with predefined pictures and clicking around.  That is how a child figures things out, not a creative mind that likes to design.

 

FWIW, I too like guis when they makes sense.  The cisco gui doesn't make a whole lot of sense.  

 

Also, linux is gui...the fear of the command  line makes you think otherwise from what you have heard yet fear to experience.    

 

here is a ubuntu desktop, it is a linux fork...plenty of things for you to click around in.

 

 

here is linux mint, also plenty for you to click around in.

 

 

Again, agree with you. I did try setting up on my own, which is how I've learnt whatever I've learnt all these years. I do use Linux CLI, in fact I've learnt quite a bit about it (although still a beginner compared to others) in the recent past. I use Pi-hole, NextCloud, Plex, etc...all on Linux. Other than Pi-hole, everything else is on Ubuntu Server, which is pure CLI. But I've reached there after months of hunting for information, trying and failing, strating over multiple times, etc. But for this, I would still prefer using the GUI, simply because it is there, and everything can be managed using it. I will definitely look into the CLI for it, but just not now. At least want to have it up and running and serving the basic need for which I bought it, to isolate my devices and traffic. 🙂

[The Dark Knight]

12 minutes ago, BudMan said:

I would be up for a TV session sure - but I have to leave for work here in few minutes.. But unless something major comes up at work.. Pretty sure could find some time today when I get there... I will ping you here when I get in..  I am in Central timezone it is currently 8am.. Couple of hours from now should work for the TV session... Ping you when get there - my cal is pretty open this morning.. So unless something hits the fan should be free

Thanks a LOT BudMan! 👍👍😃

I'm on IST, so 7:45pm over here currently. Can stay up till 1 am before I drop! 😄

 

Look forward to your revert!

 

I've reset the Switch to factory, again. Wow, 9 times since yesterday! 🤣

[sc302 Veteran]

5 minutes ago, c.grz said:

My experience differs so we shall say your opinion is right for you and my opinion is right for me.

it is a bit closed minded don't you think, that the only way to be creative is to point and click around in a predefined environment?

 

artists are creative, they start with blank canvases.  They usually don't start with connect the dots when they are creating art.

[c.grz]

21 minutes ago, sc302 said:

it is a bit closed minded don't you think, that the only way to be creative is to point and click around in a predefined environment?

 

artists are creative, they start with blank canvases.  They usually don't start with connect the dots when they are creating art.

Since when were we discussing art? We're discussing CLI vs GUI.