Question: GS110TP VLAN assistance?

shanedude02

Distinguished
Mar 12, 2013
64
0
18,530
Okay, so I have pfSense running with 3 VLANs:
1 - Data
10 - CCTV
20 - Guest
All network scopes set up with DHCP servers.
Port group created with all 3 VLANs.

Goes off to a GS110TP, into port 8.
Port 8 is untagged VLAN 1, tagged 10 and 20, PVID is set to 1.

I have a couple of Ruckus APs, 2 SSIDs, data + guest.
The Data SSID's VLAN I've left as 1 on the Ruckus.
The Guest SSID's VLAN I've set as 20 on the Ruckus.
The Ruckus APs are in ports 4 and 5.
I've got Data untagged, Guest tagged, PVID as Data (1).
Data's SSID works fine; Guest, no contact to DHCP...
Tried:
Untagging 4 and 5 for VLAN 20 and 1, no cigar, as well as tagging both.
It's almost like it's stripping out the VLAN tags at the PVID section.

Is this by design, or have I got something misconfigured?
 
You can only have 1 untagged VLAN on a port. Most switches give you a warning or won't allow the configuration if you try 2 different VLANs untagged.

Try a more simple test to start. Set port 4 to VLAN 20 untagged. This is now a simple end-device port. Plug a PC into it and make sure you get an IP from the DHCP server from the range you set up for VLAN 20.

If this does not work then the problem is in the pfSense setup; it could be the VLAN stuff, likely related to the virtual IP address or the DHCP setup.

It should in theory work with both the AP and the switch ports set to VLAN 1 untagged and VLAN 20 tagged.

It has been a while since I did it, but Microsoft supports VLAN tags in Windows. You should be able to test using a PC connected to the port and set the VLAN to 20 tagged. Just a different test device to see if it is the AP config causing the issue.
 

shanedude02

The 1 untagged VLAN on a port, this is exactly what I thought, but the switch had me questioning myself because it let me do 2...

VLANs pfSense side are working because I did try what you've said with the network adapter and setting it there; it drops me into the correct pool if the port is untagged 20 as well as PVID 20...
 
I have not used Ruckus stuff so I am unsure if there is any strangeness to how you have to set this up.

Be a bit careful about setting the PVID. An untagged VLAN, like it says, does not have a tag. Most times you can leave this default....it is used for strange configurations where you can set the PVID to not match the VLAN number.

So let's say in addition to your configuration you have 2 PCs and you hook them on ports 6 & 7 with both those ports set to VLAN 20 untagged. The PC by default has no concept of VLANs and there is no tag field in the packet. Note the tag does not even exist; it is not blank or 1 or 20, it does not exist at all.

So if the PC on port 6 sends a packet to the PC on port 7 the data just comes in port 6 and is forwarded to port 7. No concept of VLAN tags exists. The switch has a different MAC address forwarding table for each VLAN. But if the PC on port 6 wants to talk to a PC connected via wifi on the Ruckus, the switch will add a tag with the number 20 in it as it sends it out port 5, for example. The Ruckus should receive this packet, remove the VLAN tag completely and send it to the end PC on the wifi.
 

shanedude02

The bit that I think is throwing this all off is the PVID part, but I'm not too sure.

On an Aruba switch with a Unifi AP, what I'd usually do is untag the port in a "management" VLAN to drop the AP into there, and then tag all the VLANs corresponding to the SSIDs.

This is what I'm trying to do with the Netgear and Ruckus and it's not playing ball, but the Netgear also has the requirement for a PVID... -- My thinking with this was maybe tag the 2 VLANs I wanted and set the PVID to the "management" VLAN, but apparently not haha...

The Netgear seems to ignore the untagged ports and go with what's set in the PVID, unless I'm missing something major out somewhere.
 
PVID is used for 2 main purposes. First, it is the number that is placed inside the packet on a tagged connection. The second is it is used to identify what Cisco calls the "native" VLAN. It is the number that is used to associate the traffic that is untagged on a port.

What makes this somewhat confusing is you can actually assign a PVID of 50 to VLAN "10". The default names of VLANs are numeric and match the PVID by default on most switches. You also on many switches can add another name that can use any characters you want. This is all for display purposes; only the PVID matters.

All this fancy ability does not mean much to someone with 1 switch or someone using consumer-grade switches. The fancy commercial switches have ways to coordinate all these names and PVIDs across multiple platforms. This is mostly related to spanning tree, which you don't care about when you do not have multiple devices.

On home equipment you can call a PVID xxxxxxx on one switch and yyyyyyy on another and it will work fine; it is just confusing.
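
The forwarding behaviour described in the two replies above (an untagged frame has no tag at all, the switch keeps a separate MAC table per VLAN, adds a tag on egress to a tagged member port and the AP strips it) plus the one-untagged-VLAN-per-port rule from the first reply, as a small Python model. This is an added illustration, not code from the thread or from Netgear, pfSense or Ruckus, and it follows standard 802.1Q semantics: the PVID is the VLAN assigned to a frame that arrives without a tag, and the VID written into an egress tag is the VLAN the frame was classified into on ingress. Port numbers and VLAN IDs are the ones from the original question; the MAC addresses, payloads and the Port/Switch classes are constructed for the example. Running it shows the case the thread turns on: a guest client's frame arriving on port 4 tagged 20 fans out within VLAN 20 (tagged towards pfSense on port 8, untagged to the two PCs), while the same frame arriving untagged (assumed here to be what the AP emits in access-port mode) is claimed by PVID 1 and lands in the data VLAN instead.

```python
"""Model of 802.1Q ingress classification and egress tagging on a small managed switch.

Added illustration for this thread; not code from the original posts or from
Netgear, pfSense or Ruckus. Port numbers and VLAN IDs follow the thread's config;
MAC addresses and payloads are constructed here.
"""
import struct
from dataclasses import dataclass, field

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag


@dataclass
class Port:
    pvid: int                                   # VLAN given to untagged ingress frames
    untagged: set = field(default_factory=set)  # VLANs transmitted without a tag
    tagged: set = field(default_factory=set)    # VLANs transmitted with a tag

    def members(self):
        return self.untagged | self.tagged


def port_config_error(num, port):
    """Return a description of a misconfiguration, or None if the port is sane."""
    if len(port.untagged) > 1:
        return f"port {num}: only one untagged VLAN is allowed, got {sorted(port.untagged)}"
    if port.untagged & port.tagged:
        return f"port {num}: VLAN(s) {sorted(port.untagged & port.tagged)} both tagged and untagged"
    if port.pvid not in port.members():
        return f"port {num}: PVID {port.pvid} is not a member VLAN, untagged ingress would be dropped"
    return None


def build_frame(dst, src, payload, vid=None, ethertype=0x0800, pcp=0):
    """Ethernet frame; when vid is given, an 802.1Q tag is inserted after the MACs."""
    frame = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    if vid is not None:
        tci = (pcp << 13) | (vid & 0x0FFF)  # TCI = PCP(3) | DEI(1) | VID(12)
        frame += struct.pack("!HH", TPID_8021Q, tci)
    return frame + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return (dst, src, vid or None, ethertype, payload)."""
    dst, src = frame[0:6].hex(":"), frame[6:12].hex(":")
    etype = struct.unpack("!H", frame[12:14])[0]
    if etype == TPID_8021Q:
        tci = struct.unpack("!H", frame[14:16])[0]
        etype = struct.unpack("!H", frame[16:18])[0]
        return dst, src, tci & 0x0FFF, etype, frame[18:]
    return dst, src, None, etype, frame[14:]  # no tag field exists at all


class Switch:
    def __init__(self, ports):
        for num, port in ports.items():
            err = port_config_error(num, port)
            if err:
                raise ValueError(err)
        self.ports = ports
        self.fdb = {}  # (vid, mac) -> port: one learning table per VLAN

    def receive(self, in_port, frame):
        """Classify on ingress, learn the source, forward. Returns {out_port: frame}."""
        dst, src, vid, etype, payload = parse_frame(frame)
        port = self.ports[in_port]
        if vid is None:
            vid = port.pvid  # untagged frame: the PVID decides which VLAN it joins
        if vid not in port.members():
            return {}  # ingress filtering: tag for a VLAN this port does not carry
        self.fdb[(vid, src)] = in_port
        known = self.fdb.get((vid, dst))
        if known is not None:
            targets = [known]
        else:  # unknown or broadcast destination: flood, but only within the VLAN
            targets = [n for n, p in self.ports.items() if vid in p.members()]
        out = {}
        for num in targets:
            if num == in_port:
                continue
            egress_vid = None if vid in self.ports[num].untagged else vid
            out[num] = build_frame(dst, src, payload, egress_vid, etype)
        return out


def thread_switch():
    """The GS110TP port layout from the question, plus the two PCs from the reply."""
    return Switch({
        8: Port(pvid=1, untagged={1}, tagged={10, 20}),  # uplink to pfSense
        4: Port(pvid=1, untagged={1}, tagged={20}),      # Ruckus AP
        5: Port(pvid=1, untagged={1}, tagged={20}),      # Ruckus AP
        6: Port(pvid=20, untagged={20}),                 # PC in the guest VLAN
        7: Port(pvid=20, untagged={20}),                 # PC in the guest VLAN
    })


def egress_vids(out):
    """{port: vid-or-None} view of a receive() result."""
    return {num: parse_frame(f)[2] for num, f in out.items()}


if __name__ == "__main__":
    sw = thread_switch()
    bcast, guest = "ff:ff:ff:ff:ff:ff", "02:00:00:00:00:20"
    discover = b"DHCPDISCOVER"  # constructed stand-in for a real DHCP payload
    # AP in trunk mode: the guest client's frame arrives tagged 20 and stays in VLAN 20
    print("tagged 20 in on port 4:", egress_vids(sw.receive(4, build_frame(bcast, guest, discover, vid=20))))
    # AP emitting the same frame untagged: PVID 1 claims it, so it ends up in the data VLAN
    print("untagged in on port 4: ", egress_vids(sw.receive(4, build_frame(bcast, guest, discover))))
```

The two-untagged-VLAN check in port_config_error() is the one the GS110TP apparently did not enforce in the original post; it also flags a PVID that is not a member VLAN, because in this model (and on switches that do ingress filtering) untagged frames arriving on such a port are simply dropped, which looks exactly like "no contact to DHCP".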
 

shanedude02

Problem solved.
I blame Ruckus (Maybe a bit of me too)
Under the Ethernet ports config on the AP, I completely glossed over the dropdown which defaults to "Access Port". Changed it to "Trunk Port" and all good!
 
I think that's a you thing, not the Ruckus; if carrying multiple SSIDs and VLANs it has to be a trunk! What APs are they? You should grab yourself a 2nd-hand ZoneDirector, make life simple.