Messages

Good to know! Thnx! :)

Is this now A or B ?

The whole 'Administrative VLANs vs. Operational VLANs' thing still seems to have no exact purpose by the looks of it ?!

This is for B, but A has similar config just on different ports (e.g. B's port 7 = A's port 2, B's port 1 = A's port 8).

Regarding administrative vs operational, as far as I understand, admin ones are what you define in the config, and operational is based on who actually is a member of those VLAN. I didn't really test this part so I am not fully certain how it works. I just know that if in GUI Admin VLAN does not match Op. VLAN usually my setup is not working. So maybe it's used to indicate when you have issues in your config. E.g. You set X, but that's not happening based on your current setup (aka Operational VLAN), meaning something is not correctly set up.

GUI in SG250 is awful and I ended up doing updates via config files.

That's why I love Switches that have SSH access too : It's quicker and easier !!! :)

Could you post GUI screenshots of how it looks now with this new config ?

This one does have SSH access, and I presume that would have been easier, but I felt there were more chances I would mess something up this way. Certainly if you're comfortable to syntax then that's a way to go.

Here we go:

After 2 days of tinkering with Cisco switches I finally managed to get it to work. Actually GUI in SG250 is awful and I ended up doing updates via config files. In case someone ends up looking for similar config:

Port which connects to OPNsense (same config on the ports between 2 switches):

Code Select Expand

interface GigabitEthernet1
 switchport mode trunk
 switchport trunk native vlan none
 switchport trunk allowed vlan 10,20,30,40
Port where WiFI AP connects (AP lands on VLAN 10, and it can serve 2 different SSIDs - TRUSTED (20) and GUEST (40).

Code Select Expand

interface GigabitEthernet7
 switchport mode trunk
 switchport access vlan none
 switchport trunk native vlan 10
 switchport trunk allowed vlan 10,20,40

Port for my office (Proxmox on 10, VMs on 20, MacBook on 20, Brother printer is untagged and defaults to 30). I believe this config is insecure as Brother could in theory VLAN hop into 10 or 20 if it would tag its packets. So I need to get another managed switch.

Code Select Expand

interface GigabitEthernet5
 switchport mode trunk
 switchport access vlan none
 switchport trunk native vlan 30
 switchport trunk allowed vlan 10,20,30

Administrative and Operational VLANs ?! What's in a name ?!

This is what Cisco says:
• Administrative VLANs-Port is configured for these VLANs.
• Operational VLANs-Port is currently a member of these VLANs.

And real CISCO Switches also use the whole VLAN Trunk Database thing to allow/accept VLANs but I think that does not apply here ??

Indeed, I believe these are their simple small business switches.

I can't seem to even get it to work even on a single switch.. The IOT devices connect if I set VLAN 30 untagged, but I cant's seem to configure
the AP port (2nd port) properly.

Do I also add PVID 10 on Trunk ports where APs connect??

This depends on your APs. Since you mentioned, you have multiple SSIDs on them, I assume, that each has a VLAN assigned on the AP. In this case, the switch port has to be assigned as tagged tot the VLAN and no PVID set.

The PVID is responsible to tag incoming packets on the respective port. So you only need it to connect non-VLAN-aware devices to a VLAN.

So on trunk port #2 I set 20 and 40 as tagged and 10 as untagged, but it's not working. Perhaps I am not setting this properly in the interface.

Thanks! So I added PVID 30 on IOT access ports. Do I also add PVID 10 on Trunk ports where APs connect?? This didn't help with IOT devices auto-obtaining IPs.

Regarding you other suggestion, I set my static IP within the VLAN 10's range, and set the gateway, but I still can't reach anything on that subnet.

You're missing the PVID on the untagged switch ports.

For the wifi, what if you configure static IP and gateway on a device? Can you access the gateway and other devices, presumed, there are firewall rules allowing it?

Thanks! So I added PVID 30 on IOT access ports. Do I also add PVID 10 on Trunk ports where APs connect?? This didn't help with IOT devices auto-obtaining IPs.

Regarding your other suggestion, I set my static IP within the VLAN 10's range, and set the gateway, but I still can't reach anything on that subnet.

Also don't know if that matters but my switches by default are operating on layer 2 (it's possible to make them layer 3 I believe). But I would expect that OPNsense takes care of layer 3 stuff.

Hi everyone! I am attempting to make a setup with LAN and 4 VLANs.

In first room I have a Cisco SG250 switch (Switch A) with following desired config:

- Port 1 - connects to another Cisco SG250 switch which is located in a closet (Switch B).
- Port 2 - Grandstream WIFI AP connects here and should land on MGMT VLAN 10. The AP will have 2 SSIDs - one for TRUSTED VLAN 20 and one for GUEST VLAN 40.
- Port 3-7 - IOT VLAN 30 for IOT devices.

Closet switch desired config (Switch B):
- Port 1 - connects to OPNsense/Protectli on igc1 port (LAN interface)
- Port 2-6 - other non-VLAN aware devices (these land on 192.168.2.1/24 network)
- Port 7 - another Grandstream WIFI AP connects here which is on MGMT VLAN 10. This will be the slave AP for a first one and will have same 2 SSIDs, one for TRUSTED VLAN 20 and one for GUEST VLAN 40.
- Port 8 - here connects the Switch A

Right now when all is connected I see that AP is giving SSID on the network but if I connect I don't get the IP addresses (I had SSIDs configured previously). However, most of the IOT devices don't get an IP and I can't reach APs either (neither from OPNsense itself).

All the devices on LAN network work fine. When I connect manually to switch A on IOT port and do DHCP I do not get the IP.

There are separate Dnsmasq DHCP assignments running for each VLAN - 192.168.<VLAN_ID>.1/24 subnet.

Would appreciate any tips or hints on where I am going wrong with this.

OPNsense assignments:


Switch A:


Switch B: