DEC2752: Getting switch online

[Flattery6100]

Hi!  I'm setting up a new DEC2752.  I've set up VLANs for one of the ethernet ports and set up firewall rules.  I've now plugged a small managed switch into that port to try to get it online.  I see the switch's static IP in DHCP leases, but it shows as offline and I can't ping it.  I tried factory resetting the switch but it behaves the same.

I don't have anything on the base interface for the port, just the VLAN interfaces, which I think is correct.  What do I need to do to allow the switch to communicate?

Thanks!

[Flattery6100]

I've tried hooking up to the switch and setting up the ports like so:

PORT 1:  Untagged VLAN 1
PORT 2:  Untagged VLAN 10
PORT 3:  Untagged VLAN 20
PORT 4:  Tagged VLANs 10, 20, 25
PORT 5:  Tagged VLANS 10, 20, 25

I've also tried adding VLAN 1 as Tagged or Untagged on PORT 5.

PORT 5 is intended to be the link to the firewall.
PORT 4 is for a wireless AP.
PORTS 1-3 are for a direct machine connection.

If I plug into PORT 1, I can access the switch and nothing else.
If I plug into PORT 2, I can't access anything.

[Flattery6100]

The switch is intended to be in VLAN 2 on the firewall, with VLAN 99 as the management VLAN (though I've also got VLAN 10 allowed to get to everything while I'm trying to get this set up).

[Flattery6100]

I tried setting the PVID, since I do have that set in the pfsense I'm migrating from, and I think that let me get an IP assigned via DHCP from opnsense, but I can't do anything beyond that.

[Flattery6100]

Running a packet capture does show traffic, so.. enabling logs on rules to see if any of them are being hit.

[Flattery6100]

Logs show that everything is being passed.  wtf?

[Flattery6100]

Okay, I restarted the firewall and the switch, and - I was able to hit google.com once from browser (and also dig it once from the terminal), then it all went back to not working.

Any ideas?

[va176thunderbolt]

I've done something similar before, except I setup a port on the firewall with all of the clans tagged, and another on my switch with all of the clans tagged. I then assigned switch ports to whatever clan I wanted the connected device to be in.

The vlans for you switch (2 and 99) are not defined on the firewall, is vlan 10 defined on the swithport connected to the firewall?

[Flattery6100]

All of the VLANs are defined on the firewall and assigned as children of the port that the switch is connected to.  The port itself is unassigned.

I took the switch back to my apartment to test it in a known-good environment and it works perfectly without any changes, so it's clearly something on the firewall.  I will bring the switch back with me tomorrow morning to see what I can figure out.

[Flattery6100]

So that we have it for tomorrow:

PORT 1: Untagged VLAN 1
PORT 2: Untagged VLAN 10
PORT 3: [ignoring]
PORT 4: Untagged VLAN 2, Tagged VLANs 10, 25, 99
PORT 5: Untagged VLAN 1, Tagged VLANs 2, 10, 25, 99

PORT 5 is the trunk to the firewall.
PORT 4 is the trunk to a wireless AP.

From the VLAN perspective:
VLAN 1: Untagged PORTs 1, 5
VLAN 2: Untagged PORT 4, Tagged PORT 5
VLAN 10: Untagged PORT 2, Tagged PORTs 4, 5
VLAN 25: Tagged PORTs 4, 5
VLAN 99: Tagged PORTs 4, 5

PVIDs:
PORT 1, VLAN 1
PORT 2, VLAN 10
PORT 4, VLAN 2
PORT 5, VLAN 1

[Flattery6100]

I definitely get correctly mapped, since I get a 192.168.10 address, and the firewall rules look right as well (just found that you can go to the interface and expand the group rules, which is where I have all rules defined).  I'm at a loss.  Is there something I can look at / some info I can provide to help figure out why I can't get anywhere when coming in via the trunk port?

[Flattery6100]

I'm going to cry.  I restarted the firewall and it's working.  I am connected to the VLAN 10 port on the switch and able to get around both inside and outside the network.

[Flattery6100]

As they say, problems that go away on their own come back on their own. I can restart the firewall and get it working for a time, but it keeps breaking and needing a restart. Any ideas? Any logs to look at?