Laptop & Managed Switch (TL-SG10) & VLANs

[z0rk]

Hello,

I am running OPNsense 22.7.10_2-amd64 on a desktop with three NIC cards: WAN, LAN (192), and LAN02 (172). I have to abandon this setup and switch to a laptop.

I understand that instead of using USB Ethernet adapters it's better to setup VLANs with a managed switch (https://forum.opnsense.org/index.php?topic=9363.msg42382#msg42382) like the TP-Link TL-SG10 series.

Setting up VLANs on OPNsense itself seems straightforward enough. I've looked at screenshots of the TL-SG10 configuration interface and read up a bit on the topic of VLANs (https://www.theregister.com/2017/06/30/vlans_at_20/).

Traffic flow should be something like this I believe:
Internet > Modem > Switch port 1 (WAN) > Switch port 2 (LAN) & port 3 (LAN02)

This seems straight forward enough but for some reason I still struggle on how to get this to work. I was hoping that someone in particular who is familiar with TL-SG10s can help to get this fast tracked.

Thank you very much

[bartjsmit]

What is the model number of your TP-Link? Make sure it ends in 'E', such as the TL-SG108E. They have a few unmanaged switches in the same price range with similar model numbers.

On the SG108E, select VLAN, 802.1Q VLAN and create yours, e.g:

VLAN ID 555, VLAN Name WAN, under Untagged tick your WAN modem switch port 1 and under tagged tick your OPNsense laptop port 2, click Add/Modify
VLAN ID 172, VLAN Name LAN02, under Untagged tick the devices/AP's that have 172 addresses, click Add/Modify
VLAN ID 192, VLAN Name LAN, under Untagged tick the devices/AP's that have 192 addresses, click Add/Modify

If you have a Multi-SSID AP you can add its port to multiple VLAN's as Tagged.

Bart...

[Demusman]

Hello,

I am running OPNsense 22.7.10_2-amd64 on a desktop with three NIC cards: WAN, LAN (192), and LAN02 (172). I have to abandon this setup and switch to a laptop.

I understand that instead of using USB Ethernet adapters it's better to setup VLANs with a managed switch (https://forum.opnsense.org/index.php?topic=9363.msg42382#msg42382) like the TP-Link TL-SG10 series.

Setting up VLANs on OPNsense itself seems straightforward enough. I've looked at screenshots of the TL-SG10 configuration interface and read up a bit on the topic of VLANs (https://www.theregister.com/2017/06/30/vlans_at_20/).

Traffic flow should be something like this I believe:
Internet > Modem > Switch port 1 (WAN) > Switch port 2 (LAN) & port 3 (LAN02)

This seems straight forward enough but for some reason I still struggle on how to get this to work. I was hoping that someone in particular who is familiar with TL-SG10s can help to get this fast tracked.

Thank you very much

Post pics of the 802.1q and pvid pages in the switch and interfaces/vlans from the router.

[miroco]

I found this video helpful.

Netgear GS108Ev3 Review and Setup
https://www.youtube.com/watch?v=VY6WPrMZjyk

Admittedly it covers a Netgear 8 port GS108Ev3 and not a TP-Link. Though I'm pretty convinced that TP-Link took more than a casual glance at the Netgear counterpart.

If you are about to buy a switch, don't just pick one with enough ports to satisfy your immediate use case. With VLANs this is specially true. I made this mistake myself by buying a 5 port Netgear GS105Ev2. You'll outgrow a switch faster than you think.

[z0rk]

What is the model number of your TP-Link? Make sure it ends in 'E', such as the TL-SG108E. They have a few unmanaged switches in the same price range with similar model numbers.

Yes, I meant the 'E' series. Thanks so much for this. I will get one of these and test it out. Again, thank you.

[z0rk]

I found this video helpful.

Netgear GS108Ev3 Review and Setup
https://www.youtube.com/watch?v=VY6WPrMZjyk

If you are about to buy a switch, don't just pick one with enough ports to satisfy your immediate use case. With VLANs this is specially true. I made this mistake myself by buying a 5 port Netgear GS105Ev2. You'll outgrow a switch faster than you think.

I am sure to check it out, miroco. An TP-Link 8-port switch is about as much as I can afford right now. Thanks for the heads-up though. Cheers

[z0rk]

Post pics of the 802.1q and pvid pages in the switch and interfaces/vlans from the router.

Will do once I get the switch. Thank you, Demusman.

[z0rk]

VLAN ID 555, VLAN Name WAN, under Untagged tick your WAN modem switch port 1 and under tagged tick your OPNsense laptop port 2, click Add/Modify
VLAN ID 172, VLAN Name LAN02, under Untagged tick the devices/AP's that have 172 addresses, click Add/Modify
VLAN ID 192, VLAN Name LAN, under Untagged tick the devices/AP's that have 192 addresses, click Add/Modify

Hi Bart
I've purchased a TL-SG105E V5 and configured it.
I created three vlans to correspond with WAN, LAN (192) and LAN02 (172). They all use em0 as the parent interface which is the laptop ethernet port.
I then assigned each vlan (vlan01 - WAN, vlan02 - LAN, vlan02 - LAN02) to the pre-existing interfaces, ue0 (LAN), ue1 (LAN02) and em0 (WAN).
I connected modem > port 1, laptop ethernet port > port 2, 172 device > port 3, 192 device > port 4 on the switch.
When I rebooted opnsense DHCP didn't pick up the WAN.
When I connect my other laptop to port 4 to access opnsense at 192.168.1.1 it can't be reached.
Do you have any suggestions what to try next?
Thank you

[Demusman]

Not gonna work like that.
You need one trunk port that goes to the laptop.
Then you need access ports for the devices to connect to.

So port 1 will be the trunk in this example but you can use any.
Port 1 will have all 3 vlans tagged on it.
Port 2 will be WAN which connects to the modem. untag vlan555 on it.
Port 3 will be LAN, untag vlan192 on it.
Port 4 will be LAN2, untag vlan172 on it.

The trunk brings all vlans to the switch, then you can use them on the access ports.
Don't use vlan1 on any ports.
Go to Vlan PVID page in switch and set the pvids to the same as vlan, so port 1 leave at 1, port 2 pvid vlan555, port 3 pvid 192, port 4 pvid 172

[Demusman]

You're looking for this:

[z0rk]

Don't use vlan1 on any ports.

Ok, I think I got it.
What do you mean by 'Don't user vlan1 on any ports'. Do you mean vlan ID 1?

Thanks much, Demusman

[Demusman]

Yes, set vlan ID1 as not a member of any ports in the switch.
Just like the pic I posted.

[z0rk]

Yes, set vlan ID1 as not a member of any ports in the switch.
Just like the pic I posted.

Ok, that's what I figured.

I am close but still no cigar.
WAN, vlan01 (switch port 2) doesn't pick up an IP address.
I've temporarily set LAN, vlan02 to DHCP and connected switch port 3 to my internal network. The laptop ethernet port is connected to TRUNK (switch port 1). I am able to access the OPNsense web GUI so I know that this bit is working, presumably LAN02, vlan03 as well.
Maybe I need to make some changes to the WAN interface configuration? I've attached a screenshot of my interface assignments and the WAN config page.
Almost there I hope 

[Demusman]

Are you sure you should get a public address?
Not sure how your modem works, if you get a private address uncheck block private addresses.

A way to check the switch would be to set a static address on your wan.
Turn off the firewall. (ssh in and do pfctl -d, -e will reenable)
Plug a pc into port 2 on the switch with a static address in the same subnet as the wan and see if you can ping it.

[z0rk]

Are you sure you should get a public address?

The way I am currently set up in production is modem > NIC on desktop which is my WAN. WAN interface is set up with DHCP and it picks up a public address.

On the laptop WAN (vlan01) doesn't pick up any address 0.0.0.0/8 although it's configured for DHCP as well (see screenshots). I will do the testing as you suggested sometime tomorrow.

Thanks for all your help