I suck at VLANs, part I

Hey guys I am trying to setup some VLANs with pfSense and my TP-Link managed T1600G-52PS switch. I am unable to get a DHCP IP address when connecting my computer to the switch. It looks like the device can’t talk to pfSense.

However, I can confirm that the pfSense side of things works 100% because I am able to obtain a VLAN subnet IP address via DHCP when connecting my computer directly into the LAN port of my pfSense.

Clearly, I am doing something wrong on the switch side. And since I don’t know what I’m doing, I’m not surprised it’s not working. :joy:

I’d appreciate some help if anyone’s game…

VLAN 30: (DHCP server enabled on pfSense) – VoIP phones go on this VLAN

Switch (
Port 1: trunk to pfSense LAN
Port 3: I want all traffic going through this port to have VLAN 30 added to its packets.

As the title says, I suck at VLANs and this is my first time doing it. My understanding is that:

  • I should UNTAG port 1 (trunk) for VLAN 30
  • I should TAG port 3 for VLAN 30
  • I should set port 3 PVID to 30
  • I shouldn’t set up VLANs on the phones themselves. Tagging the ports on the switch is enough.

For good measure, since it’s VOIP traffic, I also did the following in QOS:

  • Enabled “Voice VLAN” and set it to 30, with a priority of 5
  • Enabled “Voice VLAN” on all my VLAN 30 ports

What did I do wrong?

Here are some screenshots of what I configured on the switch: https://imgur.com/a/eoyLrfH

Well perhaps I suck slightly less at vlans than you so maybe I can offer some insights on how I approached it as it works :slight_smile:

Firstly I have a multi-NIC pfsense box going to a 48 port Netgear switch. There is a configured LAN port but I don’t use it, though I could just plug into the box and access pfsense if required.

There is a LACP aggregation between the router and switch, did it because I could. The Netgear switch has some default vlans, I left these alone, and started my numbering from 10, 20, etc. All ports are on vlan 1, when setting up the vlans on the switch I had to first create the new vlans, then add the port to the new vlan followed by removing the port from the default vlan1 (which I don’t use). Your switch will have a process to follow.

BTW I configured the switch without it being connected to the router.

The router was then configured with vlans, only after each device was individually configured did I connect them. I followed this approach after messing it up several times and being locked out of the switch when it was connected to the router and I was trying to configure it.

There are several switches which are then daisey-chained over trunk LACP.

What I noticed is that on the Netgear VOIP has a default vlan, maybe your switch does too, I don’t use VOIP but it should work on any vlan. However I think I would prefer that pfsense prioritises traffic rather than the switch. Perhaps it doesn’t make a difference.

I would just take it step by step make sure you can setup one vlan before proceeding. Now would be a good time to read the manual :wink:

1 Like

I think I see what’s wrong. Your understanding of tagged and untagged is backwards.

In your case port one is a trunk port. It’s carrying all the vlans from pfsense to the switch and then the switch will allow those vlans to be distributed port by port. So instead of setting port one to untagged vlan 30 traffic, tag every vlan that you implement in pfsense on port one of the switch. That should cover getting the vlans to the switch.

Now for the rest of ports where the actual computers and servers will be connected. If you connect a device that doesn’t recognize vlan traffic, you need to make sure the port is untagged. So in your case you said port 3 needs to be on vlan 30. So for this port set port 3 as vlan 30 untagged and then this is the important part. Set the PVID to vlan 30 as well.

In addition vlan 1 is the system vlan. If you don’t want for example port 3 to be able to get to the switch interface, remove PVID 1.

Let me know if you have any questions. I have a spare TP Link jetstream 24 switch with the same interface and I can take some screenshots to give you a hand.

I forgot to mention… Make sure that only PVID 1 is being used for your trunk port(s). If it’s set to anything else the traffic doesn’t pass. That may be another issue you are running into. Trust me it took me forever to figure that out.

1 Like

This is super helpful, thanks a lot! It works now!

Just so I better understand the basics of VLANs, could you clarify what each setting does? Here’s my understanding:

  • TAG 30: allows VLAN30 to be passed on this port
  • UNTAG 30: no idea what this does? Can you expand on the meaning of untagging? It sounds like it should “remove” the tag, but I assume it doesn’t?
  • PVID 30: adds VLAN30 to all packets that sent from the device connected to this port.

Hi @cmer - think of TAG as ‘Talk’, and UNTAG as ‘Unaware’.
A single port can be a member of multiple TAGGED vLANs. Meaning that you could connect a Single Wireless Access Point, and have multiple SSIDs on different vLANs. This means that the device is vlan-aware.
Meanwhile Untagged is where the device connecting to it is unaware of vLANs. It’s all about context. If you’re plugging in a WAP, you’d want a Tagged port. If you’re plugging in a PC, chances are you’ll want it untagged. Your trunk port should always be tagged. i.e. untagged vLAN 1, tagged vLAN x, x, x

A port can only be a member of 1 untagged vlan at any given time though.

Imagine vLANs as little flags that data packets carry with them.

Hope this helps your understanding :slight_smile:

1 Like

Hmm just to clear up some misconceptions – but I think you might have it already figured out. Ports can have untagged VLAN and any other VLANs that traverse the port need to be tagged.

So if you have pfsense connected to switch – I’m betting you want both virtual LANS (1 and 30) passed from pfSense to the switch. By convention, VLAN1 is usually untagged and any other VLAN is tagged (although you could switch this if you wanted). So for the switch port connected to pfsense – TAG VLAN 30 and keep VLAN 1 untagged. Inherently you need to make sure the pfsense passes out VLAN30 traffic as tagged (You would do this in pfSense under the Interfaces->VLAN assignments (notice this might be different if you have virtualized pfSense since the hypervisor might be responsible for the tagging on the traffic).

On port 3 – You want traffic by default to be on VLAN 30 and you’re assuming devices connected to this port are VLAN unaware. You untag VLAN30 (or make VLAN 30 the untagged network). I you wanted to pass VLAN 1 information (for whatever reason) – you could pass VLAN1 as tagged, however if you want no VLAN 1 information passed (tagged or untagged) you would removed VLAN 1 from the port group.

In terms of PVID – I believe this relates to trafffic entering into the switch. Traffic coming into your port 3 is untagged. When the switch receives this traffic, it will automatically tag the untagged traffic via the PVID. The information will flow back through the switch to port 1, where any VLAN 1 information would be untagged and VLAN 30 information would remained tagged passed back to the switch.

I’m aware the definition of trunk vs access ports however I think this terminology relates to trunk ports carrying tagged and untagged information and access ports that only deal with one of the VLANs. Sometimes I think this terminology is kind of confusing. Both devices on either side of a port (so for example the switch and the connected computer), need to know what information will be untagged or tagged on the wire. If the computer or device is VLAN unware – that means it can only process untagged network traffic and hence only deal with one VLAN. If the device is VLAN aware, then both devices need to know in advance what traffic belonging to what VLAN is going to be tagged, and what traffic is going to be untagged. If both devices are VLAN aware, its totally possible to tag all traffic between the two devices and leave no network untagged. It’s also possible to designate one VLAN as untagged (which usually is VLAN1) and the rest tagged.

I’m sure I totally messed up that information. Good luck. Looks like you figured it out. (Also PVID behavior is kind of dependent on the switch type – some devices will automatically set the PVID to the same tag you place on the port and other will require you to set PVID and tag independently. I can’t imagine a scenario when they would be different, but maybe the networking gurus could answer this one. Either way you’re always safe if you set the PVID.

1 Like

Thanks so much again everybody. You made things much easier to understand. In case this is ever useful for someone else in the future, this is what I did:

PORT 1 (pfSense): TAG VLAN1, VLAN30
PORT 3 (VoIP phone): UNTAG VLAN30, PVID 30

@cmer – depending on your pfsense setup – what happens with

Port 1 (on switch) - Untag VLAN1, Tag VLAN30
On pfsense – Tag VLAN30, (by default VLAN1 untagged)

Could you explain @kevdog? I don’t understand what you mean in your last message. thanks!

I prefer to look at tags as extra envelopes used in sending packets. If I have a packet on a VLAN to send out to a client and that client has the ability to open the envelope, then use a tagged port. But if the client doesn’t understand tagging then the switch will have to open the envelop (untagged port) before sending the packet to the client.

1 Like