Pfsense VLAN configuration on NETGEAR switch

Could you please explain VLAN configuration on NETGEAR switches with pfsense, especially when there can be many switches connected one by one.

NETGEAR GS116Ev2 - 16 port
NETGEAR GS108Ev3 - 8 Port
NETGEAR GS105Ev2 - 5 port

What must be defined, and how?

Where is the “T” port, where the “U”, and what does an empty field mean?

I am struggling with that for 3 weeks.

It’s hard to answer without knowing what networking knowledge and experience you have.

Without understanding what vlans are, it is going to be hard to configure the vlans on the switches.

T means tagged for this vlan, U means untagged for this vlan, I assume empty means not a member of this vlan.

You can have only one U untagged per port (although the Netgear will allow multiple vlans with U; for example, it comes with VLAN 1 predefined with every port as a member, and the PVID for every port set to one). Only the vlan specified by PVID will use the untagged frames (there should be a separate screen to define the PVID for each port). PVID is port vlan id, and it specifies the vlan associated with untagged (aka standard ethernet) frames on that port.

This post on the Ubiquiti forum has many links to vlan and networking foundational topics (near the end). None of the links has anything about vlans on pfsense, but Tom has covered that in his youtube videos (for example see this recent post)

For an overview of what vlans are, I highly recommend this youtube video: “What are VLANs? – the simplest explanation”. Also see this post.

Perhaps all of this is old hat to you. If so I apologise in advance for suggesting these resources.

Here’s a post where I did a mini-review of a Netgear GS908E. It has a chicken scratch network diagram and screen shots of the corresponding config. But it wasn’t meant as a tutorial. (edited to correct link)


That’s a good explanation by @BuckeyeNet; it covers the main points on vlans.

I’ve setup my Netgear switches in a star formation around the house, which is also connected to a box running PfSense, so I can guess what you are trying to do.

What I can tell you is how I basically set up vlans and configured the switches.

First I configured my main switch (in isolation) with its own IP address etc. When it came to setting up the vlan:

  1. I set up the multiple vlans 10, 20, 30 etc in the VLAN Configuration menu option
  2. checked off the ports in VLAN Membership menu option for my first vlan (10)
  3. In Port PVID Configuration I checked the PVID Configured box with the vlan for the port I had just configured.
  4. Then I went back to VLAN Membership and removed the port from vlan 1.
  5. Repeat the steps for the next vlan 20 etc. One by one.

Once all was completed, I went to system > management > IP configuration and set the Management VLAN to 10.

To ensure I wasn’t locked out of the device, I kept one port which my laptop was connected to on vlan 1, until the unit was fully configured, then changed that port to something else. I’ve left vlan 1 in place and don’t use it for anything.

With Netgear the first couple of vlans are defaults, so I would start from 10 and work upwards on your numbering.

The steps above are straightforward; however, if you remove the port from vlan 1 before it has been correctly assigned you will have a world of pain!

Connections between switches and the PfSense box are over LACP/LAGG (will depend on what the switch supports).

Under Switching > LAG > LAG Membership select LAG 1 and check off two ports, then go to LAG Configuration and enter LAG type static or LACP (it depends on what you are connecting it to). So there are now 2 cables connecting your switches / pfsense box; if one fails the other will continue to work.

[For the ports to work as a LAG/LACP they need to be marked as “T” on all the vlans you have created, set the management vlan as the default in PVID Configuration]

The interface is clunky, but the important step is to get the sequence correct, then it works without any issue. Just reset the switch and it won’t take more than 30 mins. Reading the manual really helps in this instance :wink:
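The T/U/blank and PVID rules from the answers above can be checked mechanically before a configuration is applied. This is an added example, not part of any post and not Netgear tooling; the `audit` function, port numbers and VLAN IDs are constructed for illustration.

```python
# Added example: audit a Netgear-style 802.1Q membership table.
# All port numbers and VLAN IDs below are constructed for illustration.
DEFAULT_VLAN = 1  # predefined on the switch with every port as a member

def audit(membership, pvid, trunk_ports, mgmt_vlan):
    """membership: {vlan: {port: "T" | "U" | ""}}, pvid: {port: vlan}.
    Returns a list of (port, problem) tuples, ordered by port."""
    findings = []
    ports = sorted({p for row in membership.values() for p in row})
    created = [v for v in membership if v != DEFAULT_VLAN]
    for port in ports:
        mark = {v: membership[v].get(port, "") for v in membership}
        untagged = sorted(v for v, m in mark.items() if m == "U")
        pv = pvid.get(port, DEFAULT_VLAN)
        if port in trunk_ports:
            # LAG/uplink ports: "T" on every created VLAN, PVID = management VLAN
            missing = sorted(v for v in created if mark[v] != "T")
            if missing:
                findings.append((port, f"trunk not tagged on VLANs {missing}"))
            if pv != mgmt_vlan:
                findings.append((port, f"trunk PVID {pv} is not management VLAN {mgmt_vlan}"))
            continue
        if len(untagged) > 1:
            # The switch accepts this, but frames from each of these VLANs
            # leave the port untagged while ingress follows the PVID only.
            findings.append((port, f"untagged in several VLANs {untagged}"))
        if pv not in untagged:
            # Typical after removing a port from VLAN 1 without setting its PVID.
            findings.append((port, f"PVID {pv} is not an untagged VLAN of this port"))
        if DEFAULT_VLAN in untagged and pv != DEFAULT_VLAN:
            findings.append((port, "still a member of default VLAN 1"))
    return findings

# Constructed switch state: ports 1-2 are the LAG to pfSense, 3-5 are access ports.
MEMBERSHIP = {
    1:  {1: "",  2: "",  3: "",  4: "U", 5: ""},
    10: {1: "T", 2: "T", 3: "U", 4: "U", 5: ""},
    20: {1: "T", 2: "",  3: "",  4: "",  5: "U"},
}
PVID = {1: 10, 2: 10, 3: 10, 4: 10, 5: 1}

if __name__ == "__main__":
    for port, problem in audit(MEMBERSHIP, PVID, trunk_ports={1, 2}, mgmt_vlan=10):
        print(f"port {port}: {problem}")
```

An empty result means every access port has exactly one untagged VLAN matching its PVID and every LAG port carries all created VLANs tagged.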

Thanks for your help with such a simple task.
I made a drawing of “how I understand that configuration”.
Also, I would like to have VLAN 1 & 2 on the unifi AP, like SSID 1 in VLAN 1 and SSID 2 in VLAN 2.
Please can you point me where I am wrong?

Yeah that looks like it should work.
Does the FW to Switch 1 work? Are you using the vlan 1 on the netgear switch? If so, just try with using vlan 10 on the switch instead.

For now I have “default” settings on the switches, without VLANs, and the UNIFI AP can already use VLANs, but I also want to put computers in different VLANs.

Ok.

I’ll assume your pfsense is configured.

You’ll need to configure your Switch 1 with your first vlan, then your second, then your third as described earlier …

Plug your switch into the Pfsense box and ensure your interfaces, rules etc are set up correctly.

Then check you can access the internet over each vlan via different ports on switch 1.

Once you have Switch 1 configured as you wish, then move on to Switch 2 …

Thanks, I understand.