VLAN Headaches / Netgear + pfsense

I’ve installed pfsense on a NUC, and am using a “smart” Netgear XS512EM. Currently my pfsense install is rather basic. I’ve created my VLANs, and just copied the default “allow all rules” from the LAN over to all my VLANs. I’ve also installed pfblockerng and apcupsd, both of which are functioning.

I feel like I’m pretty close on my setup, but I’m missing something. When I try and “activate” the VLANs on my switch by changing the PVIDs I end up losing access to the switch, firewall, or internet. Sometimes with a VLAN working though. I feel like it’s the switch configuration that’s messing me up currently.

Below is my switch config for the VLANs. I’m really not clear on the ports 1, 2, and 3. 1 is the Firewall. 2 and 3 are wireless access points (these access points have multiple VLANs on them) I believe this means 1,2,3 should be marked as tagged or trunks? I just realized looking at this image, I didn’t add the firewall back to every VLAN (I had to reset the switch, I believe it should be in every VLAN?).

The PVID’s are what really throw me. I can only assign a single PVID to a port. So does the firewall and access points just remain in VLAN 1 (default)?

I have images of my pfsense config, and Unifi ap vlan config uploaded as well, if anyone thinks those could hold clues as to what’s going on. In pfsense, I have those interfaces active, and DHCP on. The APs are assigned to specific SSIDs as well. Doesn’t mean I haven’t overlooked something though.

Netgear is a pain to configure vlans on, but I hope this helps you out. :slight_smile:

For example:

  • Ports 1 - 5: VLAN 10
  • Ports 6 - 10: VLAN 20
  • Port 20: VLAN Trunk Link

The Setup:

  1. Go to Switching - VLAN - Advanced - VLAN Membership.

  2. In the VLAN ID drop down menu, select VLAN 10.

  3. Mark ports 1, 2, 3, 4 & 5 with a U. This designates an untagged port and is used for ports which connect to client devices such as PCs.

  4. Mark port 20 with a T. This designates a tagged port and is used for the VLAN trunk link.

  5. Click Apply.

  6. In the VLAN ID drop down menu, select VLAN 20.

  7. Mark ports 6, 7, 8, 9 & 10 with a U.

  8. Mark port 20 with a T.

  9. Click Apply.

  10. In the VLAN ID drop down menu, select VLAN 1.

  11. Remove ports 1 - 10 from VLAN 1. To do this click on the ports until they are blank (i.e. until they contain neither a U nor a T).

Note: VLAN 1 is the management VLAN by default. Be careful not to remove the port you are managing the switch through from the management VLAN!

  12. Click Apply.

Configure port PVID settings for untagged ports:

  1. Go to Switching - VLAN - Advanced - Port PVID Configuration.

  2. For each port marked as untagged above, set the PVID of that port to the VLAN ID of the VLAN it was assigned to.

For Example: Above we added ports 1, 2, 3, 4 & 5 as untagged members of VLAN 10. Therefore we set ports 1, 2, 3, 4 & 5 with a PVID of 10. Select ports 1 - 5 and type 10 in the PVID field.

  3. Click Apply.

  4. Select ports 6, 7, 8, 9, & 10 and type 20 in the PVID field.

  5. Click Apply.


Thank you for your reply. So I’ve found out. Unfortunately, while trying to keep my entire network at least 2.5GbE, I didn’t find a ton of options. I did finally get this working. I came across another post on here, that mentioned Netgear switches do weird things if you try and configure them hooked to the firewall. So I configured the two separately. I also found / noticed, two of my wireless networks did not have VLAN tags associated with them. (Not sure if it was like this the whole time, or just me temporarily trying to restore internet.) Either way, it’s now just time to start sorting out rules to keep the VLANs from talking to each other.

The only thing I’ve actually noticed, and from my initial research that doesn’t have a solution, is I’ve lost the ability to use WOL with my server. It appears most people just use the built in WOL feature in pfsense, which isn’t as convenient as my scripts. Not sure if there is a work around to make WOL work between VLANs.

You could try to send the magic packet to the broadcast address of the respective subnet e.g If that doesn’t work you might be able to work around it, by creating a DHCP reservation with a static ARP entry on an unused IP in that subnet with a generic MAC, e.g., FF:FF:FF:FF:FF:FF. Then you could try to send a magic packet with the correct MAC address of the device you want to wake up to that address.

Disclaimer: I did not test whether this actually works, and I have no idea if there are any security implications by doing so.

If that doesn’t work either, you could try to send the packet via UDP ports 0, 7 or 9, which would require an additional UDP allow rule.

The best thing to do is probably just use WOL on pfSense. You could also write a script to run the WOL commands over SSH, so you don’t have to manually log into pfSense’s web interface every time you want to wake up a device.
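As an added example (not code from anyone in this thread), here is a small Python script that implements the cross-VLAN approach suggested above: it builds a standard WOL magic packet for the target MAC and sends it to the target subnet's directed broadcast address on UDP port 9. The MAC, subnet and port values in it are constructed placeholders; pfSense still needs an allow rule for that UDP traffic, and routers commonly refuse to forward directed broadcasts at all, so this is something to verify rather than assume.

```python
"""Wake a host on another VLAN by sending a WOL magic packet to that
subnet's directed broadcast address (UDP port 9, or 0/7 if preferred).
Added example for this thread; not from pfSense or Netgear."""
import ipaddress
import re
import socket

# A magic packet is six 0xFF bytes followed by the target MAC repeated 16 times.
MAGIC_PREFIX = b"\xff" * 6


def parse_mac(mac: str) -> bytes:
    """Accept 'aa:bb:cc:dd:ee:ff', 'aa-bb-cc-dd-ee-ff' or 'aabb.ccdd.eeff'."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(hexdigits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return bytes.fromhex(hexdigits)


def build_magic_packet(mac: str) -> bytes:
    """Return the 102-byte WOL payload for the given MAC."""
    return MAGIC_PREFIX + parse_mac(mac) * 16


def directed_broadcast(cidr: str) -> str:
    """Broadcast address of the target VLAN's subnet (host bits are ignored)."""
    return str(ipaddress.ip_network(cidr, strict=False).broadcast_address)


def send_wol(mac: str, cidr: str, port: int = 9) -> int:
    """Send the magic packet to the subnet broadcast; returns bytes sent.

    The firewall must permit UDP to that broadcast address on the given port,
    and it must be willing to forward directed broadcasts; many routers drop
    them by default, in which case only a same-VLAN sender (or the WOL feature
    on pfSense itself) will reach the host."""
    payload = build_magic_packet(mac)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        return sock.sendto(payload, (directed_broadcast(cidr), port))


if __name__ == "__main__":
    # Constructed sample values: a server on a hypothetical VLAN 20 subnet.
    send_wol("00:11:22:33:44:55", "192.168.20.0/24")
```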