Netgear VLAN Setup Help?

stevenkan · Apr 11, 2024

I just bought a GS110TPv3 with the intention of setting up VLANs to eventually segregate WiFi traffic from a common UniFi WAP, but first I wanted to test with just a plain ol' laptop and Ethernet cables, to be sure I understand how to set up the VLANs. Well, I don't, despite I've watched this video several times and read this page and this page as well.

I defined VLAN20 and assigned it to ports 2 and 7 on the switch as Untagged, as I think I want these to be access ports, right?
I defined VLAN30 and assigned it to ports 3 and 8 on the switch as Untagged.
VLAN1 is the default/native VLAN, Untagged on all ports by default, so I removed it from 2,3,7, and 8.

I started out with a simple test, connecting switch Port 1 to my LAN0, and connecting my laptop to Port 5. I get a connection and a DHCP address of 0.233, which the same as if I'd connected my laptop directly to the blue switch. This also works on port 4 or 6.

Then I connected the cables like this, thinking that Ports 2 and 7 would behave like a switch, and connect me to the blue network, but I get a Not Connected:

a similar test through ports 3 and 8 fails:

If I connect directly from my laptop to the red switch, I get a .50.x DHCP address"

So I must have entered something incorrectly or neglected to turn something on. Anyone know Netgear managed switches?

Thanks!

Paladin · Apr 11, 2024

From your description, I think you did it more or less right. The only factor might be the Protecli PFsense. If the PFSense is configured to use VLAN tagging for that second interface then it might be spitting out tagged frames and the switch might be dropping them or the computers might be dropping them when they arrive from the firewall.

Test with a couple of laptops or whatever plugged into 2 and 7 with manual IP configuration and see if they can ping each other (mindful of windows firewall blocking it by default) or 3 and 8. If that works then things are as they should be, most likely. At that point go back to the firewall to double check how it is configured. But basically I think you have things mostly correct. Check the netgear for any kind of log entries or something that might indicate some kind of error and make sure you don't have any kind of loop or spanning-tree issue where the new smart switch is unhappy with the old dumb one for some reason.

stevenkan · Apr 12, 2024

Thanks. I will try that experiment tomorrow.

But would anything outside the managed switch even see any VLAN tags?

Paladin · Apr 12, 2024

As long as the config is all untagged, then no, they should not. The firewall is the question mostly though, since we have not seen that config at all. Is it a separate physical port on the firewall? Does it have any VLAN config at all?

JessF · Apr 12, 2024

Had a hunch since I've seen it on similar switches. Went to netgear and found the manual for the switch. Yep - you have to set PVID on a separate configuration page. What you have set up now is only outgoing traffic for VLAN 20/30 being untagged on those interfaces.

Below the VLAN Status, there is Port PVID Configuration:

(Page 159 of the manual - section 9):

In the PVID field, specify the VLAN ID to assign to untagged or priority-tagged frames received on the port.
The default is 1.

w00key · Apr 12, 2024

Netgear is "special" yes, just like TP Link. See https://kb.netgear.com/31026/How-to-configure-a-VLAN-on-a-NETGEAR-managed-switch

Paladin · Apr 12, 2024

JessF said:
Had a hunch since I've seen it on similar switches. Went to netgear and found the manual for the switch. Yep - you have to set PVID on a separate configuration page. What you have set up now is only outgoing traffic for VLAN 20/30 being untagged on those interfaces.

Below the VLAN Status, there is Port PVID Configuration:

(Page 159 of the manual - section 9):

Ugh, I was thinking about that and then, "No, they can't still be doing it that wrong can they?!"

If that fixes it... yearghh.

So the instructions basically boil down to "Assign the desired VLAN to the port. Then do it again. Then do it again."

:biggreen:

stevenkan · Apr 12, 2024

JessF said:
Below the VLAN Status, there is Port PVID Configuration

Ding ding ding! Chicken dinner!

Thanks! VLANs 20 and 30 are now working.

Thanks!

stevenkan · Apr 12, 2024

Paladin said:
So the instructions basically boil down to "Assign the desired VLAN to the port. Then do it again. Then do it again."

I did read the PDF documentation*, and it does give instructions for PVID assignment, but it's not clear that it is a necessary step.

Is there any valid reason to have a port assigned to a VLAN, but not assign the PVID? I can't find it now, but in clicking around yesterday, either through the PDF or the HTML documentation, I found something about PVIDs and inbound vs. outbound traffic. Could one use PVIDs to create one-way traffic through a port? e.g. receive from VLAN20 but don't send to VLAN20?

Or is it just a poor implementation all around?

* the PDF documentation is mind-numblingly difficult to read because they repeat the page of instructions for logging in, e.g. starting with "1. Connect your computer to the same network as the switch." for every. single. possible. operation.

Gandalf007 · Apr 12, 2024

So I'm guessing that since this model is called "smart" it's only web-managed and doesn't have the CLI? I find the Netgear CLI a lot more straightforward, since it's IOS-style, and the VLAN settings which are on three different web screens can be set in the same interface section, e.g.

Code:

interface 1/0/7
! 'switchport mode general' is default on the Netgear switches
description 'a server'
vlan pvid 1234
vlan participation include 1234
! to fully emulate an access port, add this:
!vlan ingressfilter
exit

I used to be confused by all the different VLAN settings which can be made for a port in general mode, which is the default. I highly recommend setting the ports to access or trunk instead, which is in the "VLAN Trunking Configuration" screen. This more closely matches what other switch brands use and also automatically applies settings like ingress filtering, frame acceptance, and/or excluding the default VLAN. The above example is then reduced to:

Code:

interface 1/0/7
description 'a server'
switchport mode access
switchport access vlan 1234
exit

For the web, I believe you can make all the settings you need on the VLAN Trunking Configuration screen, if you set the port mode to access or trunk.

stevenkan said:
Is there any valid reason to have a port assigned to a VLAN, but not assign the PVID? I can't find it now, but in clicking around yesterday, either through the PDF or the HTML documentation, I found something about PVIDs and inbound vs. outbound traffic. Could one use PVIDs to create one-way traffic through a port? e.g. receive from VLAN20 but don't send to VLAN20?

Or is it just a poor implementation all around?

You'd only do that in certain advanced routing configurations. I believe their making switchport mode general the default is a poor decision -- it would be much better if ports were in access mode with access vlan 1 by default, and they encouraged switchport mode trunk for tagged VLANs, and you'd only choose general mode if you really needed the advanced configuration.

Note that regardless of web/cli interface, it is possible to make settings which are not used because they only apply to a different port mode (this also applies to other switch brands as well). It's a lot easier to see this and do cleanup via the CLI though...

Rich (BB code):

switchport access vlan 100
switchport trunk allowed vlan 200,300
switchport trunk native vlan 300
vlan participation include 300,400
vlan pvid 300
vlan tagging 400

All of these settings could be simultaneously configured on a port, but only those matching the active mode (switchport mode access | trunk | general) will take effect.

stevenkan · Apr 12, 2024

stevenkan said:
. . . I found something about PVIDs and inbound vs. outbound traffic.

Here's an article saying similar:

In other words, the untagged VLAN defines what’s going outbound from the switch and the the PVID identifies what’s coming inbound from the device. I guess you could theoretically have different VLANs for each, but I can’t think of a use case for that.

stevenkan · Apr 12, 2024

Gandalf007 said:
So I'm guessing that since this model is called "smart" it's only web-managed and doesn't have the CLI? I find the Netgear CLI a lot more straightforward, since it's IOS-style, and the VLAN settings which are on three different web screens can be set in the same interface section, e.g.

Code:

interface 1/0/7 ! 'switchport mode general' is default on the Netgear switches description 'a server' vlan pvid 1234 vlan participation include 1234 ! to fully emulate an access port, add this: !vlan ingressfilter exit

Hmmm. I found this article that suggests it might exist:

It was during a port scan on my GS110TP where I realized there were more than the expected HTTP and HTTPS ports responding. After increasing the scope to a full TCP scan I saw 2 ports in the upper range that took my interest:

So I tried the following:

Code:

~ steven$ telnet 192.168.0.10 6000
Trying 192.168.0.10...
telnet: connect to address 192.168.0.10: Connection refused
telnet: Unable to connect to remote host
~ steven$ ssh admin@192.168.0.10 6000
(admin@192.168.0.10) Password: <wrong password>
(admin@192.168.0.10) Password: <wrong password>
(admin@192.168.0.10) Password: <correct password>
~ steven$

So it responds to ssh, and knows whether or not I'm entering the correct password, but then just kicks me right back out.

stevenkan · Apr 22, 2024

stevenkan said:
Ding ding ding! Chicken dinner!

Thanks! VLANs 20 and 30 are now working.

Thanks!

And now I have my SSIDs properly segregated:

There are a whole bunch of potential gotchas on the UniFi side, which I got answered over there. I hope I never have to do this again.

Oh wait, I have 2 more sites to do . . .

stevenkan · May 2, 2024

stevenkan said:
Oh wait, I have 2 more sites to do . . .

Second site finished. Even though I was attempting to do pretty much exactly what I was trying to do at Site 1, it still took me a few hours because there are so many ways to trip oneself up and lose access to the device you're managing.

Site 3 next week . . .

Xelas · May 3, 2024

Just be aware that if you have multiple independent sites with Unify devices on them, managing them all via a Unifi controller from another site over the internet is not secure.

stevenkan · May 4, 2024

Xelas said:
Just be aware that if you have multiple independent sites with Unify devices on them, managing them all via a Unifi controller from another site over the internet is not secure.

I have a separate Unifi controller at each site. That’s because when I rolled them out I didn’t know it was possible to manage multiple sites from one controller

But now I’m glad I did it that way. I’m not a fan of cloud management for internal infrastructure. Seems like a disaster waiting to happen.

stevenkan · May 8, 2024

Gandalf007 said:
For the web, I believe you can make all the settings you need on the VLAN Trunking Configuration screen, if you set the port mode to access or trunk.

I think I have one of the dumber Netgear switches, because it doesn't have a VLAN Trunking Configuration screen. I just has these options down the left margin of the screen:

and I have examples of Config, Membership, and Status, above. PVID looks like this:

stevenkan · May 8, 2024

. . . and now I think I might understand what PVID is used for. At my first two sites the trunk ports are used only for the WAPs, but at my 3rd site I want to put some dumb stuff (in big red ellipse) beyond the far end of the trunk ports, for physical infrastructure reasons:

If I want to keep the dumb stuff, from the other side of those two unmanaged switches, in VLAN101, is that why I would set the two trunk ports (2 and 4) of the Netgear GS110TPv3 switch to PVID 101?

IIUC the PVID on the other 3 trunk ports (1,3,5) won't matter because they won't be carrying any untagged traffic, since the Unifi WAPs behave like they have a managed switch inside.

Do I have this correct? Thanks!

edit: added link

w00key · May 8, 2024

Pvid (in a sane switch) tags incoming untagged and unwraps outgoing tagged packets so dumb devices on the other end have no idea VLAN is even used.

Works for your case yes.

I tend to have the networking devices on their own vlan and pvid, so Unifi mgmt traffic and router, switch ssh/https services aren't open to 99% of the devices on site, only specific ones (special ssid and a few pvid mgmt ports, and VPN to HQ + certain trusted subnets).

stevenkan · May 8, 2024

w00key said:
I tend to have the networking devices on their own vlan and pvid, so Unifi mgmt traffic and router, switch ssh/https services aren't open to 99% of the devices on site, only specific ones (special ssid and a few pvid mgmt ports, and VPN to HQ + certain trusted subnets).

Ah, that would be a good idea. If I do this, I would probably restrict the pfsense management to that same "management VLAN" as well. The onion is getting bigger!

stevenkan · May 9, 2024

stevenkan said:
. . . and now I think I might understand what PVID is used for. At my first two sites the trunk ports are used only for the WAPs, but at my 3rd site I want to put some dumb stuff (in big red ellipse) beyond the far end of the trunk ports, for physical infrastructure reasons:

If I want to keep the dumb stuff, from the other side of those two unmanaged switches, in VLAN101, is that why I would set the two trunk ports (2 and 4) of the Netgear GS110TPv3 switch to PVID 101?

Nope! Since there is no managed switch between the trunk port and the dumb devices, there is nothing to strip the VLAN tags, and the dumb devices will never see the traffic!

I scratched my head for about an hour on this one.

I don't have enough managed switches lying around to do this properly, but I did run two strings of Ethernet down to the shed, so I was able to put the WAP on the trunk line and the dumb devices directly on the red network.

This was, by far, the hardest of the 3 sites, because I was also moving a bunch of my infrastructure into the new VLANs, so I was constantly moving the Unifi controller from one part of the network to the other, by moving its network cable. This difficulty was compounded by the fact that it's headless, so I had to remember to manually change its IP address before moving it, over RDP, which would, of course, disconnect me from it.

But I have it mostly finished. There are a few connectivity issues remaining, but I think those are firewall related, and not VLAN or WiFi related.

Whew!!!

stevenkan · May 9, 2024

stevenkan said:
Nope! Since there is no managed switch between the trunk port and the dumb devices, there is nothing to strip the VLAN tags, and the dumb devices will never see the traffic!

. . . and I suppose that's why we have the native/default VLAN, which I didn't think to use.

I might do that down the road if I want to declutter things a bit, but right now it's working, so I will probably let it ride for awhile.

Netgear VLAN Setup Help?

Ars Legatus Legionis

Ars Legatus Legionis

Ars Legatus Legionis

Ars Legatus Legionis

Ars Scholae Palatinae

Ars Praefectus

Ars Legatus Legionis

Ars Legatus Legionis

Ars Legatus Legionis

Ars Tribunus Angusticlavius

Ars Legatus Legionis

Ars Legatus Legionis

Ars Legatus Legionis

Ars Legatus Legionis

Ars Praefectus

Ars Legatus Legionis

Ars Legatus Legionis

Ars Legatus Legionis

Ars Praefectus

Ars Legatus Legionis

Ars Legatus Legionis

Ars Legatus Legionis