Configuring ports and VLANs on a Hasivo switch


Function (New Member, Nov 2, 2023)
Hi, I bought a Hasivo network switch and want to set up VLANs, but the web interface is confusing to me. This is my first managed switch. Before, I only configured subnets on individual physical ports on my firewall (OPNsense).

I've searched for tutorials on VLANs and I think I understand the basics of tagging and untagging, but the Hasivo interface has so many options and I have no idea what things like "1UP, 3T" on "trunk" vs. "access" (which just has "1UP"), or administrative vs. operational VLAN, mean.

When looking up VLAN / switch config tutorials online, it's all just Cisco switches using the terminal.

My desired setup for now is to connect the switch to my OPNsense using one cable (trunk, I guess?), to have one port on the switch which uses the default VLAN so I can always talk to the switch and my OPNsense, and then 3 ports which have a non-default VLAN with their own subnets and firewall rules that I can configure in OPNsense so I can isolate these networks.

Can someone help me out? I would highly appreciate it ✌

BoGs (Member, Feb 18, 2019)
Mine is on the way. Watching; if I get it before it's figured out I can help here.

nabsltd (Well-Known Member, Jan 26, 2022)
Function said:
My desired setup for now is to connect the switch to my OPNsense using one cable (trunk, I guess?), to have one port on the switch which uses the default VLAN so I can always talk to the switch and my OPNsense, and then 3 ports which have a non-default VLAN with their own subnets and firewall rules that I can configure in OPNsense so I can isolate these networks.
True "trunk" ports expect that (almost) every packet that comes into them over the cable is tagged, and make sure that every packet sent out over the cable is tagged. The "almost" is that you can (but probably shouldn't) configure the trunk port to accept untagged packets from the VLAN matching the PVID (i.e., the default VLAN for that port). This also implies that a trunk port has more than one VLAN "assigned" to it, and that it only considers packets from those VLANs as acceptable for ingress, and obviously only sends out packets with those VLANs.

So, if you want to connect your pfSense firewall (currently between your WAN and LAN) to a switch port with more than one VLAN, then you need to configure multiple virtual interfaces on the LAN side of the pfSense box, with each interface having a separate VLAN attached to it. Then, give each VLAN a separate subnet, and on each subnet, the default gateway would be the LAN IP address on the pfSense box that has the same VLAN. This makes pfSense tag all traffic to the switch with the VLAN, and the switch then sends it to the appropriate ports. Sending to the Internet has nothing to do with VLANs, so you don't change your WAN config at all, but you will have to add new NAT rules for the new subnets.

For the rest of the ports, if they have only one VLAN, then set the PVID of the port to that VLAN, mark the port as "untagged", and you are done. The switch will strip VLAN tags from packets sent out on these ports, the devices on those ports won't have any idea they are "on a VLAN", but will just send untagged packets, and the switch will add tags if necessary. For any ports with more than one VLAN, you have to do a similar thing as you did for the connection to the pfSense box, but you would instead use the PVID for devices on that port that don't know about VLANs and will use the default, while devices on other VLANs need to be configured with the VLAN (so the packets get tagged). In the same way, the switch would have to be set to tag packets to the VLANs on that port that don't match the port PVID.

TL;DR:
  1. Ports with one VLAN set the PVID to that VLAN, mark them as members of VLAN, and mark that VLAN on that port as untagged.
  2. Ports with client machines and more than one VLAN, do step 1 for the "default" VLAN on that port, and mark all other VLANs on the port as tagged. Clients on the port with VLANs not matching the PVID must tag their packets.
  3. Ports to other switches/routers are trunks, and you mark all VLANs that you want to pass over the link as tagged. The device at the other end must be set to tag all packets.

Function (New Member, Nov 2, 2023)
@nabsltd thanks a lot for your reply; your explanation of PVIDs was very helpful and I think I've done that part correctly.
Right now I'm only looking to configure a few ports, each with a single VLAN and no overlap or anything (simple config for now).

So where before all the ports acted as if the switch was an unmanaged switch, now I have ports which definitely do something different. But even though I've set up VLANs for the OPNsense port the switch is connected to, matched the VLAN IDs and created FW rules to allow traffic to the internet, I can't connect to the internet (ping 1.1.1.1) or even get an IP address for a client connected to any of the VLAN2 or VLAN3 ports (VLAN1 is default, I think).

I've attached some screenshots of my switch and FW config in hopes that someone can tell me what I'm doing wrong.

(10 screenshots of the switch and firewall config attached)

nabsltd (Well-Known Member, Jan 26, 2022)
Interface MGE8 needs to tag all outgoing packets to the opnsense box. Right now, it's getting untagged packets, which it thinks are for the default VLAN of 1. Since the destination IP (10.0.2.1) for the packet isn't on VLAN 1, it never sees the packets.

The best way to test is by pinging from the switch to 10.0.2.1, if the switch has that capability.
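As an added illustration (not code from this thread, from Hasivo or from OPNsense), here is a small Python model of the 802.1Q port rules nabsltd lays out above: untagged frames are classified into the port's PVID on ingress, a port only accepts VLANs it is a member of, and on egress each member VLAN is either tagged or untagged. It builds two constructed switch configurations, one where MGE8 strips the VLAN 2/3 tags toward OPNsense (the failure mode described in the previous post: OPNsense sees untagged frames and files them under the default VLAN 1, so traffic for 10.0.2.1 never reaches the VLAN 2 interface) and one where MGE8 tags them. Port names MGE1..MGE8 and the 10.0.2.1 gateway come from the thread; the other subnets, the assignment of clients to ports, and flooding instead of MAC learning are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Port:
    name: str
    pvid: int       # VLAN assigned to frames that arrive without a tag
    members: dict   # vid -> "tagged" | "untagged": how that VLAN leaves this port


@dataclass
class Frame:
    in_port: str
    tag: Optional[int]   # 802.1Q VID on the wire, None = untagged
    dst_ip: str


def ingress_vlan(port: Port, frame: Frame) -> Optional[int]:
    """Classify an arriving frame; None means the switch drops it (ingress filtering)."""
    vid = frame.tag if frame.tag is not None else port.pvid
    return vid if vid in port.members else None


def forward(ports: dict, frame: Frame) -> dict:
    """Flood the frame to every other member port of its VLAN.

    Returns {port_name: tag_on_wire}; tag_on_wire is None when the port
    sends the VLAN untagged. No MAC learning: flooding is enough to show
    where the tag is kept and where it is stripped.
    """
    vid = ingress_vlan(ports[frame.in_port], frame)
    if vid is None:
        return {}
    out = {}
    for name, port in ports.items():
        if name == frame.in_port or vid not in port.members:
            continue
        out[name] = vid if port.members[vid] == "tagged" else None
    return out


def opnsense_vlan(tag: Optional[int]) -> int:
    """VLAN OPNsense attributes a frame arriving on the trunk NIC to.
    Untagged frames belong to the parent interface, the default VLAN 1 here."""
    return 1 if tag is None else tag


# Constructed addressing: only 10.0.2.1 (the VLAN 2 gateway) appears in the thread.
SUBNET_VLAN = {"10.0.1.": 1, "10.0.2.": 2, "10.0.3.": 3}


def subnet_vlan(ip: str) -> int:
    return next(v for prefix, v in SUBNET_VLAN.items() if ip.startswith(prefix))


def access(name: str, vid: int) -> Port:
    """TL;DR step 1: one VLAN, PVID = that VLAN, VLAN untagged on the port."""
    return Port(name, vid, {vid: "untagged"})


def uplink(name: str, tagged_vids, pvid: int = 1) -> Port:
    """TL;DR step 3: link to the router carries the isolated VLANs tagged;
    the default VLAN stays untagged so the switch itself remains reachable."""
    members = {v: "tagged" for v in tagged_vids}
    members[pvid] = "untagged"
    return Port(name, pvid, members)


def build_switch(uplink_port: Port) -> dict:
    # Assumed layout: MGE1 default VLAN, MGE2/MGE3 isolated access ports, MGE8 to OPNsense.
    ports = [access("MGE1", 1), access("MGE2", 2), access("MGE3", 3), uplink_port]
    return {p.name: p for p in ports}


def reaches_gateway(ports: dict, client_port: str, dst_ip: str) -> bool:
    """Does an untagged client frame for dst_ip leave MGE8 on the VLAN OPNsense expects?"""
    out = forward(ports, Frame(client_port, None, dst_ip))
    if "MGE8" not in out:
        return False
    return opnsense_vlan(out["MGE8"]) == subnet_vlan(dst_ip)


# Broken: MGE8 is a member of VLANs 2 and 3 but sends them untagged (tags stripped).
BROKEN = build_switch(Port("MGE8", 1, {1: "untagged", 2: "untagged", 3: "untagged"}))
# Fixed: MGE8 tags VLANs 2 and 3 toward OPNsense and leaves VLAN 1 untagged.
FIXED = build_switch(uplink("MGE8", [2, 3]))

if __name__ == "__main__":
    for label, sw in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, forward(sw, Frame("MGE2", None, "10.0.2.1")),
              "gateway reachable:", reaches_gateway(sw, "MGE2", "10.0.2.1"))
```

Running it shows the untagged client frame from MGE2 leaving MGE8 with no tag in the broken layout (so OPNsense treats it as VLAN 1 traffic) and with tag 2 in the fixed one; in the other direction, a VLAN 2 frame tagged by OPNsense is untagged again before it leaves the access port MGE2, and a frame that arrives on an access port with a foreign tag is dropped on ingress.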

Function (New Member, Nov 2, 2023)
nabsltd said:
The best way to test is by pinging from the switch to 10.0.2.1, if the switch has that capability.
It does, and there was 0% loss, all with the configuration just like in the screenshots I sent.

What's curious is that the switch at some point seems to have reset the PVIDs for ports 2 and 3 back to 1, making connection possible again (as if the client was connected through the Hasivo LAN on my OPNsense directly).

Function (New Member, Nov 2, 2023)
I'm confused; I thought whatever port I connect to my OPNsense must be trunk, preserving the VLAN tags that the switch assigns to packets from other ports. How do I need to configure MGE8: hybrid, access, trunk, or tunnel? I'm pretty sure it's not access; that's what I have to use for the ports where connected clients send untagged packets which then get tagged, or where tagged packets for a client get untagged before being sent.

frogtech (Well-Known Member, Jan 4, 2016)
I am making some assumptions here based on my own experience with a similar issue that I haven't yet figured out, as I've often been confused on the subject with regards to layer 2 (VLAN) and layer 3 (routing) functionality, specifically with OPNsense. Admittedly I haven't looked at all of your images. Is the Hasivo switch you bought advertised as layer 3? If you are assigning IP addresses to virtual interfaces then most likely it is a layer 3 switch that can do inter-VLAN routing. From what I've seen, this is why you may still be able to ping addresses in different VLANs if you have a directly connected subnet or a default route between the two devices.

I would do a quick little test on the OPNsense side: go into the firewall settings under Firewall > Settings > Advanced, look for "Disable Firewall" and check "disable all packet filtering". Then see if your device that could not previously reach the internet can, after you disable all packet filtering. If it works, then you have an OPNsense firewall rule issue, which is something I haven't yet quite figured out, because when I get connectivity issues I am checking the "live view" of the OPNsense firewall and seeing the blocks, but not really quite getting how to interpret the information and turn it into a firewall rule (for me this is mainly due to how the information is presented to the user and how I am thinking about the flow of traffic).

I would perform that test quickly and then quickly re-enable your firewall packet filtering.