Topic: Oh no, VLAN's dont work for me :(  (Read 2292 times)
« on: July 18, 2008, 08:46:13 »
Seb74 ***
Posts: 115

I bought a damn expensive switch just for VLAN-support, knowing that M0n0wall would handle dot1q.

So, I switch from port-based VLANs to 802.1q, everything's fine, all ports are VLAN 1 and nothing is trunked because all ports by default use untagged outgoing packets.

So, I guess to get the router to know anything about the VLANs I plan on setting up I need to set the outgoing tags on the port leading to the router. So I set that port to T as in Tagged, and lose contact with the router.
Rebooting and stuff doesn't help; the only way to get back into the router is to remove those tags on the switch port going to M0n0wall.

Even before creating any other VLANs, so it can't be me locking myself out or something.

Anyone?
It should work, right?
And I would need to tag outgoing to the router of course, or it won't know anything about the VLANs?
« Reply #1 on: July 18, 2008, 09:25:20 »
Seb74 ***
Posts: 115

This is how the VLAN settings look on my Netgear... don't really get all of it :s

First you choose port-based or 802.1q, and I don't really know what port-based (without trunking?) could be good for, but maybe if you don't want to route at all between the totally isolated VLANs.

(http://seb1974.no-ip.org/forum-posts/vlan1.jpg)


Then we have the VLAN membership selection, and I'm fooling around with 2 VLANs for a start just to try things out. U means Untagged, T means Tagged but doesn't work when I set port 1 to T, and empty means not a member of the VLAN.

(http://seb1974.no-ip.org/forum-posts/vlan2.jpg)
(http://seb1974.no-ip.org/forum-posts/vlan3.jpg)


Then lastly, and this I don't get, there is some Port VLAN ID configuration, while I thought that VLAN membership for the different ports was made above, so I really don't get this, but whatever.
I thought trunk ports were to be members of all VLANs to be able to trunk, as I set port 1 to be a member of both VLAN 1 & 2 above, but here you can only assign one VLAN per port :s

(http://seb1974.no-ip.org/forum-posts/vlan4.jpg)
« Last Edit: July 18, 2008, 09:28:14 by Seb74 »
« Reply #2 on: July 18, 2008, 12:03:18 »
Seb74 ***
Posts: 115

Started getting some knowledge about those PVIDs, which apparently stands for Permanent VLAN ID.
That thing seems to define the default VLAN, and does so port by port individually.
By default most switches have PVID 1 on all ports, hence the default VLAN for the whole switch is VLAN 1.

Not totally sure how that works, but if you move a port to VLAN 10 I guess you must change the PVID of that port to 10 also if you have a non-VLAN-aware PC plugged in, or else it will tag everything you send with VLAN 1 instead of 10.


Anyway, I think I'm on to something here... it seems you need to add the VLAN interfaces in M0n0wall BEFORE starting to tag. Now I'm tagging and at least that works; I have to go out for a while but then I'll try more and see if I can get different VLANs talking to each other and stuff.

One thing I'm thinking of now is whether I should ditch the physical LAN interface and just use OPT2/OPT3, which are its virtual interfaces, everywhere... like ditch the DHCP server, firewall rules and everything for the physical one and enter it on the subinterfaces only? Does anyone know?

Thanks :)
« Reply #3 on: July 18, 2008, 12:11:32 »
kpa *
Posts: 4

This guide is for a different switch (hp procurve 1800-8g) and for pfSense but it should get you on the right track:

http://pfsense.site88.net/mysetup/index.html
« Reply #4 on: July 18, 2008, 15:00:08 »
Seb74 ***
Posts: 115

This guide is for a different switch (hp procurve 1800-8g) and for pfSense but it should get you on the right track:

http://pfsense.site88.net/mysetup/index.html
Well... I don't know. Thanks anyway :)

I've been fooling around like crazy here and I think I'm onto how it's supposed to be.

I'm setting the physical interface to some small /30 that will never be used, just some random 192.168.x.x.
The physical net will NEVER be used... disable its DHCP server, disable all its firewall rules etc.
Instead, use the subinterfaces (two in my case), and of course have those two on different networks; choose two different ones to your own taste, maybe one in 172 and one in 192 or whatever.

Then on the switch I don't use VLAN 1 anywhere, I don't even add that subinterface in the router; instead I create two additional VLANs and assign ports to my liking, then I make sure the PVIDs (default VLAN for each port) are changed to the VLAN the port belongs to (non-VLAN-aware clients). That way I can be sure no one can in any way exploit my native VLAN 1, since none of my used VLANs use it at all.


THAT'S how I'm on my way to setting it up now and it SEEMS this is working... gonna lab a lot and make sure the firewall/routing works as intended between my regular VLAN and what is supposed to be the isolated guest VLAN.
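The PVID rules from Reply #2 and the final layout from Reply #4 (tagged trunk to the router, access ports with matching PVIDs, native VLAN 1 left unused) can be checked mechanically. The following is an added example, not code from the thread or from M0n0wall; the membership matrix, PVIDs, port numbers and VLAN ids are constructed to mirror the Netgear screens described above.

```python
# Added example (not from the thread): consistency checks for a Netgear-style
# 802.1Q setup: a membership matrix (U = untagged, T = tagged, absent = not a
# member) plus a per-port PVID. All values below are constructed sample data.

MEMBERSHIP = {            # vlan_id -> {port: "U" | "T"}
    1: {},                                   # native VLAN 1 deliberately left empty
    10: {1: "T", 2: "U", 3: "U"},            # regular LAN, tagged towards the router
    20: {1: "T", 4: "U"},                    # isolated guest VLAN
}
PVID = {1: 10, 2: 10, 3: 10, 4: 20}          # port -> VLAN assigned to untagged ingress
ROUTER_PORT = 1                              # switch port cabled to the M0n0wall box
ROUTER_VLANS = {10, 20}                      # VLAN subinterfaces configured on the router


def check_vlan_config(membership, pvid, router_port, router_vlans, native=1):
    """Return a list of problem strings; an empty list means the config is consistent."""
    problems = []
    # 1. Every VLAN the router has a subinterface for must leave the router port tagged.
    for vid in sorted(router_vlans):
        if membership.get(vid, {}).get(router_port) != "T":
            problems.append(f"port {router_port}: VLAN {vid} is not tagged towards the router")
    # 2. A VLAN tagged towards the router with no subinterface there goes nowhere
    #    (the lock-out from the first post: tagging before the VLAN interface exists).
    for vid, members in membership.items():
        if members.get(router_port) == "T" and vid not in router_vlans:
            problems.append(f"VLAN {vid}: tagged towards router but no router subinterface")
    # 3. Each access port is untagged in exactly one VLAN and its PVID names that VLAN,
    #    so frames from a non-VLAN-aware client land where the membership says.
    for port in sorted(set(pvid) - {router_port}):
        untagged = [vid for vid, members in membership.items() if members.get(port) == "U"]
        if len(untagged) != 1:
            problems.append(f"port {port}: untagged in {len(untagged)} VLANs, expected exactly 1")
        elif pvid[port] != untagged[0]:
            problems.append(f"port {port}: PVID {pvid[port]} differs from untagged VLAN {untagged[0]}")
    # 4. The native VLAN stays unused: no members and no PVID pointing at it.
    if membership.get(native) or native in pvid.values():
        problems.append(f"VLAN {native}: native VLAN is still in use")
    return problems


if __name__ == "__main__":
    for line in check_vlan_config(MEMBERSHIP, PVID, ROUTER_PORT, ROUTER_VLANS) or ["config OK"]:
        print(line)
```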