[TL-SG105E] Can you force all traffic connected to this switch to the router?

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

2018-04-30 05:43:57
Model : TL-SG105E

Hardware Version : 3.0

Firmware Version : 1.0.0 Build 20160715 Rel.38605

ISP :

I have two TL-SG105E switches and my pfSense server (DL180G8) is connected to port 2 of Switch 1. Port 4 on each switch is an AP.

Switch 1
port 1 -> Connected to Switch 2
port 2 -> PFSense Router
port 3 -> blank
port 4 -> AP

Switch 2
port 1 -> Connected to Switch 1
port 2 -> NAS port 1
port 3 -> NAS port 2
port 4 -> AP

I'd like to get all my AP traffic through my server's firewall so I can use LAN rules, proxy, MITM. Is this possible with the TL-SG105E without connecting the APs directly to the server?
#1
Re:[TL-SG105E] Can you force all traffic connected to this switch to the router?
2018-05-02 04:51:28
Yes, if you create a separate subnet for the APs on the pfSense server and use VLANs to connect the devices to this subnet. To be able to do so, you must configure pfSense to either use VLANs or to assign an Ethernet port to this subnet.
༺ 0100 1101 0010 10ཏ1 0010 0110 1010 1110 ༻
#2
Re:[TL-SG105E] Can you force all traffic connected to this switch to the router?
2018-05-07 08:25:52

R1D2 wrote:

Yes, if you create a separate subnet for the APs on the pfSense server and use VLANs to connect the devices to this subnet. To be able to do so, you must configure pfSense to either use VLANs or to assign an Ethernet port to this subnet.

Thanks,

So on pfSense I created a new VLAN 2 on the LAN side for now, as I want to get this working using one eth port.

- Vlan Tag: 2
- Vlan Priority: 0
- Desc: Vlan for Unifi APs

Next, I added the interface. It created OPT3 and assigned it a new IP outside of the LAN IP (192.168.0.2):

- Lan: IPv4 Static
- Enabled: yes
- IP Addr: 192.168.2.2

Went to DHCP and adjusted the new VLAN DHCP tab:

- DHCP enabled: yes
- Range: 192.168.2.100 - 192.168.2.110

On the Unifi controller I created a new wifi SSID for testing:

- Name: Vlan2
- Enabled VLAN and gave a value: 2

Checked the firewall rules on pfSense and added a src/dest any/any rule for IPv4.

- Confirmed that the new SSID was listed on the APs and said it was using VLAN 2.
- Connected to Vlan2 from my laptop, would not get an IP.
- Manually added an IP address to my laptop; did not help.
- Ran a pcap on the pfSense router over the VLAN interface: no traffic.
- Ran a pcap on the pfSense router over the LAN interface with promiscuous mode enabled.
- Viewed the pcap in Wireshark and did not find any frames from the laptop MAC or with a VLAN tag.

Not sure why pfSense is not getting any traffic from the AP that has an SSID with VLAN 2.
#3
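The last troubleshooting step above was eyeballing the capture for 802.1Q tags. The following script does that check programmatically over raw Ethernet frames, reporting for each frame whether it carries a tag, and which VLAN ID and priority it has. It is an example added to this thread, not code from TP-Link, pfSense or UniFi; the two frames it feeds itself are constructed (a laptop with a locally administered MAC broadcasting once untagged and once tagged with VLAN 2), and the `build_frame` and `count_by_vlan` helper names are this example's own.

```python
"""Check captured Ethernet frames for an 802.1Q VLAN tag.

Example added for this thread (not TP-Link, pfSense or UniFi code). The
sample frames below are constructed, not taken from the poster's capture."""
import struct
from collections import Counter
from typing import Optional

ETHERTYPE_8021Q = 0x8100   # TPID that announces a VLAN tag follows
ETHERTYPE_IPV4 = 0x0800


def parse_frame(frame: bytes) -> dict:
    """Return dst/src MAC, VLAN ID and priority (None when untagged),
    the real EtherType and the payload of one raw Ethernet frame."""
    if len(frame) < 14:
        raise ValueError("frame shorter than a 14-byte Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    info = {"dst": dst.hex(":"), "src": src.hex(":"), "vlan": None, "pcp": None}
    offset = 14
    if ethertype == ETHERTYPE_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        # TCI layout: 3 bits PCP, 1 bit DEI, 12 bits VLAN ID; then the real EtherType
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        info["pcp"] = tci >> 13
        info["vlan"] = tci & 0x0FFF
        offset = 18
    info["ethertype"] = ethertype
    info["payload"] = frame[offset:]
    return info


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes,
                vlan: Optional[int] = None, pcp: int = 0) -> bytes:
    """Assemble a frame, inserting an 802.1Q tag when `vlan` is given.
    Used here only to construct sample input."""
    if vlan is not None and not 0 <= vlan <= 4095:
        raise ValueError("VLAN ID must fit in 12 bits")
    hdr = dst + src
    if vlan is not None:
        hdr += struct.pack("!HH", ETHERTYPE_8021Q, (pcp << 13) | vlan)
    return hdr + struct.pack("!H", ethertype) + payload


def count_by_vlan(frames) -> Counter:
    """Histogram of VLAN IDs seen in a capture; the key None means untagged."""
    return Counter(parse_frame(f)["vlan"] for f in frames)


# Constructed sample (not a real capture): a laptop with a locally administered
# MAC broadcasting once untagged and once tagged with VLAN 2, the SSID's VLAN.
LAPTOP = bytes.fromhex("020000000aa1")
BROADCAST = b"\xff" * 6
SAMPLE = [
    build_frame(BROADCAST, LAPTOP, ETHERTYPE_IPV4, b"dhcp-discover"),
    build_frame(BROADCAST, LAPTOP, ETHERTYPE_IPV4, b"dhcp-discover", vlan=2),
]

if __name__ == "__main__":
    for f in SAMPLE:
        p = parse_frame(f)
        print(f"src={p['src']} vlan={p['vlan']} pcp={p['pcp']} "
              f"ethertype=0x{p['ethertype']:04x}")
    print(count_by_vlan(SAMPLE))
```

Run against a real capture, a histogram in which every key is `None` is exactly the symptom described above: nothing the laptop sent arrived at the router with a tag, so the problem sits between the AP and the router, not in pfSense's VLAN interface.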
Re:[TL-SG105E] Can you force all traffic connected to this switch to the router?
2018-05-07 09:51:05
You need to create a trunk (tagged) port on the switch for pfSense and the UniFi and an access (untagged) port for your PC. Assign PVID 2 to the access port and leave PVID 1 assigned to the trunk port.
༺ 0100 1101 0010 10ཏ1 0010 0110 1010 1110 ༻
#4
Re:[TL-SG105E] Can you force all traffic connected to this switch to the router?
2018-05-07 10:07:29

R1D2 wrote:

You need to create a trunk (tagged) port on the switch for pfSense and the UniFi and an access (untagged) port for your PC. Assign PVID 2 to the access port and leave PVID 1 assigned to the trunk port.

Not sure I follow how to do this on the two switches I have.

#5
Re:[TL-SG105E] Can you force all traffic connected to this switch to the router?
2018-05-07 10:39:30
OK, made a new change to VLAN 2 in the switches, and now I can connect to the test VLAN SSID and it's getting DHCP via the VLAN DHCP address that I enabled in pfSense. I can't access anything on the 192.168.0.x LAN or WAN yet though.

So from watching a few vids and docs online, PVID is the default VLAN assigned to any VLAN-unaware device (VLAN 1 in my case), and when you have a device that can be configured to use VLANs, you need to tag them. So with the new settings, any non-aware device connected to any port on my switch will use VLAN 1, and any device broadcasting on VLAN 2 (Unifi APs) will also be able to route on any port.

So to ensure that all AP traffic is routing through the pfSense router for all LAN traffic, do I need to do anything else here, like limit the tagged ports?

#6
Re:[TL-SG105E] Can you force all traffic connected to this switch to the router?
2018-05-07 16:01:46

rcmpayne wrote:

So from watching a few vids and docs online, PVID is the default VLAN assigned to any VLAN-unaware device (VLAN 1 in my case), and when you have a device that can be configured to use VLANs, you need to tag them.

As soon as you use VLANs and want to isolate them against each other (not only force traffic through a specific device) you need to tag all Ethernet frames, be it in the server, in the router or in the switch. You can reach every port b/c all ports of the switch are still members of the Default_VLAN 1. However, the UniFi SSID tagged with VLAN 2 is forced to use the router's VLAN 2.

Tagging traffic arriving on VLAN-unaware port(s) in the switch is done by setting their PVID.
Forcing traffic to certain ports is done by adding those port(s) as member to a VLAN.
Isolating traffic to certain ports is done by removing those port(s) from the VLAN.

If you want to isolate ports from Default_VLAN 1, you need the latest firmware for the TL-SG105E published in January 2018. This firmware lets you remove ports from VLAN 1, but you need to use the switch's web UI, not the Easy Configuration Utility.

Also make sure that pfSense does not route between the subnets/VLANs by isolating the subnets against each other (might be default or requires a firewall setup - I don't use pfSense, so you certainly know better how to achieve this in pfSense). Keep in mind that UniFi APs use untagged frames for management, so if you use UBNT's discovery or an AP Controller, you still need to pass untagged frames between the UniFi, the switch and the router.
༺ 0100 1101 0010 10ཏ1 0010 0110 1010 1110 ༻
#7
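The two replies above (the trunk/access port advice and the three PVID/member/isolation rules) describe the forwarding behaviour of a port-based 802.1Q switch. The model below, an example added to this thread and not TP-Link or pfSense code, implements those rules so the three switch states discussed in the thread can be compared: the factory state, the trunked state with an access port, and the isolated state where port 3 is removed from VLAN 1. The port layout and VLAN IDs are the thread's (Switch 1: port 1 uplink, port 2 pfSense, port 4 AP, port 3 treated here as the PC's access port); the `Switch` class, its method names, and the assumption that a tagged frame for a VLAN the ingress port is not a member of is dropped (consistent with the "no traffic" symptom reported earlier) are this example's own.

```python
"""Model of 802.1Q port-based VLAN forwarding on a small smart switch:
an untagged frame is classified by the ingress port's PVID, a frame is
delivered only to ports that are members of its VLAN, and each member
port sends it tagged or untagged as configured.

Example added for this thread, not TP-Link or pfSense code. Dropping a
tagged frame whose VLAN the ingress port is not a member of is an
assumption of this model."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class Port:
    pvid: int = 1
    tagged: Set[int] = field(default_factory=set)            # VLANs sent with a tag
    untagged: Set[int] = field(default_factory=lambda: {1})  # VLANs sent untagged

    def members(self) -> Set[int]:
        return self.tagged | self.untagged


class Switch:
    def __init__(self, n_ports: int = 5):
        # Factory state: every port an untagged member of VLAN 1 with PVID 1.
        self.ports: Dict[int, Port] = {n: Port() for n in range(1, n_ports + 1)}

    def set_port(self, n: int, pvid: int, tagged=(), untagged=()) -> None:
        self.ports[n] = Port(pvid, set(tagged), set(untagged))

    def forward(self, ingress: int, vid: Optional[int] = None) -> Dict[int, Optional[int]]:
        """Egress ports for one frame arriving on `ingress`; vid=None means it
        arrived untagged. Each value is the VLAN ID the frame leaves with, or
        None if it leaves untagged."""
        p = self.ports[ingress]
        if vid is None:
            vid = p.pvid            # untagged ingress: classify by PVID
        elif vid not in p.members():
            return {}               # tagged for a VLAN this port is not in: dropped
        out: Dict[int, Optional[int]] = {}
        for n, q in self.ports.items():
            if n == ingress:
                continue
            if vid in q.tagged:
                out[n] = vid
            elif vid in q.untagged:
                out[n] = None
        return out


def factory_switch() -> Switch:
    """Switch as shipped: no VLAN 2 anywhere, so tagged frames from the AP go nowhere."""
    return Switch()


def trunked_switch() -> Switch:
    """Ports 1 (uplink), 2 (pfSense) and 4 (AP) carry VLAN 2 tagged and stay
    untagged in VLAN 1 so UniFi management frames still pass. Port 3 is the
    PC's access port: PVID 2, untagged in VLAN 2, and still in the default VLAN 1."""
    sw = Switch()
    for n in (1, 2, 4):
        sw.set_port(n, pvid=1, tagged={2}, untagged={1})
    sw.set_port(3, pvid=2, tagged=(), untagged={1, 2})
    return sw


def isolated_switch() -> Switch:
    """As trunked, but port 3 removed from VLAN 1 entirely (the firmware
    requirement mentioned above), so VLAN 1 traffic no longer reaches it."""
    sw = trunked_switch()
    sw.set_port(3, pvid=2, tagged=(), untagged={2})
    return sw


if __name__ == "__main__":
    for name, sw in (("factory", factory_switch()), ("trunked", trunked_switch()),
                     ("isolated", isolated_switch())):
        print(f"{name:9} AP tagged VLAN 2 -> {sw.forward(4, 2)}")
        print(f"{name:9} AP untagged      -> {sw.forward(4)}")
        print(f"{name:9} pfSense untagged -> {sw.forward(2)}")
```

The factory state reproduces the earlier symptom: a frame the AP tags with VLAN 2 has no member port to go to and is dropped, while untagged management frames still flood to every port. In the trunked state the same frame reaches the uplink and pfSense tagged and the PC's access port untagged, and the PC's untagged frames are classified into VLAN 2 by the PVID. Only the isolated state stops VLAN 1 traffic from reaching port 3, which is the difference between "force traffic through the router" and "isolate".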

Information
Helpful: 0
Views: 1789
Replies: 6