computers can still ping after being included in different VLAN

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

computers can still ping after being included in different VLAN

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.
computers can still ping after being included in different VLAN
computers can still ping after being included in different VLAN
2023-12-29 01:36:12 - last edited 2024-01-02 02:12:58
Model: TL-SG2428P  
Hardware Version: V4
Firmware Version:

switch = TLSG2428P

firmware V4.0.6 build 20230602 Rel 73473

I have 2 computers which I added to 2 different VLANs. I am still able to ping between these computers, meaning, the VLANs somehow are not active.

Any idea what I could be doing wrong or forgetting?

 

I created 2 different VLANs:

L2 FEATURES | VLAN | 802.1q VLAN - VLAN Config

 

VLAN=1  (System-VLAN) Members = 1/0/1-28

VLAN=101  (VL1) Members = 1/0/1-28

VLAN=105  (VL2) Members = 1/0/1-28

 

I left all the default settings in the Port Config screen:

(ingress checking enabled, acceptable frame type=Admit all)

 

 

I added the computers based on their MAC address:

 

 L2 FEATURES | VLAN | MAC VLAN

<mac-computer-1>  VLAN=101

<mac-computer-2>  VLAN=105

 

I selected All the ports.

 

I have no ACL's defined.

 

What needs to be done to "Activate" the VLAn settings?

Am I correct to assume that once the VLAN's are active, I should not be able to ping between these computers anymore

 

 

 

  0      
  0      
#1
Options
4 Reply
Re:computers can still ping after being included in different VLAN
2023-12-29 01:41:18 - last edited 2024-01-02 02:12:36

  In addition:

Each VLAN (101 and 105) has all ports selected as untagged.

I assume I dont need tagged ports because I only have 1 switch and 1 router.

  0  
  0  
#2
Options
Re:computers can still ping after being included in different VLAN
2024-01-02 07:24:25

Hi @viper91701 

Thanks for posting in our business forum.

1. Full network diagram.

2. Does your router support VLAN interface? Are you configuring 802.1Q VLAN or VLAN interface?

3. What is the VLAN ID of the PC you use to ping?

Best Regards! If you are new to the forum, please read: Howto - A Guide to Use Forum Effectively. Read Before You Post. Look for a model? Search your model NOW Official and Beta firmware. NEW features! Subscribe for the latest update!Download Beta Here☚ ☛ ★ Configuration Guide ★ ☚ ☛ ★ Knowledge Base ★ ☚ ☛ ★ Troubleshooting ★ ☚ ● Be kind and nice. ● Stay on the topic. ● Post details. ● Search first. ● Please don't take it for granted. ● No email confidentiality should be violated. ● S/N, MAC, and your true public IP should be mosaiced.
  0  
  0  
#3
Options
Re:computers can still ping after being included in different VLAN
2024-01-02 22:41:11

diagram:

 

WLAN  -->  router --> Switch 

Switch 

--> Raspberry Pi 4B #1 (VLAN 101, IP = 172.10.20.5)

--> Raspberry Pi 4B #1 (VLAN 105, IP = 172.10.20.6)

same subnet

 

Router = fpSense Community edition 2.0.0-RELEASE (amd64)

 

Switch = TL-SG2428P 4.0 (4.0.6 Build 20230602 Rel.73473)

 

Router specifies 2 interfaces: igb0 for WLAN and igb1 for LAN

all local computers are on the LAN side

 

 

 

>Does your router support VLAN interface?

See the online documentation of pfSense support for VLAN

(I am unable to post the link of the pfSense online documentation - look for "pfSense VLAN) to find out more.

 

I have not used any VLAN configuration on the pfSense router.

I am new to VLAN and I do not understand the releationship between router and switch in relation to VLAN's.

 

 

>Are you configuring 802.1Q VLAN or VLAN interface?

On the Switch, I specify the VLAN's in the Web AGUI from menu "L2 FEATURES" | VLAN | 802.1QVLAN in the "VLAN Config" screen.

 

 

>What is the VLAN ID of the PC you use to ping?

problem occurs in both directions (Raspberry on VLAN 101 pinging Raspberry on VLAN 105 and vice versa)

 

 

What I have done since last email:

 

On the switch, I did enable ALL the ports for both VLAN's. This relulted in Rapsberry computer to be able to ping each other, even when specified to be on different VLAN's.

When I changed this for each VLAN, to only have the port enabled connected to the computer assigned to that VLAN, then pings were blocked.

I assume that is what I was trying to achieve.

 

Question:
Should I only enable the ports belonging to a VLAN or should it be able to enable all ports for all VLAN's and still achieve separation?
 

Question:

Now my next problem is, how can establish connections between specific computers across different VLAN's?

Am I correct to assume this needs to be done through ACL's?

 

1) The Raspberry computers cannot see each others traffic (I assume I achieved that by selecting only the used port for each VLAN as described above)

2) I want a 3rd computer (on VLAN 200) to access each Raspberry seperately via RDP

3) I want each Raspberry to access a NAS drive on a static IP address of which the controller sits in yet another VLAN on the same switch (I.e. the Raspberry computers should NOT ping the HAS controller but should be able to access the files on the NAS drive via the static IP over cifs).

 

All computers (Raspberry, RDP computer and NAS controller) are on the same subnet.

 

The TL-SG2428P specifies ACL's via menu "SECURITY" | ACL.

It can specify "MAC ACL", "IP ACL", "Combined ACL".

"ACL COnfig" can specify multiple rules for each ACL.

ACL Binding can assign a specific set of ACL rules to a specific port with direction "ingress".

 

Question:

I am not sure how to define ACL's to achieve what I want.

 

Regards

  0  
  0  
#4
Options
Re:computers can still ping after being included in different VLAN
2024-01-04 08:46:18

Hi @viper91701 

Thanks for posting in our business forum.

viper91701 wrote

diagram:

 

WLAN  -->  router --> Switch 

Switch 

--> Raspberry Pi 4B #1 (VLAN 101, IP = 172.10.20.5)

--> Raspberry Pi 4B #1 (VLAN 105, IP = 172.10.20.6)

same subnet

 

Router = fpSense Community edition 2.0.0-RELEASE (amd64)

 

Switch = TL-SG2428P 4.0 (4.0.6 Build 20230602 Rel.73473)

 

Router specifies 2 interfaces: igb0 for WLAN and igb1 for LAN

all local computers are on the LAN side

 

 

 

>Does your router support VLAN interface?

See the online documentation of pfSense support for VLAN

(I am unable to post the link of the pfSense online documentation - look for "pfSense VLAN) to find out more.

 

I have not used any VLAN configuration on the pfSense router.

I am new to VLAN and I do not understand the releationship between router and switch in relation to VLAN's.

 

 

>Are you configuring 802.1Q VLAN or VLAN interface?

On the Switch, I specify the VLAN's in the Web AGUI from menu "L2 FEATURES" | VLAN | 802.1QVLAN in the "VLAN Config" screen.

 

 

>What is the VLAN ID of the PC you use to ping?

problem occurs in both directions (Raspberry on VLAN 101 pinging Raspberry on VLAN 105 and vice versa)

 

 

What I have done since last email:

 

On the switch, I did enable ALL the ports for both VLAN's. This relulted in Rapsberry computer to be able to ping each other, even when specified to be on different VLAN's.

When I changed this for each VLAN, to only have the port enabled connected to the computer assigned to that VLAN, then pings were blocked.

I assume that is what I was trying to achieve.

 

Question:
Should I only enable the ports belonging to a VLAN or should it be able to enable all ports for all VLAN's and still achieve separation?
 

Question:

Now my next problem is, how can establish connections between specific computers across different VLAN's?

Am I correct to assume this needs to be done through ACL's?

 

1) The Raspberry computers cannot see each others traffic (I assume I achieved that by selecting only the used port for each VLAN as described above)

2) I want a 3rd computer (on VLAN 200) to access each Raspberry seperately via RDP

3) I want each Raspberry to access a NAS drive on a static IP address of which the controller sits in yet another VLAN on the same switch (I.e. the Raspberry computers should NOT ping the HAS controller but should be able to access the files on the NAS drive via the static IP over cifs).

 

All computers (Raspberry, RDP computer and NAS controller) are on the same subnet.

 

The TL-SG2428P specifies ACL's via menu "SECURITY" | ACL.

It can specify "MAC ACL", "IP ACL", "Combined ACL".

"ACL COnfig" can specify multiple rules for each ACL.

ACL Binding can assign a specific set of ACL rules to a specific port with direction "ingress".

 

Question:

I am not sure how to define ACL's to achieve what I want.

 

Regards

 

OK. One RPI with dual NICs?

From what you described, yes, you are using 802.1Q VLAN as far as I can tell. But I don't know pfsense and don't think it relate now.

 

Can you do a test with a PC and this RPI when they both connect to the switch? Set them up and place them in different VLANs. Will they be able to ping each other?

I suspect that this is because of the dual NIC on the RPI. So let's verify the 802.1Q VLAN on the switch.

If you don't get a ping, then it means the 802.1Q works. It is the problem with the dual NIC on your RPI.

 

802.1Q, supposedly, does not require additional ACLs to block. Since you cannot tell me if it is VLAN interface on your pfsense, simply from the different VLAN IDs but same subnet, it seems to be the 802.1Q.

 

 

Best Regards! If you are new to the forum, please read: Howto - A Guide to Use Forum Effectively. Read Before You Post. Look for a model? Search your model NOW Official and Beta firmware. NEW features! Subscribe for the latest update!Download Beta Here☚ ☛ ★ Configuration Guide ★ ☚ ☛ ★ Knowledge Base ★ ☚ ☛ ★ Troubleshooting ★ ☚ ● Be kind and nice. ● Stay on the topic. ● Post details. ● Search first. ● Please don't take it for granted. ● No email confidentiality should be violated. ● S/N, MAC, and your true public IP should be mosaiced.
  0  
  0  
#5
Options

Information

Helpful: 0

Views: 438

Replies: 4

Related Articles