computers can still ping after being included in different VLAN
switch = TLSG2428P
firmware V4.0.6 build 20230602 Rel 73473
I have 2 computers which I added to 2 different VLANs. I am still able to ping between these computers, meaning, the VLANs somehow are not active.
Any idea what I could be doing wrong or forgetting?
I created 2 different VLANs:
L2 FEATURES | VLAN | 802.1q VLAN - VLAN Config
VLAN=1 (System-VLAN) Members = 1/0/1-28
VLAN=101 (VL1) Members = 1/0/1-28
VLAN=105 (VL2) Members = 1/0/1-28
I left all the default settings in the Port Config screen:
(ingress checking enabled, acceptable frame type=Admit all)
I added the computers based on their MAC address:
L2 FEATURES | VLAN | MAC VLAN
<mac-computer-1> VLAN=101
<mac-computer-2> VLAN=105
I selected All the ports.
I have no ACL's defined.
What needs to be done to "Activate" the VLAn settings?
Am I correct to assume that once the VLAN's are active, I should not be able to ping between these computers anymore
- Copy Link
- Subscribe
- Bookmark
- Report Inappropriate Content
In addition:
Each VLAN (101 and 105) has all ports selected as untagged.
I assume I dont need tagged ports because I only have 1 switch and 1 router.
- Copy Link
- Report Inappropriate Content
Hi @viper91701
Thanks for posting in our business forum.
1. Full network diagram.
2. Does your router support VLAN interface? Are you configuring 802.1Q VLAN or VLAN interface?
3. What is the VLAN ID of the PC you use to ping?
- Copy Link
- Report Inappropriate Content
diagram:
WLAN --> router --> Switch
Switch
--> Raspberry Pi 4B #1 (VLAN 101, IP = 172.10.20.5)
--> Raspberry Pi 4B #1 (VLAN 105, IP = 172.10.20.6)
same subnet
Router = fpSense Community edition 2.0.0-RELEASE (amd64)
Switch = TL-SG2428P 4.0 (4.0.6 Build 20230602 Rel.73473)
Router specifies 2 interfaces: igb0 for WLAN and igb1 for LAN
all local computers are on the LAN side
>Does your router support VLAN interface?
See the online documentation of pfSense support for VLAN
(I am unable to post the link of the pfSense online documentation - look for "pfSense VLAN) to find out more.
I have not used any VLAN configuration on the pfSense router.
I am new to VLAN and I do not understand the releationship between router and switch in relation to VLAN's.
>Are you configuring 802.1Q VLAN or VLAN interface?
On the Switch, I specify the VLAN's in the Web AGUI from menu "L2 FEATURES" | VLAN | 802.1QVLAN in the "VLAN Config" screen.
>What is the VLAN ID of the PC you use to ping?
problem occurs in both directions (Raspberry on VLAN 101 pinging Raspberry on VLAN 105 and vice versa)
What I have done since last email:
On the switch, I did enable ALL the ports for both VLAN's. This relulted in Rapsberry computer to be able to ping each other, even when specified to be on different VLAN's.
When I changed this for each VLAN, to only have the port enabled connected to the computer assigned to that VLAN, then pings were blocked.
I assume that is what I was trying to achieve.
Question:
Should I only enable the ports belonging to a VLAN or should it be able to enable all ports for all VLAN's and still achieve separation?
Question:
Now my next problem is, how can establish connections between specific computers across different VLAN's?
Am I correct to assume this needs to be done through ACL's?
1) The Raspberry computers cannot see each others traffic (I assume I achieved that by selecting only the used port for each VLAN as described above)
2) I want a 3rd computer (on VLAN 200) to access each Raspberry seperately via RDP
3) I want each Raspberry to access a NAS drive on a static IP address of which the controller sits in yet another VLAN on the same switch (I.e. the Raspberry computers should NOT ping the HAS controller but should be able to access the files on the NAS drive via the static IP over cifs).
All computers (Raspberry, RDP computer and NAS controller) are on the same subnet.
The TL-SG2428P specifies ACL's via menu "SECURITY" | ACL.
It can specify "MAC ACL", "IP ACL", "Combined ACL".
"ACL COnfig" can specify multiple rules for each ACL.
ACL Binding can assign a specific set of ACL rules to a specific port with direction "ingress".
Question:
I am not sure how to define ACL's to achieve what I want.
Regards
- Copy Link
- Report Inappropriate Content
Hi @viper91701
Thanks for posting in our business forum.
viper91701 wrote
diagram:
WLAN --> router --> Switch
Switch
--> Raspberry Pi 4B #1 (VLAN 101, IP = 172.10.20.5)
--> Raspberry Pi 4B #1 (VLAN 105, IP = 172.10.20.6)
same subnet
Router = fpSense Community edition 2.0.0-RELEASE (amd64)
Switch = TL-SG2428P 4.0 (4.0.6 Build 20230602 Rel.73473)
Router specifies 2 interfaces: igb0 for WLAN and igb1 for LAN
all local computers are on the LAN side
>Does your router support VLAN interface?
See the online documentation of pfSense support for VLAN
(I am unable to post the link of the pfSense online documentation - look for "pfSense VLAN) to find out more.
I have not used any VLAN configuration on the pfSense router.
I am new to VLAN and I do not understand the releationship between router and switch in relation to VLAN's.
>Are you configuring 802.1Q VLAN or VLAN interface?
On the Switch, I specify the VLAN's in the Web AGUI from menu "L2 FEATURES" | VLAN | 802.1QVLAN in the "VLAN Config" screen.
>What is the VLAN ID of the PC you use to ping?
problem occurs in both directions (Raspberry on VLAN 101 pinging Raspberry on VLAN 105 and vice versa)
What I have done since last email:
On the switch, I did enable ALL the ports for both VLAN's. This relulted in Rapsberry computer to be able to ping each other, even when specified to be on different VLAN's.
When I changed this for each VLAN, to only have the port enabled connected to the computer assigned to that VLAN, then pings were blocked.
I assume that is what I was trying to achieve.
Question:
Should I only enable the ports belonging to a VLAN or should it be able to enable all ports for all VLAN's and still achieve separation?
Question:
Now my next problem is, how can establish connections between specific computers across different VLAN's?
Am I correct to assume this needs to be done through ACL's?
1) The Raspberry computers cannot see each others traffic (I assume I achieved that by selecting only the used port for each VLAN as described above)
2) I want a 3rd computer (on VLAN 200) to access each Raspberry seperately via RDP
3) I want each Raspberry to access a NAS drive on a static IP address of which the controller sits in yet another VLAN on the same switch (I.e. the Raspberry computers should NOT ping the HAS controller but should be able to access the files on the NAS drive via the static IP over cifs).
All computers (Raspberry, RDP computer and NAS controller) are on the same subnet.
The TL-SG2428P specifies ACL's via menu "SECURITY" | ACL.
It can specify "MAC ACL", "IP ACL", "Combined ACL".
"ACL COnfig" can specify multiple rules for each ACL.
ACL Binding can assign a specific set of ACL rules to a specific port with direction "ingress".
Question:
I am not sure how to define ACL's to achieve what I want.
Regards
OK. One RPI with dual NICs?
From what you described, yes, you are using 802.1Q VLAN as far as I can tell. But I don't know pfsense and don't think it relate now.
Can you do a test with a PC and this RPI when they both connect to the switch? Set them up and place them in different VLANs. Will they be able to ping each other?
I suspect that this is because of the dual NIC on the RPI. So let's verify the 802.1Q VLAN on the switch.
If you don't get a ping, then it means the 802.1Q works. It is the problem with the dual NIC on your RPI.
802.1Q, supposedly, does not require additional ACLs to block. Since you cannot tell me if it is VLAN interface on your pfsense, simply from the different VLAN IDs but same subnet, it seems to be the 802.1Q.
- Copy Link
- Report Inappropriate Content
Information
Helpful: 0
Views: 461
Replies: 4
Voters 0
No one has voted for it yet.