Solved More of a managed switch question than Linux Networking


truckerDave

I have a tp-link TL-SG108E managed switch that I have had working pretty well. I managed to get my vlans set up the way I wanted, etc. The problem is, I can't leave well enough alone and decided to make a change. However, in my infinite wisdom, I failed to make note of my password and had to do a reset on it.

After the reset, I cannot, for the life of me, get vlans working again. I set them up in the switch. Then in pfSense. Exactly how I did it before (I have a cheat sheet that I followed the first time and followed it again this time).

I have reset the switch back to factory and even updated the firmware. Nothing. So, I went in and set pfSense back to factory and started all over with it. Still nothing. I fire up my PC that should be getting an IP on 192.168.20.100 just to see it's on 192.168.1.100. And it doesn't matter which port I plug into. Nothing changes.

So, to keep my sanity, please confirm this is the way to set up a vlan in a managed (tp-link) switch.

-cable from firewall in port 1
-cable to PC in port 2

In vlan screen, set port 1 to tagged and port 2 as untagged.

Correct??????
 


idk much about managed switches but i do know a bit about host security.

i'd recommend you a different approach:

1) forget leaving your entire security to a single box
2) just use a normal switch
3) follow this: each device is responsible for its own security. install a firewall on each device and whitelist which devices it can talk to
4) configure each device's firewall to log dropped packages so you can see which device is breaking the rules

I'm not a fan of managed switches or DMZs as they are kind of always the first sentence in posts about "i got hacked and my single point of failure was my managed switch" or similar.
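Step 4 above (log dropped packets to see which device is breaking the rules), as an added example that is not part of the original post: it tallies dropped packets per source from Linux kernel netfilter LOG lines. The `FW-DROP: ` prefix, the function name and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

PREFIX = "FW-DROP: "  # assumed prefix set in the host's drop-and-log rule
FIELD_RE = re.compile(r"(\w+)=(\S*)")  # KEY=value pairs of the kernel LOG format

# Constructed sample lines (not from the thread); 192.168.1.100 is the PC.
SAMPLE_LOG = """\
Mar 26 10:55:01 pc kernel: FW-DROP: IN=eth0 OUT= SRC=192.168.1.50 DST=192.168.1.100 LEN=60 PROTO=TCP SPT=51000 DPT=22
Mar 26 10:55:02 pc kernel: FW-DROP: IN=eth0 OUT= SRC=192.168.1.50 DST=192.168.1.100 LEN=60 PROTO=TCP SPT=51001 DPT=22
Mar 26 10:55:03 pc kernel: FW-DROP: IN=eth0 OUT= SRC=192.168.1.50 DST=192.168.1.100 LEN=52 PROTO=TCP SPT=51002 DPT=445
Mar 26 10:56:10 pc kernel: FW-DROP: IN=eth0 OUT= SRC=192.168.1.77 DST=192.168.1.100 LEN=71 PROTO=UDP SPT=40000 DPT=161
Mar 26 10:56:11 pc kernel: FW-DROP: IN=eth0 OUT= SRC=192.168.1.77 DST=192.168.1.100 LEN=84 PROTO=ICMP TYPE=8 CODE=0
Mar 26 10:57:00 pc sshd[811]: Accepted publickey for admin from 192.168.1.1 port 50022
"""


def summarize_drops(log_text, prefix=PREFIX):
    """Return [(source_ip, drop_count, [(proto, dest_port), ...])], busiest first."""
    counts = defaultdict(int)
    targets = defaultdict(set)
    for line in log_text.splitlines():
        _, found, rest = line.partition(prefix)
        if not found:
            continue  # not a firewall drop record
        fields = dict(FIELD_RE.findall(rest))
        src = fields.get("SRC")
        if src is None:
            continue  # malformed record, nothing to attribute
        counts[src] += 1
        # ICMP has no destination port, so record "-" instead.
        targets[src].add((fields.get("PROTO", "?"), fields.get("DPT", "-")))
    ranked = sorted(counts, key=lambda ip: counts[ip], reverse=True)
    return [(ip, counts[ip], sorted(targets[ip])) for ip in ranked]


if __name__ == "__main__":
    for ip, n, hit in summarize_drops(SAMPLE_LOG):
        print(f"{ip}: {n} dropped, targets {hit}")
```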
 
Thanks for the reply.
 
I work with Juniper and Cisco managed routers. Most managed routers and switches are a pain. The only reason I used them in my own stuff was that in the past they were better equipped to handle the traffic I had and I wanted to learn. Now it is no longer necessary to use managed equipment most of the time. If you are using the managed switch to learn, then great, let's keep learning. If it is because that is what you have, then it may be time to replace it with unmanaged. An 8 port unmanaged switch is about $20 so it is not a matter of money. Keep in mind that most of the stuff is 10/100 and not 1000 (gigabit). If you can, I would just go ahead and replace it with non-managed and reclaim all your time. Managed switches are really for more professional areas that require the fine-tuned management they provide. If you just use it for your own uses and don't have special needs, I would suggest you discontinue using it and use it for learning only.
 
Fellas, I appreciate the advice. I'll put some thought into it and possibly make some changes down the road.

But for now, I'm intent on finding out what I, if anything, am doing wrong with the configuration of the setup I have now.
 
Reading through this, I believe you probably need to go to Services > DHCP and enable the DHCP server for the VLAN. Also make sure everything is configured correctly; I recommend restarting DHCP and the workstation. If that doesn't work, make sure trunking and the port on the switch are assigned correctly. Good luck. Attached an article that may help.

 
After the reset, I cannot, for the life of me, get vlans working again. I set them up in the switch. Then in pfSense. Exactly how I did it before (I have a cheat sheet that I followed the first time and followed it again this time).
If you reset the switch to factory defaults you need to redo your switch VLAN configuration, under L2 Features -> 802.1Q VLAN -> VLAN Config. You will have to redefine which ports have which VLANs assigned to them, then they should work as before on your switch.
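A small model of how an 802.1Q switch treats frames under the layout from the opening post (port 1 tagged toward the firewall, port 2 untagged toward the PC), as an added example that is not part of the thread. It goes beyond the posts in modelling the per-port PVID, a standard 802.1Q setting the thread does not name; VLAN ID 20 and the `Switch` class are assumptions.

```python
class Switch:
    """Generic 802.1Q port model; not TP-Link firmware behaviour in detail."""

    def __init__(self, ports):
        ports = set(ports)
        # Factory default: every port is an untagged member of VLAN 1, PVID 1.
        self.members = {1: {"tagged": set(), "untagged": set(ports)}}
        self.pvid = {p: 1 for p in ports}

    def add_vlan(self, vid, tagged=(), untagged=()):
        self.members[vid] = {"tagged": set(tagged), "untagged": set(untagged)}

    def flood(self, in_port, tag=None):
        """Deliver a broadcast (e.g. a DHCP discover) that arrived on in_port.

        tag is the VLAN ID in the frame's 802.1Q header, or None if untagged.
        Returns {egress_port: VLAN tag on the wire, or None for untagged}.
        """
        # Ingress: an untagged frame is classified by the port's PVID only.
        vid = tag if tag is not None else self.pvid[in_port]
        vlan = self.members.get(vid)
        if vlan is None or in_port not in vlan["tagged"] | vlan["untagged"]:
            return {}  # ingress filtering: port is not a member of that VLAN
        # Egress: membership decides where it goes and whether it is tagged.
        return {p: (vid if p in vlan["tagged"] else None)
                for p in (vlan["tagged"] | vlan["untagged"]) - {in_port}}


def demo():
    sw = Switch(range(1, 9))                   # 8 ports, as on the TL-SG108E
    sw.add_vlan(20, tagged={1}, untagged={2})  # firewall on 1, PC on 2
    before = sw.flood(2)         # PC's untagged DHCP discover, PVID still 1
    sw.pvid[2] = 20              # classify untagged ingress on port 2 as VLAN 20
    after = sw.flood(2)
    reply = sw.flood(1, tag=20)  # firewall's tagged answer back to the PC
    return before, after, reply


if __name__ == "__main__":
    for label, result in zip(("PVID 1", "PVID 20", "reply"), demo()):
        print(label, result)
```

In this model, membership alone leaves the PC's untagged traffic in VLAN 1, so it reaches the firewall untagged; only with the PVID changed does it leave port 1 tagged for VLAN 20.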
 
@jpnilson @f33dm3bits

Thanks fellas.

I'm really starting to think there is a problem with this switch. I've set it up precisely like Lawrence Systems does in this video. He goes over his pfSense setup, albeit briefly, about 6:15 in the video. And the switch setup begins around 14:00.

After setting up both, I powered down everything. And then re-powered it all allowing each part to get running starting with the pfSense box. Then the switch. And finally my PC. That should ensure that my PC gets put in the proper VLAN (192.168.30.1) with a proper IP address.

But, nope! I check my PC's IP and it will be 192.168.1.100. Which is the pfSense LAN subnet.

I did some testing, and if I set up the switch with a VLAN on ports 1, 2 & 3, and nothing else changed on the other ports, I plugged in to port 7 with my PC and it got the 192.168.1.100 IP address. Which it should.

However, with the same setup, I went in and changed the LAN DHCP server to assign my PC a static IP of 192.168.1.10. It does that using my PC's MAC address (which I have verified with ARPwatch on pfSense and with my PC's console). Restarted it all. And still have the IP of 192.168.1.100.

I can delete the VLAN from the switch and pfSense and let the LAN DHCP server assign my IP by MAC address and it works just fine.

I've reset the switch numerous times. And just yesterday updated the firmware.

I don't get it. I know it's a cheap switch. But I can't see it losing VLAN functionality and nothing else.

After I get off of my Forced Luxury Vacation, I may get a different switch and try it. If it works, I'll take this one out and give it the 12 gauge treatment.

EDIT:

One other thing I failed to mention. I set the IP of the switch to 192.168.1.2 to avoid conflict with pfSense. In a browser, 1.1 brings up the pfSense console. 1.2 the tp-link console.

That said, if I set up a VLAN on the switch, I immediately lose the ability to access the tp-link console on ANY of the switch's ports. I'll still have access to the web and the pfSense box. Just not to the tp-link GUI. To get back in to it, I have to reset the switch.
 
One other thing I failed to mention. I set the IP of the switch to 192.168.1.2 to avoid conflict with pfSense. In a browser, 1.1 brings up the pfSense console. 1.2 the tp-link console.
That's similar to what I did with my TP Link switch and OPNSense.

After setting up both, I powered down everything. And then re-powered it all allowing each part to get running starting with the pfSense box. Then the switch. And finally my PC. That should ensure that my PC gets put in the proper VLAN (192.168.30.1) with a proper IP address.
Is 192.168.1.0/24 the default available network on the switch? I forgot since I've been running it for a while. And that you want 192.168.1.10 as the IP for your PC. I have two comments that you might want to think about if they apply to you.

1. When I first configured that switch and powered it off and on again, my configuration was gone. I later realized I had forgotten to save my configuration, and with a power-cycle of the switch it will be back in factory defaults. At the top of the switch's web interface, to the left of the "Log Out" button, you have a button "Save". Did you save your switch's configuration before power-cycling it? If not, your switch's config will have reset to factory defaults.

2. DHCP can be configured both on the switch and on pfSense. Maybe DHCP is active on both devices, causing a conflict and therefore giving you an end result which you don't expect? I have DHCP disabled on the switch and active on my OPNsense device, something you might want to look into?
 
Is 192.168.1.0/24 the default available network on the switch
The default on mine is 192.168.0.1

Even though pfSense DHCP Leases reports the switch at 192.168.1.2, I tried plugging in to an unused port and setting my PC's addy to a static 192.168.0.10 to access the switch after I set up the VLAN. Neither the 1.2 nor 0.1 will let me in.
1. When I first configured that switch and powered it off and on again, my configuration was gone. I later realized I had forgotten to save my configuration
This model does the saves automatically.
DHCP can be configured both on the switch and on pfSense.
Could be the step I'm missing .... I'll report back in a few!
 
This model does the saves automatically.
I would still try saving it manually to see what happens, I do see a save button in the web-interface of your switch.
 
Mine is v6.6. No save button/link anywhere to be found

And after setting the switch to static, nothing has changed. :(
Screenshot_2024-03-26_10-55-40.png
 
What I feel like is happening is that after setting everything up the way "I think" it should be, my PC is not able to connect to the DHCP Server assigned to that interface. But then again, there is that whole "can't access anything" problem that arises too. Best I just walk away for some time. Before things start flying out the window.
 
@f33dm3bits

Have you ever struggled with something that you just knew that you were doing correctly. Just to come back to it days later and realize "I'm an idiot". Well, that's me right now. I was forgetting this step:

Screenshot_2024-04-05_10-29-44.png


Yup! I suffer from chronic DA Disease! (Dumb A..)
 
Have you ever struggled with something that you just knew that you were doing correctly. Just to come back to it days later and realize "I'm an idiot".
Yes I have had those experiences.

Well, that's me right now. I was forgetting this step
Wasn't this what I was referring to in one of my replies?
If you reset the switch to factory defaults you need to redo your switch VLAN configuration, under L2 Features -> 802.1Q VLAN -> VLAN Config.
When I mentioned this I meant you needed to reconfigure what you just realized you missed in that screenshot, because there you define which port has which VLAN IDs.

Glad you figured out what you were missing yourself. The best learning experience is when you come to the realization of what you missed and figure it out yourself.
 
Wasn't this what I was referring to in one of my replies?
Yes. Yes, it was. Not sure what happened. I guess my brain didn't register what you were saying.

Just give me the dunce hat and I'll go sit in the corner now.
 
Yes. Yes, it was. Not sure what happened. I guess my brain didn't register what you were saying.
Just give me the dunce hat and I'll go sit in the corner now.
Nothing to be ashamed of, and it can be confusing when you look at something for hours and then just don't see it anymore. It can also be confusing that some interfaces of similar devices have different names for things, or that things are hidden under a different menu location. Even I have experienced these types of things; sometimes stepping away for a while when you are stuck on something helps you rethink things when you get back to it.

These are things you will never forget once it clicks in your thoughts and thinking.
 
