Firewalla Purple & VLAN Setup assistance


  • Michael Bierman

    It should be similar to https://help.firewalla.com/hc/en-us/articles/4405807840275-Configuring-Triple-Play-on-Firewalla-Purple

    • Use the 802.1Q VLAN on your switch.
    • Port 1 of your switch will be a trunk carrying both VLANs (10 and 20) with tagged traffic. It will be a member of both VLANs. See attached.
    • On Purple, you need to have both VLANs set up on the LAN Port to make it trunked.
    • Port 8 on the switch could be defaulted to the guest VLAN (20), tagged as such, and all traffic would be automatically tagged as Guest traffic. You may need to set the PVID too, though I don't think so.
    • Port 8 would not be a member of VLAN 10.

     

     

  • W PJ

    Hi Mike, thanks for the assistance. I took screenshots so you can see the options available on the D-Link. There is no "Trunk" option. Sounds like Port 8 should be set to "Tagged" for VLAN 20. But for the Purple LAN on Port 1, I'm not sure how to "Trunk" it when that's not an option. Would you just set it to "Tag" for all the VLANs you want it to handle?

    I tried setting just ports 1 & 8 to "Tagged" for VLAN 20, but that didn't work.

  • Michael Bierman

    By default your switch puts all ports into VLAN 1. 
    If you want to use 10 for default, that's fine; you have to make ports a member of that "untagged". 1 is usually the default for management. There are some best practices you can google on this, but for now let's go with what you said you wanted.

    A port can be untagged to one VLAN (VID). So port 8 would be tagged as '20'. This means that all traffic on port 8 will be Guest VLAN. 

    Your switch doesn't call it trunked, but that's what port 1 will be. Make it a member of VLANs 10 & 20 with Tagged VLAN ports. This says that traffic from both VLANs can come over and it will use the tags (from Firewalla) to allow traffic to the appropriate ports. So only Guest traffic can go to port 8. 

     

  • Rich T.

    I don't know if this will help, but looking at Port 8.

    Will the traffic coming into the port already have a VLAN Tag on it? If so, then you set it to Tagged for VLANID20. This says "Only accept packets that are already tagged with VLANID 20". If packets aren't already going to be tagged, then you set the "default" VLANID for the port to 20 (click the "PVID Setting" button on your screenshot), and set Port 8 to untagged. This says, "if you receive packets that are Untagged, add Tag 20 to them".

    For Port 1, you'd have VLAN10 and 20 in it, with 10 being the Default for the Port (PVID Setting). VLAN10 would be untagged, VLAN20 as Tagged (because anything getting there will have the Tag added because it came in from Port 8). So this accepts anything Tagged with 20, or Untagged, but if it's untagged it'll add VLANID10 to it.

  • W PJ

    Oh man...  Rich T. you just nailed it!!!   I've been pulling my hair out over this and what you said is exactly what finally worked.   So much confusion over this... and I'm embarrassed to admit I'm a Network Engineer for 20+ years (although I usually only work with Enterprise gear ;-) .   

    So the trick is that you have to leave a port set to "Untagged" unless your device is specifying a VLAN ID (which most devices do not). Also, setting the PVID is key or else it won't work.

    Thanks again to all who helped on this one.. As many times as this topic comes up I'm sure others will find it useful who search these postings. 

     

  • Michael Bierman

    Good job, @Rich. I retired my Netgear (very similar) a few years ago and am using UniFi now. How soon I forgot!

  • W PJ

    Hi Guys.. One followup question. Let's say I have several of these DLink DGS 1100 switches that I will be connecting together.  I want to make sure the VLANs are passed through the Uplink/Downlink ports. Typically via "Trunking", but in the DLink config options I'm not sure how to do that.  

    Using the same scenario above, I want to connect another switch to Port 2 on the first switch.   So, I'm thinking for Port 2 I'd set VLAN 10 to be Untagged,  then set VLAN 20 (Guest) to be Tagged.    Does that sound correct?

     

  • Rich T.

    You could do that and set the port on the other end of the cable to have a default of VLAN10 and Tagged VLAN20, but I think (and I'm no expert) normally you'd want to set port 2 to have Tagged VLAN10 and Tagged VLAN20 in it and then the same on the other end. 

    Since the first switch will be tagging untagged frames to 10, and accept VLAN 20 Frames from port 8, they'll all be tagged and port 2 would pass them to the next switch which would accept tagged VLAN10 and Tagged VLAN 20 frames. If you set it like you have it, it will remove the vlan tag 10 when it leaves switch 1 so it'll arrive untagged on switch 2, and switch 2 will need to add it back.  

     

  • Michael Bierman

    Normally you'd want to set port 2 to have Tagged VLAN10 and Tagged VLAN20 in it and then the same on the other end. 

    This is what I would do. 


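The tagged / untagged / PVID behaviour worked out in this thread, as an added example (not code from any poster, Firewalla or D-Link): a small Python model of 802.1Q port membership that floods one frame and shows where it leaves the switch and with which tag. Port 3 as a LAN access port, and the failed attempt keeping the default PVID 1 and default untagged VLAN 1 membership, are assumptions; MAC learning is ignored.

```python
from dataclasses import dataclass, field

@dataclass
class Port:
    pvid: int                                   # VLAN given to untagged ingress frames
    untagged: set = field(default_factory=set)  # VLANs that leave this port without a tag
    tagged: set = field(default_factory=set)    # VLANs that leave this port with a tag

    def member(self, vid):
        return vid in self.untagged or vid in self.tagged

def forward(ports, in_port, tag=None):
    """Flood one frame; return {egress_port: tag on the wire, or None if untagged}."""
    src = ports[in_port]
    vid = src.pvid if tag is None else tag      # ingress classification
    if not src.member(vid):                     # ingress filtering: drop foreign VLANs
        return {}
    return {n: (vid if vid in p.tagged else None)
            for n, p in ports.items()
            if n != in_port and p.member(vid)}

# Constructed configs. Port 3 is a hypothetical LAN access port.
# Attempt that failed: ports 1 and 8 "Tagged" for VLAN 20, PVID left at the
# default 1 and default untagged VLAN 1 membership kept (assumptions).
FAILED = {
    1: Port(pvid=1, untagged={1}, tagged={20}),
    3: Port(pvid=1, untagged={1}),
    8: Port(pvid=1, untagged={1}, tagged={20}),
}
# Layout that worked: PVID set per port, access ports untagged.
WORKING = {
    1: Port(pvid=10, untagged={10}, tagged={20}),  # to Firewalla Purple
    3: Port(pvid=10, untagged={10}),               # LAN device
    8: Port(pvid=20, untagged={20}),               # guest device
}

def guest_frame(ports):
    """Untagged frame from an ordinary guest device plugged into port 8."""
    return forward(ports, 8)

if __name__ == "__main__":
    print("failed :", guest_frame(FAILED))    # lands in VLAN 1 with the LAN port
    print("working:", guest_frame(WORKING))   # reaches only port 1, tagged 20
    print("from Purple, tag 20:", forward(WORKING, 1, tag=20))
```

In the failed layout the guest frame is classified into VLAN 1 and reaches the LAN access port as well as the Purple port untagged, so the guest segment is not isolated; in the working layout it leaves only on port 1 carrying tag 20.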