VLAN tagged vs.untagged ports with a Firewalla Purple + Netgear switch
I'm running a couple of VLANs via a Firewalla Purple and a Netgear GS724T, a pretty straightforward setup with default (VLAN1) for most things and then Guest, VoIP and IoT VLANs to isolate potential problem devices. However I've run into a problem with VLAN1, I was expecting to make the switch port on which it's connected to the Purple, port 1, a trunk/tagged port, 'T' in Netgear terms, but doing so knocks VLAN1 traffic offline. It's only when I make port 1 an untagged port, 'U' in Netgear terms, that everything works normally.
Just to clarify, in VLAN1 I've got port 1 marked as 'U', in VLAN-Guest, VLAN-VoIP, and VLAN-IoT I've got port 1 marked as 'T'. I assume the issue above occurs because anything not on the Guest, VoIP, and IoT VLANs is untagged and I'd need to explicitly tag it for VLAN1 if VLAN1 port 1 was a 'T' port? Since I've currently got VLAN1 port 1 marked as a 'U' port and things seem to be working as expected, is there any downside to leaving it like this?
-
Check the PVID. That is the default tag for a port. https://help.firewalla.com/hc/en-us/community/posts/360051954114-How-to-configure-Firewalla-Gold-in-Router-mode-with-switch-and-VLANs
-
The way you have is (probably) what you want. The default PVID for the Netgear port is, by default, 1. So the way you have it says "accept packets that are tagged for Guest, VOIP or IoT, and if you get any that are untagged, put them in VLAN1".
If you set VLAN1 to tagged (on the netgear), it'll only allow the packets if they are already tagged. Unless everything else connected to the netgear explicitly tags everything, leaving it as untagged is what you want.
-
Thanks! Yeah, that's what I suspected, you need to make the Firewalla-connected switch port tagged for the non-default VLAN and untagged for the default VLAN.
Perhaps the Firewalla docs could be clarified to address this, for example the https://help.firewalla.com/hc/en-us/articles/4408644783123-Building-Network-Segments documentation says "Set the port connected to Firewalla, port 1, as a Trunk port (or some call it tagged port). That includes the default LAN" but if you do that you'll shut down traffic on the default VLAN, which means losing access to the switch if you're administering it over that.
-
@Dave, the example is correct. I like the way this https://www.ibm.com/docs/en/zvm/7.1?topic=terminology-what-is-trunk-port#:~:text=A%20trunk%20port%20is%20a,set%20(native%20VLAN%20ID).
explains it, but I don’t know it that would help people new to this. How do you think it could be more clear?
-
It depends on whether the behaviour is Netgear-specific or not, but as written now if you follow the instructions on a Netgear switch, and in particular if you've restricted the VLANs (e.g. Guest) to isolate them from other parts of the network, making port 1 a trunk/tagged port will shut down all traffic on your network apart from the isolated VLANs, which are isolated and not much use.
For anyone who gets caught by this, the recovery process is to temporarily move the Firewalla (i.e. the router for the network) off port 1 to any untagged port on the switch and recover from there.
-
While the concepts are the same on all switches, the nomenclature and process is definitely not the same on all switches. Here are Netgear's instructions.
-
I'm familiar with the Netgear config, I'm just not sure whether following the instructions on the page I linked to will cause problems with other managed switches.
I think the text needs to be updated to distinguish between marked a port tagged/trunked on the default VLAN vs. other VLANs. If you do it for the default VLAN, at least with a Netgear switch, you'll end up with a problem.
Please sign in to leave a comment.
Comments
7 comments