VLAN tagged vs. untagged ports with a Firewalla Purple + Netgear switch

Comments

7 comments

  • Michael Bierman

    Check the PVID. That is the default tag for a port. https://help.firewalla.com/hc/en-us/community/posts/360051954114-How-to-configure-Firewalla-Gold-in-Router-mode-with-switch-and-VLANs

  • Rich T.

    The way you have it is (probably) what you want. The default PVID for the Netgear port is, by default, 1. So the way you have it says "accept packets that are tagged for Guest, VOIP or IoT, and if you get any that are untagged, put them in VLAN1".

    If you set VLAN1 to tagged (on the Netgear), it'll only allow the packets if they are already tagged. Unless everything else connected to the Netgear explicitly tags everything, leaving it as untagged is what you want.

  • Dave Taylor

    Thanks! Yeah, that's what I suspected: you need to make the Firewalla-connected switch port tagged for the non-default VLANs and untagged for the default VLAN.

    Perhaps the Firewalla docs could be clarified to address this, for example the https://help.firewalla.com/hc/en-us/articles/4408644783123-Building-Network-Segments documentation says "Set the port connected to Firewalla, port 1, as a Trunk port (or some call it tagged port). That includes the default LAN" but if you do that you'll shut down traffic on the default VLAN, which means losing access to the switch if you're administering it over that.

  • Michael Bierman
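The round trip Rich T. and Dave Taylor describe above, as an added example that is not part of the original thread or of Firewalla's or Netgear's documentation: a simplified Python model of 802.1Q port rules (PVID, "U" untagged membership, "T" tagged membership) run over the topology from the thread. Port numbers, the Guest VLAN ID 20 and the device names are constructed, and the ingress rule for untagged frames on a port whose PVID VLAN is a tagged-only member is an assumption, since vendors differ there. It is meant to show why the default LAN stops working while the tagged segments keep going, not to document any particular switch.

```python
# Simplified 802.1Q port model (added example, not from the thread or Firewalla docs).
# A port has a PVID and, per VLAN, a membership of "U" (egress untagged),
# "T" (egress tagged) or none. VLAN IDs, port roles and device names are constructed.
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class Frame:
    src: str
    dst: str
    vid: Optional[int] = None  # None means the frame is untagged on the wire


@dataclass
class Port:
    name: str
    pvid: int
    members: Dict[int, str] = field(default_factory=dict)  # vid -> "U" | "T"

    def ingress(self, frame: Frame) -> Optional[int]:
        """Classify an arriving frame into a VLAN; None means the port drops it."""
        if frame.vid is None:
            # Untagged frame: classified by PVID. Modelled as accepted only when the
            # port is a member of the PVID VLAN; vendors differ here (assumption).
            return self.pvid if self.pvid in self.members else None
        # Tagged frame: ingress filtering accepts only VLANs the port belongs to.
        return frame.vid if frame.vid in self.members else None

    def egress(self, frame: Frame, vid: int) -> Optional[Frame]:
        """Return the frame as it leaves this port, or None if not a member of vid."""
        mode = self.members.get(vid)
        if mode is None:
            return None
        if mode == "U":
            return Frame(frame.src, frame.dst, None)  # tag stripped on the way out
        return Frame(frame.src, frame.dst, vid)  # tag kept (or added) on the way out


def forward(in_port: Port, out_port: Port, frame: Frame) -> Optional[Frame]:
    """Switch one frame from in_port to out_port through the VLAN rules above."""
    vid = in_port.ingress(frame)
    if vid is None:
        return None
    return out_port.egress(frame, vid)


def router_accepts(frame: Optional[Frame], tagged_segments: Set[int]) -> Optional[str]:
    """What the router-side interface does with a frame: its default LAN is untagged,
    its other segments each expect a specific 802.1Q tag. None means not accepted."""
    if frame is None:
        return None
    if frame.vid is None:
        return "default LAN"
    return f"VLAN {frame.vid}" if frame.vid in tagged_segments else None


def run_scenario(default_vlan_mode: str) -> Dict[str, bool]:
    """Port 1 faces the router, port 2 a LAN PC, port 3 a Guest device (constructed).
    default_vlan_mode is port 1's membership in VLAN 1: "U" (the working setup in the
    thread) or "T" (the 'make port 1 tagged for everything' reading of the docs)."""
    guest_vid = 20  # constructed Guest VLAN ID
    port1 = Port("port1/router", pvid=1, members={1: default_vlan_mode, guest_vid: "T"})
    port2 = Port("port2/lan-pc", pvid=1, members={1: "U"})
    port3 = Port("port3/guest", pvid=guest_vid, members={guest_vid: "U"})
    router_tagged = {guest_vid}

    lan_up = router_accepts(forward(port2, port1, Frame("pc", "router")), router_tagged)
    lan_down = forward(port1, port2, Frame("router", "pc"))  # default LAN sends untagged
    guest_up = router_accepts(forward(port3, port1, Frame("guest", "router")), router_tagged)
    guest_down = forward(port1, port3, Frame("router", "guest", guest_vid))

    lan_down_ok = lan_down is not None and lan_down.vid is None
    return {
        "lan_to_router": lan_up == "default LAN",
        "router_to_lan": lan_down_ok,
        "default_lan_round_trip": lan_up == "default LAN" and lan_down_ok,
        "guest_to_router": guest_up == f"VLAN {guest_vid}",
        "router_to_guest": guest_down is not None and guest_down.vid is None,
    }


if __name__ == "__main__":
    for mode in ("U", "T"):
        print(f"port 1 is {mode} on VLAN 1:", run_scenario(mode))
```

With port 1 untagged on VLAN 1 every flow completes. With port 1 tagged on VLAN 1, frames from the LAN PC leave port 1 carrying tag 1, which the router's untagged default LAN does not accept, so the default LAN round trip fails while the Guest segment (tagged both ways) keeps working, which is the "only the isolated VLANs survive" symptom from the thread. The model also shows why a device that tags frames for a VLAN its port is not a member of gets nothing through: ingress filtering drops them at the switch.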

    @Dave, the example is correct. I like the way this https://www.ibm.com/docs/en/zvm/7.1?topic=terminology-what-is-trunk-port#:~:text=A%20trunk%20port%20is%20a,set%20(native%20VLAN%20ID). explains it, but I don't know if that would help people new to this. How do you think it could be more clear?

  • Dave Taylor

    It depends on whether the behaviour is Netgear-specific or not, but as written now if you follow the instructions on a Netgear switch, and in particular if you've restricted the VLANs (e.g. Guest) to isolate them from other parts of the network, making port 1 a trunk/tagged port will shut down all traffic on your network apart from the isolated VLANs, which are isolated and not much use.

    For anyone who gets caught by this, the recovery process is to temporarily move the Firewalla (i.e. the router for the network) off port 1 to any untagged port on the switch and recover from there.

  • Michael Bierman

    While the concepts are the same on all switches, the nomenclature and process are definitely not the same on all switches. Here are Netgear's instructions.

  • Dave Taylor

    I'm familiar with the Netgear config; I'm just not sure whether following the instructions on the page I linked to will cause problems with other managed switches.

    I think the text needs to be updated to distinguish between marking a port tagged/trunked on the default VLAN vs. other VLANs. If you do it for the default VLAN, at least with a Netgear switch, you'll end up with a problem.
