GS1920-24v2 VLAN setup help please?
My switch is currently working with a basic VLAN 1 or default setup - as if the switches involved are 'dumb'. I want to add a few VLANs on a LAGG between my GS1920-24v2 and my router, which runs pfsense.
I am very cautious about making any changes to what is working until I feel much clearer on exactly what steps need to be taken to configure the switch correctly and in what order.
Unfortunately I cannot find any tutorials that explain setting up this switch that aren't either years out of date or relate to different Zyxel products using a different GUI or to switches from other manufacturers. The GS1920-24v2 manual refers to specific sections in detail, but does a poor job of explaining how different sections work together and in what order to make changes to the configuration.
I especially don't understand how to retain what is currently working and add to it without messing it all up! I have had to factory reset everything multiple times and wasted countless hours - hence this plea for help!
Existing LAN network and access to management GUI's on router and switches is the typical 192.168.1.0/24. Ideally I would like to change this, but that can come later - right now with the router, two switches and the AP to manage via web gui's on this subnet I daren't make any changes. How to go about making that change might be a future question!
Planned VLANs:
VID 33 - Guest Wifi - GUEST
VID 44 - Security Cameras - CAMS
VID 55 - Audio over IP network - AUDIO
I will set up the VLANs on pfsense so the DHCP server for each VLAN uses the VID as the third octet of the subnet: e.g. VID 33 —→ 192.168.33.0/24 etc.
Home network hardware:
Router running pfsense with Intel four port gigabit NIC (I do not need help with pfsense VLANs configuration - there are plenty of excellent tutorials to follow online):
Router em0 —→ WAN,
Router em1 —→ LAN —→ port 13 on GS1920-24
Router em2 & em3 LAGG —→ ports 17 & 18 on GS1920-24
GS1920 ports 1 to 12 go to various PC's, printers or dumb switches.
Ports 1,3,4,6,8,10,11,12 connect to devices on default VLAN 1 - I think these should be Untagged?
Ports 2,5,7,9 will connect to devices on VLAN 55 AUDIO - There are currently no devices connected. I think these ports should also be Untagged?
Port 13 connects to pfsense em1 as the LAN port (192.168.1.1) with default VLAN 1 - currently neither Tagged nor Untagged. Should this be Tagged? VLAN trunking checked?
Port 16 connects to a 5-port TP-Link PoE switch and from there to a Unifi U6 Access Point (VLAN aware) - I think this should be Tagged as it will carry VLANs 1, 33 (GUEST) and 44 (CAMS) ? VLAN trunking box ticked?
(I will also have to figure out the TP-Link PoE switch's configuration. It has a non-PoE port no. 5 that does data only and which should therefore be Tagged as a trunk port. But I'm not really asking for help on a TP-Link device in a Zyxel forum!)
Ports 17 & 18 are the LAGG connecting to pfsense em2 and em3 - I think these should be Tagged, VLAN trunk box ticked and of course these ports assigned to an LACP LAGG in Zyxel configuration.
N.B. Currently the LAGG cables are disconnected. I'm hoping to configure the router and switches and then connect the cables physically to test.
As I said with everything currently working on the default VLAN 1 on the GS1920-24 connecting to pfsense, and also to my AP via the TP-Link PoE switch - essentially everything is currently working as if the switches involved were 'dumb'. However there is no Guest Wifi and no security cameras or audio devices connected to any ports on any switch.
Sorry this is so long. Hope someone can help. Thanks in advance.
Best Answers
-
Hi @awediohead
For the VLAN configuration, you may proceed with the steps outlined below:
Step 1: Create and configure the Static VLANs at SWITCHING > VLAN > VLAN Setup > Static VLAN, and set up as follows:
- Default VLAN1:
- For the downlink devices which could not read VLAN:
Fixed Port 1,3,4,6,8,10,11,12; untag (uncheck TX tagging) - For the downlink 5-port TP-Link PoE switch:
Fixed Port 16; untag - For the uplink pfsense router em1:
Fixed Port 13; untag
- For the downlink devices which could not read VLAN:
- VLAN33: (Guest)
- For the downlink 5-port TP-Link PoE switch:
For Fixed Port 16; tag(check TX tagging) - For the uplink pfsense router:
Fixed the relevant ports; tag
- For the downlink 5-port TP-Link PoE switch:
- VLAN44: (CAM)
- For the downlink 5-port TP-Link PoE switch:
Fixed Port 16; tag - For the uplink pfsense router:
Fixed the relevant ports; tag
- For the downlink 5-port TP-Link PoE switch:
- VLAN55: (AUDIO)
- For the downlink devices which could not read VLAN:
Fixed P2,5,7,9; untag - For the uplink pfsense router:
Fixed the relevant ports; tag
- For the downlink devices which could not read VLAN:
In your description, I am unsure about the VLAN configuration you would like to set for your switch Ports 17 & 18. Please tag the relevant VLANs on these LAG ports.
Step 2: Then, configure the Port Setup at SWITCHING > VLAN > VLAN Setup > VLAN Port Setup
- PVID=1: Port 1,3,4,6,8,10,11,12,13,16,17,18
- PVID=55: Port 2,5,7,9
For more detailed guidance on VLAN configuration and Link Aggregation on switches with firmware V4.80, please refer to the articles below:
- VLAN configuration:
- Link Aggregation:
Kay
See how you've made an impact in Zyxel Community this year!
1 - Default VLAN1:
-
The TL-SG105PE supports VLAN (I was looking at a non supported VLAN switch) from what I can tell so you need to TAG VLAN out port 5 so they can tag to GS1920-24 port 16
Similarly, I don't see why a port (GS1920 port 13) between switch and router should be untagged? Is this wrong or is it because this connection is only carrying VLAN 1 ?
I thought the broad principle was to Tag ports between VLAN aware devices, such as routers and switches, and to Untag between switches and 'access' devices such as PC's and dumb switches?
Like I said VLAN1 is like any other VLAN but if your pfsense main LAN has no tag then its untagged or Native or you can make a VLAN1 on pfsense as your main LAN with a tag
1 -
Hi @awediohead
I thought the broad principle was to Tag ports between VLAN aware devices, such as routers and switches, and to Untag between switches and 'access' devices such as PC's and dumb switches?
Your understanding is correct. However, in the default VLAN setting of the switch, the PVID is 1, so it assigns VID 1 to incoming untagged packets and forwards them with VID 1. Therefore, both tagging and untagging Port 16 (connected to TP-Link) on the GS1920-24v2 to VLAN1 are acceptable.
Regarding Port 13 connected to the pfsense router, upon reviewing the pfsense router settings, there's no option to configure the VLAN ID for the LAN interface. Therefore, you will need to set your GS1920-24v2 Port 13 with VLAN 1, untag, and the packets will be forwarded as LAN1.
Kay
See how you've made an impact in Zyxel Community this year!
1
Zyxel Employee
Guru Member
All Replies
-
Thing that most don't get is VLAN1 is like any other VLAN and so if you don't use it as part of your network you must change management IP and VLAN to another then forbidden VLAN1 on all ports.
With Router em1 —→ LAN —→ port 13 on GS1920-24
You need VLAN1 untag on ports 1,3,4,6,8,10,11,12, 13 all other ports forbidden with PVID set to 1 on ports 1,3,4,6,8,10,11,12, 13
VLAN55 untag on ports 2,5,7,9 and tag on port 13 all other ports forbidden with PVID set to 55 on ports 2,5,7,9
As for the Port 16 connects to a 5-port TP-Link PoE switch that I think needs to be able to do VLAN too or if you can connect all CAMS to one switch you can make that untag to port 16 and tag to port 13 VLAN 44 then port 17 with to Access Point switch untag to port 17 and tag to port 13 VLAN 33
1 -
Hi @awediohead
For the VLAN configuration, you may proceed with the steps outlined below:
Step 1: Create and configure the Static VLANs at SWITCHING > VLAN > VLAN Setup > Static VLAN, and set up as follows:
- Default VLAN1:
- For the downlink devices which could not read VLAN:
Fixed Port 1,3,4,6,8,10,11,12; untag (uncheck TX tagging) - For the downlink 5-port TP-Link PoE switch:
Fixed Port 16; untag - For the uplink pfsense router em1:
Fixed Port 13; untag
- For the downlink devices which could not read VLAN:
- VLAN33: (Guest)
- For the downlink 5-port TP-Link PoE switch:
For Fixed Port 16; tag(check TX tagging) - For the uplink pfsense router:
Fixed the relevant ports; tag
- For the downlink 5-port TP-Link PoE switch:
- VLAN44: (CAM)
- For the downlink 5-port TP-Link PoE switch:
Fixed Port 16; tag - For the uplink pfsense router:
Fixed the relevant ports; tag
- For the downlink 5-port TP-Link PoE switch:
- VLAN55: (AUDIO)
- For the downlink devices which could not read VLAN:
Fixed P2,5,7,9; untag - For the uplink pfsense router:
Fixed the relevant ports; tag
- For the downlink devices which could not read VLAN:
In your description, I am unsure about the VLAN configuration you would like to set for your switch Ports 17 & 18. Please tag the relevant VLANs on these LAG ports.
Step 2: Then, configure the Port Setup at SWITCHING > VLAN > VLAN Setup > VLAN Port Setup
- PVID=1: Port 1,3,4,6,8,10,11,12,13,16,17,18
- PVID=55: Port 2,5,7,9
For more detailed guidance on VLAN configuration and Link Aggregation on switches with firmware V4.80, please refer to the articles below:
- VLAN configuration:
- Link Aggregation:
Kay
See how you've made an impact in Zyxel Community this year!
1 - Default VLAN1:
-
Thank you both for your replies. I hope to have time this evening to properly read and digest what you've written and I'll get back to you with any questions if that's OK.
Thanks again
0 -
Thank you PeterUK
In the last paragraph of your reply:
"As for the Port 16 connects to a 5-port TP-Link PoE switch that I think
needs to be able to do VLAN too or if you can connect all CAMS to one
switch you can make that untag to port 16 and tag to port 13 VLAN 44
then port 17 with to Access Point switch untag to port 17 and tag to
port 13 VLAN 33"You lost me a bit here, so forgive me if I unpack it a little.
"As for the Port 16 connects to a 5-port TP-Link PoE switch that I think
needs to be able to do VLAN too"Yes - Port 16 on the GS1920 goes to Port 5 on a managed TP-Link TL-SG105PE - this is the 'data link' port without PoE. As such it needs to handle VLANs 1(LAN&WIFI), 33 (GUEST WIFI) and 44 (CAMS)
This is where I'm not sure Zyxel_Kay's advice is correct regarding Port 16?
- Default VLAN1:
- For the downlink devices which could not read VLAN:
Fixed Port 1,3,4,6,8,10,11,12; untag (uncheck TX tagging) - For the downlink 5-port TP-Link PoE switch:
Fixed Port 16; untag ??? - For the uplink pfsense router em1:
Fixed Port 13; untag
- For the downlink devices which could not read VLAN:
Port 16 <—> TP-LINK Port 5 <—> Port 4 <—> Unifi 6 AP (VLANs 1 and 33) <—> Ports 1, 2, 3 <—> Security Cams (VLAN 44)
Similarly, I don't see why a port (GS1920 port 13) between switch and router should be untagged? Is this wrong or is it because this connection is only carrying VLAN 1 ?I thought the broad principle was to Tag ports between VLAN aware devices, such as routers and switches, and to Untag between 'access' devices such as PC's and dumb switches?
Maybe this picture of my spreadsheet plan helps?
N.B. I'm very open to advice or to completely rethink things - I'd rather do that now than dig myself a deeper hole!
0 - Default VLAN1:
-
The TL-SG105PE supports VLAN (I was looking at a non supported VLAN switch) from what I can tell so you need to TAG VLAN out port 5 so they can tag to GS1920-24 port 16
Similarly, I don't see why a port (GS1920 port 13) between switch and router should be untagged? Is this wrong or is it because this connection is only carrying VLAN 1 ?
I thought the broad principle was to Tag ports between VLAN aware devices, such as routers and switches, and to Untag between switches and 'access' devices such as PC's and dumb switches?
Like I said VLAN1 is like any other VLAN but if your pfsense main LAN has no tag then its untagged or Native or you can make a VLAN1 on pfsense as your main LAN with a tag
1 -
Hi @awediohead
I thought the broad principle was to Tag ports between VLAN aware devices, such as routers and switches, and to Untag between switches and 'access' devices such as PC's and dumb switches?
Your understanding is correct. However, in the default VLAN setting of the switch, the PVID is 1, so it assigns VID 1 to incoming untagged packets and forwards them with VID 1. Therefore, both tagging and untagging Port 16 (connected to TP-Link) on the GS1920-24v2 to VLAN1 are acceptable.
Regarding Port 13 connected to the pfsense router, upon reviewing the pfsense router settings, there's no option to configure the VLAN ID for the LAN interface. Therefore, you will need to set your GS1920-24v2 Port 13 with VLAN 1, untag, and the packets will be forwarded as LAN1.
Kay
See how you've made an impact in Zyxel Community this year!
1 -
Thank you both once again for your replies. I'm still trying to wrap my head around it all. Then I have to find a fairly big chunk of free time to get it all set up and troubleshoot. Given ongoing health problems I don't know when that will be but I'm a lot clearer on the basic plan thanks to your support.
Thanks again
0
Categories
- All Categories
- 415 Beta Program
- 2.4K Nebula
- 151 Nebula Ideas
- 98 Nebula Status and Incidents
- 5.7K Security
- 277 USG FLEX H Series
- 277 Security Ideas
- 1.4K Switch
- 74 Switch Ideas
- 1.1K Wireless
- 42 Wireless Ideas
- 6.4K Consumer Product
- 250 Service & License
- 395 News and Release
- 85 Security Advisories
- 29 Education Center
- 10 [Campaign] Zyxel Network Detective
- 3.6K FAQ
- 34 Documents
- 34 Nebula Monthly Express
- 85 About Community
- 74 Security Highlight
