VLAN - explain please on how to do it.

Kennyvb8

Contributor
Joined
Mar 18, 2017
Messages
112
Hello

I got a managed switch from Ubiquiti (managed switch 150w-8port) and an EdgeRouter X, along with FreeNAS of course.
On the FreeNAS I got lagg0 (LACP) running. I would like to have the iocage servers on a separate VLAN and the VM on the same network as my main.
In static routes I wrote:
10.0.2.0/24 - 10.0.2.1 LAN and
10.0.40.0/24 - 10.0.40.1 Servers
I can see it tags different things in the UniFi controller just with this set?!? Anyway,
I then made a VLAN on the FreeNAS, name vlan40 - parent lagg0 - tag 400.
Then all the iocage servers died, and I noticed it added the interface to network interfaces.
I then tried changing the network on 1 jail like this:

iocage set defaultrouter=10.0.40.1 jailname
iocage set ip4_addr="vnet0|10.0.40.35/24" jailname
iocage restart jailname
No connection from the jail at all.

Without making the VLAN in FreeNAS, I can ping the 10.0.40.1 route(r)/gateway fine from the jail, but as soon as I create it, I can't from the jail, only from the host.

I used the same config as my other VLAN for guest WiFi; the only difference is that it is not tagged as guest but as servers.


I also tried making a bridge1 with only vnet:01 (jail vnet) and vlan40, but no connection.
Shouldn't the vlan40 interface have a connection, as it hooks on the parent interface lagg0?

This is how it looks now. I want the FreeNAS iocage jails to go on VLAN 400 while having the VM stay on the normal network etc.

freenas ip 10.0.2.20/24 router 10.0.2.1
- iocage jails 10.0.2.x/24 router 10.0.2.1
- VM 10.0.2.x/24 router 10.0.2.1

router edgerouter x
- switch0 10.0.2.1/24 LAN
- switch0.400 (vlan tag 400 10.0.40.1/24) Server
- switch0.500 (vlan tag 500 10.0.20.1/24) guest


Switch unifi 150w 8 ports 10.0.2.4
- network LAN 10.0.2.0/24 gateway 10.0.2.1
- network Server 10.0.40.0/24 gateway 10.0.40.1 vlan 400
- network Guest 10.0.20.0/24 gateway 10.0.20.1 vlan 500
 

kdragon75

Wizard
Joined
Aug 7, 2016
Messages
2,457
You want to set the switch ports to untagged VLAN# and in FreeNAS do not set any VLANs. This way the switch will tag all packets not already tagged with the specified VLAN. Setting up VLANs on FreeNAS is fine, but then you need to set the ports as tagged for that VLAN. That way the switch expects and allows packets that are already tagged. Ignore any and all talk of access ports and trunks, as that is Cisco terminology and is not industry standard and only serves to confuse.

See Ubiquiti VLANs for more explanation. Also note this is for the edge switch, you have the unifi switch. The method to configure will differ but the idea and terminology should be the same.
 

kdragon75

Wizard
Joined
Aug 7, 2016
Messages
2,457
One more note on the "untagged" ports. Untagged ports will add the specified tag to the incoming (to the port from the FreeNAS NIC) packet and strip it back off on its way out. In your case, you will want to set up the LAGG and VLANs on FreeNAS and, on the switch, set the ports as tagged for all of the VLANs being used. This way FreeNAS is doing the tagging and the switch will just pass the packets based on the tags it sees and is configured to allow (tagged).

The terminology is a bit tricky but think of it like this:
Tagged - The switch is expecting packets that are tagged and in our list
Untagged - The switch is expecting untagged packets and needs to tag them as we specify
 

Kennyvb8

Contributor
Joined
Mar 18, 2017
Messages
112
One more note on the "untagged" ports. Untagged ports will add the specified tag to the incoming (to the port from the FreeNAS NIC) packet and strip it back off on its way out. In your case, you will want to set up the LAGG and VLANs on FreeNAS and, on the switch, set the ports as tagged for all of the VLANs being used. This way FreeNAS is doing the tagging and the switch will just pass the packets based on the tags it sees and is configured to allow (tagged).

The terminology is a bit tricky but think of it like this:
Tagged - The switch is expecting packets that are tagged and in our list
Untagged - The switch is expecting untagged packets and needs to tag them as we specify


Erhm, in your first response you wrote "You want to set the switch ports to untagged VLAN# and in FreeNAS do not set any VLANs" but in the 2nd response you want me to set it? I'm so confused in learning this VLAN...

I posted some images from the EdgeRouter setup and UniFi switch; this is how I THINK you mean it, but still no connection from the server. If I then try to make the VLAN and routes in FreeNAS, should I put the VLAN device in the same bridge as all of the iocage jails? I tried, but then they get mix-match tags (I can see them in the UniFi controller) and they still use the 10.0.2.x segment. If I then try to change their IP and gateway etc., they lose connection to local and web... Sooo where is the "error" in this setup? Can't I get a different IP segment with VLAN? The GUEST LAN works; I just followed how I set that up.
Thanks for the help so far though.
 


kdragon75

Wizard
Joined
Aug 7, 2016
Messages
2,457
Sorry for the confusion. The difference is whether your end device is only on one VLAN or if it has "sub interfaces" assigned to various VLANs. From what I can tell, your switch is configured correctly. The router looks good but I don't see anything for routing or firewall rules. Many modern routers have default deny all on new interfaces. If you can post screenshots of that and your FreeNAS config I think we can get it figured out.
 

Kennyvb8

Contributor
Joined
Mar 18, 2017
Messages
112
Sorry for the confusion. The difference is whether your end device is only on one VLAN or if it has "sub interfaces" assigned to various VLANs. From what I can tell, your switch is configured correctly. The router looks good but I don't see anything for routing or firewall rules. Many modern routers have default deny all on new interfaces. If you can post screenshots of that and your FreeNAS config I think we can get it figured out.

Sorry for the delay. The router is a Ubiquiti EdgeRouter X. So not that standard ;) However, the routing should be in place. I'll post pictures tomorrow. Late here now.
Could you perhaps tell me where in the config I should screenshot? As far as I know there's no deny all since it's added to the normal switch.


Sent from my iPhone using Tapatalk
 

kdragon75

Wizard
Joined
Aug 7, 2016
Messages
2,457
Sorry for the delay. The router is a Ubiquiti EdgeRouter X. So not that standard ;) However, the routing should be in place. I'll post pictures tomorrow. Late here now.
Could you perhaps tell me where in the config I should screenshot? As far as I know there's no deny all since it's added to the normal switch.
Sent from my iPhone using Tapatalk
I have not worked with the Ubiquiti EdgeRouters at all. You should double check for firewall rules anyway. Please show me the FreeNAS Interfaces tab and VLANs tab so I may verify that setup as well.
 

short-stack

Explorer
Joined
Feb 28, 2017
Messages
80
Hello
I then made a VLAN on the FreeNAS, name vlan40 - parent lagg0 - tag 400.
Then all the iocage servers died, and I noticed it added the interface to network interfaces.
I then tried changing the network on 1 jail like this:
Did you create a lagg interface in FreeNAS? On your switch screenshot, it only looks like a small 8 port, and only port 5 is a gbit connection. So if that is your only connection from switch to NAS, there is no need to create a lagg.

The VLAN config/profile/trunking all looks sane on the ER-X and the Unifi-8 switch; where I think you are having issues is with the VLAN creation on FreeNAS.

Whatever you set the VLANs to on the ER-X is what they have to be on FreeNAS.

So if 10.0.40.0/24 is set as VLAN 400 on the ER-X, in the FreeNAS config you set the virtual interface as vlan400, with a parent interface as lagg0 (or ideally just em0 or whatever the lone interface is, if I am correct above), and then set the tag to 400.

The tag has to match the VLAN number, that's the way it works. VLAN traffic gets a tag attached to each packet so switches know where to send the data, so if you tell FreeNAS that VLAN40 will be tagged with 400 it isn't going to work.
 

short-stack

Explorer
Joined
Feb 28, 2017
Messages
80
Once that is fixed, as far as your jails not talking is concerned, are you using iocage or warden to manage the jails?

I would suggest using iocage if you aren't, because warden is on its way out the door. You need to configure the jail for the VLAN.
For iocage jails, edit the settings and set the
Code:
ip4_addr=vlan400|10.0.2.x/24
and then for your interface
Code:
interfaces=vnet0:bridge0


You can change the settings either in the CLI, or inside of the new GUI.
 

Kennyvb8

Contributor
Joined
Mar 18, 2017
Messages
112
Uhhhhh loving all the help! How I will get back next week and try it. I bent pins on the socket in an upgrade that was rushed. Ordered a new motherboard so waiting time now. But please I will do it all and
Thanks for the help so far


Sent from my iPhone using Tapatalk
 

Kennyvb8

Contributor
Joined
Mar 18, 2017
Messages
112
Once that is fixed, as far as your jails not talking is concerned, are you using iocage or warden to manage the jails?

I would suggest using iocage if you aren't, because warden is on its way out the door. You need to configure the jail for the VLAN.
For iocage jails, edit the settings and set the
Code:
ip4_addr=vlan400|10.0.2.x/24
and then for your interface
Code:
interfaces=vnet0:bridge0


You can change the settings either in the CLI, or inside of the new GUI.

All right
Got the new board and up and running again.

The interface changed to em0, away from lagg.
The interface code, shouldn't it be
Code:
interfaces=vlan400:bridge0


?

I do use iocage. But also bhyve for VM. How do it tag them ? I think I read somewhere that the basic LAN is tag 0 or 1 in UniFi. So basically create that as well because I want the two to use basic LAN. Only the iocage should use the VLAN 400.


Sent from my iPhone using Tapatalk
 

Kennyvb8

Contributor
Joined
Mar 18, 2017
Messages
112
All right
Got the new board and up and running again.

The interface changed to em0, away from lagg.
The interface code, shouldn't it be
Code:
interfaces=vlan400:bridge0


?

I do use iocage. But also bhyve for VM. How do it tag them ? I think I read somewhere that the basic LAN is tag 0 or 1 in UniFi. So basically create that as well because I want the two to use basic LAN. Only the iocage should use the VLAN 400.


Sent from my iPhone using Tapatalk

Also can I just set the correct ip for the vlan tag ?
10.0.40.x ?


Sent from my iPhone using Tapatalk
 

Kennyvb8

Contributor
Joined
Mar 18, 2017
Messages
112
Hmm. Made the vlan400 and tag 400 in FreeNAS VLAN, changed the ip4_addr on 1 iocage, and something is going wrong: it won't make an interface for the jail. If I then remove the vnet function in the new UI in the jail, then it works, but has the same mac_addr as the main interface, so no control at all.
 

kdragon75

Wizard
Joined
Aug 7, 2016
Messages
2,457
Also can I just set the correct IP for the vlan tag ?
10.0.40.x ?
Sent from my iPhone using Tapatalk
Nope. The tag has nothing to do with the IP. You may need to have the root interface (or the lagg0) AND the vlan interface added to the bridge for it to work. I have not tried this and don't know if the options are in the GUI.

While iocage and FreeBSD allow for extremely versatile and flexible network configurations, the GUI in FreeNAS is limited and there is a lack of how-to guides for the manual configuration in FreeNAS. Your best bet is to research how to set up VLANs for iocage jails on FreeBSD and apply this to FreeNAS.
 

Kennyvb8

Contributor
Joined
Mar 18, 2017
Messages
112
Nope. The tag has nothing to do with the IP. You may need to have the root interface (or the lagg0) AND the vlan interface added to the bridge for it to work. I have not tried this and don't know if the options are in the GUI.

While iocage and FreeBSD allow for extremely versatile and flexible network configurations, the GUI in FreeNAS is limited and there is a lack of how-to guides for the manual configuration in FreeNAS. Your best bet is to research how to set up VLANs for iocage jails on FreeBSD and apply this to FreeNAS.


Hmm, nevertheless it doesn't work either way.


Sent from my iPhone using Tapatalk
 
Joined
Dec 29, 2014
Messages
1,135
Nope. The tag has nothing to do with the IP. You may need to have the root interface (or the lagg0) AND the vlan interface added to the bridge for it to work. I have not tried this and don't know if the options are in the GUI.

It matters that both ends of an 802.1Q (multiple VLAN trunk) agree about what the untagged VLAN is on that particular link. As an example, side A thinks VLAN 1 is untagged and side B thinks VLAN 2 is untagged. Both VLANs would not work correctly as the device on either side would put the untagged traffic into the wrong VLAN. VLAN 3 would work just fine as both sides agree that VLAN 3 is tagged. The short version of that is the lagg interface on the FreeNAS side is the untagged VLAN, and that has to be the VLAN the switch side thinks is the untagged one. Any VLAN interfaces configured in FreeNAS attached to that lagg will be passed to the switch with an 802.1Q tag.
 

kdragon75

Wizard
Joined
Aug 7, 2016
Messages
2,457
It matters that both ends of an 802.1Q (multiple VLAN trunk) agree about what the untagged VLAN is on that particular link.
Not on the physical side. I may have a physical server that should default to VLAN 2 and another that should default to VLAN 4. Without client-side tagging, I would need different untagged VLANs on the different switch ports. I may still have client tagged interfaces on one server that can communicate with the untagged interfaces on the other server. It's all quite flexible. In this example the switch still needs to know about the VLANs being used on each physical port, otherwise it will not forward the frames. (Packets are technically at layer 3 and VLANs are layer 2.)
 
Joined
Dec 29, 2014
Messages
1,135
Not on the physical side.

Untagged is configured on a per physical link basis. This is primarily speaking from experience with Cisco switches (a lot) and HP switches (some). A VLAN is a VLAN. Which single VLAN is the untagged one is unique to each physical link (or link aggregation). Honestly, I am not trying to be argumentative here.
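
The tagged/untagged behaviour discussed in this thread, as an added example that is not part of any post: a small Python model of the two ends of an 802.1Q link that reports which VLANs arrive in a different VLAN, or not at all. The `Port` model and all names are hypothetical; VLAN IDs 1, 2 and 3 come from the example two posts above, 400 from the thread, and treating the untagged LAN as VLAN 1 is an assumption.

```python
from dataclasses import dataclass
from typing import Optional

DROPPED = "dropped"

@dataclass(frozen=True)
class Port:
    """One end of a link: at most one untagged VLAN plus a set of tagged VLANs."""
    untagged: Optional[int]
    tagged: frozenset = frozenset()

def send(port, vlan):
    """Wire tag used when `port` transmits a frame that belongs to `vlan`."""
    if vlan == port.untagged:
        return None                      # tag is stripped on the way out
    return vlan if vlan in port.tagged else DROPPED

def receive(port, wire_tag):
    """VLAN that `port` places an arriving frame into."""
    if wire_tag is None:                 # untagged frame: port assigns its own VLAN
        return DROPPED if port.untagged is None else port.untagged
    return wire_tag if wire_tag in port.tagged else DROPPED

def deliver(src, dst, vlan):
    """VLAN in which a frame sent in `vlan` by `src` ends up at `dst`."""
    wire = send(src, vlan)
    return DROPPED if wire == DROPPED else receive(dst, wire)

def audit_link(a, b):
    """Map every VLAN that does not cross the link intact to (a->b, b->a)."""
    vlans = {v for p in (a, b) for v in (p.untagged, *p.tagged) if v is not None}
    result = {v: (deliver(a, b, v), deliver(b, a, v)) for v in sorted(vlans)}
    return {v: r for v, r in result.items() if r != (v, v)}

# Constructed port definitions (not taken from any real device config).
SIDE_A = Port(untagged=1, tagged=frozenset({2, 3}))    # thinks VLAN 1 is untagged
SIDE_B = Port(untagged=2, tagged=frozenset({1, 3}))    # thinks VLAN 2 is untagged
NAS = Port(untagged=1, tagged=frozenset({400}))        # parent NIC + vlan400 child
SWITCH_TAGGED = Port(untagged=1, tagged=frozenset({400}))
SWITCH_UNTAGGED_ONLY = Port(untagged=1)                # port never told about 400

if __name__ == "__main__":
    print(audit_link(SIDE_A, SIDE_B))         # VLANs 1 and 2 are crossed, 3 is fine
    print(audit_link(NAS, SWITCH_TAGGED))     # empty: both ends agree
    print(deliver(NAS, SWITCH_UNTAGGED_ONLY, 400))
```

A non-empty audit on an untagged VLAN means frames from one segment are landing in another, which defeats the isolation the separate server VLAN was meant to provide.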
 