{"id":2273,"date":"2021-07-04T12:23:51","date_gmt":"2021-07-04T16:23:51","guid":{"rendered":"http:\/\/matthannan.net\/blog\/?p=2273"},"modified":"2021-07-04T15:30:20","modified_gmt":"2021-07-04T19:30:20","slug":"tp-link-is-no-cisco-vlan-configuration","status":"publish","type":"post","link":"https:\/\/matthannan.net\/blog\/tp-link-is-no-cisco-vlan-configuration\/","title":{"rendered":"TP-Link is no Cisco: VLAN configuration"},"content":{"rendered":"\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><a href=\"https:\/\/i0.wp.com\/matthannan.net\/blog\/wp-content\/uploads\/2021\/07\/pfstpluu.png?ssl=1\"><img width=\"472\" height=\"83\" src=\"https:\/\/i0.wp.com\/matthannan.net\/blog\/wp-content\/uploads\/2021\/07\/pfstpluu.png?resize=472%2C83&#038;ssl=1\" alt=\"\" class=\"wp-image-2275\" \/><\/a><\/figure><\/div>\n\n\n\n<p>On the surface, my <a rel=\"noreferrer noopener\" href=\"https:\/\/www.amazon.com\/TP-LINK-T2600G-28TS-24-Port-Pure-Gigabit-Managed\/dp\/B016M1QU5O\" target=\"_blank\">TP-Link T2600G-28TS<\/a> v3 managed switch appears to have everything I would expect for some intermediate networking in the home. Most of my complaints with the device, to date, have been minor, such as the idle time-out having a max of 120 seconds. So annoying. But, for the most part, it has been quietly doing its job, almost without issue, for a couple of years now.<\/p>\n\n\n\n<p>I recently replaced my <a rel=\"noreferrer noopener\" href=\"https:\/\/www.amazon.com\/Verizon-Fios-Updated-Version-Internet\/dp\/B07QM33Y51\" target=\"_blank\">Verizon G1100 FiOS router<\/a> with a <a rel=\"noreferrer noopener\" href=\"https:\/\/www.pfsense.org\/\" target=\"_blank\">pfSense<\/a> router built out of an old PC. The specs are wonderful for a router on a 300Mbps ISP link, but it is so old that the CPU does not support <a rel=\"noreferrer noopener\" href=\"https:\/\/software.intel.com\/content\/www\/us\/en\/develop\/articles\/intel-advanced-encryption-standard-instructions-aes-ni.html\" target=\"_blank\">AES-NI<\/a>. Not a big deal, as I am not planning on building any VPNs any time soon.
I was going to use <a rel=\"noreferrer noopener\" href=\"https:\/\/opnsense.org\/\" target=\"_blank\">OPNsense<\/a> for this router, but there are far more resources available on how to configure pfSense, including this awesome video by Tom Lawrence:<\/p>\n\n\n\n<figure class=\"wp-block-embed is-type-video is-provider-youtube wp-block-embed-youtube wp-embed-aspect-16-9 wp-has-aspect-ratio\"><div class=\"wp-block-embed__wrapper\">\nhttps:\/\/www.youtube.com\/watch?v=fsdm5uc_LsU\n<\/div><\/figure>\n\n\n\n<p>Thank you, Tom. I&#8217;ve been watching your videos for years now and you&#8217;ve taught me a ton.<\/p>\n\n\n\n<p class=\"has-text-align-left\">Further, I am loosely following <a rel=\"noreferrer noopener\" href=\"https:\/\/netosec.com\/protect-home-network\/\" target=\"_blank\">this three-part blog post<\/a> on how to segment and secure your home network, with pfSense at the core. I think that seven subnets is probably overkill at this point. I am currently sitting at four:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Management<\/li><li>Trusted<\/li><li>Untrusted\/IoT<\/li><li>Guest<\/li><\/ul>\n\n\n\n<p>Well, three, really. I still need to set up the Management VLAN\/subnet (see end of post). Once Tom walked me through getting my VLANs created on the pfSense, it was time to turn to the TP-Link switch. Up until this point, I had been running a typical flat network, all on a single VLAN, VLAN1. I now needed to tackle the management end of this managed switch.
Having worked as a Network Engineer for a couple of decades, I was expecting this to be a walk in the park.<br><br><code>switchport mode trunk<\/code><br><code>switchport trunk allowed vlan 10,25,68<\/code><br>or<br><code>switchport mode access<\/code><br><code>switchport access vlan 10<\/code><\/p>\n\n\n\n<p>Right? How hard could it be? Sheesh! Turns out, TP-Link is not at all like Cisco. I knew that I wanted <a href=\"http:\/\/www.microhowto.info\/tutorials\/802.1q.html\" target=\"_blank\" rel=\"noreferrer noopener\">802.1Q VLANs<\/a>, but what really is the difference between Tagged and Untagged? What the heck is PVID? And a million other questions emerged once I started diving in.<\/p>\n\n\n\n<div class=\"wp-block-group\"><div class=\"wp-block-group__inner-container is-layout-flow wp-block-group-is-layout-flow\">\n<p>I managed to get the Unifi APs working. It seems that Tagged is the TP-Link equivalent of a &#8220;trunk&#8221;, as there is no trunk mode on the TP-Link. This is a working configuration for one of the <a href=\"https:\/\/store.ui.com\/products\/unifi-ap-6-lite\" target=\"_blank\" rel=\"noreferrer noopener\">Unifi<\/a> APs:<br><br><code>interface gigabitEthernet 1\/0\/11<br>description \"AP-6\"<br>switchport general allowed vlan 10,25,68 tagged<br>lldp snmp-trap<\/code><\/p>\n<\/div><\/div>\n\n\n\n<p>So, if Tagged is for trunks, how about access ports?
Untagged, right?<br>Now, don&#8217;t be hasty, Master Meriadoc.<br><img src=\"https:\/\/i0.wp.com\/matthannan.net\/blog\/wp-content\/uploads\/2021\/07\/Treebeard_close_up.jpg?w=640&#038;ssl=1\" alt=\"\" class=\"wp-image-2276\" style=\"width: 285px;\"><\/p>\n\n\n\n<p>It took <a rel=\"noreferrer noopener\" href=\"https:\/\/homenetworkguy.com\/tags\/tp-link\/\" target=\"_blank\">a fair bit of reading<\/a> to get this working, which is why I am documenting it here.
This is a working configuration for an access port in the Untrusted VLAN:<br><br><code>interface gigabitEthernet 1\/0\/8<br>description \"NintendoSwitch\"<br>switchport general allowed vlan 25 untagged<br>no switchport check ingress<br>switchport pvid 25<br>no switchport general allowed vlan 1<br>lldp snmp-trap<\/code><\/p>\n\n\n\n<p>Honestly, I am not sure about that ingress business, but this config allowed the Nintendo Switch to get an IP address in the correct subnet, so I am including it. Based on this, I added a few more devices to the Untrusted\/IoT subnet. WAAHOO!! I&#8217;m learning the computer!<br><img src=\"https:\/\/i0.wp.com\/matthannan.net\/blog\/wp-content\/uploads\/2021\/07\/maxresdefault1.jpg?w=640&#038;ssl=1\" alt=\"\" class=\"wp-image-2277\" style=\"width: 285px;\"><\/p>\n\n\n\n<p>The Rokus (Rokii??) presented their own challenge.
My wife and I recently discovered the joys of AirPlay-ing our pictures and videos from our iPhones to the TV screen. I needed to add the <a rel=\"noreferrer noopener\" href=\"https:\/\/avahi.org\/\" target=\"_blank\">Avahi<\/a> add-on service to pfSense. This enables some type of <a rel=\"noreferrer noopener\" href=\"https:\/\/www.shouldiremoveit.com\/Bonjour-5056-program.aspx\" target=\"_blank\">Bonjour<\/a>\/<a rel=\"noreferrer noopener\" href=\"https:\/\/stevessmarthomeguide.com\/multicast-dns\/\" target=\"_blank\">mDNS<\/a> black magic to span VLANs. Installing and enabling it was all that it took. Well, along with the firewall rules to allow Trusted to reach Untrusted, but not the reverse.<\/p>\n\n\n\n<p>So far, I am taking it in small steps, as things are very, very different than on the Cisco networks I am used to. But, I think that I am getting the hang of it. There are a bunch of other features that I will eventually explore on the pfSense router. One of the first is the <a rel=\"noreferrer noopener\" href=\"https:\/\/protectli.com\/kb\/how-to-setup-pfblockerng\/\" target=\"_blank\">pfBlocker-NG<\/a> add-on service, which operates similarly to <a rel=\"noreferrer noopener\" href=\"https:\/\/pi-hole.net\/\" target=\"_blank\">Pi-Hole<\/a>. I have this up and running as of last night, but I am not sure how effective it has been so far. One of the major items I need to tackle is migrating my Trusted subnet from VLAN1 to a new VLAN. Until I had the Rokus and the Nintendo Switch cut over to Untrusted, I was concerned that the whole house would be taken offline when I went to do this, but now I am not so sure. Other than the wife&#8217;s laptop and iPhone, both of which can easily be directed to different SSIDs (like Guest), I think this move should be fairly straightforward.
It may involve a throw-away VLAN&#8230; Always something new to learn.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","categories":[5],"tags":[72,98,128,281,594,590,592,431,593,595,591],"class_list":["post-2273","post","type-post","status-publish","format-standard","hentry","category-geek","tag-cisco","tag-jenny","tag-networking","tag-pfsense","tag-segmentation","tag-tp-link","tag-treebeard","tag-unifi","tag-video-professor","tag-vlan","tag-working-config"]}