First off, thank you all very much for taking the time to read my post, I am hoping for some help!

I was hoping to get some help with getting the configs right for my network switches. I don't believe my issue is directly related to the vlans in my pfSense setup, rather my network switches, but please let me know your thoughts.

To make it simple, I will only use two switches, and once this is working, I can make the same changes for the third switch. I'm pretty sure my issue is that I am not understanding vlan tagging properly, so I was looking for some guidance. The goal is to ultimately segment my network and get the vlans working properly. I have security cameras I would like to put on their own segment, as well as some Access points I would also like to setup guest access for my wireless network. I also have a VLAN setup for IOT devices.

Currently, I am just untagging all ports on all switches on my default vlan, and allowing all traffic through for everything, until I can get things working properly. I have been tinkering with things for awhile now, but can't seem to get it working.

======================================================================

Key information:

Router = pfSense
All network switches = HP Procurve Switches (model 2530) one is a 24port GB switch, the other is 24port PoE.

I have a total of 5 vlans configured on all switches and in the router, the "default_vlan" is not being used (per best practice).

======================================================================

Here is the setup:

I am using a pfSense firewall and I have all vlans configured correctly on the router from what I can tell, the network interface from the firewall appliance is plugged into port 1 on switch01. Port 24 on switch01 is configured as a trunk port and is plugged into port 23 on switch02.

I will post the configs for both switches below, but wanted you to be aware of what the main ports are for. You will see below in the configs, but in my testing I just patched in a laptop to Port 1 on switch02 just to see if I can pull a dhcp address for it (only able to pull an IP from my default vlan). That particular vlan I was tinkering with is titled WIFI, so I just wanted to point out this out so there isn't any confusion, while you're looking at my config.

Here are the current configs for my switches, after I've made some additional changes. I do realize that I don't need to have the IP's listed in there for each vlan, and can remove them to simplify things further, but I wanted to put them in there just to test, and rule that out.

======================================================================
Switch01:
======================================================================
HP-SW-01# show running-config

Running configuration:

; J9776A Configuration Editor; Created on release #YA.15.17.0007
hostname "HP-SW-01"

ip default-gateway 10.10.1.1

snmp-server community "public" unrestricted

vlan 1
 name "DEFAULT_VLAN"
 no untagged 1-28
 ip address dhcp-bootp
 exit

vlan 100
 name "100-DEFAULT"
 untagged 1-28
 ip address dhcp-bootp
 exit

vlan 200
 name "200-CAMERAS"
 tagged 1,24
 ip address 10.10.2.1 255.255.255.0
 ip helper-address 10.10.1.1
 exit

vlan 300
 name "300-GUESTWIFI"
 tagged 1,24
 ip address 10.10.3.1 255.255.255.0
 ip helper-address 10.10.1.1
 exit

vlan 400
 name "400-WIFI"
 tagged 1,24
 ip address 10.10.4.1 255.255.255.0
 ip helper-address 10.10.1.1
 exit

vlan 500
 name "500-IOT"
 tagged 1,24
 ip address 10.10.5.1 255.255.255.0
 ip helper-address 10.10.1.1
 exit
primary-vlan 100


======================================================================
Switch02:
======================================================================
HP-SW-02# show running-config

Running configuration:

; J9773A Configuration Editor; Created on release #YA.15.12.0007
hostname "HP-SW-02"

ip default-gateway 10.10.1.1

snmp-server community "public" unrestricted

vlan 1
 name "DEFAULT_VLAN"
 no untagged 1-28
 no ip address
 exit

vlan 100
 name "100-DEFAULT"
 untagged 2-28
 ip address 10.10.1.6 255.255.255.0
 exit

vlan 200
 name "200-CAMERAS"
 tagged 23
 ip address 10.10.2.1 255.255.255.0
 exit

vlan 300
 name "300-GUESTWIFI"
 tagged 23
 ip address 10.10.3.1 255.255.255.0
 exit

vlan 400
 name "400-WIFI"
 tagged 1,23
 ip address 10.10.4.1 255.255.255.0
 exit

vlan 500
 name "500-IOT"
 tagged 23
 ip address 10.10.5.1 255.255.255.0
 exit

primary-vlan 100

======================================================================
On the pfSense (router) side:
======================================================================
All VLans are configured in the VLANs section using the same VLAN tag, and even the description (although that shouldn't matter). While I do have additional NIC ports on my firewall, I am not physically segmenting this off at the moment, rather I am using the lan port interface for each of the vlans.

======================================================================

Here are a few questions I had, that may help me get a better understanding of what I'm missing:

1. I "presume" that the port that my router plugs into on switch01 should be a trunk port, but do all of the vlans need to be tagged (including the default vlan)? I currently have it setup so that the default vlan is untagged and all other vlans are tagged. I've tried changing this port to have all vlans being tagged (as I thought was the correct way), but then I lose connection to the internet on my main desktop that is plugged into a port on switch01 (not the laptop I'm testing on port1 above).




2. Same question as above for all trunk ports. So port 24 on switch01 that connects to port 23 on switch02 should be my trunk port, do all vlans here need to be tagged, because I currently have the default vlan untagged (this is the only way I can get traffic to pass to the second switch) and all other vlans are configured as just tagged.




3. The laptop that I'm using to test if I can pull a dhcp address on that is plugged into port 1 on switch02, should the default vlan be set to "no" and should I be just tagging that port on the WIFI vlan, or does the default vlan need to remain as untagged, while the WIFI vlan should be set to Tagged? My understanding is that you only want to tag the switch port on the vlan you want it to communicate with.

Apologies for these dumb questions, but I am having a difficult time getting things to work here. I have tried so many scenarios, but can't seem to get anything to work.

Thanks for any assistance on this! I really appreciate any help here!

First you should know that HP and Cisco use the term "trunk" differently. What HP calls a trunk, Cisco calls an Etherchannel (port aggregation).

I'll use the term in the Cisco sense (VLAN trunk) since you seem comfortable with that.

Trunk ports can have up to one untagged VLAN; all others must be tagged. You can, if you prefer, tag all VLANs on a trunk. The tagging configuration must match on both sides of the trunk link.

Devices like PCs, cameras, etc. do not understand VLAN tags. So a port that has a PC on it must have the desired VLAN untagged on that port. For example, if you want your camera on VLAN 200, you would have VLAN 200 untagged on the camera port.

Some devices such as IP phones do understand tags. Typically, the data VLAN is untagged, and the VoIP vlan is tagged.