The money shot!! 16 minute mark.
As a holder of an expired CCNP, I credit you for reorienting my understanding about Tag vs Untag. My assumptions were the reverse.
After hours of frustration as to why I was not receiving an IP address from my firewall through my Netgear mini switch, and watching multiple videos:
YOU were the only presenter to “nail it”.
Tag ports forward trunked VLAN tags between switches.
Untag ports are members of the VLAN but strip the tag off because, i.e., most people do not set the VLAN ID on their Windows NIC, so the tag would prohibit connectivity.
You should do a new video specifically hammering home this point,
because multi-vendor VLAN trunking is a humbling experience.
Thank you sir!!
If you ever need to debug network problems like this, learn to use `tcpdump -e -vvv`, and you can use Wireshark as the GUI. I had to connect our server to our corporate network and the guy maintaining the switches had accidentally marked our port as untagged (terminology between vendors is practically random), and I was inspecting the outgoing packets to verify that we tagged the traffic correctly, so the problem must be at the other end.
In the past 5 years, nobody has made as comprehensive a video to describe the interconnection between these two exact devices. At least I know that I'm doing the same things someone else did, even if they aren't working. Cheers!
And 30 minutes later, I found the part of the video where you specifically talk about PVID settings on the switch AND on the NetGate. You're a pre-covid hero, riding out of the past to heal the networks of admins yet to ride.
You are the best. I've been struggling to set VLANs up for my home network, and you explained it so clearly. "Tagged ports are for smart devices, untagged are for dumb devices." What a genius!
Thanks Lawrence for posting these videos; this one helped me understand VLANs, and tagged and untagged. Now I have my WiFi on a different VLAN and my security system on another VLAN.
Thanks for these guides/tutorials/reviews that do not stop at showing the product but actually show the configuration and how to do stuff with pfsense :)
Tom, that ‘odd’ cable test says ‘cable fault’. It is there to tell you the distance to a cable fault = broken cable. Gives you an indication of where to examine your walls/cable trays if you lose connection. Like when someone two rooms away decided to drill a hole right where there is a hidden cable channel behind the plaster wall.
I bought one of these to start messing with VLANs a couple of weeks ago and couldn't figure it out, haha. You are the only person to have made this video in the last 6 years, so thank you.
Thanks for this video, and many of your others too. I'm a 100% network noob and 6 weeks after buying a Protectli Vault for pfSense I still can’t get it working properly and am certain my network is still compromised. None of my slow and painful progress would have been possible without your videos, so once again, thank you.
Thank you very much! This was succinct and comprehensive. It was also relevant and easy to understand. I have Network Chuck, but I've also been looking to add some other quality channels who discuss networking. I look forward to more videos from you.
Time domain reflectometry. That's what the faulty line test is doing to determine the length of the broken/open cable. Very, very cool feature to be included in the switch. Send a pulse down the cable, time the reflected signal and analyse the phase. A shorted cable would be inverted. An open cable would not be.
It seems that ports 7 and 8 are "untagged" for both VLAN 1 and 30. That might be the reason you can ping 192.168.1.2. Try to mark ports 7 and 8 as "non-member" for VLAN 1 to see what will happen.
I have a Zyxel switch and that was my first thought, too. It's the same there: you set your PVID etc., but if you don't want the default net to be able to reach the management, you have to unmember VLAN 1 for these ports. I think this is a universal thing and nothing special, or is it? As far as I know, Zyxel even mentions this either in the manual or in one of their YouTube videos.
I'm not familiar with this exact switch, but it appears to be very similar to the equivalent Netgear product (the GS108Ev3), and I suspect it may use the same chip. On the Netgear at least, the management interface is available on any untagged port, regardless of the pvid and tagged/untagged setting on VLAN1. This also means that ethernet frames with a VLAN tag of 1 will not be treated as management traffic, which can cause issues if you intend to tag all of your VLANs on a link back to a router and then manage the switch from another VLAN, for example. You end up having to leave VLAN 1 (or whatever is your management vlan) untagged, and every other VLAN tagged. I ended up replacing that with a GS108Tv2, which has support for management on a VLAN, SNMP, 802.1x etc as mentioned in another comment.
It makes no sense to me to be able to have more than one untagged VLAN on a port. However I agree that the Management access 'issue' is linked to this.
I know that you are right, I had the same issue occur on a Netgear. If you have multiple untags, it actually BRIDGES the VLANs; I was super confused until I remembered it wasn't a fully managed switch, where ACCESS/UNTAGGED explicitly means only = 1 VLAN on the interface.
VLAN1 is your default VLAN and is enabled when you first create your VLANs on the switch. You cannot delete VLAN1 but you can disable it (for security reasons). Works similar to Cisco. If you've worked with Cisco switches, it's not an odd behavior. What is odd though, is that there are no security settings to access the management port. Good breakdown of the switch and thanks for the demo.
@DistantComputer Have you tried creating other VLANs? For example, VLAN10 or any other number? Make the new VLAN you created the default VLAN. Remove VLAN1 from any ports. Then it's basically disabled.
I have an 8 port PoE (TL-SG2210P) in my homelab for APs and a VoIP phone, and for that it's excellent. It's a little higher end than that one, I believe; really like it for home use. Would not put it in a corporate network. Liked the review! Nice overview and very complete. 10/10 for shiny box!
A while back I had the management bleed over problem described and where I had the switch made this a deal breaker. Today, I upgraded the Firmware (I have V3 hardware revision) because I was encouraged by the bug fix text. After wrestling with the .1q VLAN interface, I was able to eliminate access to the MGMT web interface on the non-Default VLAN! The key was assigning the Port as untagged on the new VLAN (add/update button), then removing VLAN 1 from that Port (add/update button) followed by Apply.
Nah, I don't believe that. I got the v5 with the latest firmware and can still access the management interface from any VLAN (even when no ports use the default/native VLAN1). I just tested it. I checked forums discussing this issue from several years back until now (still active at the Netgear forum) and the problem is still there for v3 as well. You probably didn't test using the same subnet as management; do this and report back. I dare to bet you can still access it.
@timrobertson8242 Thanks for getting back to me so fast. I never heard of the D-Link DGS-1100, but I've checked it quickly and it seems this should work from the datasheet and documentation, as you can specify the management interface's VLAN under L2 features. So thank you very much for your fast reply; as this managed switch doesn't cost that much more than the TP-Link and Netgear with their security flaws, I've got it on my list to order next (always looking for affordable managed switches that don't break the bank). Excellent!
I have a TL-SG108E v4.0 but am not using VLANs at all (for the time being), and after seeing this video I also wanted to confirm this admin webUI "leak". The first thing that crossed my mind is precisely that in the video you keep Default VLAN1 on ALL ports (1-8). I went to my switch, added port 7 to another VLAN, removed port 7 from Default, et voilà. No access to webUI (like supposed to). I have seen this comment being repeated all over YouTube (other channels) and I would even consider buying another brand, Zyxel, if it wasn't for the fact of already having this little TL-SG108E and being able to test it on the spot.
Thank you for the clear example with hardware. This is the first video where I had an ah-hah moment with the untagged/tagged options, as I have this switch and was going to start to configure it for VLAN traffic.
No kidding, 2 weeks ago I set up my first home pfSense box with this switch and my first UniFi APs. You're running about a week behind when I need you lately! Thanks much though, love the videos.
Thank you for the video! You give very good instructions and are easy to understand. I have brain damage and brain cancer and could follow your instructions perfectly. Again, thank you!
FYI, on the cable test: if your plugged-in LAN cable has any broken strands then it will show up under cable fault. It tells you how far down the cable length you will find the broken area so you can fix it. That is why it does not show under the cable fault when a working cable is plugged in.
Untagged traffic defaults to VLAN 1. So does all of your layer 2 control traffic. It's defined in the specification and covered on both the CCNA and Net+ certifications.
So this switch is not suitable for connecting PCs to directly? PCs generally send untagged packets. All untagged packets go to the VLAN1 group, which is every port on the switch? Or how does that work?
It is common for switches without a "management VLAN" option to allow traffic to the management IP on all VLANs. It is more of a feature, especially for an office switch, even when the PVID of 1 is not there. It could be worse; you could have a Catalyst that forwards any traffic with destination port 179 to the management CPU. That is fun.
To my understanding, the Default VLAN is the one that gives access to the admin WebUI. It sort of makes sense to not be able to remove it, but you can configure it and limit which ports have access to the WebUI. From the other small business/home switches I have seen so far, I would still go with the TL-SG108E.
Thanks for the review. It is a very basic looking, but reliable, low power use, bit of gear. I've used it mainly in bedrooms where I just wanted to run a single connection up to the main stack, but have a few drops in a bedroom, one for IOT like a FireTV, another for connecting a printer, another for laptop or other networked stuff. In LATAM, this model plus the unmanaged 24 port GBit switches are pretty popular, with DLink often used for managed switches at 3x the cost. Not ever had a problem, and the firmware has received updates over time. I agree with you that I probably wouldn't put this into a massive network, but for a smaller setup, these things would do the job. As they have no fans and are fairly temperature-robust, they are probably ideal for a small install that needs a VOIP and non-VOIP VLAN, perhaps a wifi for guests. I still have to set up my VLANs at home to do the IOT VLAN with the EdgeRouter Pro I have, but I need to plan that out beforehand. Appreciate you guys making videos and sharing your knowledge.
I personally use this switch. It’s very good for the money, but the only thing that bothers me is that the management page is accessible from every VLAN.
Thanks for this video. I have the 5 port version and was having an impossible time getting it set up to use VLANs. I was even working with their tech support and they weren't able to communicate how to get it working. Followed your video and had it working in 5 minutes.
I have the Netgear GS108Tv2; the hardware is almost identical, it definitely uses the exact same case, but it does offer a LOT more features in the software, a lot of things you will find on an enterprise switch, things like LLDP, SNMP, STP, 802.1x, ACLs, etc. It does cost a little more though, $70 on Amazon, so it's up to you if you want to spend the extra $30 for more features. I do kinda have it running in an enterprise environment, but as an R&D switch and not as the main switch; it's been running reliably for many years now.
Jeff Higgins I use the same switch at home; works a treat when combined with a Ubiquiti wireless access point and a pfSense router (separate SSIDs and VLANs).
I have two of these, the v1 and v2. Every 3 months, VLANs would stop being tagged which is extremely frustrating. I contacted support and they recommended updating the firmware but seeing as it takes 3 months for the issue to occur again, I cannot be bothered. Maybe I can try updating and set up a test bed but I just need my VLAN tags to work because if I am not home and I am trying to access something remotely to which the bug occurs, it sucks. I have a GS724T though and it's practically flawless.
I’ve had ver2.0 of this switch for years now. It’s worked great and has never given me any issues. The only thing I don’t like is the lack of a web-based management GUI, but unless you’re reconfiguring it often the Windows-based software is fine.
Still watching the video, only a minute in. Just purchased this myself a few days ago. From what I can tell so far, they seem to have taken your review to heart and the box is no longer shiny.
0:56 I like to see plain brown cardboard when I buy something; that tells me I paid for the actual product inside and didn't pay for fancy boxes, carrying pouch, and so on. Some people feel special when they buy something with a "premium" feel box; something is wrong with them :)
I agree. I also own a small manufacturing/retail business and our biggest product expense is packaging. Shiny costs $$$. When I'm looking for network gear I want the most plain jane box possible. No need to waste even $1 on a box.
Yes, fools are often overly impressed by shiny things... look at a certain "demographic" that like chrome wheels, diamond "teef", gold chains, big asses, blinged out "gats" and double digit IQs. Simple things entertain simple minds.
Many, many great videos, Lawrence. I think the last combination video to do is have this switch work ESXi where the VLANs are configured on the switch and the firewall is giving out IPs from the DHCP server running on it and the VMs getting them. That's going to be the ultimate video **chef's kiss**
Been using these switches for yeeaaaars as small 5 and 8 port switches (usually just get the 8 as they are like 10 bucks more than the 5) and never had an issue ever with them! Probably used a hundred of them.
I would think that if you un-assign ports 7 & 8 from the default VLAN (1) you might not be able to connect to that network with a static IP address from ports 7 & 8. Unless of course your static IP address is on the 30 subnet; then that last comment does not apply.
I was thinking the same thing. Seems that ports 7 and 8 are on both untagged VLANs. The screen at 16:00 shows ports 7 and 8 as untagged on both VLANs.
I use a similar Netgear VLAN capable switch in conjunction with a SINGLE PORT pfSense server. I then use the following VLAN assignment:
VLAN1 (native): LAN
VLAN2: WAN
VLAN3: Private
VLAN4: Public (untrusted devices)
VLAN5: VOIP (QOS Priority)
There will obviously be some bottlenecks, but with my 50mbps WAN connection it's not something worth worrying about and it can save you buying an additional NIC for the server.
This can be a little confusing because terms vary from manufacturer / switch software indeed. Afaik, it's security *gospel* that "VLAN Trunk ports should NEVER be on the native VLAN 1" (by "be on a native VLAN 'x'" we mean their PVID 'x' here), and as a corollary *"Thou shall NOT use native VLAN 1 for anything in prod."* Basically, the underlying idea is that Native VLAN 1 (this means NO VLAN, it's the default / untagged VLAN) is insecure as an attacker reaching the switch would either reach it untagged or be able to untag itself from any VLAN header. This is why neither data (traffic passing through the switch) nor management (traffic aimed at administrating the switch) should ever be on VLAN 1. Obviously, neither should a trunk port. So takeaway, compared to Tom's video, where the Trunk to pfSense is Port 1:
- PVID for this port should be some VLAN =/= 1, e.g. VLAN 10 named "LAN".
- By extension, you'd put all the other used ports' PVID to this "base" VLAN 10, and add them as "untagged" for VLAN 10 (do NOT add trunk ports to untagged anything, otherwise you "break" the trunk on entry; only tagged traffic goes into trunk ports). This would ensure that all machines connected to the switch are on VLAN 10, never 1. Including pfSense and the Wi-Fi station, which would communicate over VLAN 10, not 1 (for instance if the wifi AP is set to DHCP for its own address, it would get an IP from pfSense's interface on VLAN 10 by default, since port 4 where it's connected, a trunk port, has PVID 10 by default). This means all ARP traffic, DNS, ICMPv6 etc. is *always* on some VLAN, 10 by default, another one if specified.
____
You can go 1 step further for security. The management port (should you dedicate one) and IP of the switch itself could be entirely segregated, e.g. port 5 on VLAN 55 (no interference between "data" and "management" traffic; the latter (VLAN 55) never goes into data trunks (VLANs 10, 20, 30, etc.)). Such a setup is easy and doable with this $40 switch.
It's imho the next best thing after "out-of-band", i.e. a physically different network for management, using a dedicated VLAN and never sharing ports (you're just "spending" 1 port per switch or router for this). I think it's worth it in terms of security because unprotected switches seem like low-hanging fruit for hacking bots afaik.
Great video! Really liked your description of tagged vs untagged... network engineer myself, but it's been 15 or so years so I have forgotten a few things :)
18:27 Personally I don't think you found a flaw. You misconfigured your VLANs. Ports 7 and 8 are also available in VLAN 1. Go back to your VLAN settings, select VLAN 1 and set ports 7 and 8 as 'not member' and save. Problem solved. And I am not even an IT specialist, just a hobbyist who prefers setting things up myself as opposed to hiring so-called network specialists who miss these details.
Excellent review...just the right length and content. I was just about ready to purchase until you talked about the security vulnerabilities. This probably is still just fine for my application (home network), for the price, and for the time being.
Your comment near the end about not using $39 switches for Enterprise. COMPLETELY AGREE, this is a good switch for home, a home virtual lab where you use vlans, etc. Or for traveling tech like me, something to throw in the car for an emergency when you need vlans.
Agreed, it can be extremely useful if a client has a single network port and (with permission of their IT staff) you can just match your VLAN on this thing to get yourself on their network without using the guest network to get on VPN to get back into their network to do a job, with the guest network having zero bandwidth as it is at the bottom of the food chain haha. I've also used some variants of mini-router/APs + a dumb switch that you can power off USB. This can be used as a client to a hotel network that has the '1 user' restriction, at least in the room.
DialM4Microcontrollr how do YOU know how much better the expensive stuff is? Are you an electrical or electronic engineer? Have you studied the internals of both expensive and cheap brands?? Have you tested the cheap stuff YOURSELF? Don’t you know that most electronics are made by the SAME Chinese factories?? Don’t you know that longevity of electronics comes down to heat issues or low quality capacitors?? (cheap brand name stuff run cooler and use quality caps!). I know all above and have tested the cheap (but brand name) stuff and NONE (zero) have failed in the last 10 years I have used or deployed them. Neeext fanboi please!
I've got two 16 port GbE switches from TP-Link connecting a few offices 40 feet apart, about $80-$85 each.....; they've been working just great for 3-4 years now..... I suppose I *could* have used $800 Cisco switches, and gotten the same 110 MB/sec transfers from one office to another... What a quandary!
Would love to see you review the DLink DGS-1100-08... It's going for about $35 as of this post, but has quite a few more settings than this does. I picked up one of those for my little home lab and it works GREAT, and the VLAN setup is much more sane.
I'm a little surprised by that. D-Link's DGS1100-08 (rev B1) doesn't have HTTPS support, but it's very good when it comes to being able to lock out the administration stuff from untrusted sources. I just don't like how limited the D-Link is in its setup (no LAG support, but it does have trunk aggregation support; too many limits on configurations like VLANs, and some other really confusing things in its interface if you're looking to set up physical port security, etc.). It's not bad, but I outgrew it extremely fast. Of the budget switches, it's def a step up in price, but honestly for small SOHO-style managed switches for small networks, I find Netgear's tiny GS108T (V2) switch to be a real gem. Anyways, thanks for the review!
I believe you're able to ping the management interface (21:10) because you left ports 7 & 8 as members of VLAN ID 1. You can see this at 18:50 where you typed in "1" for the VLAN ID, making it editable; you can see that ports 7 & 8 are defined as members of the management interface (VLAN 1). You should have removed ports 7 & 8 by clicking the radio buttons for each in the "Not Member" column, thus removing them as members of the management interface (VLAN 1). But maybe the firmware at the time (6 years ago) didn't allow it.
Oh, man, my Netgear ProSafe "Smart Managed" GS116Ev2 has the same issue with the web management. It runs straight HTTP like the TP Link you reviewed; and I was able to connect to the web console from a different VLAN than the one hosting the switch's IP address like you did by just mapping a static IP address in the same range as the switch. Doh. For the moment I guess I'll have to make sure that my admin password (with no user id, BTW), is as complex as I can make it. Thanks for pointing out this deficiency in SOHO VLAN switches!
21:00 I don't think you are right in saying that when your computer is connected to port 8, the switch should prevent your computer from getting an IP from another subnet. If I am not mistaken, the switch has nothing to do with your IP, especially if you set it up manually. What the switch did, however, is: it blocked you from being able to ping from 1.9 to 1.1 when you were connected to the VLAN 30 port. Just saying, and maybe I am wrong, but the switch has nothing to say about which IP you set up manually on your end device.
Hi Tom, thanks for this. I'm really struggling with setting up Unraid, a pfSense VM on Unraid and this TP-Link switch. I understand now. Thank you. *subscribed*
The LAGG on this switch is a static LAGG. It sucks, but you can't use LACP or anything more advanced. I have two of these same switches at home and I was just forced to run some new cables and decided to drop 4 cables in the conduit instead of the 1 I had before. LAGG works, but I am pretty sure it's a dumb round-robin kind of thing: as my PC hits the network with traffic, each of the LAGG ports lights up, but one LAGG port at a time, literally rotating from one to the other in a row, and you can see it doing that by just watching the green light flash. For $20 more they have a model one step up that supports proper vendor-independent LAGG implementations, so if this is a feature you are wanting, just buy the better one. I haven't tried LAGG right from the pfSense because I would have no idea what to set my pfSense to to try and test it. I am still learning, so my understanding is still limited on a lot of things, especially pfSense and anything more advanced than plugging it in and it is a switch. Besides, I am out of ports on both right now anyways. :P
The core problem is that so many YouTubers use screen resolutions beyond 1920x1080 on their notebooks! Makes zero sense when the final stream is 1080p at best.
Seems to be very similar to the Netgear GS108T, although the GS108T seems to have more features. The TP-Link SG108E has very similar features and a simpler user interface compared to the GS108T. The LAG, QoS and VLAN configuration is almost identical, including the VLAN and PVID settings being on two pages, which means it's super easy to lock yourself out of the switch. But the enhancements on the GS108T include allowing you to set the VLAN that the management interface is on, which is one security issue you found on the SG108E.
I use these switches... they work great for me. But regarding your "VLAN hopping" comment at 24:22... you have the switch misconfigured. Untagged ports should ONLY be in 1x VLAN and under the "Untagged Ports" column (and NOT in the Tagged Ports column). Tagged ports should ONLY show up in the "Tagged Ports" column (possibly multiple times, for each VLAN the trunk is carrying). For "Untagged Ports", the PVID MUST match the VLAN of that port (there is no ambiguity, as untagged ports should only be configured with 1x VLAN). PVID determines what VLAN tag to associate with untagged port traffic. For trunks, the PVID still has to be configured... the reality is no UNTAGGED traffic should exist on a trunk (unless somebody messed up)... but you have to put something; in my case, I tag it with an unused/unrouted VLAN. I agree the UI could be improved... but it is what it is. I actually have a very similar configuration with pfSense, TP-Link switches and UniFi APs... works flawlessly regarding "who can get to what".
Sorry for my ignorance, just a noob trying to digest your statement above. For untagged ports (let's say a hardwired PC), are you saying that it should be defined as untagged on VLAN 1 (system VLAN) only, with the PVID set to the correct VLAN assigned for it? Rather than, like in this video, it being untagged on the VLAN it's assigned to + the PVID set to the VLAN it's assigned to?
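A runnable model of the tagging rules discussed in the comments above (untagged ingress classified by PVID, tags stripped or kept on egress per membership, and the ports-7-and-8-in-two-untagged-VLANs problem). This is an added example, not code from the video, TP-Link, or any commenter; the 8-port layout, VLAN 30, the trunk on port 1 and the ingress-filtering behaviour are constructed assumptions, not measured behaviour of the TL-SG108E.

```python
"""Toy 802.1Q port-based VLAN switch used to check a configuration offline.

Assumptions (constructed for this example): ingress filtering is enabled, so
an untagged frame whose PVID VLAN the port is not a member of is dropped; the
management CPU is not modelled, only which ports see which frames.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

TAGGED, UNTAGGED = "tagged", "untagged"   # absent from the dict = "not member"


@dataclass
class Port:
    pvid: int                                 # VLAN assigned to untagged ingress
    membership: Dict[int, str] = field(default_factory=dict)  # vid -> TAGGED/UNTAGGED


@dataclass(frozen=True)
class Frame:
    vlan: Optional[int]                       # None = no 802.1Q tag on the wire


class Switch:
    def __init__(self, ports: Dict[int, Port]):
        self.ports = ports

    def classify(self, ingress: int, frame: Frame) -> Optional[int]:
        """VLAN the frame belongs to after ingress, or None if it is dropped."""
        port = self.ports[ingress]
        vid = port.pvid if frame.vlan is None else frame.vlan
        return vid if vid in port.membership else None

    def flood(self, ingress: int, frame: Frame) -> Dict[int, Frame]:
        """Egress frames for a broadcast/unknown-unicast entering on `ingress`."""
        vid = self.classify(ingress, frame)
        if vid is None:
            return {}
        out: Dict[int, Frame] = {}
        for num, port in self.ports.items():
            if num == ingress:
                continue
            mode = port.membership.get(vid)
            if mode == TAGGED:
                out[num] = Frame(vid)         # tag kept for the next switch/router
            elif mode == UNTAGGED:
                out[num] = Frame(None)        # tag stripped for a plain NIC
        return out


def audit(switch: Switch) -> List[str]:
    """Flag the misconfigurations the comments describe."""
    findings = []
    for num, port in sorted(switch.ports.items()):
        untagged = sorted(v for v, m in port.membership.items() if m == UNTAGGED)
        if len(untagged) > 1:
            findings.append(f"port {num}: untagged in VLANs {untagged}; "
                            "their traffic is merged on egress")
        if port.pvid not in port.membership:
            findings.append(f"port {num}: PVID {port.pvid} but not a member; "
                            "untagged ingress is dropped (lock-out risk)")
        elif untagged and port.pvid not in untagged:
            findings.append(f"port {num}: PVID {port.pvid} does not match "
                            f"untagged VLAN {untagged[0]}")
    return findings


def build(remove_78_from_vlan1: bool) -> Switch:
    """Constructed layout: port 1 trunk to the router, ports 7-8 on VLAN 30."""
    ports = {n: Port(pvid=1, membership={1: UNTAGGED}) for n in range(1, 9)}
    ports[1].membership[30] = TAGGED          # trunk carries VLAN 30 tagged
    for n in (7, 8):
        ports[n].pvid = 30
        ports[n].membership[30] = UNTAGGED
        if remove_78_from_vlan1:
            del ports[n].membership[1]        # the "Not Member" fix for VLAN 1
    return Switch(ports)


if __name__ == "__main__":
    for fixed in (False, True):
        sw = build(fixed)
        print("fixed" if fixed else "as configured", audit(sw))
        print("  VLAN 1 broadcast from port 2 reaches:", sorted(sw.flood(2, Frame(None))))
        print("  untagged frame from port 8 reaches:", sw.flood(8, Frame(None)))
```

With both untagged memberships left in place, a VLAN 1 broadcast still egresses on port 8 without a tag, which is what a host on that port observes as "seeing" the other network; after the fix it does not.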
The management interface is weird though; you can't set which VLAN it listens on. So if you had it between your router and modem for VLAN tagging, and had it pull its IP from DHCP, it could actually get an internet-routable IP address from your ISP. Or did I miss something obvious? Either way, I just set it to static. It's reachable without problems over HTTP/S, but the ICMP-based monitoring is a bit flaky. But for 30-40 bucks a no-brainer. Works great.
I am generally happy with these, but I had gotten the 24-port PoE model for a project and found a couple of disturbing things. There was nowhere to change the management VLAN or default from PVID 1, and to top it off the switch would allow access from any VLAN *and* someone had found that ALL MANAGEMENT TRAFFIC WAS BROADCASTED... in all VLANs (wtf?). I've yet to verify that one, but if securing the management interface is important, look at equivalent Zyxel or Netgear switches. Then it would not accept alphanumeric characters in login passwords (I hate it when devices don't allow that).
If you connect this device to a router with DHCP, it will use whatever IP the router assigns to it. I think dot-one is perfectly fine for out-of-box configuration, for offline configuration (which is the only safe way to configure things like this anyway).
Yes, the naming also said SG1, which means unmanaged; the E at the end means Easy Manage, which allows you to see some features via web-based tasks, but it is not a managed switch. Good video anyway.
I think the management interface is probably tied to the default VLAN of 1, which is probably where your traffic goes since you statically changed the client's IP to a subnet other than what that port's VLAN is supposed to be on. Could be that is a vulnerability of the switch.
Awesome. I've been looking for something managed and very cheap. Great that it has LAGG and VLAN and QoS. I will be buying one of these, to use between my pfSense and FreeNAS boxes and my desktop. That way all 3 can have 2 connections, and still have 2 ports for the rest of my network.
Thanks Tom, I have been glued to your channel for the last month as I'm just getting acquainted with pfSense. Are you configuring pfSense to handle the VLANs and firewall rules? (I'm using the TL-SG2016P Managed PoE Switch.) Or should I be using pfSense just for the WAN and LAN firewall, VPN, pfBlocker etc., and using the switch and controller to manage my VLANs and related firewall rules? Thank you!
I think it's labelled as unmanaged as these switches are part of the Easy Smart series; TP-Link considers this not fully managed, more customisable. I have a few versions of the same switch and a bigger 24 port version. Easy Smart means using a piece of software to manage the switch, no web UI. Managed is normally configured using a web UI. TP-Link recently seem to have implemented a web UI to manage the Easy Smart switches. One of my 8 ports and my 24 port are now configurable using the web UI or the Easy Smart software; my other 8 port is only Easy Smart, it must be hardware revisions. But same as was said in the video, I have never had a problem with any of my TP-Link hardware; they are reasonably priced and have a lifetime warranty on the SMB switches.
It's good, but I don't see value in buying new. I picked up a very similar 24 port (actually two) for the price of a new one and it has waaay more features: 802.3ad trunking, VLAN blocking of admin ports and SFP (and tons of other stuff). System refurbish establishments are what I'm sticking to for sure.
Be careful with TP-Link and VLANs. Some switch and access point models don't handle VLANs properly. Multicasts can leak from the main LAN to the VLANs, making it impossible to use IPv6 on the VLANs. I have experienced this with an AP and others have with the switches.
Pretty helpful, still kinda confusing the way the GUI is represented. I always thought "Tagged" VLANs are for VLANs you want specific traffic passed through (VLAN30/40/50), whereas "Untagged" is basically any traffic being passed through. ...Guess not. :/ I have 2 of these, 1 connected to my Palo Alto FW and the other in my living room.
Thanks for the great informative video. I have a question: on this switch I noticed that you did not remove port 3 from being a member of the default network, but in another video you did with the Edge switch, you did. Is it just different for this switch?
Congratulations on the video. In case I want to make two trunk ports, could I? One coming from my pfSense and the other going to another manageable switch?
Going to the Wayback Machine for this one. I have been using your videos to get myself acquainted with pfSense. I was looking for something inexpensive but with updated firmware and got the V.4 16 port version of this switch (TL-SG1016DE). So far it does OK; just set it up on my laptop with a static IP on the same subnet. Plugged it in, switched cables from the 16 port dumb switch and away we go. Backed up the config before reboot, but it held the config. I will be doing VLANs next. I have pfSense with a 4 port Intel NIC with one as WAN from the cable provider and the 2nd one to LAN. Any suggestions out there on how to manage the VLANs on this sort of setup? Welcome good advice. I already read all of the replies/comments here to this video, so anything new would be great! Thanks Tom for all the informative videos and to the community for their great comments!
The issue with 192.168.1.9 being able to ping the management interface is a feature called untagged management found in a lot of switches. Most only work on the first port.
Tom, that ‘odd’ cable test says ‘cable fault’. It is there to tell you the distance to a cable fault = broken cable. Gives you an indication of where to examine your walls/cable trays if you lose connection. Like when someone two rooms away decided to drill a hole right where there is a hidden cable channel behind the plaster wall.
I bought one of these to start messing with vlans a couple weeks ago and couldn't figure it out haha. You are the only person to have made this video in the last 6 years, so thank you.
Thanks for this video, and many of your others too. I'm a 100% network noob and 6 weeks after buying a protectli vault for pfsense I still can’t get it working properly and am certain my network is still compromised.
None of my slow and painful progress would have been possible without your videos, so once again, Thank you
I use their 8 port non-managed gigabit switch and it has been working extremely well!
I would not even bother with unmanaged switches these days, the cost is about the same but you get so much more out of a managed switch, just saying.
Thank you very much! This was succinct and comprehensive. It was also relevant and easy to understand. I have Network Chuck, but I've also been looking to add some other quality channels who discuss networking. I look forward to more videos from you.
Time domain reflectometry. That's what the faulty line test is doing to determine the length of the broken/open cable. Very very cool feature to be included in the switch.
Send a pulse down the cable, time the reflected signal and analyse the phase. A shorted cable would be inverted. An open cable would not be.
Wow. You're dropping some knowledge here. Sounds like you've worked with low voltage wiring quite a bit.
It seems that port 7 and 8 are "untagged" for both vlan 1 and 30. That might be the reason you can ping 192.168.1.2. Try to mark port 7 and 8 as "non-member" for vlan 1 to see what will happen.
I'd like to know the same thing, or move management to another vlan besides 1.
I have a Zyxel switch and that was my first thought, too. It's the same there, you set your pvid etc. but if you don't want the default net to be able to reach the management, you have to unmember VLAN 1 for these ports. I think this is a universal thing and nothing special or is it? As far as I know, Zyxel even mentions this either in the manual or in one of their youtube videos.
I'm not familiar with this exact switch, but it appears to be very similar to the equivalent Netgear product (the GS108Ev3), and I suspect it may use the same chip. On the Netgear at least, the management interface is available on any untagged port, regardless of the pvid and tagged/untagged setting on VLAN1. This also means that ethernet frames with a VLAN tag of 1 will not be treated as management traffic, which can cause issues if you intend to tag all of your VLANs on a link back to a router and then manage the switch from another VLAN, for example. You end up having to leave VLAN 1 (or whatever is your management vlan) untagged, and every other VLAN tagged.
I ended up replacing that with a GS108Tv2, which has support for management on a VLAN, SNMP, 802.1x etc as mentioned in another comment.
It makes no sense to me to be able to have more than one untagged VLAN on a port. However I agree that the Management access 'issue' is linked to this.
I know that you are right, I had the same issue occur on a Netgear: if you have multiple untags, it actually BRIDGES the vlans. I was super confused until I remembered it wasn't a fully managed switch, where ACCESS/UNTAGGED explicitly means only = 1 vlan on the interface.
VLAN1 is your default vlan and is enabled when you first create your vlans on the switch. You cannot delete VLAN1 but you can disable it (for security reasons). Works similar to Cisco. If you've worked with Cisco switches, it's not an odd behavior.
What is odd though, is that there's no security settings to access the management port.
Good breakdown of the switch and thanks for the demo.
@@DistantComputer Have you tried creating other vlans? For ex: VLAN10 or any other number? Make the new vlan you created the default vlan. Remove vlan1 from any ports. Then it's basically disabled.
@@DistantComputer Glad you found it.
The TL-SG1024PE I had configured did not allow removing vlan1 membership of any ports. When consulted, tplink said this was an antilockout feature.
And he thought he had discovered America!
Vlan 1 is crucial here
I have an 8 port PoE (TL-SG2210P) in my homelab for APs and a VoIP phone and for that it's excellent. It's a little higher end than that one I believe, really like it for home use. Would not put it in a corporate network. Liked the review! Nice overview and very complete. 10/10 for shiny box!
A while back I had the management bleed over problem described and where I had the switch made this a deal breaker. Today, I upgraded the Firmware (I have V3 hardware revision) because I was encouraged by the bug fix text. After wrestling with the .1q VLAN interface, I was able to eliminate access to the MGMT web interface on the non-Default VLAN! The key was assigning the Port as untagged on the new VLAN (add/update button), then removing VLAN 1 from that Port (add/update button) followed by Apply.
oh. good advice! I will have to try that!
Nah, I don't believe that. I got the v5 with latest firmware and still can access management interface from any vlan (even when no ports use default/native vlan1). I just tested it. I checked forums discussing this issue from several years back until now still active (@ netgear forum) and problem is still there for v3 as well. You probably didn't test using same subnet as management, do this and report back. I dare to bet you can still access it.
I tested again and you appear to be correct. I have replaced my TP-Link with a D-link DGS-1100 that has an explicit lock down of the MGMT.
@@timrobertson8242Thanks for getting back to me so fast. I never heard of the D-link DGS-1100, but I've checked it quickly and it seems this should work from the datasheet and documentation, as you can specify the management interface's vlan under L2 features, so thank you very much for your fast reply, as this managed switch doesn't cost that much more than the tplink and netgear with their security flaws, so I've it on my list to order next (always looking for affordable managed switches that don't break the bank), excellent!
I have a TL-SG108E v4.0 but not using VLANs at all (for the time being) and after seeing this video I also wanted to confirm this Admin webUI "leak". The first thing that crossed my mind is precisely that in the video you keep Default VLAN1 on ALL ports (1-8). I went to my switch, added port 7 to another VLAN, removed port 7 from Default et voilà. No access to webUI (like supposed to). I have seen this comment being repeated all over youtube (other channels) and I would even consider buying another brand (Zyxel) if it wasn't for the fact of already having this little TL-SG108E and being able to test it on the spot.
Thank you for the clear example with hardware. This is the first video where I had an ah-hah moment with the untagged/tagged options as I have this switch and was going to start to configure for vlan traffic.
White glove service, my favorite. Thanks for the break down, I was looking at this device.
No kidding 2 weeks ago I set up my first home pfSense box with this switch and my first unifi ap's. You're running about a week behind when i need you lately! Thanks much though, love the videos.
Love your videos. New to VLANs and your videos give me a head start. Was able to get my SSIDs on different VLANs :)
Thank you for the video! You give very good instructions and are easy to understand. I have brain damage and brain cancer and could follow your instructions perfectly. Again, thank you!
Love how you open the cases. Something I never do but should try sometime.
FYI. On the cable test. If your plugged in LAN Cable that has any broken strands then it will show up under cable fault.
It tells you how far down the cable length you will find the broken area so you can fix it.
That is why it does not show under the cable fault when a working cable is plugged in.
Finally someone got the logic behind it.
Untagged traffic defaults to VLAN 1. So does all of your layer 2 control traffic. It's defined in the specification and covered on both the CCNA and Net+ certifications.
So this switch is not suitable for connecting PCs to directly ? PCs generally send untagged packets. All untagged packets go to the VLAN1 group, which is every port on the switch ? Or how does that work ?
It is common for switches without "management vlan" option to allow traffic to the management IP on all vlans. It is more of a feature, especially for an office switch. Even when the pvid of 1 is not there .. It could be worse, you could have a Catalyst that forwards any traffic with destination port 179 to the management CPU.. That is fun ..
To my understanding the Default VLAN is the one that gives access to the Admin WebUI. It sort of makes sense to not be able to remove it, but you can configure it and limit which ports have access to the WebUI. From the other small business/home switches I have seen so far I would still go with the TL-SG108E.
Thanks for the review. It is a very basic looking, but reliable, low power use, bit of gear. I've used it mainly in bedrooms where I just wanted to run a single connection up to the main stack, but have a few drops in a bedroom, one for IOT like a FireTV, another for connecting a printer, another for laptop or other networked stuff. In LATAM, this model plus the unmanaged 24 port GBit switches are pretty popular, with DLink often used for managed switches at 3x the cost. Not ever had a problem, and the firmware has received updates over time. I agree with you that I probably wouldn't put this into a massive network, but for a smaller setup, these things would do the job. As they have no fans and are fairly temperature-robust, they are probably ideal for a small install that needs a VOIP and non-VOIP VLAN, perhaps a wifi for guests. I still have to set up my VLANs at home to do the IOT VLAN with the EdgeRouter Pro I have, but I need to plan that out beforehand. Appreciate you guys making videos and sharing your knowledge.
Thanks, dude! Successfully configured 2 WLAN & LAN for pfsense with just two NICs.
I personally use this switch. It’s very good for the money, but the only thing that bothers me is that the management page is accessible from every VLAN.
Is that a managed switch? Why does the box say Unmanaged?
@@christinolian4972 because names come from the marketing team and they just don't know anything...
@@sitte24 Thanks
Thanks for an easy to watch quick review, just what I was looking for, a managed switch to play with VLANs at home.
Thanks for this video. I have the 5 port version and was having an impossible time getting it set up to use VLANs. I was even working with their tech support and they weren't able to communicate how to get it working. Followed your video and had it working in 5 minutes.
Thanks L-man! This is exactly what I was looking for to separate my IOT and guest networks from my main lan.
Ya, good features and effective
I have the Netgear GS108Tv2, the hardware is almost identical, it definitely uses the exact same case, but it does offer a LOT more features in the software, a lot of things you will find on an enterprise switch, things like LLDP, SNMP, STP, 802.1x, ACLs, etc. It does cost a little more though, $70 on Amazon, so it's up to you if you want to spend the extra $30 for more features.
I do kinda have it running in an enterprise environment, but as an R&D switch and not as the main switch, it's been running reliably for many years now.
Jeff Higgins I use the same switch at home, works a treat when combined with a Ubiquiti wireless access point and a pfSense router (Separate SSID and VLAN’s)
Jeff Higgins Can you assign a management vlan on it?
I just double checked and yes you can.
I have two of these, the v1 and v2. Every 3 months, VLANs would stop being tagged which is extremely frustrating. I contacted support and they recommended updating the firmware but seeing as it takes 3 months for the issue to occur again, I cannot be bothered. Maybe I can try updating and set up a test bed but I just need my VLAN tags to work because if I am not home and I am trying to access something remotely to which the bug occurs, it sucks.
I have a GS724T though and it's practically flawless.
Moreover, I had Netgear support check the firmware update logs and there's no mention of this issue.
I’ve had ver2.0 of this switch for years now. It works great and has never given me any issues. The only thing I don’t like is the lack of a web-based management GUI, but unless you’re reconfiguring it often the Windows-based software is fine.
What? He uses the web based management gui in this video.
@@megamaser that’s why Jared wrote he owns v2.0 and this review is of version v3.0.
I bought one at Fry's Electronics for just under $20 on sale with my employee discount. They are really cheap switches.
I remember Fry’s
Still watching the video, only a minute in. Just purchased this myself a few days ago. From what I can tell so far they seem to have taken your review to heart and the box is no longer shiny.
Brilliant video ... you unpicked the weird ui that was confusing the hell out of me.
0:56 I like to see plain brown cardboard when I buy something, that tells me I paid for the actual product inside and didn't pay for fancy boxes, carrying pouch, and so on.
Some people feel special when they buy something with a "premium" feel box, something is wrong with them :)
I agree. I also own a small manufacturing/retail business and our biggest product expense is packaging. Shiny costs $$$. When I'm looking for network gear I want the most plain jane box possible. No need to waste even $1 on a box.
yes, fools are often overly impressed by shiny things... look at a certain "demographic" that like chrome wheels, diamond "teef" gold chains, big asses, blinged out "gats" and double digit iq's
simple things entertain simple minds
The NETGEAR GS308E VLAN config works the same way like this. I tried everywhere and could not figure it out. This video was very helpful.
i have the same netgear sw and unable to do vlans, did you find a way?
@@cornellrpgdrums yes I did.
Many, many great videos, Lawrence. I think the last combination video to do is have this switch work ESXi where the VLANs are configured on the switch and the firewall is giving out IPs from the DHCP server running on it and the VMs getting them. That's going to be the ultimate video **chef's kiss**
Been using these switches for yeeaaaars for small 5 and 8 port switches (Usually just get 8 as they are like 10 bucks more than the 5) and never had an issue ever with them! Probably used a hundred of them.
Love that "Rage against the virtual machine" sticker. :)
My 10-year-old Dell 610 whomps on almost every hosted VM I've played with.
I have one and it runs really well and stable. Features I use - VLAN, Static LAGG.
I would think that if you un-assign ports 7 & 8 from the default VLAN (1) you might not be able to connect to that network with a static IP address from ports 7 & 8. Unless of course your static IP address is on the 30 subnet that last comment does not apply.
I was thinking the same thing. Seems that the ports 7 and 8 are on both untagged vlans. The screen at 16:00 shows ports 7 and 8 as untagged on both vlans.
Great video I have been using one of these for a while now so far so good. They also make a poe version that I plan on buying.
I know this is an old video, but I enjoyed watching it. Primo content. Thank you sir.
I use a similar Netgear VLAN capable switch in conjunction with a SINGLE PORT pfSense server. I then use the following VLAN assignment:
VLAN1 (native): LAN
VLAN2: WAN
VLAN3: Private
VLAN4: Public (untrusted devices)
VLAN5: VOIP (QOS Priority)
There will obviously be some bottlenecks, but with my 50mbps WAN connection it's not something worth worrying about and it can save you buying an additional NIC for the server.
Thanks, what's the model number?
It seems that the 802.1Q PVID vlan setting is something Cisco refers to as "native vlan" = the vlan that will not be tagged on a trunk port.
This can be a little confusing because terms vary from manufacturer / switch software indeed. Afaik, it's security *gospel* that "VLAN Trunk ports should NEVER be on the native VLAN 1" (by "be on a native VLAN 'x'" we mean their PVID 'x' here), and as a corollary *"Thou shall NOT use native VLAN 1 for anything in prod."*
Basically, the underlying idea is that Native VLAN 1 (this means, NO VLAN, it's the default / untagged VLAN) is insecure as an attacker reaching the switch would either reach it untagged or be able to untag itself from any VLAN header. This is why neither data (traffic passing through the switch) nor management (traffic aimed at administrating the switch) should ever be on VLAN 1. Obviously, neither should a trunk port.
So take away, compared to Tom's video, where the Trunk to pfSense is Port 1:
- PVID for this port should be some VLAN =/= 1, e.g. VLAN 10 named "LAN".
- By extension, you'd put all the other used ports PVID to this "base" VLAN 10, and add them as "untagged" for VLAN 10 (do NOT add trunk ports to untagged anything otherwise you "break" the trunk on entry; only tagged traffic goes into trunk ports).
This would ensure that all machines connected to the switch are on VLAN 10, never 1. Including pfSense and the Wi-Fi station, which would communicate over VLAN 10, not 1 (for instance if the wifi AP is set to DHCP for its own address, it would get an IP from pfSense's interface on VLAN 10 by default, since port 4 where it's connected, a trunk port, has PVID 10 by default). This means all ARP traffic, DNS, ICMPv6 etc is *always* on some VLAN, 10 by default, another one if specified.
____
You can go 1 step further for security. The management port (should you dedicate one) and IP of the switch itself could be entirely segregated, e.g. port 5 on VLAN 55 (no interference between "data" and "management" traffic; the latter (VLAN 55) never goes into data trunks (VLANs 10, 20, 30, etc.)).
Such a setup is easy and doable with this $40 switch. It's imho the next best thing after "out-of-band" i.e. a physically different network for management, using a dedicated VLAN and never sharing ports (you're just "spending" 1 port per switch or router for this). I think it's worth it in terms of security because unprotected switches seem like low-hanging fruit for hacking bots afaik.
Great video! Really liked your description of tagged vs untagged... network engineer myself but it's been 15 or so years so I have forgotten a few things :)
Hamburger helper glove comes to mind.
UH 87
18:27 Personally I don't think you found a flaw. You misconfigured your vlans. Ports 7 and 8 are also available in vlan 1. Go back to your vlan settings, select vlan 1 and set ports 7 and 8 as 'not member' and save. Problem solved. And I am not even an IT specialist, just a hobbyist who prefers setting things up myself as opposed to hiring so-called network specialists who miss these details.
Oh no, my friend, shiny boxes do MATTER!
Excellent review...just the right length and content. I was just about ready to purchase until you talked about the security vulnerabilities. This probably is still just fine for my application (home network), for the price, and for the time being.
Your comment near the end about not using $39 switches for Enterprise. COMPLETELY AGREE, this is a good switch for home, a home virtual lab where you use vlans, etc. Or for traveling tech like me, something to throw in the car for an emergency when you need vlans.
Agreed, it can be extremely useful if a client has a single network port and (with permission of their IT staff) you can just match your VLAN on this thing to get yourself on their network without using the guest network to get on VPN to get back into their network to do a job, with the guest network having zero bandwidth as it is at the bottom of the food chain haha. I've also used some variants of mini-router/APs + a dumb switch that you can power off USB. This can be used as a client to a hotel network that has the '1 user' restriction, at least in the room.
DialM4Microcontrollr how do YOU know how much better the expensive stuff is?
Are you an electrical or electronic engineer?
Have you studied the internals of both expensive and cheap brands??
Have you tested the cheap stuff YOURSELF?
Don’t you know that most electronics are made by the SAME Chinese factories??
Don’t you know that longevity of electronics comes down to heat issues or low quality capacitors??
(cheap brand name stuff runs cooler and uses quality caps!).
I know all above and have tested the cheap (but brand name) stuff and NONE (zero) have failed in the last 10 years I have used or deployed them.
Neeext fanboi please!
Completely agree PV. I have 4 cheap Gigabit switches at about $40 each from Netgear and I've been using them for years without any issue whatsoever!
I've got two 16 port GbE switches from TP-Link connecting a few offices 40 feet apart, about $80-$85 each.....; they've been working just great for 3-4 years now..... I suppose I *could* have used $800 Cisco switches, and gotten the same 110 MB/sec transfers from one office to another... What a quandary!
mdd1963 thank you, I am a realist, not a dumb ass!!
Thanks for this!! Couldn't get an ip assigned because I had the ports tagged wrong. This video helped me get everything working!!
Would love to see you review the DLink DGS-1100-08... It's going for about $35 as of this post, but has quite a few more settings than this does. I picked up one of those for my little home lab and it works GREAT, and the VLAN setup is much more sane.
I'm a little surprised by that. D-Link's DGS1100-08 (rev B1) doesn't have https support, but it's very good when it comes to being able to lock out the administration stuff from untrusted sources. I just don't like how limited the D-Link is in its setup (no LAG support, but does have trunk aggregation support, but too many limits on configurations like vlans, and some other really confusing things in its interface if you're looking to set up physical port security, etc). It's not bad, but I outgrew it extremely fast.
Of the budget switches, it's def a step up in price, but honestly for small soho style managed switches for small networks, I find Netgears tiny GS108T (V2) switch to be a real gem.
Anyways, thanks for the review!
I believe you're able to ping the management interface (21:10) because you left ports 7 & 8 as members of VLAN ID 1. You can see this at 18:50 where you typed in "1" for the VLAN ID making it editable, you can see that ports 7 & 8 are defined as members of the management interface (VLAN 1). You should have removed ports 7 & 8 by clicking the radio buttons for each in the "Not Member" column thus removing them as members of the management interface (VLAN 1). But maybe the firmware at the time (6 years ago) didn't allow it.
Oh, man, my Netgear ProSafe "Smart Managed" GS116Ev2 has the same issue with the web management. It runs straight HTTP like the TP Link you reviewed; and I was able to connect to the web console from a different VLAN than the one hosting the switch's IP address like you did by just mapping a static IP address in the same range as the switch. Doh. For the moment I guess I'll have to make sure that my admin password (with no user id, BTW), is as complex as I can make it. Thanks for pointing out this deficiency in SOHO VLAN switches!
21:00 I don't think you are right in saying that when your computer is connected to port 8, the switch should prevent your computer from getting an IP from another subnet. If I am not mistaken, the switch has nothing to do with your IP, especially if you set it up manually. What the switch did however is: it blocked you from being able to ping from 1.9 to 1.1 when you were connected to the VLAN 30 port. Just saying and maybe I am wrong, but the switch has nothing to say about which IP you set up manually on your end device.
Shout out to you from a Solarwinds Engineer! Just noticed your sticker!!
Hello there!
It's my understanding that LAG only reduces congestion by allowing for more simultaneous transmissions. It does not increase speed.
The unmanaged switch seems to have a few things you can manage lol
I have this same switch. It wiped/factory reset itself entirely a couple of times over the last 2 years.
TP-Link products are really awesome
Hi Tom, thanks for this. I'm really struggling with setting up unraid, a pfsense VM on unraid and this TP-Link switch. I understand now. Thank you. *subscribed*
Nice security discovery at the end there. Worrying yes, I guess but it is ok for a home network.
Thanks! If only I would have found this video 8 hours ago...
Please tell me that your next video will be demonstrating and testing LAG between pfSense and FreeNas!
The LAGG on this switch is a static LAGG. It sucks but you can't use LACP or anything more advanced. I have two of these same switches at home and I was just forced to run some new cables and decided to drop 4 cables in the conduit instead of the 1 I had before. LAGG works but I am pretty sure it's a dumb round robin kind of thing. As my PC hits the network with traffic, each of the LAGG ports lights up, but one LAGG port at a time, literally rotating from one to the other in a row, and you can see it doing that by just watching the green light flash. $20 more and they have a model one step up that supports proper vendor independent LAGG implementations, so if this is a feature you are wanting, just buy the better one. I haven't tried LAGG right from the pfSense because I would have no idea what to set my pfSense to to try and test it. I am still learning so my understanding is still limited on a lot of things, especially pfSense and anything more advanced than plugging it in and it is a switch. Besides, I am out of ports on both right now anyways. :P
Yes. It's a good idea. Showing LAG on FreeNAS with this switch and later with pfSense.
The config page was hard to see. Can you zoom in next time?
Will do
The core problem is that so many YouTubers use screen resolutions beyond 1920x1080 on their notebooks! Makes zero sense when the final stream is 1080p at best.
Thank you, this really helped me make a decision on what to do in my home network.
Seems to be very similar to the Netgear GS108T, although the GS108T seems to have more features.
The TP Link SG108E has very similar features and a more simple user-interface compared to the GS108T. The LAG, QOS and VLAN configuration is almost identical - including the VLAN and PVID settings being on two pages - which means it's super easy to lock yourself out of the switch. But the enhancements on the GS108T includes allowing you to set the VLAN that the management interface is on, which is one security issue you found on the SG108E.
I use these switches...they work great for me. But regarding your "VLAN hopping" comment at 24:22...you have the switch misconfigured. Untagged ports should ONLY be in 1x VLAN and under "Untagged Ports" column (and NOT in Tagged Ports column). Tagged ports should ONLY show up in the "Tagged Ports" column (possibly multiple times for each VLAN the trunk is carrying). For "UntaggedPorts", the PVID MUST match the VLAN of that port (There is no ambiguity as untagged ports only should be configured with 1x VLAN). PVID determines what VLAN tag to associate with untagged port traffic. For trunks, the PVID still has to be configured...the reality is no UNTAGGED traffic should exist on a trunk (unless somebody messed up)...but have to put something...in my case, I tag it with an unused/unrouted VLAN.
I agree the UI could be improved...but it is what it is.
I actually have very similar configuration with pfSense, tp-link switches and unifi-ap...works flawlessly regarding "who can get to what".
Sorry for my ignorance, just a noob trying to digest your statement above - for untagged ports (let's say a hardwired PC) are you saying that it should be defined as untagged on VLAN 1 (system-vlan) only, with the PVID set to the correct VLAN assigned for it? Rather than, like in this video, it being untagged on the VLAN it's assigned to + the PVID set to the VLAN it's assigned to?
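The port rules argued over in the two comments above (the "never untagged on a trunk / PVID must match the one untagged VLAN" rule and the earlier "keep everything off VLAN 1" advice), as an added model that is not TP-Link's firmware logic and not code from the video: it flags the memberships the thread calls misconfigured and shows where an untagged or tagged frame ends up. Port numbers mirror the video (trunk on port 1, PCs on 7 and 8); VLAN 999 as the trunk's "unused" PVID is a constructed value.

```python
"""Minimal 802.1Q port-membership model: ingress by PVID/tag, egress by
tagged/untagged membership, plus a check for the mistakes the comments name.
Added illustration; the TL-SG108E's real behaviour may differ."""
from __future__ import annotations
from dataclasses import dataclass, field

TAGGED = "tagged"
UNTAGGED = "untagged"


@dataclass
class SwitchConfig:
    # vlans[vid][port] is "tagged" or "untagged"; a port missing from
    # vlans[vid] is "Not Member" of that VLAN (the third radio button).
    vlans: dict[int, dict[int, str]]
    pvid: dict[int, int]                 # PVID per port (the separate page)
    trunk_ports: set[int] = field(default_factory=set)

    def untagged_vlans(self, port: int) -> list[int]:
        return sorted(v for v, m in self.vlans.items() if m.get(port) == UNTAGGED)

    def ingress_vlan(self, port: int, tag_vid: int | None = None) -> int | None:
        """VLAN a frame arriving on `port` is placed in, or None if dropped.
        Untagged frames take the PVID; tagged frames keep their VID. Either
        way the port must be a member (tagged or untagged) of that VLAN."""
        vid = self.pvid[port] if tag_vid is None else tag_vid
        return vid if port in self.vlans.get(vid, {}) else None

    def egress(self, port: int, vid: int) -> str | None:
        """'tagged' (VID kept), 'untagged' (tag stripped, for a "dumb" device),
        or None when the port is not a member and the frame is not sent."""
        return self.vlans.get(vid, {}).get(port)


def find_issues(cfg: SwitchConfig) -> list[str]:
    """Membership/PVID combinations the thread identifies as wrong."""
    issues = []
    for port in sorted(cfg.pvid):
        untagged = cfg.untagged_vlans(port)
        if port in cfg.trunk_ports:
            if untagged:
                issues.append(f"port {port}: trunk is untagged in {untagged}")
            if cfg.pvid[port] == 1:
                issues.append(f"port {port}: trunk PVID is 1, use an unused VLAN")
        else:
            if len(untagged) > 1:
                issues.append(f"port {port}: untagged in {untagged}, bridges them")
            if untagged and cfg.pvid[port] not in untagged:
                issues.append(f"port {port}: PVID {cfg.pvid[port]} not in {untagged}")
        if port in cfg.vlans.get(1, {}) and cfg.pvid[port] != 1:
            issues.append(f"port {port}: still in VLAN 1, management reachable")
    return issues


def video_style_config() -> SwitchConfig:
    """Constructed to mirror the video: VLAN 1 untagged on every port, VLAN 30
    tagged on the pfSense trunk (port 1) and untagged on ports 7 and 8."""
    return SwitchConfig(
        vlans={1: {p: UNTAGGED for p in range(1, 9)},
               30: {1: TAGGED, 7: UNTAGGED, 8: UNTAGGED}},
        pvid={p: (30 if p in (7, 8) else 1) for p in range(1, 9)},
        trunk_ports={1},
    )


def hardened_config() -> SwitchConfig:
    """Same ports following the thread's advice: each access port untagged in
    exactly one VLAN with a matching PVID, the trunk tagged only with its PVID
    on an unused VLAN (999, constructed), and no port left in VLAN 1."""
    return SwitchConfig(
        vlans={1: {},
               10: {1: TAGGED, **{p: UNTAGGED for p in range(2, 7)}},
               30: {1: TAGGED, 7: UNTAGGED, 8: UNTAGGED}},
        pvid={1: 999, **{p: 10 for p in range(2, 7)}, 7: 30, 8: 30},
        trunk_ports={1},
    )


if __name__ == "__main__":
    for name, cfg in (("video", video_style_config()), ("hardened", hardened_config())):
        print(name, find_issues(cfg) or "no issues")
        print("  PC on port 7, untagged frame ->", cfg.ingress_vlan(7),
              "| leaves trunk:", cfg.egress(1, 30), "| VLAN 1 to port 7:", cfg.egress(7, 1))
```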
Thanks...this really helped...the PVID part was what I was missing....for home vlans.
The management interface is weird though, you can't set on which VLAN it listens. So if you would have it between your router and modem for VLAN tagging, and have it pull its IP from DHCP, it could actually get an internet-routable IP address from your ISP.
Or did I miss something obvious?
Either way, I just set it to static. It's reachable without problems over HTTP/S, but the ICMP based monitoring is a bit flaky.
But for 30-40 bucks a no brainer. Works great.
I am generally happy with these but I had gotten the 24-port PoE model for a project and found a couple of disturbing things. There was nowhere to change the management VLAN or default from PVID1 and to top it off the switch would allow access from any VLAN *and* someone had found that ALL MANAGEMENT TRAFFIC WAS BROADCAST ... in all VLANs (wtf?). I've yet to verify that one but if securing the management interface is important, look at equivalent Zyxel or Netgear switches. Then it would not accept alphanumeric characters into login passwords (I hate it when devices don't allow that).
Thanks mate! The video is way less complex than all the others out there.
Just picked the 4xPoE version up for a wireless bridge to detached garage with AC LR +2 PoE cameras. Thanks!
I purchased a pre-loaded pfsense box and I want to access its LAN port with a laptop. How do I connect?
So informative and the explanations were clear. Thank you!
If you connect this device to router with DHCP, it will use whatever IP the router assigns to it. I think dot-one is perfectly fine for out of box configuration for offline configuration (which is the only safe way to configure things like this anyway).
Just to say thanks because you deserve it!
Yes, the naming also says SG1, which means unmanaged; the E at the end means Easy Manage, which allows you to see some features and web-based tasks, but it is not a managed switch. Good video anyway.
I think the management interface is probably tied to the default VLAN of 1, which is probably where your traffic goes since you statically changed the client's IP to a subnet other than what that port's VLAN is supposed to be on. Could be that is a vulnerability of the switch.
10:10
Have you tested Link Aggregation with Synology NAS? (DS 918+ etc.) with this switch?
Which terminal do you use? I loved the configuration. And Linux, which distribution? Or how did you customize it?
ugh! it was that freaking PVID setting that borked it all. THANK YOU!!!
Awesome. I've been looking for something managed and very cheap. Great that it has LAGG and VLAN and QoS. I will be buying one of these, to use between my pfSense and FreeNAS boxes and my desktop. That way all 3 can have 2 connections, and still have 2 ports for the rest of my network.
Also, Subbed. Nice to see a fellow networking geek. You really seem to know your stuff
Thanks Tom, I have been glued to your channel for the last month as I'm just getting acquainted with pfSense. Are you configuring pfSense to handle the VLANs and firewall rules? (I'm using the TL-SG2016P Managed PoE Switch.) Or should I be using pfSense just for the WAN and LAN firewall, VPN, pfBlocker etc., and using the switch and controller to manage my VLANs and related firewall rules? Thank you!
Firewall rules in pfsense
Great video as usual Tom..
great video, might pick one up to play around with vlans and get to know them
The box literally says unmanaged though
I think it's labelled as unmanaged as these switches are part of the Easy Smart series; TP-Link consider this not fully managed, more customisable.
I have a few versions of the same switch and a bigger 24-port version.
Easy Smart means using a piece of software to manage the switch, no web UI.
Managed is normally configured using a web UI.
TP-Link recently seem to have implemented a web UI to manage the Easy Smart switches.
One of my 8-ports and my 24-port are now configurable using the web UI or the Easy Smart software.
My other 8-port is only Easy Smart; it must be hardware revisions.
But same as was said in the video, I have never had a problem with any of my TP-Link hardware; they are reasonably priced and have a lifetime warranty on the SMB switches.
I have learnt so much from you. Thank you
It's good, but I don't see value in buying new. I picked up a very similar 24 port (actually two) for the price of a new one and has waaay more features, 802.3ad trunking, VLAN blocking admin ports and SFP (and tons of other stuff). System refurbish establishments are what I'm sticking to for sure.
Be careful with TP-Link and VLANs. Some switch and access point models don't handle VLANs properly. Multicasts can leak from the main LAN to the VLANs, making it impossible to use IPv6 on the VLANs. I have experienced this with an AP and others have with the switches.
Pretty helpful, still kinda confusing the way the GUI is represented. I always thought "Tagged" Vlans are for Vlans you want specific traffic passed through (Vlan30/40/50), whereas "Untagged" is basically any traffic being passed through. ....Guess not. :/ I have 2 of these. 1 connected to my Palo Alto FW and the other in my living room.
Easy way to remember, tagged means it carries the VLAN ID to the next hop. Untagged means it strips the ID so it's just traffic on the subnet.
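The tagged/untagged rule in the comment above, plus the PVID behaviour several commenters tripped over, as an added example that is not from the video or any commenter: a small Python model of an 802.1Q switch port that assigns untagged frames to the port's PVID on ingress and keeps or strips the tag on egress depending on membership. The port names, VLAN numbers, MAC addresses and the ingress-filtering behaviour are assumptions, not TP-Link's documented implementation.

```python
# Added example (not the video's or any commenter's code): a model of 802.1Q ports.
from dataclasses import dataclass, field
TPID = 0x8100  # 802.1Q tag protocol identifier

@dataclass
class Port:
    pvid: int                                   # VLAN given to untagged ingress frames
    tagged: set = field(default_factory=set)    # member VLANs sent with the tag kept
    untagged: set = field(default_factory=set)  # member VLANs sent with the tag stripped

def make_frame(dst, src, ethertype, payload, vid=None):  # vid adds an 802.1Q tag
    tag = TPID.to_bytes(2, "big") + vid.to_bytes(2, "big") if vid else b""
    return dst + src + tag + ethertype.to_bytes(2, "big") + payload

def vlan_of(frame):  # VLAN ID in the frame's tag, or None if the frame is untagged
    if int.from_bytes(frame[12:14], "big") != TPID:
        return None
    return int.from_bytes(frame[14:16], "big") & 0x0FFF

def ingress(port, frame):
    """Classify a received frame as (vlan_id, frame_without_tag), or None if dropped."""
    vid = vlan_of(frame)
    if vid is None:  # untagged frame: the PVID decides which VLAN it enters
        return port.pvid, frame
    if vid not in port.tagged | port.untagged:  # assumption: ingress filtering is on
        return None
    return vid, frame[:12] + frame[16:]

def egress(port, vid, frame):
    """Send on a port: strip the tag, keep it, or drop if the port is not a member."""
    if vid in port.untagged:
        return frame
    if vid in port.tagged:
        return frame[:12] + TPID.to_bytes(2, "big") + vid.to_bytes(2, "big") + frame[12:]
    return None

def forward(ports, in_name, frame):
    """Deliver a frame from in_name to every other port; None means that port drops it."""
    result = ingress(ports[in_name], frame)
    if result is None:
        return {}
    vid, plain = result
    return {n: egress(p, vid, plain) for n, p in ports.items() if n != in_name}

def demo():  # constructed topology like the video's: port 1 trunks to pfSense, port 3 is a PC
    pc, fw, bcast = b"\x02" * 6, b"\x04" * 6, b"\xff" * 6
    sw = {"port1": Port(pvid=1, tagged={30}, untagged={1}), "port3": Port(pvid=30, untagged={30})}
    up = forward(sw, "port3", make_frame(bcast, pc, 0x0800, b"DHCPDISCOVER"))
    down = forward(sw, "port1", make_frame(pc, fw, 0x0800, b"DHCPOFFER", vid=30))
    return vlan_of(up["port1"]), vlan_of(down["port3"])  # (30, None)
```

Changing port 3's PVID to 1 in the model sends the PC's frames up the trunk untagged, i.e. into VLAN 1 rather than VLAN 30, which is the symptom of a wrong PVID; leaving the PVID at 30 but making the port an untagged member of VLAN 1 only lets the PC's frames out but drops every tagged reply from pfSense at port 3.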
Thanks for the great informative video. I have a question: on this switch I noticed that you did not remove port 3 from being a member of the default network, but in another video you did with the Edge switch, you did. Is it just different for this switch?
Congratulations on the video.
In case I want to make two trunk ports, could I? One coming from my pfSense and the other going to another manageable switch?
Going to the Wayback Machine for this one. I have been using your videos to get myself acquainted with pfSense. I was looking for something inexpensive but with updated firmware and got the V4 16-port version of this switch (TL-SG1016DE). So far it does OK; just set it up on my laptop with a static IP on the same subnet. Plugged it in, switched cables from the 16-port dumb switch and away we go. Backed up the config before reboot but it held the config. I will be doing VLANs next. I have pfSense with a 4-port Intel NIC with one as WAN from the cable provider and the 2nd one to LAN. Any suggestions out there on how to manage the VLANs on this sort of setup? Good advice welcome. I already read all of the replies and comments here on this video, so anything new would be great! Thanks Tom for all the informative videos and to the community for their great comments!
The cable fault distance would help to find a broken cable (based on the length where it ended).
The issue with 192.168.1.9 being able to ping the management interface is a feature called untagged management found in a lot of switches. Most only work on the first port.
Great job. Happy New Year.
Stephen Douglas why are you verified