Pfsense to CSS326-24G-2S+ to CSS326-24G-2S+ Vlan problems on 2nd switch

Hi, I have

2 CSS326-24G-2S+ switches.

It goes:

pfSense, which has the VLANs,

then goes to the first switch, and the first switch goes to the 2nd switch.

So

pfsense --> switch 1 --> switch 2 --> vlans

Well, the first switch has no issues doing VLANs. I set the default VLAN like 30 and leave it as optional mode, no issues on the first switch,

but the 2nd switch isn't getting the VLANs.

I have like 10 for cameras, 20 for IoT, 30 for management ports,

and they aren't being picked up on the 2nd switch,

even when I set a port on the 2nd switch to

enabled VLAN mode, 30 VLAN ID, and force the VLAN.
It will not carry the VLANs from the first switch to the 2nd switch; I just get 169.x.x.x.

So I'm not sure; it passes the regular network,

so 192.168.0.x, it will pass that fine, but it won't pass

192.168.10.x

192.168.20.x

192.168.30.x

which are the VLAN networks… Is there something special I need to set up?

First off, is this the same setup as described in your previous post from 2023?

how do you get 2nd Switch to receive WOL Packets?

I will start with a disclaimer, I don't have a CSS326, but I do have two CSS106-5G-1S switches which use SwOS.

Looking at the screenshots from the old post (by the way, when you post screenshots use the "^" just to the right of the </> to upload if you have a graphic file, or just paste if it is in your clipboard, instead of uploading to imgbb, pastebin, etc.)

In this post you have three links; the third shows your "forwarding" tab with "Mirror To" selected, but you only show one port, so we don't know if you are mirroring anything or not. But mirroring isn't what you want. Mirroring is for allowing you to see traffic being sent between other ports (specifically unicast traffic that would normally be sent only to the port that the MAC address was learned on). This is useful for debugging with Wireshark, or for monitoring traffic (or recording with something like dumpcap). For an example, see Chris Greer's YouTube video BUILD a Packet Capture Appliance for $200! Raspberry Pi

I highly suggest you spend some time reading CRS3xx and CSS3xx series Manual - SwOS - MikroTik Documentation because if you want your switches to be vlan-aware (and allow things like access ports), you shouldn't be using "optional" or "force VLAN id".

At the very least, read the VLAN and VLANs section, which includes a VLAN Configuration Example section. You want the ports going to the pfsense box and between the two CSS326 switches to be either trunk ports or hybrid ports (depending on how your pfsense box is set up, specifically whether your pfsense box sends any untagged traffic to the directly connected switch.) And then you would set up the ports you want to have access to specific vlans as access ports (for devices that know nothing about vlans, like most PC's).

I didn't remember posting in here, but I'll have to re-look.

My 2nd switch was working but stopped working… like, you can access cameras if you plug into the 2nd switch and access cameras, but if you're on switch 1 you cannot access cameras.

I'm not at home at the moment, but I had deleted my VLAN names and re-added them to see if that would fix it.

So on pfSense it just sends out like 10 20 30 40 50 on the LAN cable.

The port, I forget, but say #1 is the pfSense on the first switch and port #2 is the cable to the 2nd switch,

and like on the second switch I have a port like #23 to an unmanaged camera PoE switch, so I set it to optional VLAN 10, but since things stopped working I tried enabled and force VLAN 10, but that didn't work.

Things have been working for a few years now; just yesterday all of a sudden nothing works. My server that I made a managed port on the second switch can't get an IP. I did try setting VLAN 1 so it would be a member of the VLAN 10 20 30 40, but that didn't work.

I'll read those articles… ya, for whatever reason VLAN stopped, I dunno what. I tried to Google if there is a tool to test if VLAN tags are coming through, but it didn't help; couldn't find something that says the switch is receiving VLAN traffic 10 20 30 40 as examples.

So I figured some glitch might be going on, but even rebooting the switches, as they were online for 216 days without a reboot, didn't solve the problem…

Was thinking maybe a factory reset might fix things,

but I'll read those articles and try whatever when I get home.

So like all VLANs work from
pfSense --> switch 1

but

switch 1 --> switch 2

but all VLANs on Switch 2 have stopped working; only VLAN 1 main is the only thing that is passing from Switch 1 to Switch 2.

The reason I noticed an issue:

I have security cameras on Switch 1 --> PoE switch and Switch 2 --> PoE switch,

and all the cameras went down that are on switch 2 all of a sudden,

so then I was trial an erroring things like deleting my vlan names etc…

But I'll re-read up on the info you sent. I figure there might be a glitch that happened, I dunno, frustrating.

Can it be a failing network cable from Switch 1 to Switch 2, that it's only handling LAN VLAN 1 and nothing higher?

As right now that's like a 250 feet run outside underground and I can't run a new cable yet, but would a failing cable cause this?

If it was a failing cable, it wouldn't be working for vlan 1. Cables have no intelligence, so they have no ability to filter anything.

Ah OK, is there any tool that can poll the pfSense router for like a VLAN 10 and keep polling like a ping, where you troubleshoot till it starts showing the VLAN is working? As I've been trying on my server on the 2nd switch, the management port, I keep toggling port down, port up to try to see if the VLAN starts working.

Or is there like a port sniffer for VLANs, to verify the certain VLAN is coming through?
No idea, I'm just throwing a thought out.

By vlan 1 I will assume you mean "untagged traffic"?

I am sorry, but your descriptions are hard for me to decipher. Can you draw a sketch of how things are connected and upload (even a photo of a hand drawn sketch would be much better than a bunch of words).

How is the previously unmentioned "unmanaged poe switch" connected?

There is always a reason when things stop working. Determining the reason is sometimes hard. But the first things to check are things that recently changed. You may not think they are related, but they very well could be.

And unfortunately SwOS provides no way to show a compact text based version of the config. And there are many tabs each with their own config, and these can interact in unobvious ways.

The point is, with the information you have provided, all you are going to get are guesses.

Sorry, my dyslexia; I sometimes explain it the way it sounds to me.

VLAN 1 as in default,

192.168.0.1 LAN, whatever you wanna call it, standard networking, 0 VLANs. I dunno how to explain it, just the default network.

So both switches, for any VLAN,
it's

optional, 10 VLAN ID, and unchecked forced.

As for making changes, did nothing; I was watching security cameras.. and all of a sudden every camera on switch 2 went down….

But I hear ya, all guesses. I'll get screenshots when I get home… it is frustrating for sure.

The unmanaged PoE switches are attached to a port on Switch 1 and Switch 2, and I set the VLAN tag to 10.

Switch 1 works; switch 2 no longer works on VLAN 10… set VLAN 1 to switch 2 port, then a single camera works that is DHCP… any IPs static set 192.168.10.x will not show up..

I'll get screenshots tomorrow of the current setup after I tried to start over.

I would look at tools in pfsense. SwOS has no tools, other than the ability to use a mirror port to copy all the traffic between other ports. But then you will need a device to capture the packets and decode them (for instance a raspberry pi or PC running wireshark (linux preferred)).

Before changing anything, backup. And I would also restart the switches. It is possible there is a bug where there is a memory leak and eventually something may be overwriting something that causes the switch chip behavior to change.

Often people make a lot of changes trying to "fix" a problem (like your "trial an erroring things like deleting my vlan names etc…"), but end up introducing problems that were not there before. You shouldn't need to restart the switch, but perfect software is rare, and rebooting may solve problems.

Once you have a backup and have restarted the switches, then if the problem still exists, then start making changes, but keep a record of what you change, or when you are done, reload the config that you backed up. Otherwise you may not be troubleshooting the same conditions as you started with.

Also, don't make random changes unless you can explain why or how that change could affect the problem. And change one thing at a time. I won't go into more details here, you can always search for network troubleshooting guides/strategies. https://www.google.com/search?q=network+troubleshooting+steps

What makes less sense to me is your statement that

If that's true, it seems the problem is in the connection from switch 1 to switch 2 (i.e. the configuration of the switch ports that connect to each other).

But you haven't specified anything about whether the cameras are vlan-aware or not. I will assume not, meaning that it is the responsibility of the switch connected to the cameras to remove the IEEE 802.1Q tags from the ethernet frames before sending to the camera.

Are you sure no-one but you has access to make changes to the switch configs?

What other resources do you have to troubleshoot with? Raspberry pi, spare laptop, a vlan aware router (e.g. hex or hap). The problem there is you will be opening a whole new can of worms, especially if you are not well versed in network troubleshooting.

References:

https://www.google.com/search?q=pfsense+vlan+troubleshooting
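
Added example, not part of any poster's reply: one way to answer the "port sniffer for VLANs" question once a capture has been taken from a mirror port with Wireshark or dumpcap. It reads the capture and reports which of the expected VLAN IDs (10, 20, 30 in this thread) actually appear as IEEE 802.1Q tags. It assumes the capture was saved in classic pcap format (not pcapng); the function names are hypothetical and the sample capture is constructed in the code.

```python
import struct
from collections import Counter

TPID_8021Q = 0x8100  # EtherType value that marks an IEEE 802.1Q tag

def vlan_of(frame: bytes):
    """Return the 802.1Q VLAN ID of an Ethernet frame, or None if untagged."""
    if len(frame) < 18:
        return None
    ethertype, tci = struct.unpack_from("!HH", frame, 12)
    return tci & 0x0FFF if ethertype == TPID_8021Q else None  # low 12 bits = VID

def frames_from_pcap(data: bytes):
    """Yield raw Ethernet frames from a classic pcap byte string."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if endian is None:
        raise ValueError("not a classic pcap file")
    if struct.unpack_from(endian + "I", data, 20)[0] != 1:
        raise ValueError("capture link type is not Ethernet")
    off = 24  # skip the 24-byte global header
    while off + 16 <= len(data):
        caplen = struct.unpack_from(endian + "I", data, off + 8)[0]
        yield data[off + 16: off + 16 + caplen]
        off += 16 + caplen

def vlan_report(pcap_bytes: bytes, expected):
    """Count frames per VLAN ID (None = untagged) and list expected IDs never seen."""
    seen = Counter(vlan_of(f) for f in frames_from_pcap(pcap_bytes))
    missing = sorted(v for v in expected if seen[v] == 0)
    return seen, missing

# Constructed sample: what a trunk carrying only untagged and VLAN 20 traffic looks like.
def make_frame(vid=None):
    hdr = b"\xff" * 6 + bytes.fromhex("020000000001")  # broadcast dst, made-up src
    tag = b"" if vid is None else struct.pack("!HH", TPID_8021Q, vid)
    return hdr + tag + struct.pack("!H", 0x0800) + b"\x00" * 46

def make_pcap(frames):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

SAMPLE = make_pcap([make_frame(), make_frame(20), make_frame(), make_frame(20)])

if __name__ == "__main__":
    seen, missing = vlan_report(SAMPLE, expected=[10, 20, 30])
    print(dict(seen), "missing:", missing)
```

Some capture hosts strip 802.1Q tags in the NIC driver before the capture tool sees them, so a result showing only untagged frames should be confirmed on a second machine before concluding the trunk carries no tags.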

Ah OK, the only thing I can think of yesterday was we had a power out that lasted 10 minutes, and not everything is on battery backup.

As for the cameras, they are all static IPs of 192.168.10.x, Reolink cameras… except for one I left on DHCP, and VLAN 1 (default 1) can be detected on the camera PoE switch port from switch 2,

and they all are

optional setting, VLAN 10, and not Forced IP.

And I was thinking it's the cable between the 2 switches, but you said that's not the problem since I can communicate between them, even though the cable is like 25 years old now and I run at 10 or 100mb, not 1g.

No one can make changes; just I make any changes, and the last time I did any changes was like 6 months ago. I set it and I forget it.. I forget it so much I never remember the password, so I gotta check a password list to know it.. all I know is I had power out.

The only router I have is pfSense.. I do have a Raspberry Pi on the network off a PoE switch off switch2, as it powers my APs, IoT devices, and LAN connections, so the PoE switch does 1, 20, 40 VLANs and they seem to be working.

So switch2 --> VLAN 1 --> PoE switch (powers APs, IoTs, LAN connections)

and VLAN 20 IoT devices work on Switch2, but that's through Switch2 --> PoE switch --> Access Point (PoE).

So VLANs on switch2 don't work… but the VLANs that go out of switch2 to a PoE switch that goes to an AP, those VLANs work,

and the APs are all on default VLAN 1… and they dish out the 20, 40, 50 VLANs Wi-Fi.

I'll read up on that troubleshooting too.. and I'll get you the screenshots too tomorrow when I'm home.. as I get it, I've got a learning disability and dyslexia and I'm a visual learner and I don't explain things right.. showing pictures helps explain what I mean sometimes.. it's probably something simple.

But ya, I don't adjust the switch cuz it was working fine till, I guess, the power out, and I run security camera viewing on the desktop in the background, and then later, I dunno how long after the power out, I noticed switch 2 stopped.

But I'll get pics tomorrow cuz you'll see something I don't.. I don't play with the switches, I don't use them every day, so I'm not up to date with all those configurations or what to look for.. my IT days were done years ago lol

@Buckeye

So below are the pics of switch 1 and switch 2.. now I had to Google and re-read the switch manual, as with my head I forget a lot if I'm not using this every day…

But what I read is to not use VLAN 1, it's a security problem? Change default 1 to like 901, but I dunno if that buggers up other switches.

I also saw root and alternative in rtsp, but I really don't understand that page. I think root is your main and alternative is when root fails; I couldn't understand the documentation.

Also Googled about access and trunk ports, as on here it's tagged/untagged; on my Cisco router I've got tagged/untagged, my TP-Link has trunk/access.. and I use the trunk for one switch to another with the TP-Link.

So what I re-read: trunk/tagged are for connecting switches that handle VLANs, and that would probably mean APs too, and the rest would be any or untagged. Wasn't 100% sure really between untagged and any, if the any uses the VLAN ID tags in pfSense but tagged and untagged use the VLAN ID tags that you predefine in the switch..

So I think I need to change:

switch to switch
optional or enabled?      tagged   Vlan 1
switch to switch poe for cameras
enabled untagged Vlan 10

Client comps can leave at any and VLAN 1.

But I think the main issue is cuz I didn't have switch to switch set to tagged, instead it's any? Does that show that's the problem in the pics below..

Switch 1

switch #2

Your switch1 has a root port going to AP(hydro), and the stp root seems to be switch2.

@vingjfg ya, so figure like the couple of switches and the access points should all have root?
Or they all need to be tagged?
I'm not sure how to fix it?

I tried switch2 “to the house”; I set it to tagged VLAN 1 and I tried optional and enabled, but that didn't help.

How do I fix whatever is wrong?

And how should it look, and how do you know if it's stp or rtsp? I don't understand that page; even trying to read the manual I couldn't understand what it's for.

And the AP hydro pole is: I have an access point attached to my hydro pole, so outside of my property I have different APs to cover my farm property.

So like I thought I had no issues the last few years, but I guess I didn't have it set up right.

So how do I make it proper?

The switches and APs I have trunk, so I guess they all get root access so they pass all the VLANs properly.

On the 2nd switch I use default VLAN 1 because the PoE switch powers APs and VLANs, so it stays on 1, so that works fine.

But I guess I need only tagged to properly trunk the individual APs and switches, right?

If you can change my pics so I know what I need to fix, as default seemed to work all this time..

It means that the traffic going from switch1 to switch2 goes through ap (hydro). This means there is a path from switch2 to ap (hydro). What port on switch2 is connected to ap (hydro)?

What is ap (hydro)?

AP Hydro is a Wi-Fi access point screwed to my hydro pole to give out Wi-Fi out on the front of my property.

Switch 1 connects to switch 2 with old Cat5e that I'm only getting 100m unduplex mode or 10m full duplex mode.

I tried changing “any” to “tagged” and using VLAN 1, and that seemed to lock me out on my network; had to go back to any.

On switch 2 I have IoT PoE; it uses VLAN 1 cuz I have VLANs and main LAN to power multiple other access points and VLANs.

I played with the tagged on the pfSense connection too, to see if it would go to root and all my switches would be alternative; that didn't work.. I figured they also all go root. Didn't happen.

Sorry, if I need to re-explain it clearer I will; with my dyslexia I explain it how I see it.

This is what I got when I set it up this way.. now root moved to my stage rack, but really I think
all switches and APs should be root… or pfSense be root and all the switches be alternative?

@vingjfg since I have TP-Link APs outside and inside, would that mean the hydro pole AP is connecting to the other APs? But then it shouldn't, as they're supposed to be like a mesh configuration.. I will have to look into not to connect, so maybe that's causing it?

Update: ya, seems my wired APs are wirelessly connected.. not sure how I turn that off. They have a feature, I guess, if you lose network connection it will connect Wi-Fi but won't reconnect via wireless.

I guess I'll try to figure that out first before I can continue.