Netgear ProSAFE Plus Configuration Page Lockout
What I wanted
As the description reads, I was having an issue accessing the configuration page for my Netgear ProSAFE Plus switch. I just needed to get in there to properly make changes to the VLANs on my network. However, I was locked out due to some change I made. I wanted to be able to manage my switch without needing to take my Mac off its dedicated VLAN network.
The environment
- Netgear ProSAFE Plus
- Fiber Gateway
- Netgate 6100
- VLAN
- pfSense
The approach
I took this one step at a time. There were a few likely causes of this issue, so I went down the list one by one.
- The switch is not receiving an IP address (because of bridge mode)
  - I knew that my Fiber Gateway was in bridge mode. So I decided to check if the switch was stuck with either no IP or a default IP that doesn’t match my Mac’s subnet. My Mac is the direct link to my switch for management purposes.
  - I connected the switch behind the router and assigned it a static IP to match the IP address of my Mac.
  - While this worked, what I needed was to be able to access the switch while the Mac was still connected to its dedicated VLAN. So this wasn’t the solution I wanted.
- My Mac is on a different VLAN
  - Because the VLAN on my Mac was different from the switch port’s configuration interface, my packets never reached the interface. They were tagged differently. This is the part that was confusing me at first: tagging.
  - So I went back to temporarily connecting my Mac to the switch directly on an untagged port, thus allowing me to be on the same subnet as the switch itself.
  - Now all I needed to do was make sure that the VLAN the Mac was on was able to talk to the VLAN the switch’s internal interface was on.
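The tagging behaviour described in the list above, as an added example that is not part of the original post: a simplified 802.1Q model showing why the Mac's port could not reach the management interface, and the two ways out (an untagged port in the management VLAN, or routing between the two VLANs). The VLAN IDs, port objects and function names are constructed for illustration.

```python
# Simplified 802.1Q model. VLAN IDs and port roles below are constructed,
# not taken from the post; ingress filtering is assumed to be enabled.
from dataclasses import dataclass, field

@dataclass
class Port:
    pvid: int                                       # VLAN given to untagged ingress frames
    untagged: set = field(default_factory=set)      # VLANs this port carries untagged
    tagged: set = field(default_factory=set)        # VLANs this port carries tagged

    def members(self):
        return self.untagged | self.tagged

def classify_ingress(port, frame_tag):
    """Return the VLAN a frame lands in on ingress, or None if it is dropped."""
    vlan = port.pvid if frame_tag is None else frame_tag
    return vlan if vlan in port.members() else None

def management_path(port, frame_tag, mgmt_vlan, routed_pairs=frozenset()):
    """How a host on `port` reaches the switch's management interface.

    routed_pairs holds (source VLAN, destination VLAN) pairs that a
    router/firewall is allowed to forward between.
    """
    vlan = classify_ingress(port, frame_tag)
    if vlan is None:
        return "dropped"      # tag is not a member of this port
    if vlan == mgmt_vlan:
        return "direct"       # same broadcast domain as the management interface
    if (vlan, mgmt_vlan) in routed_pairs:
        return "routed"       # crosses VLANs through the firewall
    return "isolated"         # frame stays in its own VLAN: the lockout

MGMT_VLAN, MAC_VLAN = 1, 20                              # constructed IDs
mac_port = Port(pvid=MAC_VLAN, untagged={MAC_VLAN})      # Mac's dedicated VLAN port
spare_port = Port(pvid=MGMT_VLAN, untagged={MGMT_VLAN})  # untagged management port

if __name__ == "__main__":
    print(management_path(mac_port, None, MGMT_VLAN))
    print(management_path(spare_port, None, MGMT_VLAN))
    print(management_path(mac_port, None, MGMT_VLAN, {(MAC_VLAN, MGMT_VLAN)}))
    print(management_path(mac_port, 30, MGMT_VLAN))
```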
The setup
- I moved the switch behind the firewall
- I ensured that the Mac was on the same subnet as the switch, while also being on the subnet to allow it to talk to the internet
- I manually configured the Mac’s IP address to match the subnet of the switch on a separate network interface on the Mac, just for safety
- This all worked the way I wanted it to.
What broke or surprised me
Connecting to the configuration interface broke. Looking further into this, I was surprised to learn how powerful true VLAN segregation really is. Just the fact that I wasn’t able to access my configuration page shows why segmentation should be a part of every homelab environment.
What I’d do differently
What I’d change if I was starting today is proper documentation and port assignments. Truly writing down which port belongs to what VLAN ID and deciding which devices will reside on which subnet for management purposes.
Where this fits in the system
Being able to manage my switch when I need to fits into my wider setup by allowing me to fine-tune where certain devices will live on my network.