@johnpoz said in Setting up a Vlan for security,:

You should never be suggesting to someone that they can get by with using a dumb switch if they want to start using vlans.

What about my original intention for using a VLAN. I have an access point that supports multiple SSIDs and I was planning on setting up a guest SSID & VLAN. It was the only device on my network, other than pfSense, that would use a VLAN. Was I supposed to toss a perfectly good Cisco unmanaged switch, just because I was running a VLAN to one device?

However, I definitely recommend VLANs for security cameras, VoIP phones, etc.. In some cases, it makes sense to use a managed switch to keep LAN and VLAN separate. In others, maybe not. An example would be a network where most devices are VoIP phones, with computers plugged into the phones. (I've seen networks where there's nothing else other than VoIP phones & computers and the Internet connection) In that situation, what advantage would a managed switch provide? Due to the way switches filter traffic, there would be very few VLAN frame appearing at devices not configured for a VLAN. As always, look at the requirements and be guided accordingly. That said, there's not much reason to not buy a managed switch these days.

BTW, my plan failed because our favorite manufacturer, TP-Link, didn't know how to handle VLANs properly.

Me and jknott bang heads about this all the time.

And you have horns on yours! 😉

That ifconfig indicates LACP isn't even set on that lagg.

Hello,
I'm using version 2.4.4

@derelict Hmmm...I'm not sure there is a way to assign a virtual NIC for a Hyper-V VM to an untagged VLAN. I had added a VLAN during pfSense initial config, to match the virtual NIC and physical switch port configs. The general ease of virtualization lured me into forgetting the requirement for VLAN support at the NIC hardware/driver level. Broadcom docs indicate Netlink 57XX series don't have VLAN support. My onboard NIC is a Broadcom Netlink BCM57780.
I ended up adding a multi-port PCI-E NIC (removed the bracket so it would fit my low profile Optiplex 380), connecting a second port between Hyper-V host and switch (untagged/PVID VLAN 100) for VLAN, and reconfigured switch, virtual NIC and pfSense interfaces accordingly. Success. Though for me it defeats the purpose of a VLAN in the first place. The switch, modem and Hyper-V host (pfSense) are all in close proximity, so I can simply connect the modem to the second port on the Hyper-V host. But I never used a modem connected to a switch port instead of directly to my router, and was curious whether it would work as expected. 🤓
Your response got me thinking in the right direction. Thank you!

@teamits yeah. It should just work. It doesn't tho... And it's really messing up my holiday giving spirit.

I should've just did it all myself. No outside vendor. Sigh.

Then start following the manual: https://www.netgate.com/docs/pfsense/routing/connectivity-troubleshooting.html and if this isn't enough capture packets on both sides to see where it fails.

Btw. if you really want to use VLANs get managed switches, unmanaged switches can strip/mess up VLAN tags.

There is a second VLAN id field hidden under the adavnced option for each Wifi network profile. Correcting that allowed me to ping across the waps to the firewall but still no internet. I need to reserach more about the Netgear WAPs tagged/untagged network option and then will retry next year.

Thanks for the suggestions.

If your wanting to do vlans your going to need a vlan capable switch and a vlan capable AP... Or your going to need to run completely different hardware for each network.. Anything else is just completely BORKED!!!

You can pick up a 24 port vlan capable switch off ebay for a like 30$.. Do you really need 24 ports? You an get a 5 or 8 port smart switch to handle the vlans and then use your 24 port switch for all the devices that are going to be on 1 vlan..

@markelder said in Separating VOIP Phones vs Other Network Traffic:

I see an extra Nic port on the pfSense box and thought maybe I should put it to use.

Yes you can do that.

@jknott Figured out the VLAN stuff, all set. Thanks for responding.

Grimson, thank you for your feedback. This just was the little piece of advice I needed. I got it working now thanks!

Topic can be closed.

@telescopedepth I appreciate people's goodwill.
😅
I understand you, also networking's jobs. you can learn enough, trought forum and community, as I do...
If you really want, nothing is impossible! 🐬

Meanwhile I'll reading some nice book like this

Some page for a day, it's easy to follow and full of good pratice, for me.
Regards.

(Indeed pfSense book it is) Finally I need to thank so much pfsense team for this pretty nice gift, I dicovered few days ago, pfsense book for everyone is a must to have. Cool!

If you need more switch ports get a freaking switch!! A 30$ 8 port gig smart switch will way out perform some software bridge..

Also since your here asking if you can - its going to be way more complex...

Get a switch!

Thanks! The switches are HW V4 and the problems related to VLAN 1 were fixed in V3. Is there any other issue they might have?

@dranick said in Strange behavior on LAN:

unmanaged was requested

Why would you ever request that?? And pretty much any managed switch I have ever seen comes out of the box dumb.. With everything in vlan 1... Only thing that might be a problem is the default IP of the switch - but most of then not they will auto grab an IP off dhcp if running, etc..

You should never request a unmanaged switch...

Ah yes @johnpoz that would solve my problem. Thanks

No. If vmx.11 received untagged traffic it will not respond because it is not the correct VLAN.

It is probably just that the lagg isn't set up yet. If the errors do not increase after it's all booted and established I would not sweat it.