@johnpoz said in Is 2 NIC on one LAN on 2 different switch doable?:

Being limited to 100mbps at home would be like being force to go back to dial up internet.

Also, more and more gear now supports Gb, so might as well use it.

Natting your IP to your MAN ip not really the best way to do it to be honest. Both sides should just use the man as transit network. But if the other side not going to create the route then sure you can nat.

How many users will there be? NAT works by exchanging ports for individual addresses. If you have enough users and they're busy enough, you could run out of available ports. Large networks would use more than one public IP to avoid this.

Thanks a lot.
I followed the NordVPN tutorial.
Adding my two VLAN networks worked.

@derelict said in Assign unique MAC to vlan interface?:

As @jknott said all layer 3 traffic on all switch ports will have the same MAC address in general.

Actually, layer 2 traffic too. The MAC address is added when the frame is created in the NIC. Layer 3 is above that.

i wanted to close the loop on this. I ended up starting over and reset the switch and rebuilt the vlans on pfsense. It is working as expected now, so i must have messed something up previously. Thank you all for you help!

Hi,

production environment in our case our office is on 192.168.10.x and then I receive an email that says the subnet we have been provided by the clients network is 10.200.100.x so I have to migrate that stack over to the final destination

Why if I may ask do you do that in the first place? When I was last working in some sort of local computer retailer where we built the client and servers for a company and then integrated them on premise, we got our infos beforehand and set things up from the start. Doesn't make sense to me to configure systems in your network and set up services, IPs, etc. only to reconfigure them again when you finally get the net details from your client?

But besides that, you can do that - run a second IP range on the same LAN as your normal network. But you shouldn't as there are enough things, that are working with auto discovering etc. that would impact your normal LAN, too. I'd completely separate those networks and create a new VLAN (110? 300?) with a "build" or "test" network. There you can define any IP range you like, block access to the LAN and VoIP network but otherwise let traffic flow out normally to e.g. do your installations, setups and updates before completion. And if you have a "test" network like that, it's easy to reconfigure to your clients specifications. We do that all the time with such an extra (VLAN) interface that is only for the usage above. We configure the client's or upstream's IP and set it up as the hardware would see it at the target site.

If you want to use that network on your LAN regardless any other problems that may bring, check for "Virtual IP" and create an alias IP within the network you get from your client, then you can set up the devices accordingly but don't forget to create matching firewall rules, too (LAN net won't cover networks from Alias IPs so you have to match the source or use */any).

Greets

Hello JKnott,

What do you know- I got it working.

It took me about two more passes of this pfSense hangout configuration in this video to realize I what I didn't do.

I was not including port 5 on the VLAN interface. While I had the picture of the internal 5th port in my head, I wasn't adding it as a member to my VLAN.

For anyone else reading this thread, make sure to add port 5 (internal switch port on SG-3100) as a tagged port (5t) to your VLAN interface so it can pass traffic into pfSense. Once I did this and saved the changes, my PC2 device immediately got an IP address and was on the network.

Thanks again for your help JKnott.

To the firewall, an untagged interface and a VLAN interface are the same thing. The both need firewall rules to block or pass traffic into that interface (physical/untagged or virtual/tagged).

@awebster said in VLAN 0 and pfSense:

I doubt that you'll find any support for VLAN 0 in the SG200

The only difference I can see with VLAN 0 is sending it untagged to the default LAN. I don't imagine that would be hard to do. Beyond that, it should be handled the same as any other tagged frame. Again, I'll have to try it some time.

If you're serious about learning the ins and outs networking, get your hands on some used Cisco gear like 2960 series for L2, or 3750G for L3

I do have a Cisco 2600 router, which I used when I was working on my CCNA. Also, years ago, I worked for Adtran's Canadian distributor. I had plenty of access to networking gear then. 😉

It's not a recommendation. It's an example.

When you try to ping something on your house mate's network, does the tagged port LED flash? Since you have a managed switch, have to set up port mirroring so that you can watch the traffic through that port with Wireshark?

I find using Wireshark, with port mirroring, so useful, I bought a cheap 5 port Gb, managed switch just for that purpose.