VLAN question with EnGenius Switch
-
Hi, I'm looking at buying a Netgate 2100 to replace a router for someone. They are more of a prosumer and like to tinker with security, routing, etc. They plan on buying an EnGenius EWS7928P switch and an EnGenius EWS357AP access point.
The basic topology is:
Internet
Netgate 2100
Netgate Port 1 to Switch Port 24
Switch Port 23 to AP
What we were thinking is having 3 or 4 VLANs.
- VLAN1 - Internal Users, access to everything
- VLAN2 - Internet Only / Guest Wifi
- VLAN3 - Security devices, these devices would have no internet access, cannot access other VLANS but can communicate with each other. VLAN1 should have access to these units (but those units can't see/communicate with VLAN1)
I've read/watched guides on basic VLANing with pfSense. My newbie question (thank you for your patience as I learn) is: is this possible? For example, ports 1-10 would be configured as VLAN1, ports 11-15 would be configured as VLAN2 and then ports 16-20 would be configured as VLAN3.
How would the Netgate/pfSense handle this? If the AP is on port 23, what VLAN should that be set up as if it will have both internal wifi and guest?
-
@prtonguy77 Set up pfSense with 5 interfaces:
WAN is to connect upstream to your internet connection
LAN is connected to port 24 of the switch
vlan1 is set up on the LAN interface
vlan2 is alsow set up on the LAN interface
vlan3 is alsow set up on the LAN interface
In the switch you need to program port 24 to alsow accept tagged vlan 1, tagged vlan 2, tagged vlan 3. Port 23 (AP) you should ONLY have vlan 2 set up (untagged) and it should be set up as the preferred vlan (not sure EnGenius uses this, never used them, but a lot of other switches have this.)
For the other ports you can select vlan1 (untagged again) for normal users and vlan3 (untagged) for the security devices.
This will set up the basic configuration; I would make one port like port 24 so you can connect your management system to this port and connect to the LAN interface of the pfSense setup and the configuration page of the switch.
For rules you need to set up vlan2 (block all traffic to the other subnets) and vlan3 (block all IPv4 and IPv6 traffic to anywhere).
vlan1 will still be able to connect to all the devices on vlan2 and/or vlan3.
Did this help you a bit?
-
@boumacor
I'm not sure what "alsow" is. Do you mean allow?
When you say another port to manage, are you talking about managing the switch or pfSense?
-
@prtonguy77 I mean alsow (also, too, as well). Sorry, it's my high school English :)
When you have everything set up you should be aware that the default management pages of both the switch and pfSense are in the standard untagged network (so not in vlan 1 where the systems are). If you need to program something and you can't connect to the switch and/or the firewall you could be in trouble.
So that's why I usually leave one port of the switch on the untagged network, so you can plug in your notebook.
-
@boumacor
Is it possible to have VLAN1 and 2 have access to Pi-Hole? It's an internal DNS routing tool. I'd want internet only to be controlled by it if possible, but that VLAN should only have access to that device for routing. Is that possible?
-
@prtonguy77 said in VLAN question with EnGenius Switch:
It's an internal DNS routing tool
Huh? pihole is dns sure - has nothing to do with routing.. But sure you can have some or all of devices on your network use the pihole for their dns.
If the AP is on port 23, what VLAN should that be set up as if it will have both internal wifi and guest?
This port would carry multiple vlans then, if you're going to have multiple vlans via wireless. In Cisco terms this would be a trunk port..
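The rules boumacor lists earlier (vlan2 blocked from the other subnets, vlan3 blocked from everything, vlan1 open) plus the DNS-only Pi-hole access asked about here, written out as a plain pf ruleset; this is an added example, not from this thread or from pfSense's generated config, and the interface names, VLAN IDs and addresses are assumptions.

```pf
# Added example, not from the thread: the policy boumacor describes, plus the
# Pi-hole DNS-only exception for the guest VLAN, as a plain pf(4) ruleset.
# pfSense generates its rules from the GUI; this is the hand-written
# equivalent. Interface names, VLAN IDs and addresses are assumptions: tag 1
# is normally the switch's untagged default, so the three VLANs use 10/20/30.
vlan1_if = "vlan10"             # internal users        (the thread's VLAN1)
vlan2_if = "vlan20"             # guest / internet only (VLAN2)
vlan3_if = "vlan30"             # security devices      (VLAN3)
pihole   = "192.168.10.53"      # assumed Pi-hole address, lives on VLAN1
table <private> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, fc00::/7 }

set skip on lo0
block in log all                # filter on ingress; every pass below is explicit
pass out quick all keep state   # egress is never blocked (pfSense does the same)

# DHCP from the firewall's own server. pfSense adds these automatically when
# its DHCP server runs on an interface; in plain pf they must be explicit or
# the block rules below would stop unicast renewals.
pass in quick on { $vlan2_if $vlan3_if } proto udp from any port bootpc to any port bootps

# VLAN1: reaches everything, including VLAN3. pf is stateful, so VLAN3 replies
# match the state VLAN1 created and need no rule of their own.
pass in quick on $vlan1_if from ($vlan1_if:network) to any keep state

# VLAN2: DNS to the Pi-hole only, nothing else on private ranges, then internet.
pass in quick on $vlan2_if proto { tcp udp } from ($vlan2_if:network) to $pihole port domain keep state
block in quick on $vlan2_if from any to <private>
pass in quick on $vlan2_if from ($vlan2_if:network) to any keep state

# VLAN3: no pass rule at all, IPv4 or IPv6, so it cannot open connections to
# VLAN1, the guest VLAN, the firewall or the internet. Traffic between two
# VLAN3 devices never crosses the firewall (it is switched inside the VLAN),
# which is why they can still talk to each other.
block in quick on $vlan3_if all
```

The same policy in the pfSense GUI is one rule tab per VLAN interface in the same order: the Pi-hole pass rule must sit above the "block to private networks" rule or it will never match.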
-
@johnpoz said in VLAN question with EnGenius Switch:
@prtonguy77 said in VLAN question with EnGenius Switch:
It's an internal DNS routing tool
Huh? pihole is dns sure - has nothing to do with routing.. But sure you can have some or all of devices on your network use the pihole for their dns.
If the AP is on port 23, what VLAN should that be set up as if it will have both internal wifi and guest?
This port would carry multiple vlans then, if you're going to have multiple vlans via wireless. In Cisco terms this would be a trunk port..
You're correct, I did not mean to put routing in there.
The switch I linked to says it supports "Port Trunking"; is that what you're referring to?
-
@prtonguy77 the switch supports vlans, so yes it can carry multiple vlans over a port.. Their term trunking is more a lagg or lacp or port channel. They allow you to "bond" multiple ports together.
edit: BTW that AP is PoE, and your switch is PoE.. So why would it be plugged into a port on the 2100 that is not PoE? You would then have to use an injector for power.. So that AP should plug into one of the switch PoE ports.
edit2: My bad you are plugging the AP into the switch - doh!
edit3: You could leverage more of the ports on the 2100 for uplinks for different vlans, etc.
-
@johnpoz I thought about using the 2100's ports for the different VLANs but there's some crossover and I did not want to be under 1Gb for routing.
Just so I can understand, this switch would allow the AP to have two VLANs running?
-
@prtonguy77 yes.. Any switch that can do vlans, and any AP that can do vlans can work together..