LAN + VLAN on same interface
-
Hello,
House wifi is currently sharing the network between trusted devices and IoT, the idea is to split IoT into vlan, unfortunately, the wifi is done via power lines which share a single master connected to a switch which is then connected to a Proxmox server running a pfsense VM. Meaning it's using a single interface.
- Proxmox
  - lan
  - wan
  - vmbr0 (lan bridge, VLAN aware)
  - vmbr1 (wan bridge)
- pfSense VM
  - vnet0 (vmbr0, IP subnet 10.0.0.0/24)
  - vnet1 (vmbr1)
LAN is connected to port 1 on the switch, while the master powerline is connected to port 2 and the IP cam to port 3.
In pfSense I have the following:
(Gateway on VLAN DHCP has also been specified to 10.0.1.1) The switch is a GS305E, and this is where I have no idea how to set it up, as it's my first time setting up a VLAN:
I'm seeing DHCP discovery from devices on vnet0 (LAN) but no activity on vnet0.2 (VLAN). I'm not sure if I'm missing something or if it's not the way VLANs should work; I read that I shouldn't put VLAN and LAN on the same port unless strictly necessary, which seems to be the case for me.
-
@terramoto
On the switch you also have to configure the port PVIDs to get incoming packets tagged. In the VLAN Membership you might need to set VLAN 2 "untagged" on ports 2 and 3. That means the ports are connected to the VLAN, but outgoing packets are not tagged. This might only be desired on port 1, which is connected to pfSense.
Also you might want to remove ports 2 and 3 from VLAN 1, which is your LAN, I guess.
-
Upon reviewing the post I did that, as it looked more logical to have port 1 T and ports 2 and 3 U; unfortunately IPs were still not being given to the devices by DHCP.
The problem with ports 2 and 3 is that they both have mixed LAN and VLAN devices.
-
@terramoto said in LAN + VLAN on same interface:
The problem with port 2 and 3 is that they have both mixed lan and vlan devices.
And how is that? So these ports go to another switch? If they plug into some powerline adapter and you want to carry VLANs over it... Not even sure that is supported; it's possible they could strip tags? Have never tried to run VLANs over a powerline adapter... But if you were, you would need something plugged into the other one that understood them, either another smart switch, or you would have to configure the tag on the end device; an IoT device more than likely would not support that.
A port that carries more than one network can only have 1 untagged; the rest have to be tagged or there is no way to tell them apart. Quite often all of the networks would be tagged.
A port that goes to an end device (your PC, a laptop, your TV, etc.) would be untagged and only in 1 VLAN.
Ports that carry tags would go to other devices that understand tags: a router, another smart switch, an AP, etc.
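To make the tagging rules in the two replies above concrete (the port PVID applied on ingress, one untagged VLAN per port, and "T" versus "U" membership deciding whether the tag stays on egress), here is an added Python simulation of a small managed switch. It is example code written for this thread, not code from pfSense, Netgear, Proxmox or anyone in the discussion. The port layout is constructed to mirror the GS305E setup being discussed (port 1 is the uplink to pfSense with VLAN 1 untagged and VLAN 2 tagged; ports 2 and 3 are untagged in VLAN 2 with PVID 2); the MAC addresses and payloads are placeholders, and the class and function names are my own.

```python
import struct

TPID_8021Q = 0x8100  # EtherType that marks a frame as carrying an 802.1Q tag


def parse_frame(frame: bytes):
    """Split a raw Ethernet frame into (dst, src, vid, ethertype, payload).
    vid is None when the frame carries no 802.1Q tag."""
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype == TPID_8021Q:
        tci, inner_type = struct.unpack("!HH", frame[14:18])
        return dst, src, tci & 0x0FFF, inner_type, frame[18:]
    return dst, src, None, ethertype, frame[14:]


def build_frame(dst, src, ethertype, payload, vid=None, pcp=0):
    """Build an Ethernet frame, inserting an 802.1Q tag when vid is given."""
    hdr = dst + src
    if vid is not None:
        hdr += struct.pack("!HHH", TPID_8021Q, (pcp << 13) | (vid & 0x0FFF), ethertype)
    else:
        hdr += struct.pack("!H", ethertype)
    return hdr + payload


class VlanSwitch:
    """Minimal model of a managed switch's VLAN handling (hypothetical helper)."""

    def __init__(self, pvid, membership):
        self.pvid = pvid              # {port: vid} applied to untagged ingress frames
        self.membership = membership  # {vid: {port: "T" | "U"}}

    def ingress(self, port, frame):
        """Return {egress_port: frame} for one frame arriving on `port`."""
        dst, src, vid, ethertype, payload = parse_frame(frame)
        if vid is None:
            vid = self.pvid[port]   # untagged: classified into the port's PVID
        members = self.membership.get(vid, {})
        if port not in members:
            return {}               # tagged for a VLAN this port is not in: dropped
        out = {}
        for egress_port, mode in members.items():
            if egress_port == port:
                continue            # never flood back out the ingress port
            egress_vid = None if mode == "U" else vid
            out[egress_port] = build_frame(dst, src, ethertype, payload, vid=egress_vid)
        return out


def pfsense_interface(frame):
    """Which VM interface the thread's pfSense would see this frame on (vnet0 or vnet0.<vid>)."""
    vid = parse_frame(frame)[2]
    return "vnet0" if vid is None else f"vnet0.{vid}"


def gs305e_as_in_thread():
    """Port map constructed from the thread: port 1 = uplink to pfSense, ports 2-3 = IoT side."""
    return VlanSwitch(
        pvid={1: 1, 2: 2, 3: 2},
        membership={1: {1: "U"}, 2: {1: "T", 2: "U", 3: "U"}},
    )


# Constructed sample frames; MACs and payloads are placeholders, not real captures.
BCAST = b"\xff" * 6
IOT_MAC = b"\x02\x00\x00\x00\x00\x03"
PFSENSE_MAC = b"\x02\x00\x00\x00\x00\x01"
IOT_DHCP_DISCOVER = build_frame(BCAST, IOT_MAC, 0x0800, b"DHCPDISCOVER")


if __name__ == "__main__":
    sw = gs305e_as_in_thread()
    for port, frame in sw.ingress(3, IOT_DHCP_DISCOVER).items():
        print(f"port 3 -> port {port}: tag={parse_frame(frame)[2]}, "
              f"pfSense sees it on {pfsense_interface(frame)}")
    # A trusted (VLAN 1) device behind the same powerline port is stuck in VLAN 2 too:
    lan = build_frame(BCAST, PFSENSE_MAC, 0x0800, b"lan")
    print("untagged LAN frame from pfSense reaches IoT ports:", sorted(sw.ingress(1, lan)))
```

Running it shows both sides of the discussion: an untagged DHCP discover from the camera on port 3 leaves port 1 tagged with VID 2, so pfSense sees it on vnet0.2, while the copy flooded to port 2 is untagged. It also shows the limit: a port has exactly one PVID, so every untagged device behind port 3 is classified into VLAN 2, and an untagged LAN frame from pfSense never reaches ports 2 or 3 at all. Sorting out a trusted device on that side needs something on the far end of the powerline that tags, which is what the later replies about a second VLAN-capable switch or AP are getting at.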
-
@terramoto said in LAN + VLAN on same interface:
The problem with port 2 and 3 is that they have both mixed lan and vlan devices.
I see. So in this case you would need the ports to be members of VLAN 1 as untagged.
But how should the VLAN work on your IoT devices? I presume they are not VLAN-capable, so they need untagged packets. But you cannot have two untagged networks on a single switch port; at least, that's not recommended for the sake of security at all.
So are there additional switches connected to ports 2 and 3? Then you should consider getting VLAN-capable switches and separating the networks properly.
-
I believe I was just coming to the realization this wouldn't be possible. Power lines are just a means of access, so one can say it's like an ethernet cable with devices in series, and I wanted to isolate some of the devices. But without the devices being able to tag VLAN packets, the switch won't be able to know what's a VLAN packet and what's not.
-
@terramoto you could do this maybe... Again, I don't ever recall trying to run VLANs over a powerline adapter; it's possible they strip them, back in the day some switches would do that. But more than likely you should be able to carry them over the powerline. You would have to test with yours. I don't currently have any to play with; I gave the ones I had to my son, and he is using them to run a connection from the basement to his living room for a device that does not support wifi, etc. Working great for that.
This in theory should work unless there is something powerline doesn't like about VLAN tags.
pfsense -- vlanSwitch1 -- powerlineA --- powerlineB -- vlanSwitch2 -- devices..
-
@johnpoz said in LAN + VLAN on same interface:
@terramoto you could do this maybe... Again, I don't ever recall trying to run VLANs over a powerline adapter; it's possible they strip them, back in the day some switches would do that. But more than likely you should be able to carry them over the powerline. You would have to test with yours. I don't currently have any to play with; I gave the ones I had to my son, and he is using them to run a connection from the basement to his living room for a device that does not support wifi, etc. Working great for that.
This in theory should work unless there is something powerline doesn't like about VLAN tags.
pfsense -- vlanSwitch1 -- powerlineA --- powerlineB -- vlanSwitch2 -- devices..
It works John, I do it, the LLDP neighbours just look a bit odd.
-
Although that would probably work, as I've read somewhere powerlines do keep the tags, I'm afraid it wouldn't allow me to split the traffic of the devices connected via wifi. I'm basically trying to split wifi traffic, and I believe I actually need a configurable AP to do that.
I'm guessing this is what I'm dealing with:
The tag/untag would have to be done at each powerline node. The best solution would probably be replacing the powerline with some APs that support VLANs.
-
@terramoto If your APs today do not support 802.1Q, then you can't have two networks on the APs that are controlled by pfSense.
Regardless of the Powerline capability, your drawing shows getting both networks on each AP and that requires VLAN-capable APs.
-
@terramoto said in LAN + VLAN on same interface:
The tag/untag would have to be done at each powerline node.
Nope, it would be done off a switch on the other side of the powerline device.
Like this, just imagine the AP hanging off switch-3:
Ah, the powerline devices are doing the Wi-Fi as well; you need access points.