Pfsense with vlans directly to AP?
-
@jknott said in Pfsense with vlans directly to AP?:
All the managed switch does now is keep the VLAN off the other switch ports. With an unmanaged switch, the VLAN will be available on all ports, but will generally be ignored by devices not configured to use it.
Just to piggyback this a bit, if it is the AP/SSID forcing the device onto the VLAN, that device can't get off the VLAN. As opposed to, a wired device (or any device already on a network with an unmanaged switch) can be manually configured to use VLAN 20 or whatever and put itself onto the VLAN.
And, for anyone else finding this, if you find out there is actually a managed switch in the path, in the upstairs closet, that switch will drop the VLAN packets unless it is configured for said VLAN. (um, hypothetically?)
https://docs.netgate.com/pfsense/en/latest/vlan/configuration.html
-
@steveits said in Pfsense with vlans directly to AP?:
Just to piggyback this a bit, if it is the AP/SSID forcing the device onto the VLAN, that device can't get off the VLAN. As opposed to, a wired device (or any device already on a network with an unmanaged switch) can be manually configured to use VLAN 20 or whatever and put itself onto the VLAN.
????
What do you mean by that? PfSense is a router, which can easily route between VLANs. I would assume if you have a managed switch, you'd know enough to configure it or at least ask for help.
I have an access point that supports multiple SSIDs and VLANs. I configured the AP, pfSense and the switch to use the VLAN for my guest WiFi, but originally I didn't have a managed switch.
-
@jknott Sorry, didn't mean to confuse things. Just trying to discuss separation of VLANs without a managed switch, as @yeleek has. In general.
If an office doesn't have a managed switch, and uses VLANs, I can plug in a PC and tell it to be on any given VLAN number. That's not involving the router at all.
If it is a wireless SSID that is a VLAN (e.g. a guest SSID) then although a wired PC can get onto that VLAN, those wireless devices can't get off the VLAN because it is the AP that is tagging the packets.
-
@steveits said in Pfsense with vlans directly to AP?:
, I can plug in a PC and tell it to be on any given VLAN number. That's not involving the router at all.
That is a horrible setup.. You can run tags over a dumb switch ok sure - but the switch doesn't understand them, so any broadcast, multicast is going everywhere.. Be it the devices are tagging their own traffic or not.
You don't have to have a 1k cisco full managed enterprise switch to run an office ;) You can pick up a smart 24 port switch for like 200$ or less - why would an office go through all that nonsense of having to configure every machine to tag their own traffic vs buying a capable switch or switches?
-
@johnpoz I didn't say it was ideal :)
Nor was I suggesting manually configuring each PC actually, the context here was having the AP do it.
-
@steveits said in Pfsense with vlans directly to AP?:
I didn't say it was ideal :)
hahaha - very true, but yeah I could see some ma and pa shop with exactly that setup..
An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 24.11 | Lab VMs 2.8, 24.11 -
My old and beloved Asus Router is doing it here and still going strong...
-
Or a home user. However, with the low cost of managed switches these days, why not get one? A few years ago, that wasn't the case. I remember, about 25 years ago, buying an 8 port, 10 Mb hub that was a more expensive than an 8 port, managed, Gb switch today.
PfSense running on Qotom mini PC
i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
UniFi AC-Lite access pointI haven't lost my mind. It's around here...somewhere...
-
Thank you all
-
@jknott honestly I have no idea why anyone would buy a dumb switch these days. You can for sure get a "smart" switch that can do vlans and many other things users don't normally think about for a few dollars at most more..Shoot there are for sure "smart" switches that are cheaper than some dumb switches with the same port density.
While vlans the prob the most likely feature users want. For those few extra dollars you also normally get rate limiting, can set the speed on a interface if for example you don't want gig be 100.. Or easy check what speed an interface come up as. You can view the mac address table and know exactly what device is plugged into what port by mac address.
You can mirror a port for say sniffing, you can see for example errors on an interface. IGMP snooping,
Sure different switches at different price points will have different feature sets.. But quite often a so called "smart" switch in a 8 port gig model might be 40$ vs 35$ etc..
And while you might say to yourself oh I don't need those features today, save yourself a few bucks. What about 6 months from now? I just can not see why anyone that has made the step up from your typical soho wifi router to pfsense would ever buy a dumb switch.. Even if you don't have any use for any of the features today.. More than likely at some point in the near future your going to say, oh damn wish my switch could do that - should of spent the extra few bucks vs now having to get a whole new switch because I want to do xyz.
An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 24.11 | Lab VMs 2.8, 24.11 -
Sometimes I have to wonder about your reading comprehension. Did you not see where I said "However, with the low cost of managed switches these days, why not get one?"
-
Pretty sure he was agreeing with you.
-
@johnpoz and I sometimes have a bit of fun with each other.
-
... You can for sure get a "smart" switch that can do vlans and many other things >
I am aware that you hesitate to recommend the TPLink “easy smart” line of switches, and that’s probably understating your negativity somewhat. I am using the 24 and 8 port versions in a basic home setting but I don’t really understand why these switches fall short in your estimation. Could I please ask where you consider these “easy smart” switches fall short?
-
Some of the older 'easy smart' switches failed to handle VLANs correctly. You could not remove ports from VLAN1 meaning broadcasts leaked between VLANs. I have one of those.
I also have a newer, much more expensive, TP-Link switch and it works great, no complaints.
I'm not aware of any particular issues with their current low end switches either.
