Assigning Clients to VLANs
-
Dears
Currently my new flat is being constructed and I already have great (theoretic) plans for my network: pfsense 6100, Ubiquiti switch, etc., several VLANs.
Assume I power up pfsense and the routing equipment for the first time and I do all my setup. Now I connect all my devices and power them up.
Assume I do not restrict VLANs on the ports of my switch, so that all VLANs are broadcasted on all ports
Assume DHCP is enabled per VLAN, but not managing all IP addresses of the range, leaving room for fixed IP assignments.
Questions:
- which VLAN will my clients connect to, when they power up for the first time?
- How do I assign my clients to specific VLANs at the time of going live?
- I assume I let them connect to wherever they connect, and manually assign the clients static IP addresses of the required VLAN. Right?
- Maybe I get fancy and broadcast only one specific VLAN on a certain switch port. This case is trivial: the connected client gets an IP of this specific VLAN. Correct?
cheers!
-
@hudri said in Assigning Clients to VLANs:
so that all VLANs are broadcasted on all ports
That is not how you do vlans ;)
-
Hey there! You assign VLANs per port on your managed switch. Your setting per port determines which VLAN the connected device will connect to.
From what I read of what you want, the easiest way to set this up is:
- pfsense: all VLANs ----> LAN cable to trunk port on your switch (receives all tagged VLANs) --> choose which port on your switch gets which VLAN (untagged). Connect the devices to the port with the VLAN you want them to connect to.
-
One more question:
Assume I have 2 wifi networks a and b;
would it be possible to plug an access point into a switch port which is broadcasting a and b and have the access point in turn send/broadcast a and b?
In other words: if I do not restrict a switch port to a certain VLAN, the client connected to this (trunk?) port could be set manually into any of those VLANs. Is this assumption correct?
-
@hudri Yes, if you have an AP that supports VLANs you can use multiple VLANs for different SSIDs. And the port connected to the AP from the switch would need to be set for the VLANs you want to use via wireless.
I have 4 different VLANs currently running on all of my APs (UniFi).. My trusted VLAN where I connect my phone, tablets, laptops, etc. Then I have another one for all my Rokus and TVs and such. I have another one for IoT devices: my Alexas, light bulbs and smart plugs and my thermostat, etc. And then another one for guests that come over and want to have wifi access.
If you connect to SSID X, you're on that VLAN; if you connect to SSID Y you're on a different VLAN. You need an AP that understands VLANs - or you need to be using, say, a wifi router as AP that you can run 3rd party firmware on that allows for VLANs, and the underlying hardware supports them.
I don't recall ever seeing a typical SOHO wifi setup, even the very expensive mesh setups like Google Wifi and eero or whatever, that supports VLANs. UniFi does, and so does the Omada TP-Link stuff - which is really a copy of the UniFi stuff.
-
@johnpoz Hello! Thank you, this is exactly my intention.
And my own "admin PC" shall be plugged into a switch port which broadcasts all my VLANs. This enables me to manually switch to whatever VLAN I want. I assume this is possible too, right?
-
@hudri said in Assigning Clients to VLANs:
which broadcasts all my VLANs. This enables me to manually switch to whatever VLAN I want.
That is really a horrible idea.. Why would you want to do that? Put your PC on a specific VLAN and then just allow it via the firewall rules on that network for your PC to talk to what you want it to talk to..
Why would you want to have to switch anything on the PC to talk to your other networks, if it's your admin PC, etc..
-
@johnpoz I change what VLAN my PC is on so I can make sure rules are working as I think they should. I do it with more than 1 NIC, but same concept.
-
Usually my PC will be in the office VLAN. For testing purposes, accessing the FW or such, I'd change the IP address manually to the desired VLAN, do my stuff and switch back to the office VLAN. Similar to what @AndyRH mentioned above.
@johnpoz said in Assigning Clients to VLANs:
@hudri said in Assigning Clients to VLANs:
which broadcasts all my VLANs. This enables me to manually switch to whatever VLAN I want.
That is really a horrible idea.. Why would you want to do that? Put your PC on a specific VLAN and then just allow it via the firewall rules on that network for your PC to talk to what you want it to talk to..
Why would you want to have to switch anything on the PC to talk to your other networks, if it's your admin PC, etc..
-
@hudri said in Assigning Clients to VLANs:
I'd change the IP address manually to the desired VLAN
There is more to it than that.. You would have to set the PC to tag the traffic for the VLAN you want... If you're just running multiple layer 3 (IP ranges) on the same layer 2 network - that is not a VLAN..
-
@johnpoz said in Assigning Clients to VLANs:
...You would have to set the PC to tag the traffic for the VLAN you want... If you're just running multiple layer 3 (IP ranges) on the same layer 2 network - that is not a VLAN..
Hmm, I thought to do it in a similar way as seen in several YouTube videos, where they just manually switched back and forth between the VLANs, testing the FW rules etc.
-
@hudri said in Assigning Clients to VLANs:
where they just manually switched back and forth between the VLANs,
You can - where you set the PC to understand the tag, but again that is not a VLAN... That is some user without a clue about networking thinking they have set up a VLAN, and all they did is run multiple IP schemes on the same network. There is no actual security there, anything can talk to anything, whether you set up a firewall rule or not - broadcast and multicast traffic is going to be seen by every device.
That is not a VLAN. A VLAN actually isolates traffic at layer 2..
You could move your PC into another VLAN that is on that port by changing the PVID on the trunk port so the untagged traffic is now in X vs Y, etc. But just changing the IP on the PC isn't going to work if you actually have VLANs set up.
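As an added illustration of the point made in the last two replies (a frame's VLAN is decided by its 802.1Q tag or, for an untagged frame, by the ingress port's PVID, never by the IP address configured on the host), here is a small Python model written for this thread. It is not pfSense, UniFi or Omada code. The port names, VLAN IDs (10 office, 20 IoT, 30 guest), MAC addresses and payloads are constructed for the example, and the toy switch floods every frame instead of learning MAC addresses, so it only models membership and tagging, not unicast forwarding.

```python
"""Toy 802.1Q model: frames carry a VLAN tag, a switch port has a PVID
(the VLAN for untagged frames) and an optional set of tagged (trunk) VLANs.
Written for this thread as an illustration; not pfSense or UniFi code.
All port names, VLAN IDs and MAC addresses are constructed for the example."""
import struct

TPID_8021Q = 0x8100          # EtherType value that announces an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800
BROADCAST = b"\xff" * 6


def build_frame(dst, src, ethertype, payload, vid=None, pcp=0):
    """Ethernet II frame; an 802.1Q tag (TPID + TCI) is inserted when vid is given."""
    if vid is not None and not 1 <= vid <= 4094:
        raise ValueError("VID must be 1..4094")
    frame = dst + src
    if vid is not None:
        tci = ((pcp & 0x7) << 13) | vid      # priority in the top 3 bits, VID in the low 12
        frame += struct.pack("!HH", TPID_8021Q, tci)
    return frame + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Split a frame into its fields; vid is None for an untagged frame."""
    dst, src = frame[:6], frame[6:12]
    ethertype, = struct.unpack("!H", frame[12:14])
    if ethertype == TPID_8021Q:
        tci, = struct.unpack("!H", frame[14:16])
        ethertype, = struct.unpack("!H", frame[16:18])
        return {"dst": dst, "src": src, "vid": tci & 0x0FFF,
                "ethertype": ethertype, "payload": frame[18:]}
    return {"dst": dst, "src": src, "vid": None,
            "ethertype": ethertype, "payload": frame[14:]}


def retag(frame, vid):
    """Return the same frame untagged (vid=None) or tagged with vid (priority reset to 0)."""
    f = parse_frame(frame)
    return build_frame(f["dst"], f["src"], f["ethertype"], f["payload"], vid)


class Switch:
    """Flood-only switch (no MAC learning) that enforces VLAN membership per port."""

    def __init__(self):
        self.ports = {}

    def add_port(self, name, pvid, tagged=()):
        self.ports[name] = {"pvid": pvid, "tagged": set(tagged)}

    def set_pvid(self, name, pvid):
        """Moving untagged traffic from one VLAN to another is a switch-side change."""
        self.ports[name]["pvid"] = pvid

    def classify(self, port, frame):
        """Ingress: untagged frames join the port's PVID; tagged frames are accepted
        only for VLANs the port is a member of, otherwise the frame is dropped (None)."""
        p = self.ports[port]
        vid = parse_frame(frame)["vid"]
        if vid is None:
            return p["pvid"]
        if vid == p["pvid"] or vid in p["tagged"]:
            return vid
        return None

    def forward(self, ingress, frame):
        """Egress: {port: frame} for every other port that is a member of the frame's
        VLAN, untagged where the VLAN is the port's PVID, tagged on trunk members.
        Ports outside the VLAN never see the frame, which is the layer 2 isolation."""
        vid = self.classify(ingress, frame)
        out = {}
        if vid is None:
            return out
        for name, p in self.ports.items():
            if name == ingress:
                continue
            if p["pvid"] == vid:
                out[name] = retag(frame, None)
            elif vid in p["tagged"]:
                out[name] = retag(frame, vid)
        return out


def demo():
    """The layout discussed in the thread: pfSense on a trunk, devices on access ports.
    Returns the switch and what an IoT broadcast is delivered to."""
    sw = Switch()
    sw.add_port("pfsense", pvid=1, tagged={10, 20, 30})   # trunk: all VLANs tagged
    sw.add_port("admin_pc", pvid=10)                       # office VLAN, untagged
    sw.add_port("iot", pvid=20)                            # IoT VLAN, untagged
    src_iot = b"\x02\x00\x00\x00\x00\x20"                  # constructed locally administered MAC
    bcast = build_frame(BROADCAST, src_iot, ETHERTYPE_IPV4, b"who-has 192.0.2.1?")
    return sw, sw.forward("iot", bcast)
```

Running `demo()` shows the IoT broadcast reaching only the pfSense trunk (tagged VID 20) and never the admin PC port. Adding a PC on a trunk-style port (`sw.add_port("pc_trunk", pvid=10, tagged={20, 30})`) and sending a frame tagged VID 20 does land it on the IoT port, while the same frame sent untagged stays in VLAN 10 whatever IP address it carries; only `set_pvid("pc_trunk", 20)` moves the untagged traffic. On a real Linux admin PC the tagged case corresponds to a VLAN sub-interface such as `ip link add link eth0 name eth0.20 type vlan id 20`, which is what "set the PC to tag the traffic" means in practice.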