How to start with VLANs

chris1284

Hi,

I have a PC with pfsense installed and this pc has 3 interfaces
WAN (PPPOE em0.7)
LAN (ue0) 192.168.2.1/24 -> switch01 -> switch02
OPT1 (em0) actually unused

I would like to setup minimum 2 VLANs ( at the end could be 4)

VLAN40 Guest WLAN on Ubiquiti APs that support multiple SSIDs on/and VLANs for Guests and Homeoffice Device
VLAN30 LAN and WLAN for Iot Devices like Webcam, Homematic CCU, Philips HUE, Amazon Devices

optional
VLAN 20 trusted clients
VLAN 10 Server ( like NAS, Server, Backup Server)

as i understood the documentation correctly actually i have a VLAN1 (native default) on my LAN (i see this in the switches, there is VLAN1 default VLAN).
The documentation uses an extra interface for VLANs (10, 20 usw).

In my case i think, i have to setup VLAN 40/30 on the Switch ports untagged which has corresponding devices behind (or full "simple" networks behind with these devices)
The Switchport that are Uplinks to each other and to pfsense LAN (ue0) are trunk ports (tagged ports with VLAN 40/30).
The ports for the Ubiquiti APs has to be untagged 40+30+1.
To the pfsense LAN ue0, i have to assign 2 VLANs 40 -> ue0.40 and 30 -> ue0.30 should be the result.
Next step dhcp to each VLAN "interface" and firewall routes for the needed connection (for example VLAN40 (guest) to WAN and back).

At the end if have all 4 VLANs, the default VLAN1 should only be used for infrastructure (switches). is this correct or did i have mistakes in this thinking?

thx christian

viragomann

@chris1284 said in How to start with VLANs:

LAN (ue0)

I'd start with getting a reliable network card.
USB NICs often make troubles, when configuring VLANs on them.

chris1284

@viragomann said in How to start with VLANs:

@chris1284 said in How to start with VLANs:

LAN (ue0)

I'd start with getting a reliable network card.
USB NICs often make troubles, when configuring VLANs on them.

this is the next step, after I found pfsense completely good. than i will invest in an ipu. actually i am testing on a 50€ HP800g1 (i5-4590S/8GB) and this has only 1 LAN port and USB options.

Patch

@chris1284 said in How to start with VLANs:

i am testing on a 50€ HP800g1 (i5-4590S/8GB) and this has only 1 LAN port

Then you need a programmable switch (at least level 2) to connect a trunk to physical Ethernet ports for WAN and LANs.
See https://docs.netgate.com/pfsense/en/latest/multiwan/single-interface.html

chris1284

@patch said in How to start with VLANs:

@chris1284 said in How to start with VLANs:

i am testing on a 50€ HP800g1 (i5-4590S/8GB) and this has only 1 LAN port

Then you need a programmable switch (at least level 2) to connect a trunk to physical Ethernet ports for WAN and LANs.
See https://docs.netgate.com/pfsense/en/latest/multiwan/single-interface.html

as in the first post descripted, i have 3 Ports one "Real" Lan adapter and 2 USB Lan Adapter.
This post only means that i cannot connect another reliable Network Adapter else the USBs.
So, i will test with VLAN and USB and if it is not stable, then it is ok because the whole installation is a test.

viragomann

@chris1284
Since you have a VLAN-capable switch, as you say, you can configure also all needed network segment on the internal NIC with VLANs.
Simply hook up all VLANs on it and assign the switch port, which is connected to pfSense to all VLANs as tagged and connect the WAN to the switch.

For VLAN1 best practice might be to not use it at all.

chris1284

@viragomann
Ah ok, i think i understand. i will use only one interface (the reliable em0) connected to all VLANs configured switch, where i also connect the modem link on a port with VLAN 7 (needed for T-Com). the usb lan's will not be in use

viragomann

@chris1284 said in How to start with VLANs:

where i also connect the modem link on a port with VLAN 7 (needed for T-Com)

Yes, it's nothing more than a tagged VLAN port, no PVID needed on this port.