Question regarding LAN Ports on Netgate appliances, and on other hardware firewall appliances.
-
Many of the Netgate appliances like the 6100 have LAN ports that are unswitched, as do many appliances that are not of the Netgate branding, touting 4, 6, even 8 ports on some hardware firewall appliances. If we need to plug our modem into the WAN port, or 1 of the Ethernet ports on non-Netgate hardware, why do we need all those other unswitched LAN ports?
Wouldn't 2-ish ports be enough, one for WAN and one for LAN to a switch?
Are those other unswitched ports like dedicated LANs instead of having to use VLANs on a switch?
Is there any downside to using those LANs as segregators for, say, a wired network and a wireless network etc.? Since they are unswitched, does it affect speed to the modem to use them as separate networks? Sorry for the billion questions, my brain is just hurting from trying to find these answers, so I figured I would ask here.
-
@spossis83 said in Question regarding LAN Ports on Netgate appliances, and on other hardware firewall appliances.:
Are those other unswitched ports like dedicated LANs instead of having to use VLANs on a switch?
Yes. You use them as separate interfaces. They do not share a single link so are not restricted by that. You cannot accidentally strip the tags and end up on the wrong VLAN.
If you connected a wifi AP to one interface and want it to be on the same subnet as one of the other interfaces (like LAN) then you have to bridge them, and that is best avoided. So unless you need to filter between them it's better to use a switch if you can, in that specific situation.
Steve
-
@stephenw10 Thank you for the response. So if I understand right, it would be a physical LAN1, LAN2, LAN3 etc. instead of VLAN1, 2, 3 etc. And they don't split bandwidth even though they are unswitched, they just cannot communicate with each other unless bridged. Which, like you said, is best not to do.
So basically I can run 1 port to a switch for my wired PCs, 1 port to a wireless AP so it's separate from the PCs that do, say, financial work, and have other ports free for other potential LANs that might need segregation?
Does it also work like that if I used a 4 port Ethernet card in a personal pfSense build?
-
They still share the available WAN bandwidth obviously, but because they don't share a single link back to the firewall there isn't a restriction there. Though often that is significantly above the WAN bandwidth anyway.
The interfaces are separate layer 2 segments so broadcast traffic will not go between them but the firewall will still route traffic between them if there are rules to allow it.
Yes a 4 port NIC is also 4 discrete interfaces.
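To make the "separate layer 2 segments, routed only where rules allow it" point concrete, here is an added example in raw pf.conf syntax (the underlying packet filter on pfSense/FreeBSD, not the pfSense GUI and not anything from this thread). The interface names igc0/igc1/igc2 and the subnets are assumptions; it keeps the wireless segment off the wired (finance) subnet while both still reach the WAN:

```pf
# Added example, not from the thread. Assumed interfaces:
#   igc0 = WAN, igc1 = wired LAN (finance PCs), igc2 = wireless AP segment.
wan  = "igc0"
lan  = "igc1"
wifi = "igc2"
lan_net  = "192.168.10.0/24"   # assumed subnet on igc1
wifi_net = "192.168.20.0/24"   # assumed subnet on igc2

set skip on lo0
scrub in all

# Each unswitched port is its own L2 segment with its own subnet, so broadcast
# traffic never crosses between them; only routed traffic that passes a rule does.
nat on $wan from { $lan_net, $wifi_net } to any -> ($wan)

# Default deny on every interface; log so blocked cross-segment attempts are visible.
block log all

# The firewall's own outbound traffic (DNS, NTP, updates) on WAN.
pass out quick on $wan keep state

# Wired LAN may reach the internet and the wireless segment (states are floating,
# so the reply path back in on $wan is covered by the same state entry).
pass in quick on $lan from $lan_net to any keep state

# Wireless clients get DHCP/DNS from the firewall itself, then internet only:
# the wired (finance) subnet is explicitly excluded from what they can reach.
pass in quick on $wifi proto udp from $wifi_net to ($wifi) port { 53, 67 } keep state
pass in quick on $wifi from $wifi_net to ! $lan_net keep state
```

Load it with `pfctl -nf /etc/pf.conf` first (syntax check only) and then `pfctl -f /etc/pf.conf`; on pfSense itself the equivalent rules are entered per interface in the GUI, which regenerates the ruleset for you.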
-
@stephenw10 Awesome! That's the same as a normal home router though, isn't it? Anything plugged into the built-in switch still shares the available WAN bandwidth as well when it comes to the single link to the modem. I just wanted to ensure nothing was going to behave like a hub, just splitting bandwidth and making a bad experience all around.
-
Yes, that's still the same. What's different is if you have a switch with a bunch of VLANs and a single 1G trunk connection back to the router/firewall. If, for example, you have some devices pulling huge files between two VLANs, that could saturate the trunk, causing problems for hosts on other VLANs that might be trying to access external resources. With separate interfaces in that situation you are only limited by the routing capability of the firewall itself, usually well over 1Gbps.
Steve