Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Keep subnets running on LAN1 and LAN4 separated using VLAN

    Scheduled Pinned Locked Moved
    L2/Switching/VLANs
    2
    4
    125
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • BlyB
      Bly
      last edited by

      Hello, I have on a 3100 one network with its subnet attached to port 1 (LAN1), and another network on a different subnet attached to port 4 (LAN4).
      Both networks receive internet from the 3100's wan.
      LAN1 and LAN4 are attached to physical different switches.

      I'd like to make sure the two networks cannot talk each other, is it correct to use the default system VLAN and arranging groups (Interfaces/Switch/VLANs) in this way?
      Port 5 is the wan port, and I suppose port 1 is on its own and cannot talk to port 4. But I'm new to VLAN and if I'm too much naive even pointing me to a good documentation first is very appreciated. Thank you!

      VLAN group Port Members Description Action
      1 1 5 Default System VLAN
      2 2 3,4,5 Default System VLAN
      3 3 2,4,5 Default System VLAN
      4 4 2,3,5 Default System VLAN
      5 5 1,2,3,4 Default System VLAN

      S 1 Reply Last reply Reply Quote 0
      • S
        SteveITS Rebel Alliance @Bly
        last edited by

        @Bly Netgate has a guide for isolating the ports on the switch:

        https://docs.netgate.com/pfsense/en/latest/solutions/sg-3100/configuring-the-switch-ports.html

        The uplink is port 5. WAN is not on the switch.

        Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
        When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
        Upvote ๐Ÿ‘ helpful posts!

        BlyB 1 Reply Last reply Reply Quote 1
        • BlyB
          Bly @SteveITS
          last edited by

          @SteveITS Hi sorry for late reply, and thank you for the link!

          I also found out (because the subnets are on different physical ports), that I can achieve the isolation with two firewall rules dropping packets from one subnet to the other.

          S 1 Reply Last reply Reply Quote 0
          • S
            SteveITS Rebel Alliance @Bly
            last edited by

            @Bly On a 3100 the LAN ports are a switch so all the same port from what pfSense sees. You will need to isolate the ports in order to use separate firewall rules. But once you do that, then yes, they are just like separate ports.

            Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
            When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
            Upvote ๐Ÿ‘ helpful posts!

            1 Reply Last reply Reply Quote 0
            • First post
              Last post