Netgate Discussion Forum

    Single NIC…it works.

    Routing and Multi WAN
    • T
      thinair
      last edited by

      I previously had 4 NICs, 3 wired, one wireless (WAN, LAN, VLANS, WIFI).  I had 6 interfaces, 3 VLANs on one NIC, LAN, WAN, and WIFI on separate NICs.

      I decided to run everything minus my WIFI (for obvious reasons) in VLANs, WAN included.  My WAN connection is PPPoE DSL and I'm using an old Nortel 10/100 managed switch.

      I setup a trunked port on my switch to come into the single NIC on the pfsense box.  I did this mainly to test the PPPoE thing over a VLAN, I couldn't really think of a reason why it wouldn't, but this way I have a cleaner setup, only one link from my pfsense to my switch.  It hasn't affected my net connection at all, I still top out at 4.4mb/s, which is where it was before.  I guess it'd be a better idea to invest in a gig NIC and a switch with gig uplinks when the need arises, but for now it seems to be working fairly well.

      So, technically, if you don't have a WIFI card, you can run everything off one NIC, if you have a managed switch.  (I know this is old news in the networking world, I'm just happy pfsense does this as well)

      Nelson Papel

      1 Reply Last reply Reply Quote 0
      • T
        thinair
        last edited by

        As a note, everything works just the way it did when I had multiple NICs.  I made no changes to my access lists, NAT, etc, etc.  The webGUI works from any port except WIFI which I blocked, but it is accessible on the WAN from a remote location (with a permit statement in the NAT and access lists for the SSL port).

        I still get about 22Mb/s routing from my WIFI (G) to LAN (VLAN5) network, 43Mb/s routing from my DMZ (VLAN2) to the LAN (VLAN5) network, and 4.4Mb/s routing from any internal network to my WAN (VLAN6), 4.4Mb/s is my max out to the internet anyway, even if a computer is plugged directly into the DSL modem.

        I'm using a 3com Etherlink XL 10/100 NIC (xl), p3 Celeron 500MHz with 128MB RAM.

        Nelson Papel

        1 Reply Last reply Reply Quote 0
        • S
          sullrich
          last edited by

          Nice work!

          1 Reply Last reply Reply Quote 0
          • S
            Sharaz
            last edited by

            so out of curiosity, where does the cable that exits your modem plug into?

            Jonathan

            1 Reply Last reply Reply Quote 0
            • T
              thinair
              last edited by

              @Sharaz:

              so out of curiosity, where does the cable that exits your modem plug into?

              It plugs into my switch.  The VLAN that the modem is plugged into is configured with two ports, the port that the modem is plugged into (untagged), and the trunk port that all the VLANs are fed into pfsense with (802.1q tagged).

              Traffic between the firewall and the modem can't be seen (sniffed) by any other devices on that switch.

              The switch I have is a Nortel 450-24T, apparently you can get them pretty cheap on ebay, under $80.

              Nelson Papel

              1 Reply Last reply Reply Quote 0
              • Z
                ZGamer
                last edited by

                @thinair:

                The switch I have is a Nortel 450-24T, apparently you can get them pretty cheap on ebay, under $80.

                Nice reliable switch….i've seen em for less than $60 often enough...sometimes even get free cascade module or fiber module.

                -------------------------------------------------------------------------------------
                pfSense Documentation Wiki
                Need Commercial Support?
                Personal Blog

                1 Reply Last reply Reply Quote 0
                • T
                  thinair
                  last edited by

                  @ZGamer:

                  Nice reliable switch….i've seen em for less than $60 often enough...sometimes even get free cascade module or fiber module.

                  I'm surprised it's lasted as long as it has, I've had it for a couple years.  I removed all 3 fans and run it with the cover off so the heat can radiate up, but not keep me up at night with whirring fans.

                  Nelson Papel

                  1 Reply Last reply Reply Quote 0
                  • J
                    jzsjr
                    last edited by

                    Could you please do a picture or explain your vlan setup (on the nortel and the pfsense box)?

                    thanks,
                    Jim

                    1 Reply Last reply Reply Quote 0
                    • T
                      thinair
                      last edited by

                      Here is a diagram of the physical layout of my network, there are more than one computer per VLAN (just not in the diagram), with the exception of VLAN 1.

                      And here is how it's logically laid out.

                      Nelson Papel

                      1 Reply Last reply Reply Quote 0
                      • J
                        jzsjr
                        last edited by

                        Very nice diagram.  Thanks.  Okay, let me begin the stupid questions now:

                        1. This is port based VLANs, right?
                        2. Are there other switches hanging off the Nortel, or do you have, let's say, four ports in each VLAN?
                        3. If there are no switches hanging off the Nortel, do the computers' NICs have to be VLAN capable?
                        4. When you are routing out to the cable modem/DSL, are you pointing the rules towards VLAN 1?

                        thanks,
                        Jim

                        1 Reply Last reply Reply Quote 0
                        • T
                          thinair
                          last edited by

                          1.  Yes, I have a 24 port switch, mine is setup like this.
                          Port 1 - trunk (VLAN 1, 2, 3, 4), connected to the pfsense
                          Port 2 - VLAN 1
                          Port 3-12 - VLAN 2
                          Port 13-18 - VLAN 3
                          Port 19-24 - VLAN 4

                          2. I only have one switch, but a few ports assigned per vlan as noted above.

                          3. The host NICs don't need to be VLAN capable with the exception of the NIC in the pfSense box.  Only the packets running out of port 1 on the switch are tagged with VLAN IDs, so pfSense can figure out which interface they're for.

                          4. I don't point rules toward "vlan 1".  In pfSense each VLAN is assigned to an interface, so VLAN one is actually the WAN interface.  My rules are configured the same as if I had multiple NICs.

                          Nelson Papel

                          1 Reply Last reply Reply Quote 0
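The post above describes the mechanism that makes the single-NIC setup work: only the frames leaving the trunk port carry an 802.1Q tag, and pfSense uses that tag to decide which interface (WAN, VLAN2, ...) a frame belongs to. The following is an added example, not code from the thread or from pfSense: a small parser that reads the 802.1Q header from a raw Ethernet frame and demultiplexes it the way a firewall with VLAN sub-interfaces on one NIC would. The VLAN-to-interface mapping and the MAC addresses are constructed for illustration (the thread only states that VLAN 1 on port 1 is the WAN); the untagged case shows why a frame from an untagged switch port never reaches a VLAN interface.

```python
"""Added example: 802.1Q frame demultiplexing for a single trunk NIC.

Not from the thread or from pfSense. The VLAN_TO_INTERFACE mapping is an
assumption modelled on 'Port 1 - trunk (VLAN 1, 2, 3, 4)'; only VLAN 1 = WAN
is stated in the thread.
"""
import struct
from dataclasses import dataclass
from typing import Dict, Optional

ETHERTYPE_8021Q = 0x8100   # TPID that announces a VLAN tag follows
ETHERTYPE_IPV4 = 0x0800

# Assumed mapping of VLAN ID -> firewall interface name (illustrative).
VLAN_TO_INTERFACE: Dict[int, str] = {1: "WAN", 2: "VLAN2", 3: "VLAN3", 4: "VLAN4"}


@dataclass
class Frame:
    dst: bytes
    src: bytes
    vlan_id: Optional[int]   # None when the frame carries no 802.1Q tag
    priority: int            # PCP bits from the tag (0 when untagged)
    ethertype: int           # ethertype of the encapsulated payload
    payload: bytes


def build_frame(dst: bytes, src: bytes, vlan_id: Optional[int],
                ethertype: int, payload: bytes, priority: int = 0) -> bytes:
    """Construct a test frame; with vlan_id=None it is plain (untagged) Ethernet."""
    header = dst + src
    if vlan_id is not None:
        tci = ((priority & 0x7) << 13) | (vlan_id & 0x0FFF)   # PCP(3) DEI(1) VID(12)
        header += struct.pack("!HHH", ETHERTYPE_8021Q, tci, ethertype)
    else:
        header += struct.pack("!H", ethertype)
    return header + payload


def parse_frame(raw: bytes) -> Frame:
    """Parse the Ethernet header and, if present, the 802.1Q tag."""
    if len(raw) < 14:
        raise ValueError("runt frame: shorter than an Ethernet header")
    dst, src = raw[0:6], raw[6:12]
    (ethertype,) = struct.unpack("!H", raw[12:14])
    if ethertype != ETHERTYPE_8021Q:
        return Frame(dst, src, None, 0, ethertype, raw[14:])
    if len(raw) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, inner_type = struct.unpack("!HH", raw[14:18])
    return Frame(dst, src, tci & 0x0FFF, tci >> 13, inner_type, raw[18:])


def classify(raw: bytes, vlan_map: Dict[int, str] = VLAN_TO_INTERFACE) -> str:
    """Return the interface a frame is delivered to, or a 'drop:<reason>' verdict."""
    frame = parse_frame(raw)
    if frame.vlan_id is None or frame.vlan_id == 0:
        # No tag, or VID 0 (priority-tagged only): the frame lands on the
        # parent NIC, not on any VLAN interface. With the parent unassigned
        # there is nowhere for it to go; this is exactly what an untagged
        # switch port produces.
        return "drop:untagged"
    if frame.vlan_id == 4095:
        return "drop:reserved-vid"
    iface = vlan_map.get(frame.vlan_id)
    if iface is None:
        # A VID not assigned on the firewall is silently discarded; with
        # the mapping above this is any VID other than 1-4.
        return f"drop:unknown-vlan-{frame.vlan_id}"
    return iface


if __name__ == "__main__":
    # Constructed sample traffic (locally administered MACs, dummy payload).
    firewall = bytes.fromhex("0200000000aa")
    modem = bytes.fromhex("0200000000bb")
    body = b"\x45" + b"\x00" * 19
    for vid in (1, 2, 9, None):
        raw = build_frame(firewall, modem, vid, ETHERTYPE_IPV4, body)
        print(f"vid={vid!s:>4}: {classify(raw)}")
```

The two failure modes a practitioner sees on a trunk port are both visible here: a frame that arrives untagged is never delivered to a VLAN interface, and a frame tagged with a VID that is not configured on the firewall is dropped without any rule ever evaluating it.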
                          • J
                            jzsjr
                            last edited by

                            Most helpful.  Thank you very much.  What kind of nic are you using in the pfsense box?

                            Jim

                            1 Reply Last reply Reply Quote 0
                            • J
                              jzsjr
                              last edited by

                              I forgot, one last question.  Concerning port one on your switch you mention it is trunked.  I understand trunking two switches together using two etc. ports.  Can some switches trunk vlans together?

                              thanks,
                              Jim

                              1 Reply Last reply Reply Quote 0
                              • T
                                thinair
                                last edited by

                                I'm using some plain desktop 3com 3c905 (xl0) adapter, I've also used a D-Link 530TX with no issues.  Neither of which is a server quality NIC, but they're like $10 and get the job done.

                                What do you mean by trunking two switches together using two ports?

                                Pretty much any managed switch can handle VLANs, you just configure the uplink between the switches with more than one 802.1q VLAN ID, or as a trunk, depending on the switch.  If you set up more than one trunk between the same two switches, one of the trunks will be blocked by spanning tree (unless etherchannel is enabled, but I think that's a Cisco thing).

                                Nelson Papel

                                1 Reply Last reply Reply Quote 0
                                • J
                                  jzsjr
                                  last edited by

                                  Let me explain myself better.  The trunking I have done has been between two switches where I want more than one gig uplinks.  I've trunked together two ports to another two port on the 2nd switch to allow for a total of 2 gigs of flow.  I have not done trunking between a switch and a server with dual nics but know this is possible too.  What I'm thinking you have done is trunk together the vlans on port one of your switch using the switch software.  I did not know you could trunk vlans together.  Is this what you did or am I way off?  My questions should lead you to believe that I am new to vlans and I am just trying to figure a few things out.  Once again you have been very helpful.

                                  thanks,
                                  Jim

                                  1 Reply Last reply Reply Quote 0
                                  • T
                                    thinair
                                    last edited by

                                    When you trunk two links between two switches, doesn't one link get blocked by spanning tree (to prevent switching loops)?  Or are you using per-VLAN STP and just setting, like, VLAN 1, 3, 5 to one trunk and VLAN 2, 4, 6 to the second trunk?

                                    I'm not sure how redundant trunking between a server and the switch would work.  I know we use this exact setup on a few of our servers at work though.  Again, I'm not sure if the NICs are bridged in the server, in which case one NIC would be blocked again thanks to STP, and each VLAN would have its own server IP.

                                    Nelson Papel

                                    1 Reply Last reply Reply Quote 0
                                    • T
                                      thinair
                                      last edited by

                                      I was looking at our servers at work, they're dual gig NICs.  Because each link is going to a different redundant switch, there is 2Gb transmit and 1Gb receive, ARP will only return one MAC per given IP.

                                      You can have 2Gb transmit and receive if both gig links are going to the same switch (which they are in your case) using LACP (802.3ad).

                                      Nelson Papel

                                      1 Reply Last reply Reply Quote 0
                                      • J
                                        jzsjr
                                        last edited by

                                        Okay, I guess this line has me confused:

                                        "Port 1 - trunk (VLAN 1, 2, 3, 4)"

                                        Is port one just setup with vlan 1, 2, 3 and 4 or is there something special meant by "trunking" these vlans?

                                        I have not trunked between switches for failover or redundancy.  It has merely been for bandwidth.

                                        thanks,
                                        Jim

                                        1 Reply Last reply Reply Quote 0
                                        • T
                                          thinair
                                          last edited by

                                          Trunking is just a term used to describe a link with more than one VLAN, or computer data and another source (telephone, video).

                                          Nelson Papel

                                          1 Reply Last reply Reply Quote 0
                                          • M
                                            Mimez
                                            last edited by

                                            Ok need some help peeps. I have a Nortel BayStack 450-24T. What I am trying to do is VLAN off my WAN so I can do load balancing with the one NIC. I can get the untagged VLANs to work great, but when I change the port to Tagged it won't pick anything up. The main reason I need it this way is because I am using a wireless bridge that has multiple ISPs on the other side.

                                            So I have my AP plugged into a dumb switch that then has 2 cables going to the Nortel on port 3 and 5. Port 3 is on VLAN 10 while 5 is on 11. 10 has 3 untagged and 12 Tagged. 11 has 5 Untagged and 12 Tagged. 12 goes to the PF box that has a 802.1q VLAN capable NIC ((LNKN006) Instant Gigabit Network Adapter, I even picked this out of the supported hardware list :)). I have one gateway on 192.168.0.1 and the other on 192.168.5.1. I set up VLAN 10 and 11 on the PF box but it can't ping anything on the other side. I untag the Tagged port and put the AP right in port 3 and switch PF back to the interface and it works fine for one.

                                            I might be confused on the setup of the switch. I upgraded the switch to the latest FW and SW. On the individual ports I can assign a VLAN, but I want the trunked one to access multiple. Do I have to make a VLAN specifically for that one, or do I not need to worry about assigning it because it will go to whatever it is tagged with? I am also a little confused with the port based or protocol based VLAN. If I set up a protocol based one I can not set a port to it… maybe I need to mess more with it :/ Any help would be great :) Sorry if I sound a little scattered but I really need to get this to work.

                                            1 Reply Last reply Reply Quote 0
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.