Netgate Discussion Forum

    At my wits end with my hardware request advice on new!

    Hardware. 32 Posts, 9 Posters, 35.8k Views
      cheesyboofs

      David,

      Have found the 1800-8G for £67.00 - fantastic! http://www.stuff-uk.net/?s=ST-J9029A One question before I buy it: if I plug both my cable modems into, say, port one and port two on the switch and put them in separate VLANs, which MAC will be used to bind to the modem IPs? At the moment each modem has its own NIC and therefore bridges to the MAC of that NIC. But if VLANed, will they not share the same physical NIC's MAC? Or does putting it in a separate VLAN generate a pseudo MAC?

      Please excuse my misunderstanding if I have overlooked the obvious.

      Author of pfSense themes:

      DARK-ORANGE

      CODE-RED

        David_W

        The problem with 1.2.1-BETA may be part of the VLAN problems that are known with the release at the moment, or it may be a separate issue. It's worth checking the beta forum and adding it to the VLAN thread if necessary.

        Getting VLANs working with your 7760 should be well worthwhile. Though the 7760 is quite different in many ways to the 8760 (it's a completely different firmware and user interface), it should be possible to have different VAPs running with different VLANs, also you can have your RADIUS server handing out different VLANs to different users on the same VAP. My wireless networks default to an unprivileged VLAN, but if you authenticate with suitably privileged credentials, you're connected to the main LAN. FreeRADIUS can do the necessary - but I'm not sure whether the pfSense FreeRADIUS package has the necessary functionality.

        I'd trust the inexpensive ProCurve switches to do the right thing much more than I would trust some of the cheaper multi-port NICs mentioned in this thread. My personal choice would be the ProCurve 1800-8G and a single port Intel Gigabit server NIC - that will cost you somewhere around £140 (taking your price for the 1800-8G and allowing around £70 for the NIC). However, a less expensive solution is possible - a single port Intel Gigabit desktop NIC costs less than £20 and may be all that you need. If you upgrade to a server NIC later, you've got a good NIC to upgrade a desktop machine with or to keep as a spare.

        With these inexpensive 8 port fanless VLAN capable switches available, you can probably see why I'm a fan of using VLANs and increasingly see no point for expensive multi-port NICs in a pfSense box. The multi-port NICs have their place when you need the bandwidth or for redundancy (such as a CARP based setup, where you can have different ports that can do the same job wired to different switches, which gives you diversity).

        I believe that VLANs are the more flexible solution when it comes to sorting out your internal networks, not least because you can reprogram them from your computer instead of messing around repatching, which I believe is potentially more error-prone.

        The price you've found on the 1800-8G is fantastic indeed - an 8 port Gigabit switch that is VLAN capable for £67 can't be bad.

        This should help in understanding how a VLAN setup works:

        bge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
                options=1b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING>
                inet6 fe80::219:b9ff:fefa:2206%bge0 prefixlen 64 scopeid 0x1
                ether 00:19:b9:fa:22:06
                media: Ethernet autoselect (1000baseTX <full-duplex>)
                status: active

        vlan3: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
                inet 192.168.128.254 netmask 0xffffff00 broadcast 192.168.128.255
                inet6 fe80::219:b9ff:fefa:2206%vlan3 prefixlen 64 scopeid 0xa
                ether 00:19:b9:fa:22:06
                media: Ethernet autoselect (1000baseTX <full-duplex>)
                status: active
                vlan: 1 parent interface: bge0


        As you can see, VLANs take the MAC of their parent NIC, so that's what your cable modems will bridge to. You correctly describe the way to deal with WAN links in a VLAN scenario - you give the WAN link a dedicated VLAN. You set the cable modem's switch port to:

        • untagged operation on the dedicated VLAN (without needing 802.1x)

        • forbidden on all other VLANs

        • the PVID set to that of the dedicated VLAN

        That's how you set an untagged port to a particular VLAN in general - if necessary I'll read the ProCurve's manual and give you specific instructions. The mention of 802.1x is that on some switches you can require successful authentication by a RADIUS server before the port gets access to the network. That is added complexity that you don't need.

        On the switch port of the pfSense NIC you're using for the VLAN, you set the port to operate on the dedicated VLAN with tagging enabled. As has been said already in the thread, it's best not to mix tagged and untagged traffic on the same port. Tag everything on a tagged capable port.

        In case you're wondering, the PVID on a switch port only has meaning when there's untagged traffic - it's the VLAN that this untagged traffic should be allocated to (PVID = Primary VLAN ID). Usually, if an untagged port doesn't work when you've allocated it to a VLAN, you've forgotten to set the PVID. So long as you remember the three steps in my bullet points above - however your particular switch handles them - you'll be fine.

        It doesn't matter that you have several cable modems bridging to the same MAC, as switching in a VLAN scenario uses the MAC and the VLAN ID. Traffic can only cross from one VLAN to another via something operating at higher than the Level 2 of the sort of switches we are talking about here - such as your pfSense box. Switches with Level 3 features exist, which have some routing functionality, but let's not worry about those here as they're a rather more expensive and specialist piece of kit than you're likely to encounter.

          cheesyboofs

          Cheers David,

          @David_W:

          The problem with 1.2.1-BETA may be part of the VLAN problems that are known with the release at the moment, or it may be a separate issue. It's worth checking the beta forum and adding it to the VLAN thread if necessary.

          Together with some other issues I have I plan to downgrade at the weekend.

          @David_W:

          Getting VLANs working with your 7760 should be well worthwhile. Though the 7760 is quite different in many ways to the 8760 (it's a completely different firmware and user interface), it should be possible to have different VAPs running with different VLANs, also you can have your RADIUS server handing out different VLANs to different users on the same VAP. My wireless networks default to an unprivileged VLAN, but if you authenticate with suitably privileged credentials, you're connected to the main LAN. FreeRADIUS can do the necessary - but I'm not sure whether the pfSense FreeRADIUS package has the necessary functionality.

          This is exactly what I'm planning to do as I now have a new wireless device that just will not authenticate with WPA so I intend to put it in its own VAP running on the same AP.

          @David_W:

          if necessary I'll read the ProCurve's manual and give you specific instructions.

          RTFM - now that is something I can do when I get mine  ;)

          @David_W:

          Traffic can only cross from one VLAN to another via something operating at higher than the Level 2 of the sort of switches we are talking about here - such as your pfSense box. Switches with Level 3 features exist, which have some routing functionality, but let's not worry about those here as they're a rather more expensive and specialist piece of kit than you're likely to encounter.

          I already have a good working knowledge of how layer 2 and layer 3 devices work. At work we are using 3COM 5500s which, as I'm sure you know, are layer 3 switches; I've just not personally had much real-world exposure to VLANing. This is why this will be a good exercise for me.

          Cheers for your posts David, your instructions are clear and sound; I will take heed of them. I still haven't ruled out a new router m/board (more money than sense), but with this advice at least I won't be throwing good money after bad.

          Cheers

            Perry

            Yes, they will share the same MAC. How ISPs use that information is hard to say IMO; are both modems connected to the same ISP? As for my ISP, I need to register my NIC first.
            I directly connect the modem to my pfSense PC, then I use the Ubuntu live CD so I can walk through their web page.
            HP1800-8G VLAN guide http://pfsense.site88.net/mysetup/index.html

            /Perry
            doc.pfsense.org

              David_W

              @cheesyboofs:

              if necessary I'll read the ProCurve's manual and give you specific instructions.

              RTFM - now that is something I can do when I get mine  ;)

              There's no need to buy to get the manuals - the ProCurve 1800 series manuals are here. The VLAN stuff can be found here.

              I often download and look through manuals of equipment before buying - it helps a lot to have the documentation available to read. Increasingly, manuals for IT gear are supplied in electronic form only.

                cheesyboofs

                Hi David, Perry,

                I now have my switch (yey) and, without going too far off topic and rubbing a mod up the wrong way, could you offer me some guidance?

                I have read the manual and would like some help understanding tagged & untagged / 'All'.

                VLAN Per Port Configuration

                • Port/Trunk – The port number or the ID of a trunk.

                • VLAN Aware Enabled – VLAN aware ports are able to use VLAN
                tagged frames to determine the destination of the frame. Click to
                enable or disable VLAN awareness mode for this port.
                (Default: Enabled)

                • Ingress Filtering Enabled – If enabled, incoming frames for VLANs
                which do not include this ingress port in their member set will be
                discarded. (Default: Disabled)

                • Packet Type – Users can set the interface to accept all frame types,
                or only tagged frames.
                If the Packet Type is set to “All,” the port can accept incoming tagged
                and untagged packets. Untagged packets will be associated with the
                VLAN identified by the PVID. Tagged packets will be dropped unless
                the port is a member of the VLAN identified by the VLAN tag in the
                packet.
                If the Packet Type is set to “Tagged,” the port will only send tagged
                packets. (Default: All)

                • PVID – From a drop down menu, choose the VLAN ID that will be
                assigned to untagged frames received on this port. You cannot choose
                “None” for the VLAN ID unless the packet type is set to “Tagged Only.”
                Choosing “None” will not assign any VLAN ID to untagged frames
                received on this port. It is not possible to remove a port from VLAN
                1 unless its PVID has been changed to something other than 1. The
                PVID has no effect on ports that have Packet Type set to Tagged.
                (Default: 1)

                To keep things simple and get my setup working I will use one port on my router configured as LAN (re0) (vlan 1, I think) + two vlans, 11 & 22, attached to it.
                One modem connected to port 8 on my switch (in vlan 11)
                My 7760 connected to port 7 on the switch (in vlan 22)
                And my router connected to port 1 on the switch (in vlan 1, pvid 11 & pvid 22)

                Is the physical NIC on the router in vlan 1 by default?
                Will the physical interface on the 7760 be in vlan 1 and need access to it for management?
                For this reason, won't all ports need setting to untagged / all?
                What does Ingress Filtering mean?

                It's quite clear I have a lot of learning to do.

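David_W's three bullet points for a modem's switch port (untagged on its own VLAN, forbidden elsewhere, PVID set to that VLAN) and the HP manual text quoted above on Packet Type, PVID and Ingress Filtering describe the same ingress rules. The following is an added worked example, not code from the thread, from pfSense or from HP: a toy Python model of an 802.1Q switch that applies those rules, learns MAC addresses per (VLAN, MAC) pair, and shows why two cable modems bridging to the same pfSense MAC in different VLANs do not collide, and what happens when a port's PVID is left at "None". The port layout (pfSense re0 tagged on port 8, modems untagged on ports 6 and 7) and the modem MACs are constructed; the pfSense MAC is the re0 address that appears in this thread's ifconfig output. Ingress filtering is modelled with its standard 802.1Q meaning (drop tagged frames for VLANs the port is not a member of); what the real switch does with non-member tagged frames when filtering is disabled is not something this model claims to reproduce.

```python
"""Toy 802.1Q switch: VLAN membership, tagged/untagged egress, PVID,
ingress filtering and per-VLAN MAC learning.

Added example, not code from pfSense, HP or this thread."""
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple


@dataclass
class Port:
    members: Set[int]             # VLANs this port is a member of
    tagged: Set[int]              # members that leave this port with an 802.1Q tag
    pvid: Optional[int] = 1       # VLAN given to untagged ingress; None is the manual's "None"
    ingress_filter: bool = False  # drop tagged frames for VLANs we are not a member of
    packet_type: str = "All"      # the manual's Packet Type: "All" or "Tagged"


@dataclass(frozen=True)
class Frame:
    src: str
    dst: str
    vid: Optional[int] = None     # None means no 802.1Q tag on the wire


class Switch:
    def __init__(self, ports: Dict[int, Port]) -> None:
        self.ports = ports
        # Forwarding database keyed by (VLAN, MAC). The same MAC can be learnt in
        # several VLANs without conflict, which is why one pfSense NIC can sit
        # behind several cable modems that all bridge to it.
        self.fdb: Dict[Tuple[int, str], int] = {}

    def classify(self, port_no: int, frame: Frame) -> Optional[int]:
        """VLAN an ingress frame is assigned to, or None if it is dropped."""
        p = self.ports[port_no]
        if frame.vid is None:                       # untagged on the wire
            if p.packet_type == "Tagged":
                return None                         # port accepts tagged frames only
            return p.pvid                           # PVID None: frame gets no VLAN, dropped
        if p.ingress_filter and frame.vid not in p.members:
            return None                             # ingress filtering
        return frame.vid

    def forward(self, port_no: int, frame: Frame) -> Dict[int, Frame]:
        """Deliver one frame; returns {egress port: frame as it leaves that port}."""
        vid = self.classify(port_no, frame)
        if vid is None:
            return {}
        self.fdb[(vid, frame.src)] = port_no        # learn the source per VLAN
        known = self.fdb.get((vid, frame.dst))
        if known == port_no:
            return {}                               # destination is behind the ingress port
        if known is not None:
            outs = [known]
        else:                                       # unknown unicast: flood within the VLAN
            outs = [n for n, p in self.ports.items() if n != port_no and vid in p.members]
        return {n: Frame(frame.src, frame.dst, vid if vid in self.ports[n].tagged else None)
                for n in outs}


PFSENSE = "00:30:18:a2:ea:b5"   # re0 MAC from the thread's ifconfig dump
MODEM_A = "00:aa:00:00:00:0a"   # constructed
MODEM_B = "00:aa:00:00:00:0b"   # constructed


def build_switch() -> Switch:
    """Constructed layout: ports 6/7 untagged for the modems, port 8 tagged to re0."""
    return Switch({
        1: Port(members={1}, tagged=set(), pvid=1),                         # management PC, VLAN 1
        6: Port(members={33}, tagged=set(), pvid=33, ingress_filter=True),  # modem B
        7: Port(members={11}, tagged=set(), pvid=11, ingress_filter=True),  # modem A
        8: Port(members={11, 22, 33}, tagged={11, 22, 33},
                pvid=None, packet_type="Tagged"),                           # pfSense re0
    })


def demo() -> Dict[str, object]:
    sw = build_switch()
    out: Dict[str, object] = {}
    # Modem A sends untagged; the PVID puts it in VLAN 11 and it reaches re0 tagged 11.
    out["modem_a_to_pfsense"] = sw.forward(7, Frame(MODEM_A, PFSENSE))
    # pfSense replies on its tag-11 interface; the switch strips the tag for port 7.
    out["pfsense_to_modem_a"] = sw.forward(8, Frame(PFSENSE, MODEM_A, vid=11))
    out["modem_b_to_pfsense"] = sw.forward(6, Frame(MODEM_B, PFSENSE))
    out["pfsense_to_modem_b"] = sw.forward(8, Frame(PFSENSE, MODEM_B, vid=33))
    # Untagged traffic on the tagged-only trunk port is not accepted.
    out["untagged_on_trunk"] = sw.forward(8, Frame(PFSENSE, MODEM_A))
    # A tagged VLAN 22 frame arriving on modem A's port is discarded by ingress filtering.
    out["stray_tagged_on_7"] = sw.forward(7, Frame(MODEM_A, PFSENSE, vid=22))
    # The classic mistake: VLAN membership set but PVID left at "None".
    sw.ports[7].pvid = None
    out["no_pvid"] = sw.forward(7, Frame(MODEM_A, PFSENSE))
    out["fdb"] = dict(sw.fdb)                       # pfSense MAC learnt in both VLAN 11 and 33
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Running the module prints each scenario; the forwarding database at the end holds the pfSense MAC twice, once under VLAN 11 and once under VLAN 33, which is the property David_W describes as "switching in a VLAN scenario uses the MAC and the VLAN ID".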
                  Perry

                  I don't think explaining all those things to you in a forum would make much sense. A good networking book, google search or taking a course would be better for you IMHO. As you say let's KISS instead ;)

                  @cheesyboofs:

                  To keep things simple and get my setup working I will use one port on my router configured as LAN (re0) (vlan 1, I think) + two vlans, 11 & 22, attached to it.
                  One modem connected to port 8 on my switch (in vlan 11)
                  My 7760 connected to port 7 on the switch (in vlan 22)
                  And my router connected to port 1 on the switch (in vlan 1, pvid 11 & pvid 22)

                  Is the physical NIC on the router in vlan 1 by default?
                  Will the physical interface on the 7760 be in vlan 1 and need access to it for management?
                  For this reason, won't all ports need setting to untagged / all?

                  As I showed in the Wink guide, it's a good idea for a first-time user of VLAN switches to leave vlan 1 and port 1 alone.
                  Let's assume some things (so it will be more like my guide):
                  To configure the switch, connect a PC to port 1.
                  Use port 8 as the only tagged port. This is the port that will be connected to re0 on your pfSense firewall; re0 will be the parent of your VLANs, never a VLAN.
                  So basically follow my guides and learn by doing…

                  Latest firmware ftp://ftp.hp.com/pub/networking/software/1800-8G-Software-PA0300.zip

                    cheesyboofs

                    Thanks Perry, your setup is very similar to mine and I did check out your Winks. I will take the plunge and give it a go following yours and David's advice.

                    Oh and I already did the firmware - that's one thing I am confident in doing  :P

                      cheesyboofs

                      David, Perry,

                      I have failed - I have taken what you both told me on board and I have tried to configure my setup like the attached picture, as it is a little different to Perry's in that I want to have just one NIC interface on my router.

                      I am 99.999999% sure I have set my ProCurve up right using Perry's Wink and David's advice (please see attached), but when I come to configure my router it craps out on me.

                      Am I attaching LAN to re0 or vlan0 if WAN is on vlan1?
                      Can I have all vlans with no real interfaces under pfSense?

                      Please see my attached picture and tell me what I'm doing wrong. To keep it simple I tried just getting up the LAN interface and one WAN, but failed to get an IP on the WAN and could not ping the LAN.

                      HELP!

                      Do you want to set up VLANs now [y|n]?y

                      WARNING: all existing VLANs will be cleared if you proceed!

                      Do you want to proceed [y|n]?y

                      VLAN Capable interfaces:

                      ste0    00:05:5d:e6:25:4d
                      ste1    00:05:5d:e6:25:4e
                      ste2    00:05:5d:e6:25:4f
                      ste3    00:05:5d:e6:25:50
                      re0     00:30:18:a2:ea:b5   (up)
                      re1     00:30:18:a2:ea:b6

                      Enter the parent interface name for the new VLAN (or nothing if finished): re0
                      Enter the VLAN tag (1-4094): 1

                      VLAN Capable interfaces:

                      ste0    00:05:5d:e6:25:4d
                      ste1    00:05:5d:e6:25:4e
                      ste2    00:05:5d:e6:25:4f
                      ste3    00:05:5d:e6:25:50
                      re0     00:30:18:a2:ea:b5   (up)
                      re1     00:30:18:a2:ea:b6

                      Enter the parent interface name for the new VLAN (or nothing if finished): re0
                      Enter the VLAN tag (1-4094): 11

                      VLAN Capable interfaces:

                      ste0    00:05:5d:e6:25:4d
                      ste1    00:05:5d:e6:25:4e
                      ste2    00:05:5d:e6:25:4f
                      ste3    00:05:5d:e6:25:50
                      re0     00:30:18:a2:ea:b5   (up)
                      re1     00:30:18:a2:ea:b6

                      Enter the parent interface name for the new VLAN (or nothing if finished): re0
                      Enter the VLAN tag (1-4094): 22

                      VLAN Capable interfaces:

                      ste0    00:05:5d:e6:25:4d
                      ste1    00:05:5d:e6:25:4e
                      ste2    00:05:5d:e6:25:4f
                      ste3    00:05:5d:e6:25:50
                      re0     00:30:18:a2:ea:b5   (up)
                      re1     00:30:18:a2:ea:b6

                      Enter the parent interface name for the new VLAN (or nothing if finished): re0
                      Enter the VLAN tag (1-4094): 33

                      VLAN Capable interfaces:

                      ste0    00:05:5d:e6:25:4d
                      ste1    00:05:5d:e6:25:4e
                      ste2    00:05:5d:e6:25:4f
                      ste3    00:05:5d:e6:25:50
                      re0     00:30:18:a2:ea:b5   (up)
                      re1     00:30:18:a2:ea:b6

                      Enter the parent interface name for the new VLAN (or nothing if finished):

                      VLAN interfaces:

                      vlan0   VLAN tag 1, interface re0
                      vlan1   VLAN tag 11, interface re0
                      vlan2   VLAN tag 22, interface re0
                      vlan3   VLAN tag 33, interface re0

                      NOTE  pfSense requires AT LEAST 2 assigned interfaces to function.
                              If you do not have two interfaces you CANNOT continue.

                      If you do not have at least two REAL network interface cards
                              or one interface with multiple VLANs then pfSense WILL NOT
                              function correctly.

                      If you do not know the names of your interfaces, you may choose to use
                      auto-detection. In that case, disconnect all interfaces now before
                      hitting 'a' to initiate auto detection.

                      Enter the LAN interface name or 'a' for auto-detection: vlan0

                      Enter the WAN interface name or 'a' for auto-detection: vlan1

                      Enter the Optional 1 interface name or 'a' for auto-detection
                      (or nothing if finished):

                      The interfaces will be assigned as follows:

                      LAN  -> vlan0
                      WAN  -> vlan1

                      Do you want to proceed [y|n]?y

                      One moment while we reload the settings…ifconfig: ioctl (SIOCDIFADDR): Can't assign requested address
                      killall: warning: kill -TERM 239: No such process
                      done!
                      route: writing to routing socket: No such process


                      Enter the LAN interface name or 'a' for auto-detection: re0

                      Enter the WAN interface name or 'a' for auto-detection: vlan0

                      Enter the Optional 1 interface name or 'a' for auto-detection
                      (or nothing if finished):

                      The interfaces will be assigned as follows:

                      LAN  -> re0
                      WAN  -> vlan0

                      Do you want to proceed [y|n]?y

                      One moment while we reload the settings…ifconfig: ioctl (SIOCDIFADDR): Can't assign requested address
                      killall: warning: kill -TERM 97993: No such process
                      done!
                      route: writing to routing socket: No such process

                      [Attachments: Drawing1.png, procurve.png]

                        Perry

                        Hmm, looks OK. There have been some issues reported with 1.2.1 and VLANs, so make sure you have the latest version, or you could try 1.2.

                          cheesyboofs

                          Hehe, I have already downgraded to 1.2 for that reason. If you think it looks OK I will give it another go tonight by booting off the live CD. Unfortunately I can only do this when I get home from work, and I'm already shattered, but if you think I'm heading in the right direction I'll try again.

                          Am I correct in that I should be creating a vlan0 tag 1 and using that for my LAN? (In my proposed setup)

                          Cheers

                            Perry

                            Yes I would surely try with a live cd before doing anything else.

                            @cheesyboofs:

                            Am I correct in that I should be creating a vlan0 tag 1 and using that for my LAN? (In my proposed setup)

                            Yes, you can use vlan0 (NIC) as LAN.

                              kpa

                              I would dedicate vlan tag 1 for only configuring the switch and create new vlans for WAN and LAN.

                                cheesyboofs

                                Right, I booted from the 1.2.1 live CD and WOHOO! It worked out of the box, no changes to the switch at all. Ping and DHCP worked, but I could not (for love nor money) get the pfSense web interface up.

                                So I then did a fresh full install of 1.2 and this time everything worked again, but the web interface was REALLY slow. I restored the original config, rebooted and changed the physical interface mappings of my restored config to the new vlan mappings. All is/was working fantastic and everything feels so much more zippy, with two exceptions!!!!

                                The pfSense web interface is Sooooo slow from the LAN it's barely usable, and the same with OpenVPN; I think the problems are related! On most VLAN-aware kit it gives you the option to set the management VLAN (the VLAN the management will bind to); this is why my 7760 and ProCurve web interfaces don't have an issue but pfSense does. OpenVPN doesn't give you the option either to tag the pseudo OpenVPN interface. In fact I'm surprised the two work at all.

                                What I'm left with is: I can ping everything with a <1 ms ping, DHCP works, even the OpenVPN tunnel comes up, but the router web interface is slow but usable and I can't map shares or RDP over VPN; ping will work one in 10.

                                Any help much appreciated as I'm so close and on the whole quite pleased!

                                EDIT: to add ifconfig dump

                                # ifconfig
                                re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
                                        options=1b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING>
                                        inet6 fe80::230:18ff:fea2:eab5%re0 prefixlen 64 scopeid 0x1
                                        ether 00:30:18:a2:ea:b5
                                        media: Ethernet autoselect (1000baseTX <full-duplex>)
                                        status: active
                                re1: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
                                        options=1b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING>
                                        ether 00:30:18:a2:ea:b6
                                        media: Ethernet autoselect (10baseT/UTP)
                                        status: no carrier
                                pflog0: flags=100<PROMISC> mtu 33208
                                enc0: flags=0<> mtu 1536
                                lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
                                        inet 127.0.0.1 netmask 0xff000000
                                        inet6 ::1 prefixlen 128
                                        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
                                pfsync0: flags=41<UP,RUNNING> mtu 2020
                                        pfsync: syncdev: lo0 syncpeer: 224.0.0.240 maxupd: 128
                                vlan0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
                                        inet 192.168.100.254 netmask 0xffffff00 broadcast 192.168.100.255
                                        inet6 fe80::230:18ff:fea2:eab5%vlan0 prefixlen 64 scopeid 0x7
                                        ether 00:30:18:a2:ea:b5
                                        media: Ethernet autoselect (1000baseTX <full-duplex>)
                                        status: active
                                        vlan: 1 parent interface: re0
                                vlan1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
                                        inet6 fe80::230:18ff:fea2:eab5%vlan1 prefixlen 64 scopeid 0x8
                                        inet 82.16.215.154 netmask 0xfffffc00 broadcast 255.255.255.255
                                        ether 00:30:18:a2:ea:b5
                                        media: Ethernet autoselect (1000baseTX <full-duplex>)
                                        status: active
                                        vlan: 11 parent interface: re0
                                vlan2: flags=8842<BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
                                        ether 00:30:18:a2:ea:b5
                                        media: Ethernet autoselect (1000baseTX <full-duplex>)
                                        status: active
                                        vlan: 22 parent interface: re0
                                vlan3: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
                                        inet 192.168.101.254 netmask 0xffffff00 broadcast 192.168.101.255
                                        inet6 fe80::230:18ff:fea2:eab5%vlan3 prefixlen 64 scopeid 0xa
                                        ether 00:30:18:a2:ea:b5
                                        media: Ethernet autoselect (1000baseTX <full-duplex>)
                                        status: active
                                        vlan: 33 parent interface: re0
                                tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
                                        inet6 fe80::230:18ff:fea2:eab5%tun0 prefixlen 64 scopeid 0xb
                                        inet 192.168.102.1 --> 192.168.102.2 netmask 0xffffffff
                                        Opened by PID 414
                                #


                                [Attachment: home.png]

                                  cheesyboofs

                                  Scratch That!!!

                                  For shits and giggles I remotely upgraded to 1.2.1 due to this post http://forum.pfsense.org/index.php/topic,12200.0.html that said VLANs had been fixed in 1.2.1. Following the reboot I lost OpenVPN altogether, but everything else seemed to be up.

                                  When I got home I confirmed the fault and made these changes - I removed all references to vlan1 and changed it to vlan77, both on the router and the switch. I disabled both Realtek NICs and installed 1 Intel Pro/1000 XT, and following a reboot EVERYTHING is working fantastic and I am so chuffed. The modem works at full speed, the web interface to the router is responsive and all vlans are working great.

                                  Things I learnt (the hard way)
                                  1. A vlan switch is far better than a bunch of NICs; there are no IRQ issues and it is what it was designed to do.
                                  2. An Intel 1000 base NIC is far more stable under FreeBSD.
                                  3. You can use a 64Bit PCI card in a 32Bit slot  :P
                                  4. There are some people on this forum who really know their beans.
                                  5. DON'T USE VLAN1 FOR ANYTHING, it's just not worth the grief.

                                  A BIG, BIG thank you to David and Perry for helping me get this sorted.


                                  Author of pfSense themes:

                                  DARK-ORANGE

                                  CODE-RED

                                  • P
                                    Perry
                                    last edited by

                                    You're Welcome

                                    Things I learnt (the hard way)

                                    ;D IHTSITYSBITYS  ;D
                                    I Hate To Say I Told You So But I Told You So

                                    /Perry
                                    doc.pfsense.org

                                    • A
                                      atamido
                                      last edited by

                                      @cheesyboofs:

Thanks for the info. Yeh, I understand that architecture is more important than speed or headroom. A Cisco router may not have the fastest CPU or the most RAM, but thanks to its proprietary hardware architecture and an IOS tailored for known hardware, they are where they are.

                                      I just had to reboot a Cisco 1841 router at work.  It's set up as a basic NAT router for public internet, and the DNS and/or DHCP services on it keep crapping out.  The $2500+ Foundry switches are a little more reliable, but not much more.  And considering the number of command structures that change between minor changes, I don't have much positive to say regarding them.

                                      Of course, the routers that cost $100k+ are a different story.  ;)

                                      • D
                                        David_W
                                        last edited by

                                        This has been a good thread for many reasons.

                                        Firstly - thank you for thanking me; it means a lot to have that acknowledgement. I'll always try to offer an intelligent answer when I can.

                                        I agree wholeheartedly with your conclusions - and hopefully this thread will help to encourage others to take the same route of VLANs and quality NICs rather than wasting time and money on NICs that tend to be troublesome on FreeBSD and pfSense.

You are much better off without cheap NICs - Intel Gigabit is the way to go if you're buying a NIC, though my experience is that Broadcom Gigabit server NICs (as used on many Dell server motherboards) are also fine. A server NIC is best; if you are using a PCI-based system that probably means a PCI-X (64-bit) card. So long as you have enough room for the longer PCI-X card in your case, it will work fine in a 32-bit PCI slot (this is not necessarily true, but it does hold for the major brands of NIC in all but the most ancient PCI motherboards). PCI Express is the way ahead, and tends to be so much simpler in use, but it will take a long while for PCI Express to become ubiquitous.

                                        Clearly you've bought an Intel Gigabit Server NIC, which is the best choice.

                                        VLANs are also the way ahead - as you say, they're designed for what many people try to use a bunch of NICs for. With the HP Procurve 1800-8G available so cheaply, there's little reason not to use VLANs.

                                        You can do so much with VLANs - for example, I can pass all my networks from switch to switch using a single link and tagging, rather than a bunch of cables (in fact, I use multiple connections trunked together for bandwidth reasons, but the principle still holds). With VLANs, you can use a single port NIC on your firewall rather than needing multi port NICs, with the associated IRQ issues and the high expense of a quality multi port NIC (a quad port Intel Gigabit Server NIC costs serious money…).

With VLANs you can easily switch a port from one network to another from your browser - also you can use the advanced features of your 3Com 7760 access point, where different Virtual Access Points are on different VLANs, and, if you set up a RADIUS server, you can allocate a VLAN depending on the credentials used to authenticate to the RADIUS server. Indeed, I recommend setting up a RADIUS server if at all possible; the security is better than with PSKs and you have much more control over the system. I do maintain the FreeBSD port of FreeRADIUS, but not the pfSense FreeRADIUS package, so I'm not sure exactly what the package can and can't do.

                                        Now that you've set up your VLAN based system, you will probably find yourself understanding the answers to the more complex VLAN features you were asking about earlier. You can experiment with them - though make sure that you have a way to get the switch back to its working state first. At the very least, take a copy of your pfSense configuration and, if you can save it to your computer, your switch's configuration before experimenting - also make sure that you have a way of returning the switch to that configuration.

                                        It's also worth making yourself a few notes about the purposes of each VLAN, and the addressing structure used on each one, so that future changes are easy to get right.

                                        • C
                                          cheesyboofs
                                          last edited by

                                          Clearly you've bought an Intel Gigabit Server NIC, which is the best choice.

I didn't even have to buy it, that's the irony. When I looked hard I had three spare Intel Server Pro/1000XT NICs lying around at work in an old F840 NetApp filer. Once I checked that the card would work fine in a 32-bit slot there was no stopping me.

                                          It's also worth making yourself a few notes about the purposes of each VLAN, and the addressing structure used on each one, so that future changes are easy to get right.

That's why I do my pretty pictures, so that I can keep track of it all, but it looks cool too. The whole setup is much more professional, and if you look at my picture it looks like the switch is 'in front' of the router (although logically it's not); it's mind-boggling.

VLANing is definitely the way forward and I'm definitely converted.

                                          Author of pfSense themes:

                                          DARK-ORANGE

                                          CODE-RED

                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.