Netgate Discussion Forum

Setting up a pfSense box with only 1 nic, utilizing VLANs

General pfSense Questions
8 Posts 5 Posters 5.2k Views
Slackmaster (Aug 16, 2009, 7:33 PM)

Has anyone here set up a pfSense box using only 1 NIC, but utilizing VLANs? I want to tag 5 VLANs to a port on an HP switch, and plug that into a single port on a pfSense box. The VLANs will be LAN, 3x WAN, and a DMZ. Are there any considerations besides bandwidth that I need to think about? It will be a 10/100/1000 fxp or rl NIC.
GruensFroeschli (Aug 17, 2009, 7:23 AM)

Yes, I did such a setup once.
Just make sure that you use VLANs only, and don't assign the "real" interface as well.

Avoid Realtek NICs if you want to save yourself a lot of headaches.

We do what we must, because we can.

Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html
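The "VLANs only, never the bare parent" rule above is easy to get wrong when hand-editing or reviewing a config, so here is an added check (my example, not pfSense code and not from the thread) that reads a config.xml-shaped document and reports a parent interface that is assigned directly while also carrying VLAN sub-interfaces, a tag outside 1-4094, a duplicate parent/tag pair, and tag 1, which most switches use as the untagged default VLAN. The element layout (interfaces/<name>/<if>, vlans/vlan/if|tag|vlanif) and the em0_vlanNN interface names follow pfSense's config.xml as I remember it; treat both as assumptions, and the two documents as constructed samples.

```python
"""Lint a pfSense-style config.xml for the 'VLANs only on the trunk parent' rule.

Added example, not pfSense code. The element layout and the em0_vlanNN naming
are assumptions about config.xml; both sample documents are constructed.
"""
import xml.etree.ElementTree as ET

# Constructed: single-NIC box where LAN was assigned to the bare parent em0
# while three VLANs also ride on em0, and the DMZ VLAN uses tag 1.
BAD_CONFIG = """
<pfsense>
  <interfaces>
    <lan><if>em0</if><descr>LAN</descr></lan>
    <wan><if>em0_vlan10</if><descr>WAN1</descr></wan>
    <opt1><if>em0_vlan20</if><descr>WAN2</descr></opt1>
    <opt2><if>em0_vlan1</if><descr>DMZ</descr></opt2>
  </interfaces>
  <vlans>
    <vlan><if>em0</if><tag>10</tag><vlanif>em0_vlan10</vlanif></vlan>
    <vlan><if>em0</if><tag>20</tag><vlanif>em0_vlan20</vlanif></vlan>
    <vlan><if>em0</if><tag>1</tag><vlanif>em0_vlan1</vlanif></vlan>
  </vlans>
</pfsense>
"""

# Constructed: LAN on its own NIC (em1), everything else as tagged VLANs on em0.
GOOD_CONFIG = """
<pfsense>
  <interfaces>
    <lan><if>em1</if><descr>LAN</descr></lan>
    <wan><if>em0_vlan10</if><descr>WAN1</descr></wan>
    <opt1><if>em0_vlan20</if><descr>WAN2</descr></opt1>
    <opt2><if>em0_vlan30</if><descr>WAN3</descr></opt2>
    <opt3><if>em0_vlan40</if><descr>DMZ</descr></opt3>
  </interfaces>
  <vlans>
    <vlan><if>em0</if><tag>10</tag><vlanif>em0_vlan10</vlanif></vlan>
    <vlan><if>em0</if><tag>20</tag><vlanif>em0_vlan20</vlanif></vlan>
    <vlan><if>em0</if><tag>30</tag><vlanif>em0_vlan30</vlanif></vlan>
    <vlan><if>em0</if><tag>40</tag><vlanif>em0_vlan40</vlanif></vlan>
  </vlans>
</pfsense>
"""


def vlan_table(root):
    """Map each VLAN sub-interface name to its (parent NIC, tag)."""
    table = {}
    for v in root.findall("./vlans/vlan"):
        table[v.findtext("vlanif")] = (v.findtext("if"), int(v.findtext("tag")))
    return table


def assigned_interfaces(root):
    """Map each assigned logical interface (lan, wan, optN) to the NIC it uses."""
    return {child.tag: child.findtext("if") for child in root.find("interfaces")}


def lint(config_xml):
    """Return a list of human-readable findings; an empty list means clean."""
    root = ET.fromstring(config_xml.strip())
    vlans = vlan_table(root)
    assigned = assigned_interfaces(root)
    parents = {parent for parent, _ in vlans.values()}
    findings = []

    # Rule from the thread: once a NIC carries VLANs, never assign it directly.
    for name, ifname in assigned.items():
        if ifname in parents:
            findings.append(f"{name}: parent {ifname} is assigned directly but also carries VLANs; assign only its VLAN sub-interfaces")

    seen = set()
    for vlanif, (parent, tag) in vlans.items():
        if not 1 <= tag <= 4094:
            findings.append(f"{vlanif}: tag {tag} is outside the valid 802.1Q range 1-4094")
        elif tag == 1:
            findings.append(f"{vlanif}: tag 1 is the untagged/default VLAN on most switches; pick another tag")
        if (parent, tag) in seen:
            findings.append(f"{vlanif}: duplicate VLAN {tag} on {parent}")
        seen.add((parent, tag))
    return findings


if __name__ == "__main__":
    for label, cfg in (("bad", BAD_CONFIG), ("good", GOOD_CONFIG)):
        print(label, lint(cfg) or ["ok"])
```

Run it against a copy of your own config.xml by replacing the constructed strings; a clean result only says the box side is consistent, the switch side (which ports are untagged in which VLAN) still has to be checked on the switch.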
cheesyboofs (Aug 17, 2009, 11:24 AM)

Yes, I can only echo GruensFroeschli's comments. I have this setup and it works very well. The best bit is being able to redesign the network without even unplugging any cables, you just change the VLAN allocation. You can see my implementation in the link of my sig.

Cheers

Author of pfSense themes: DARK-ORANGE, CODE-RED
Slackmaster (Aug 17, 2009, 12:59 PM)

Thanks for the replies, guys.

What type of throughput are you guys getting, or what type/speed of connections?

Here is what I'll have:

LAN: 10/100/1000
WAN1: 88m
WAN2: 50m
WAN3: 88m
DMZ: 10/100

I'm thinking that I'll use one NIC just for LAN, and the other for the other four connections/VLANs. Do you think one NIC will be sufficient to handle these four?
Briantist (Aug 18, 2009, 7:24 PM)

@GruensFroeschli:

Yes, I did such a setup once.
Just make sure that you use VLANs only, and don't assign the "real" interface as well.

Why is this? I have done this and it seemed to work okay. Is there some particular problem with it?
Supermule, banned (Aug 18, 2009, 7:26 PM)

The link doesn't work in IE8... On my 6 machines at the office :)

@cheesyboofs:

Yes, I can only echo GruensFroeschli's comments. I have this setup and it works very well. The best bit is being able to redesign the network without even unplugging any cables, you just change the VLAN allocation. You can see my implementation in the link of my sig.

Cheers
GruensFroeschli (Aug 18, 2009, 8:30 PM; edited Aug 19, 2009, 10:48 AM)

@Briantist:

Why is this? I have done this and it seemed to work okay. Is there some particular problem with it?

Usually it works.
But there are cases where it can go horribly wrong.
The one setup where I encountered such a case was:

Client in subnet_A on VLAN_A.
Server in subnet_B in no_VLAN -> untagged and communicating with the pfSense directly over the assigned parent interface.

The client made an ARP request which should not have reached the server. But since it was on the same switch on the untagged interface (and on the same collision domain as the client) it was able to respond to it.
(This is also due to the bad thing of mixing multiple subnets on the same wire.)
Now the client added an ARP entry into its table pointing to an IP which is not directly reachable because it is in a different subnet.

I don't remember anymore what exactly went wrong, since the VLAN-capable switch should have made sure that these two devices cannot talk on layer 2 to each other, but the bottom line is:
If the two devices were on separate VLANs it would not have happened.

Another thing is that there seem to be VLAN-capable switches that treat untagged traffic internally as VLAN 1 (default) tagged traffic.
If you don't make sure that VLAN 1 isn't allowed to all other ports (which it usually is) you could break the intent of separating traffic. (At least in one direction.)

edit: this thread also shows problems with mixing tagged and untagged
http://forum.pfsense.org/index.php/topic,17620.msg95010.html#msg95010
also what ktims describes.

@Supermule:

The link doesn't work in IE8... On my 6 machines at the office :)

Works here with FF 3.5.2
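The wire-level version of the check for the failure mode described above, as an added example (mine, not from the thread or from pfSense): a minimal 802.1Q/ARP frame parser plus an audit that walks frames captured on the trunk parent and flags anything untagged, anything on VLAN 1, and anything on a VLAN outside the expected set. The frames are constructed inline to reproduce the case in the post: a tagged ARP request from the client on VLAN 10 is answered by an untagged ARP reply from a server that sits on the bare parent. MAC and IP addresses and VLAN numbers are made up; feeding real frames from a pcap into `audit` is left to the reader.

```python
"""Audit frames seen on a VLAN trunk parent for tagged/untagged mixing.

Added example, not pfSense code. Frames, addresses and VLAN numbers below are
constructed to mirror the ARP leak described in the post.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional, Set

ETH_P_8021Q = 0x8100   # TPID that announces an 802.1Q tag
ETH_P_ARP = 0x0806
ETH_P_IPV4 = 0x0800


def mac(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{x:02x}" for x in raw)


def ipv4(text: str) -> bytes:
    return bytes(int(o) for o in text.split("."))


def build_frame(dst: str, src: str, ethertype: int, payload: bytes, vlan: Optional[int] = None) -> bytes:
    """Ethernet II frame; with vlan set, one 802.1Q tag (PCP/DEI = 0) is inserted."""
    hdr = mac(dst) + mac(src)
    if vlan is not None:
        hdr += struct.pack("!HH", ETH_P_8021Q, vlan & 0x0FFF)
    return hdr + struct.pack("!H", ethertype) + payload


def build_arp(op: int, sha: str, spa: str, tha: str, tpa: str) -> bytes:
    """28-byte ARP body for Ethernet/IPv4; op 1 = request, 2 = reply."""
    return struct.pack("!HHBBH", 1, ETH_P_IPV4, 6, 4, op) + mac(sha) + ipv4(spa) + mac(tha) + ipv4(tpa)


@dataclass
class Frame:
    src: str
    dst: str
    vlan: Optional[int]      # None when the frame carried no 802.1Q tag
    ethertype: int
    payload: bytes


def parse_frame(raw: bytes) -> Frame:
    """Strip the Ethernet header and, if present, a single 802.1Q tag."""
    (ethertype,) = struct.unpack("!H", raw[12:14])
    vlan, off = None, 14
    if ethertype == ETH_P_8021Q:
        tci, ethertype = struct.unpack("!HH", raw[14:18])
        vlan, off = tci & 0x0FFF, 18
    return Frame(mac_str(raw[6:12]), mac_str(raw[0:6]), vlan, ethertype, raw[off:])


def describe(f: Frame) -> str:
    """Short description; ARP is decoded because it is what leaked in the post."""
    if f.ethertype == ETH_P_ARP and len(f.payload) >= 28:
        op = struct.unpack("!H", f.payload[6:8])[0]
        spa = ".".join(str(x) for x in f.payload[14:18])
        tpa = ".".join(str(x) for x in f.payload[24:28])
        return f"ARP {'request' if op == 1 else 'reply'} {spa} -> {tpa}"
    return f"ethertype 0x{f.ethertype:04x}"


def audit(raw_frames: List[bytes], allowed_vlans: Set[int]) -> List[str]:
    """One finding per frame that breaks 'trunk parent carries tagged, expected VLANs only'."""
    findings = []
    for i, raw in enumerate(raw_frames):
        f = parse_frame(raw)
        what = f"{describe(f)} from {f.src}"
        if f.vlan is None:
            findings.append(f"frame {i}: UNTAGGED {what}; something is talking on the bare parent")
        elif f.vlan == 1:
            findings.append(f"frame {i}: VLAN 1 {what}; switches often merge VLAN 1 with untagged traffic")
        elif f.vlan not in allowed_vlans:
            findings.append(f"frame {i}: unexpected VLAN {f.vlan} {what}")
    return findings


# Constructed capture on the parent interface: client 192.168.10.20 on VLAN 10
# ARPs; the server 192.168.20.5, plugged in untagged, answers without a tag.
CLIENT, SERVER, BCAST = "02:00:00:00:00:a1", "02:00:00:00:00:b2", "ff:ff:ff:ff:ff:ff"
SAMPLE_CAPTURE = [
    build_frame(BCAST, CLIENT, ETH_P_ARP, build_arp(1, CLIENT, "192.168.10.20", "00:00:00:00:00:00", "192.168.20.5"), vlan=10),
    build_frame(CLIENT, SERVER, ETH_P_ARP, build_arp(2, SERVER, "192.168.20.5", CLIENT, "192.168.10.20")),
    build_frame(BCAST, SERVER, ETH_P_IPV4, b"\x45" + b"\x00" * 19, vlan=1),
    build_frame(BCAST, CLIENT, ETH_P_ARP, build_arp(1, CLIENT, "192.168.10.20", "00:00:00:00:00:00", "192.168.10.1"), vlan=10),
]
ALLOWED_VLANS = {10, 20, 30, 40, 50}

if __name__ == "__main__":
    for line in audit(SAMPLE_CAPTURE, ALLOWED_VLANS):
        print(line)
```

On a correctly built trunk the audit of a capture on the parent returns nothing: every frame carries a tag, and every tag is one you configured. An untagged finding means a port on the switch is a member of the untagged VLAN that reaches the trunk, which is exactly the mixing the post warns about.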
cheesyboofs (Aug 19, 2009, 11:42 AM; edited Aug 19, 2009, 11:48 AM)

@Supermule:

The link doesn't work in IE8... On my 6 machines at the office :)

@cheesyboofs:

Yes, I can only echo GruensFroeschli's comments. I have this setup and it works very well. The best bit is being able to redesign the network without even unplugging any cables, you just change the VLAN allocation. You can see my implementation in the link of my sig.

Cheers

You have to wait a bit (under IE) as it is a M$ Visio Web doofa (it's a bit fat). Alternate link (quicker):
http://wan2.cheesyboofs.co.uk/home.htm
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.