Switch-like VLAN capabilities
-
@G.D.:
For a particular physical interface I recommend to go all tagged or all untagged. Otherwise your untagged interface can spy on your tagged packets, which may be a security risk.
That doesn't make sense; any device that's physically connected to a link can see both untagged traffic and tagged traffic for any VLAN going over that link. It is entirely the receiver's choice which of these types of traffic it wants to accept.
-
Not sure why everyone's confused: this is VLAN 101 on any L2 switch. Think VoIP phones with a "LAN" port on them for the computer: the phone is usually tagging VoIP ethernet frames, whilst the computer ("LAN") traffic is untagged, and usually placed on a default local VLAN on the switch.
Same thing with access points: you typically tag management traffic (or it remains untagged; seen both implementations, and some where the management interface is configurable as either) and frames belonging to various SSIDs configured on the AP are tagged differently.
From the GUI of pfSense, it doesn't really indicate whether or not untagged traffic that arrives on the OPT1 interface is discarded or not. I could do some packet captures I guess, but I figured this would be a fairly standard configuration and be well-documented by now.
-
Not sure what exactly you're asking for here… You can obviously create any number of VLANs on OPT1, but without bridging of some sort, incoming untagged traffic is only going to appear on the parent (physical) interface. Maybe bridge the physical interface to the desired VLAN interface?
I think what I need to do is bridge OPT1 to the LAN interface (I really don't care if the AP in question's management traffic and the "staff" SSID traffic are on the same logical network) and then create a VLAN 20, along with VLAN 20 interface, onto the bridge interface; that way the tagged "guest" VLAN 20 traffic should be placed onto the VLAN 20 network where I can enable DHCP, etc.
Not quite sure how that would play out with the GUI though.
Create bridge of OPT1 and LAN.
Create VLAN 20
Go back to interfaces and assign VLAN 20 interface from the drop-down to OPT1? It's the VLAN to interface assignment that seems a little daft within the pfSense GUI.
-
Where is the IP interface that belongs to the untagged traffic? Is it the parent interface where the tagged VLAN wireless traffic is coming from? If it's not, you're going to have a hard time with this.
-
Why would you think you need to bridge anything???
Why do you think you need to see untagged traffic on a tagged interface?
You have your native untagged traffic hitting opt1, you have vlans 10 and 20 connected to opt1 on different network segments and tagged. Not sure why you think you need to take the native traffic and bridge it to a vlan tagged interface? If you're trying to get to a tagged vlan from the untagged network - this would be routed.
-
Why would you think you need to bridge anything???
Why do you think you need to see untagged traffic on a tagged interface?
You have your native untagged traffic hitting opt1, you have vlans 10 and 20 connected to opt1 on different network segments and tagged. Not sure why you think you need to take the native traffic and bridge it to a vlan tagged interface? If you're trying to get to a tagged vlan from the untagged network - this would be routed.
Are you familiar with how a typical access point or a VoIP phone is configured with a managed switch?
In Cisco parlance, you setup a trunk port and assign a default port VLAN ID (native VLAN ID) to the trunk port, and all untagged traffic gets assigned to that native VLAN; tagged traffic gets assigned to the VLAN that corresponds with the tag. This is pretty much the same (although sometimes different terms/labels are used) on any managed switch.
At a high level, this is what I'm trying to do on the pfSense: have a physical port function like a trunk port as described above and avoid buying a managed switch.
[AP] ===== untagged/tagged VLAN 20 frames ==== [ vr2 "OPT1"| ALIX ]
I want to place untagged traffic arriving from the access point in the same layer 2 network as the LAN interface (vr0); I was only going with a bridge as that was suggested above and I thought if I bridged the two interfaces (OPT1 and LAN), that would be a workaround for not being able to assign untagged traffic to a default VLAN, that the pfSense would see the untagged traffic and still forward it to the LAN interface as part of the bridge.
The tagged traffic arriving from the access point is not difficult to setup: create a VLAN 20 on parent interface OPT1 (vr2), configure it as a static interface as usual, enable DHCP, DNS on this interface, and the guest network works as expected because all the wireless clients associated with SSID "Guest" are tagged on egress as VLAN 20 when they leave the AP's physical interface.
It's getting the untagged traffic arriving on vr2 to be on the same broadcast domain as the LAN interface that's not clear to me as being possible.
For starters, I don't see how you can assign a "default VLAN" (if pfSense even recognizes that) and associate an interface (LAN) with that. I could create a VLAN 1, 2, whatever, add vr0/LAN as the parent, but that seems to do nothing to help with frames arriving untagged on OPT1/vr2.
That's where I was going with the bridge, to mimic that managed switch trunk port behaviour, because the layer 2 bridge should forward all the frames between the two segments regardless, so unless the pfSense is discarding those untagged frames that are ingress on OPT1/vr2, we should be in business.*
If there's another way to do this, I'm all ears (and why I'm on here in the first place).
* Caveat being that the bridge would forward everything, so VLAN 20 tagged frames would also be seen by the LAN interface/segment, which would mean that the guest traffic is indeed being seen on the LAN. I don't know if the LAN interface, if not configured with a VLAN, discards all tagged frames by default or not. If so, that would eliminate the issue.
-
I know exactly how a vlan and native vlan works - which is why I am asking you why you think you need this. Since it is not needed.. The vlans of the SSIDs will be tagged, the native or management vlan that the AP management IP is on would not be tagged, i.e. native.
And you don't have to assign a native vlan.. You assign a network to the OPT1 interface as I stated before, 192.168.0/24 as an example.. You then create a vlan interface on OPT1 with 192.168.1/24 TAGGED as 10, and another vlan interface of 192.168.2/0 again TAGGED at say 20. Both using opt1 as their physical interface.
OPT1 will see any traffic that the port it is connected to presents as untagged.. pfsense is not going to care if the vlan is 1, 100 or 30, etc. It is untagged traffic - if it's to its MAC and on the network it's on, it will see it. Trunk your port and use whatever native vlan you want; that is the network that opt1 is on.
Your untagged traffic is seen by the OPT1 interface, the tagged traffic will be seen by the vlan 10 and vlan 20 interfaces - what do you not get here?
-
I know exactly how a vlan and native vlan works - which is why I am asking you why you think you need this. Since it is not needed.. The vlans of the SSIDs will be tagged, the native or management vlan that the AP management IP is on would not be tagged, i.e. native.
And you don't have to assign a native vlan.. You assign a network to the OPT1 interface as I stated before, 192.168.0/24 as an example.. You then create a vlan interface on OPT1 with 192.168.1/24 TAGGED as 10, and another vlan interface of 192.168.2/0 again TAGGED at say 20. Both using opt1 as their physical interface.
OPT1 will see any traffic that the port it is connected to presents as untagged.. pfsense is not going to care if the vlan is 1, 100 or 30, etc. It is untagged traffic - if it's to its MAC and on the network it's on, it will see it. Trunk your port and use whatever native vlan you want; that is the network that opt1 is on.
Your untagged traffic is seen by the OPT1 interface, the tagged traffic will be seen by the vlan 10 and vlan 20 interfaces - what do you not get here?
It's not clear that this is how the behaviour of pfSense would operate when reading through the documentation nor is there any indication of that in the GUI itself. This is why I'm on here and asking, so while I appreciate the response, the tone and aggression is really not called for.
Having said that, you're clearly not following what I'm asking: I don't want to create a new logical/L3 network for OPT1: I want OPT1 to be bridged to the LAN interface and thus on the same L2 broadcast domain as the LAN interface; I don't want to have three logical networks (LAN, OPT1, and GUEST), but two (LAN and GUEST).
I really don't know how much clearer I can get here.
Perhaps taking the opportunity to actually read through the request before responding with a hostile tone and we'd be that much farther ahead.
-
Perhaps taking the opportunity to actually read through the request before responding with a hostile tone and we'd be that much farther ahead.
That works both ways; your initial description wasn't exactly crystal clear.
In any case, the way VLANs work in FreeBSD (and hence, pfSense) is that you have a parent virtual interface that will receive all untagged traffic (and only that), and then a separate child interface for each VLAN.
In your scenario, you'd have vr2 as the physical parent interface; this will be your OPT1. This parent interface sends/receives untagged traffic only. You'd then create a child VLAN interface on vr2 (via interfaces -> assign -> vlan) for VLAN 20; this will create a new vr2_vlan20 network device that sends/receives only traffic with that particular tag. You will then have to create an OPT2 interface for this network device via interfaces -> assign -> interface assignments (the newly created VLAN interface should show up in the drop-down list) and set up DHCP, etc. as you want.
If you want your LAN and OPT1 ports (i.e., untagged traffic on vr2) to be on the same L2 domain, you'll have to bridge them (interfaces -> assign -> bridge); in theory, you should be able to either create vr2_vlan20 and then bridge vr0 and vr2, or to create the bridge first and then create the VLAN with the bridge device as the parent; I'm not sure if the pfSense GUI will actually let you do the latter, but the former should work for your particular use case.
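To make the delivery rules in this reply (and the bridge caveat from reply #9) concrete, here is an added example that is not from the thread and not pfSense or FreeBSD code: a small Python model of one physical port with its 802.1Q child interfaces, plus a learning bridge between two ports. The frames, MAC addresses, interface names (vr0, vr2, vr2_vlan20) and the simplifying assumption that a tagged frame with no matching child interface is simply not delivered to any local interface are all constructed for the example.

```python
import struct

ETHERTYPE_VLAN = 0x8100  # 802.1Q TPID
ETHERTYPE_IPV4 = 0x0800


def build_frame(dst, src, payload, vid=None):
    """Construct an Ethernet frame; add an 802.1Q tag when vid is given (PCP/DEI left at 0)."""
    header = dst + src
    if vid is not None:
        header += struct.pack("!HH", ETHERTYPE_VLAN, vid & 0x0FFF)
    header += struct.pack("!H", ETHERTYPE_IPV4)
    return header + payload


def parse_frame(frame):
    """Return dst, src, VLAN id (None when untagged), inner ethertype and payload."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vid, offset = None, 14
    if ethertype == ETHERTYPE_VLAN:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q header")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vid, offset = tci & 0x0FFF, 18  # low 12 bits of the TCI carry the VID
    return {"dst": dst, "src": src, "vid": vid, "ethertype": ethertype, "payload": frame[offset:]}


class Port:
    """One physical interface (e.g. vr2 = OPT1) and the VLAN child interfaces created on it."""

    def __init__(self, name):
        self.name = name
        self.vlans = {}  # vid -> child interface name

    def add_vlan(self, vid):
        child = f"{self.name}_vlan{vid}"
        self.vlans[vid] = child
        return child

    def demux(self, frame):
        """Untagged -> parent; tagged -> matching child; otherwise None (assumed: not delivered)."""
        vid = parse_frame(frame)["vid"]
        if vid is None:
            return self.name
        return self.vlans.get(vid)


class Bridge:
    """Learning bridge over physical members; forwards frames regardless of tag (the caveat)."""

    def __init__(self, *members):
        self.members = {p.name: p for p in members}
        self.fdb = {}  # source MAC -> member port it was learned on

    def forward(self, ingress, frame):
        """Return {egress port: interface the frame would reach on that port's side}."""
        f = parse_frame(frame)
        self.fdb[f["src"]] = ingress
        known = self.fdb.get(f["dst"])
        if known is None or known == ingress:
            targets = [n for n in self.members if n != ingress]  # unknown/broadcast: flood
        else:
            targets = [known]
        return {n: self.members[n].demux(frame) for n in targets}


def scenario():
    """The thread's setup: AP on vr2 (OPT1), LAN on vr0, VLAN 20 child on vr2, vr0/vr2 bridged."""
    vr0, vr2 = Port("vr0"), Port("vr2")
    vr2.add_vlan(20)
    br = Bridge(vr0, vr2)
    ap, laptop, lanhost = (bytes.fromhex(h) for h in ("020000000001", "020000000002", "020000000003"))
    bcast = b"\xff" * 6
    untagged = build_frame(bcast, ap, b"mgmt")            # AP management traffic, native
    guest = build_frame(bcast, laptop, b"guest", vid=20)  # guest SSID, tagged 20 by the AP
    stray = build_frame(bcast, laptop, b"x", vid=30)      # tag with no child interface
    return {
        "untagged_local": vr2.demux(untagged),   # 'vr2': parent gets untagged only
        "guest_local": vr2.demux(guest),         # 'vr2_vlan20': child gets only its tag
        "vlan30_local": vr2.demux(stray),        # None: no interface for VID 30
        "untagged_bridged": br.forward("vr2", untagged),  # {'vr0': 'vr0'}: same L2 as LAN
        "guest_bridged": br.forward("vr2", guest),        # {'vr0': None}: forwarded on the wire, no vr0 child
        "reply_to_ap": br.forward("vr0", build_frame(ap, lanhost, b"reply")),  # learned: only vr2
    }


if __name__ == "__main__":
    for k, v in scenario().items():
        print(f"{k}: {v}")
```

The model shows the two points of this reply side by side: the parent interface only ever hands untagged frames to its own stack, while the bridge forwards the guest VLAN 20 frames onto the LAN segment too, where any host with a VLAN 20 sub-interface of its own could receive them. Whether the LAN interface itself ignores them depends on there being no VLAN 20 child on vr0, which is the assumption the model encodes rather than something the thread confirms.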
-
" want OPT1 to be bridged to the LAN interface and thus on the same L2 broadcast domain as the LAN interface"
Read your other posts dude - nowhere did you state that.. Until now.
Sure you can bridge lan to opt1 - but again why? pfsense interfaces are not a switch. If you want to be on the same L2 as lan, then do that on your switch and connect your vlans to the lan physical interface.
Are you plugging in your AP directly in to opt1, you don't have a switch you can connect it to that lan is already connected to? It would make more sense to get another switch if you are out of ports vs trying to use pfsense interfaces as switch ports via a bridge.
As to "the tone and aggression is really not called for. "
All I can say is WHAT?? Sorry, you're reading tone into simple facts and questions.. That is on you, not me - nowhere in my posts was I hostile or aggressive..
-
" want OPT1 to be bridged to the LAN interface and thus on the same L2 broadcast domain as the LAN interface"
Read your other posts dude - nowhere did you state that.. Until now.
Sure you can bridge lan to opt1 - but again why? pfsense interfaces are not a switch. If you want to be on the same L2 as lan, then do that on your switch and connect your vlans to the lan physical interface.
Absolutely said it, several times, in reply #9 above.
And again… in several posts above, I stated I wanted to avoid buying a managed switch; this was the whole point of this post. If you're not going to actually read the posts, but cherry-pick to rant-reply, why bother?
-
Perhaps taking the opportunity to actually read through the request before responding with a hostile tone and we'd be that much farther ahead.
That works both ways; your initial description wasn't exactly crystal clear.
In any case, the way VLANs work in FreeBSD (and hence, pfSense) is that you have a parent virtual interface that will receive all untagged traffic (and only that), and then a separate child interface for each VLAN.
In your scenario, you'd have vr2 as the physical parent interface; this will be your OPT1. This parent interface sends/receives untagged traffic only. You'd then create a child VLAN interface on vr2 (via interfaces -> assign -> vlan) for VLAN 20; this will create a new vr2_vlan20 network device that sends/receives only traffic with that particular tag. You will then have to create an OPT2 interface for this network device via interfaces -> assign -> interface assignments (the newly created VLAN interface should show up in the drop-down list) and set up DHCP, etc. as you want.
If you want your LAN and OPT1 ports (i.e., untagged traffic on vr2) to be on the same L2 domain, you'll have to bridge them (interfaces -> assign -> bridge); in theory, you should be able to either create vr2_vlan20 and then bridge vr0 and vr2, or to create the bridge first and then create the VLAN with the bridge device as the parent; I'm not sure if the pfSense GUI will actually let you do the latter, but the former should work for your particular use case.
Yes, I realized that I wasn't clear, which is why I clarified that in reply #9.
I believe I'll need to do the latter, and thank you for replying (and actually reading the post!).