Why don't people use the LAN port as the VLAN parent interface?
-
I am wondering why some tutorials, and the official config in the pfSense book, use an interface other than the LAN interface to set up VLANs. Is there a security reason for this?
-
Any interface is fine as the VLAN parent interface, but those examples are probably from use cases where the LAN interface is left as the management interface and the additional interfaces are where the real traffic goes.
-
And what tutorials might these be? It's impossible to say why. It could be like kpa mentioned, or it could be that they just didn't want to mess with their LAN interface while putting together a tutorial, etc., because that was the interface they were using to access pfSense and take the screenshots.
As kpa correctly states, any interface can be the parent for VLANs.
-
Rule of thumb: don't mix tagged VLAN traffic with untagged traffic on the same cable!
Yes, it will work if you mix them.
However, you will produce strange behaviour and near-impossible-to-debug situations. If you have a VLAN-capable switch (why else would you configure VLANs on a port), use one port to connect to the pfSense and tag everything on this port.
Decide on the switch whether you want to tag or untag a specific port.
If throughput is a problem, put in a second cable and split the VLANs over different ports.
-
Regarding your comment "If throughput is a problem, put in a second cable and split the VLANs over different ports": would another option be to create a LAGG with 2 cables from the pfSense box to the switch?
-
"However you will produce strange behaviour and near impossible to debug situations."
What??? That is just plain nonsense. It is quite common and very simple to set a native VLAN that is not tagged on an interface. If you're talking about running multiple VLANs that are untagged on the same wire, then no, that is not a good idea at all; that for sure is borked. But running 1 network/VLAN as untagged and then others that are tagged is very common practice and sure as hell does not cause any strange behavior.
To be honest, running a native untagged VLAN is quite often required to work with devices that do not allow you to tag the management interface. The UniFi APs are like this: you cannot tag the management VLAN. You can for sure put it in your management VLAN, but it's untagged.
Creating a LAG, while it would give you more total bandwidth, does not allow you to know which VLAN would go over which cable.
Again!!! Let me be clear: there is NOTHING WRONG with running an untagged VLAN, i.e. your LAN, and then tagged VLANs on top of that interface. This is very, very, very common practice. But then again, some like to only have tagged traffic. This is easy enough to accomplish as well: just use only VLANs on pfSense on the parent interface and tag the traffic to it. You don't have to tag this traffic as it goes to the end device port.
In a home network there are really very few reasons to create a LAGG; other than the fact that you could, it's not going to buy you much and just complicates the config. There seems to be a common misconception that LAGG = 1 + 1 = 2. This is not really the case: with a LAG you get 1 + 1, but it does not equal 2. Any MAC talking to another MAC on the other side of the LAG will only ever use 1 of the connections, no matter how many sessions it creates. Now device 2 might use the other connection, or it might use the same one as the first.
If you want to be sure you're not hairpinning traffic for inter-VLAN traffic, then use multiple uplinks to different interfaces for those VLANs.
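An added example to illustrate two points from the post above (it is not code from this thread, from pfSense or from any switch vendor): how a trunk port classifies frames, so that one native untagged VLAN plus tagged VLANs is unambiguous while two untagged networks on one wire are not, and why a LAGG never gives a single pair of MACs more than one physical link. The MAC addresses and frames are constructed, and `lag_link` is a simplified XOR-of-MAC-pair hash assumed here for illustration, not any product's actual load-balancing policy.

```python
"""Added example, not from the thread: a minimal 802.1Q frame classifier and a
layer-2 LAG link-selection model. All MACs, frames and the hash policy are
constructed for illustration; the hash is a simplified model of a MAC-XOR
policy, not pfSense's or any switch's implementation."""
import struct

ETHERTYPE_8021Q = 0x8100   # 802.1Q tag protocol identifier
ETHERTYPE_IPV4 = 0x0800

# Constructed, locally administered MAC addresses (not real devices)
PFSENSE_MAC = bytes.fromhex("0200000000aa")
HOST_A_MAC = bytes.fromhex("020000000001")
HOST_B_MAC = bytes.fromhex("020000000002")


def build_frame(dst, src, ethertype, payload, vlan=None, pcp=0):
    """Build an Ethernet II frame; insert an 802.1Q tag when vlan is given."""
    header = dst + src
    if vlan is not None:
        tci = ((pcp & 0x7) << 13) | (vlan & 0x0FFF)   # priority bits + VLAN id
        header += struct.pack("!HHH", ETHERTYPE_8021Q, tci, ethertype)
    else:
        header += struct.pack("!H", ethertype)
    return header + payload


def parse_frame(frame, native_vlan):
    """Classify a frame the way a trunk port with a native VLAN would.

    A tagged frame belongs to the VLAN in its TCI. An untagged frame can only be
    assigned to the port's native VLAN, because nothing on the wire says otherwise;
    that is why two untagged networks on one cable cannot be told apart.
    """
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype == ETHERTYPE_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, inner = struct.unpack("!HH", frame[14:18])
        vlan, tagged, payload = tci & 0x0FFF, True, frame[18:]
    else:
        vlan, tagged, inner, payload = native_vlan, False, ethertype, frame[14:]
    return {"dst": dst.hex(":"), "src": src.hex(":"), "vlan": vlan,
            "tagged": tagged, "ethertype": inner, "payload": payload}


def lag_link(src_mac, dst_mac, n_links):
    """Simplified layer-2 LAG hash (assumption: XOR of the MAC pair, modulo link count).

    Every frame between the same two MACs maps to the same physical link, however
    many TCP/UDP sessions they open; only a different MAC pair can land elsewhere.
    """
    h = 0
    for a, b in zip(src_mac, dst_mac):
        h ^= a ^ b
    return h % n_links


def links_used(src_mac, dst_mac, n_links, sessions):
    """Set of links that a list of (src_port, dst_port) sessions between one MAC pair use."""
    return {lag_link(src_mac, dst_mac, n_links) for _ in sessions}


def main():
    payload = bytes(46)   # constructed zero payload (minimum Ethernet payload size)
    native = 1            # VLAN 1 is the untagged LAN on this trunk
    frames = {
        "lan_untagged": build_frame(PFSENSE_MAC, HOST_A_MAC, ETHERTYPE_IPV4, payload),
        "guest_tag10": build_frame(PFSENSE_MAC, HOST_A_MAC, ETHERTYPE_IPV4, payload, vlan=10, pcp=3),
        "iot_tag20": build_frame(PFSENSE_MAC, HOST_B_MAC, ETHERTYPE_IPV4, payload, vlan=20),
        # The "borked" case: a second network also sent untagged on the same wire
        "other_untagged": build_frame(PFSENSE_MAC, HOST_B_MAC, ETHERTYPE_IPV4, payload),
    }
    for name, frame in frames.items():
        info = parse_frame(frame, native)
        print(f"{name:15s} tagged={info['tagged']!s:5s} vlan={info['vlan']}")
    # Eight sessions from one host to pfSense over a 2-link LAG: all on one link.
    sessions = [(40000 + i, 443) for i in range(8)]
    print("host A -> pfSense links:", links_used(HOST_A_MAC, PFSENSE_MAC, 2, sessions))
    print("host B -> pfSense links:", links_used(HOST_B_MAC, PFSENSE_MAC, 2, sessions))


if __name__ == "__main__":
    main()
```

Running it shows the two untagged frames both reported as VLAN 1 even though they were meant for different networks, which is the situation the post calls borked, while the tagged frames are unambiguous; the LAG section shows host A's eight sessions all on one link and host B on the other, which is the 1 + 1 that does not add up to 2.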
-
"To be honest running a native untagged vlan is quite often required to work with such devices that do not allow you tag the management interface.. The unifi AP are like this you can not tag the management vlan. You can for sure put it in your management vlan - but its untagged.."
I have to use an untagged VLAN as I use a few Ethernet-to-power Devolo 1200 adaptors to provide networking round the house; you can't manage them unless the device you run the management software from is in an untagged VLAN as well as the devices.
Also, as John mentions, most access points need their management interfaces in an untagged VLAN.
-
"Also as John mentions most access-points need their management interfaces in an untagged vlan."
For most situations (such as UniFi) you can have everything tagged on the firewall and just set your ports native on the LAN VLAN and tagged on the Wi-Fi VLANs. The only exception I have seen is some crappy switches that can only be managed from VLAN 1. It is also sometimes needed when you don't have the luxury of re-programming the entire site. That being said, my early Cisco training stressed that it was bad practice to use VLAN 1 as a production VLAN, and I avoid it when possible. Your mileage and OCD may vary.