Netgate Discussion Forum

    VLAN basic

    General pfSense Questions
    13 Posts 7 Posters 1.8k Views
    bilbo

      Thanks for the tips.

      With the managed switch would the pfsense setup be the same as above, and the specific port on the switch the client  is connected to be set as vlan 101 ?

    Derelict LAYER 8 Netgate

        I would:
        untag 100 and tag 101 and get a client connected to the web gui and the switch on VLAN 101.

        Then I would tag 100 to pfSense, create VLAN 100 on pfSense, and assign LAN to that.

        That would leave you with:

        LAN assigned to eth0_vlan100
        OPT1 assigned to eth0_vlan101
        eth0 unassigned to anything

        That way all your traffic to the switch is untagged tagged.

        Keep that realtek software in your pocket because if you ever need to bypass the switch and connect directly you will need to tag vlan 100 or 101 there.

        You could just leave eth0_vlan101 assigned to OPT1 and eth0 assigned to LAN.

        In that case you would tag VLAN101 to pfSense and set the port's PVID to 100. That's another option.

        Then set the other switch ports to untagged/PVID 100 or 101 depending on what network you want them to be on.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        NOYB

          @mikeisfly:

          Probably not a good idea to put both tagged and untagged traffic on the same interface for security purposes.

          On what do you base this? The OP does not include any security-related details or requirements. The environment may not be security sensitive to combining VLANs on the same physical layer. And even if it is, what does being untagged have to do with it?

          va176thunderbolt

            "On what do you base this? The OP does not include any security-related details or requirements. The environment may not be security sensitive to combining VLANs on the same physical layer. And even if it is, what does being untagged have to do with it?"

            I've done this before, and it works - mostly. Keep in mind that the VLANs are layer 2 boundaries, so if the "clients" rely on broadcast traffic (say BOOTP or DHCP) before the native OS is fully initialized and can tag its own traffic, it can end up on the untagged VLAN instead of the tagged VLAN.

            If it's just a lab, sure - try it out and play with it. It'll make for some interesting packet captures to review, but may give you enough functionality to do your lab testing.

            johnpoz LAYER 8 Global Moderator

              "The environment may not be security sensitive to combining VLANs on the same physical layer."

              Doesn't matter if they're security sensitive or not.. Suggesting someone run multiple layer 3 networks on the same layer 2 is just F'ing Borked!!!

              A smart switch is $30 these days.. If he wants to play with VLANs in his "lab" then get a switch that supports VLANs!!

              As to running 1 native or untagged VLAN and then tagged VLANs on an interface, this is not a security issue nor a problem.. This is done all the time. Some devices even require it, if you cannot tag, say, the management interface. But you do not put multiple untagged VLANs together on the same wire.

              An intelligent man is sometimes forced to be drunk to spend time with his fools
              If you get confused: Listen to the Music Play
              Please don't Chat/PM me for help, unless mod related
              SG-4860 24.11 | Lab VMs 2.8, 24.11

              NOYB

                @johnpoz:

                "The environment may not be security sensitive to combining VLANs on the same physical layer."

                Doesn't matter if they're security sensitive or not.. Suggesting someone run multiple layer 3 networks on the same layer 2 is just F'ing Borked!!!

                Where did I suggest that?

                @johnpoz:

                As to running 1 native or untagged VLAN and then tagged VLANs on an interface, this is not a security issue nor a problem..

                Exactly. That is the point of my response to the statement that was made indicating that somehow combining untagged and tagged is a security issue.

                @johnpoz:

                But you do not put multiple untagged VLANs together on the same wire.

                Would that even be possible? i.e. Strictly technically speaking, once untagged they are no longer different VLANs.

                johnpoz LAYER 8 Global Moderator

                  Oh NOYB, it was more geared to "And even if it is, what does being untagged have to do with it?" by va176thunderbolt

                  I am with you, if it's tagged traffic then it's not actually the same layer 2.. But you would be amazed at how often you see people running multiple layer 3 networks on the same layer 2..

                  Yes it is possible.. Many of the so-called "smart" switches do not stop you from adding untagged VLANs to the same port. And you see it all the time just using a dumb switch and putting machines on say 192.168.0/24 and others on 192.168.1 and then thinking they are isolated from each other.

                  An intelligent man is sometimes forced to be drunk to spend time with his fools
                  If you get confused: Listen to the Music Play
                  Please don't Chat/PM me for help, unless mod related
                  SG-4860 24.11 | Lab VMs 2.8, 24.11

                  mikeisfly
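                  The three points argued above (Derelict's PVID 100 / tagged 101 port layout, va176thunderbolt's untagged DHCP landing on the native VLAN before the OS can tag, and johnpoz's "smart switch lets you untag several VLANs on one port") can be checked against a small 802.1Q model. This is an added example, not pfSense or any switch vendor's code; the port names, MAC addresses, frames and the lint rules are constructed for illustration.

```python
import struct
from dataclasses import dataclass

TPID_8021Q = 0x8100  # EtherType announcing an 802.1Q tag
@dataclass(frozen=True)
class SwitchPort:
    """PVID for untagged ingress; VLANs accepted tagged; VLANs sent untagged on egress."""
    name: str
    pvid: int
    tagged: frozenset = frozenset()
    untagged: frozenset = frozenset()

def parse_frame(frame: bytes):
    """Return (vid_or_None, ethertype, payload); vid is None for an untagged frame."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != TPID_8021Q:
        return None, ethertype, frame[14:]
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q header")
    tci, inner = struct.unpack("!HH", frame[14:18])
    return tci & 0x0FFF, inner, frame[18:]

def build_frame(dst, src, ethertype, payload, vid=None):
    """Constructed test frame; vid=None builds it untagged."""
    tag = b"" if vid is None else struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)
    return dst + src + tag + struct.pack("!H", ethertype) + payload

def classify_ingress(port, frame):
    """VLAN the frame joins after entering `port`, or None if ingress-filtered."""
    vid, _, _ = parse_frame(frame)
    if vid is None or vid == 0:  # untagged or priority-tagged: the PVID decides
        return port.pvid
    return vid if vid in port.tagged else None

def lint_port(port):
    """Flag the two port-config pitfalls raised in the thread."""
    problems = []
    if len(port.untagged) > 1:  # several VLANs leave untagged: one broadcast domain on the wire
        problems.append(f"{port.name}: VLANs {sorted(port.untagged)} share the wire untagged")
    if port.pvid not in port.untagged:
        problems.append(f"{port.name}: PVID {port.pvid} is not untagged on egress")
    return problems

# Constructed sample ports and frames (hypothetical port names and MACs, IPv4 payload stub).
CLIENT = SwitchPort("g2", pvid=100, tagged=frozenset({101}), untagged=frozenset({100}))
SLOPPY = SwitchPort("g5", pvid=100, untagged=frozenset({100, 101}))
BCAST, MAC = b"\xff" * 6, bytes.fromhex("001122334455")
DHCP_DISCOVER = build_frame(BCAST, MAC, 0x0800, b"\x45" + b"\x00" * 19)  # NIC not tagging yet
```

The untagged DHCP discover is classified into VLAN 100 even though the client is meant to live on 101, and lint_port(SLOPPY) reports the two-untagged-VLANs port that a dumb or permissive switch will happily accept.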

                    That was my point, saying you probably shouldn't do it. Plus it looks like this person is learning, so why not start off with a good foundation before they start dealing with native VLAN mismatches. I've also seen in previous versions of pfSense the captive portal doesn't play well with tagged and untagged traffic on the same interface. Not sure if this is still the case today.

                    bilbo

                      Thanks again. I am just learning really, at home.

                      I do have an old Asus Merlin router which I believe can tag a port, so I might try that.

                      It would be client > Asus in switch mode with VLAN tag > dumb switch > pfSense, or would the dumb switch bork it?

                      Also my pfSense runs on VMware Workstation and I have a sneaking suspicion that could be interfering?

                      Guest

                        "Also my pfSense runs on VMware Workstation and I have a sneaking suspicion that could be interfering?"

                        Internet --- pfSense --- Switch --- Merlin router in WLAN AP mode
                        That would be my setup to learn about VLANs, and with two SSIDs (WLAN private and guests) you might be needing tagged VLANs, and
                        if you set up only one SSID (private WLAN) you may only need an untagged VLAN. It would come close to real situations at home as well.

                        Forget the dumb switch please; for ~$25 you may get a small Netgear GS105E that will work unconfigured, acting as a
                        dumb switch, and it supports VLANs if you configure it over the web GUI.

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.