VLAN basic
-
Thanks for the tips.
With the managed switch would the pfsense setup be the same as above, and the specific port on the switch the client is connected to be set as vlan 101 ?
-
I would:
untag 100 and tag 101 and get a client connected to the web gui and the switch on VLAN 101.Then I would tag 100 to pfSense, create VLAN 100 on pfSense, and assign LAN to that.
That would leave you with:
LAN assigned to eth0_vlan100
OPT1 assigned to eth0_vlan101
eth0 unassigned to anythingThat way all your traffic to the switch is
untaggedtagged.Keep that realtek software in your pocket because if you ever need to bypass the switch and connect directly you will need to tag vlan 100 or 101 there.
You could just leave eth0_vlan101 assigned to OPT1 and eth0 assigned to LAN.
In that case you would tag VLAN101 to pfSense and set the port's PVID to 100. That's another option.
Then set the other switch ports to untagged/PVID 100 or 101 depending on what network you want them to be on.
-
Probably not a good idea to put both tagged and untagged traffic on the same interface for security purposes.
On what do you base this? The op does not include any security related details or requirements. The environment may not be security sensitive to combining vlans on same physical layer. And even it is what does being untagged have to do with it.
-
"On what do you base this? The op does not include any security related details or requirements. The environment may not be security sensitive to combining vlans on same physical layer. And even it is what does being untagged have to do with it."
I've done this before, and it works - mostly. Keep in mind that the vlan's are layer2 boundaries, so if the "clients" rely on broadcasted traffic (say bootp or dhcp) before the native os is fully initialized and can tag it's own traffic, it can end up on the untagged vlan instead of the tagged vlan.
If it's just a lab, sure - try it out and play with it. It'll make for some interesting packet captures to review, but may give you enough functionality to do your lab testing.
-
"The environment may not be security sensitive to combining vlans on same physical layer. "
Doesn't matter if they security sensitive or not.. Suggesting someone run multiple layer 3 networks on the same layer 2 is just F'ing Borked!!!
A smart switch is $30 these days.. If he wants to play with vlans in his "lab" then get a switch that supports vlans!!
As to running 1 native or untagged vlan and then tagged vlans on an interface, this is not security issue nor a problem.. This is done all the time. Some device require it even if you can not tag the say the management interface. But you do not put multiple untagged vlans together on the same wire.
-
"The environment may not be security sensitive to combining vlans on same physical layer. "
Doesn't matter if they security sensitive or not.. Suggesting someone run multiple layer 3 networks on the same layer 2 is just F'ing Borked!!!
Where did I suggest that?
As to running 1 native or untagged vlan and then tagged vlans on an interface, this is not security issue nor a problem..
Exactly. That is the point of response to the statement that was made indicating that somehow combining untagged and tagged is a security issue.
But you do not put multiple untagged vlans together on the same wire.
Would that even be possible? i.e. Strictly technically speaking once untagged they are no longer different vlans.
-
Oh NOYB It was more geared to "And even it is what does being untagged have to do with it." by va176thunderbolt
I am with you if its tagged traffic then its not actually the same layer 2.. But you would be amazed at how often you see people running multiple layer 3 networks on the same layer 2..
Yes it is possible.. Many of the so called "smart" switches do not stop you from adding untagged vlans to the same port. And you see it all the time just using a dumb switch and putting machines on say 192.168.0/24 and others on 192.168.1 and then thinking they are isolated from each other.
-
That was my point, saying you probably shouldn't do it. Plus it looks like this person is learning, so why not start off with a good foundation before they start dealing with native vlan mismatches. I've also seen in previous versions of pfsense the captive portal doesn't play well with tagged and untagged traffic on the same interface. Not sure if this is still the case today.
-
Thanks again. I am just learning really, at home.
I do have an old asus merlin router which I believe can tag a port so might try that.
It would be client > asus in switch mode vlan tag > dumb switch > pfsense or would the dumb switch bork it?
Also my pfsense runs on vmware workstation and I have a sneaking suspicion that could be interfering?
-
Also my pfsense runs on vmware workstation and I have a sneaking suspicion that could be interfering?
Internet –- pfSense --- Switch --- Merlin router in WALN AP mode
That would be my set up to learn about VLANs and with two SSIDs (WLAN private and guests) you might be needing tagged VLANs and
if you set up only one SSID (private WLAN) you may only need a untagged VLAN. Would be nearly comming to real situations also at home.Forget the dump Switch please, for ~$25 you may get a small Netgear GS105E that will be non configured working or acting as a
dump Switch and it supports VLANs if you configure it over the webgui.
