Netgate Discussion Forum
    Do I really need a LAN interface or can I use all VLANS

    General pfSense Questions
    11 Posts 5 Posters 1.9k Views
    Derelict (LAYER 8, Netgate):

      No. You can leave, say, igb0 unassigned and just reassign LAN to VLAN X on igb0. All of its configuration (rules, DHCP, etc) will move with it but it will be tagged to/from the switch after you make the change.

      Chattanooga, Tennessee, USA
      A comprehensive network diagram is worth 10,000 words and 15 conference calls.
      DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
      Do Not Chat For Help! NO_WAN_EGRESS(TM)

      Guest:

        Currently WAN, LAN, MGT + 4 OPTs & 2nd WAN
        I am converting the overgrown network into a number of VLANs

        Why not use load balancing and PBR (policy-based routing) together with some failover rules in this multi-WAN setup?
        WAN + 2nd WAN: are we talking about three WAN interfaces now? (Sorry, this was not clear to me from your opening post.)
        Setting everything up in VLANs will be a fine thing, but putting everything that is often connected to the Internet, such as servers (web, FTP, mail)
        or some snitching IoT devices, inside a DMZ would also be nice.

        Currently I have the usual WAN on interface 1, the LAN on interface 2, I want a Management (V)LAN on MGT and have a 2nd WAN Interface.

        If this is a Supermicro board, the IPMI port often also acts as the (or a) fallback WAN port, and this might cause trouble in
        some situations; I would suggest disabling that function in the BIOS.

        My aim is to move everything from the overgrown LAN interface into specific VLANs with a DMZ on 1, then various others divided between them.

        If you have a small pfSense appliance and a really strong and powerful Layer 3 switch, you might think about letting the switch
        route the entire VLAN traffic at wire speed. That would free up horsepower on the pfSense box, and you would perhaps
        be able to install other packages and turn on additional services if wanted.

        I also want the pfSense box to only be accessible from 192.168.200.8, for example, with its IPMI and other IPMI interfaces using the 192.168.200.0/23 VLAN subnet tagged as 200.

        Set the IPMI port to be used only as the IPMI port and not as the fallback WAN port, please, and then connect or integrate this IPMI port
        only into VLAN 1, which is often the default VLAN that all devices are members of; easy to administer for you.

        I want the DMZ VLAN accessible only from the 2nd WAN and certain other VLANs but only to not from.
        I want a Guest VLAN that will accept WiFi (specific SSID) or Wired that can access the system VLAN to use printers (thought of having a VLAN just for those and a file server)
        I want VLANs for the system devices such as the servers, printers, switches, etc.
        I want a VLAN for the security system, cameras and other sensors.
        I want a VLAN for the development labs.
        I want a VLAN for Media which will have WAN 2 as its WAN, everything else will use WAN 1

        Placing all servers inside a real DMZ would be the best way in my eyes (only my opinion); these are
        all devices that connect permanently or periodically to the Internet over opened and forwarded ports.
        So one interface should then be for the DMZ with, let us say, the 172.xxx IP range.

        And all other devices could be put inside the LAN, grouped into their own VLANs:
        VLAN1 - management - 192.168.3.0/24 (255.255.255.0)
        IPMI port
        VLAN10 - home lab    - 192.168.4.0/24 (255.255.255.0)
        As it is
        VLAN20 - computers    - 192.168.5.0/24 (255.255.255.0)
        Secured via OpenLDAP
        VLAN30 - wireless devices (private) - 192.168.6.0/24 (255.255.255.0)
        Secured via the FreeRADIUS server with certificates
        VLAN40 - wireless devices (guests)  - 192.168.7.0/24 (255.255.255.0)
        Secured via the Captive Portal with voucher system and client isolation activated
        VLAN50 - printers - 192.168.8.0/24 (255.255.255.0)
        As they are
        VLAN60 - servers  - 192.168.9.0/24 (255.255.255.0)
        As they are
        VLAN70 - multimedia (IoT) - 192.168.10.0/24 (255.255.255.0)
        As they are

        I am slowly getting there, I will use a NetGear M4100-26G or a NetGear XS752TS as the managed switch fed by the pfSense box.

        Please take the time to compare prices for switches! A Netgear M4100-26G can be had here for ~550 Euros,
        and a Cisco SG350-26 or a Cisco SG500-28 too. So you might think of going with those Layer 3 switches,
        SG350 or SG500, rather than a Layer 2 switch for the same money.

        britesc:

          Hi,
          Really great, thanks.
          Very nice.
          Brilliant response, thanks. No, only 2 WANs; you read "2nd WAN" as "2 WAN".
          I will try and digest this today; if I have any problems, I hope I can bounce back to you?
          I already have the switches, etc.
          Many thanks.

          jB
          (Haven't used my German for a few years now!!!!)

          tsmalmbe:

            @Derelict:

            No. You can leave, say, igb0 unassigned and just reassign LAN to VLAN X on igb0. All of its configuration (rules, DHCP, etc) will move with it but it will be tagged to/from the switch after you make the change.

            Could you explain step-by-step how to do this reassigning?

            Security Consultant at Mint Security Ltd - www.mintsecurity.fi

            britesc:

              Could you explain step-by-step how to do this reassigning?

              +1 please.

              Derelict (LAYER 8, Netgate):

                Make the VLAN; under Interfaces > Assign, change LAN to be assigned to "VLAN X on ethX"; then change the switch port from untagged to tagged for VLAN X.

                Do all this logged into the firewall from another interface else you will lock yourself out. Another tagged VLAN on the same physical interface should be OK.

                tsmalmbe:

                  Is there a way to do this from the CLI? Or would the easiest way be to simply use a 3G/4G connection and OpenVPN to make this change? That would qualify as another interface, correct?

                  Derelict (LAYER 8, Netgate):

                    Just any other interface. Anything except the LAN you are messing with layer 2 on.

                    Yes, you might be able to do it from the CLI but those scripts are really geared to configuring from nothing, not making small changes to an existing config.

                    If you have access to the switch from the inside, set pfSense to tagged and apply, then connect to the switch and set the port to tagged; you should be fine.

                    Not rocket science here.

                      bingo600:
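                    As an added example (not code from this thread and not pfSense's own tooling): the reassignment described above, done offline on a copy of config.xml so you can see why the rules and DHCP scope "move with" the interface. In pfSense's config, firewall rules and the DHCP scope are keyed on the logical name ("lan"), while only `<interfaces><lan><if>` names the port; swapping that from the physical NIC to the VLAN interface is the whole change. The sample config, the `igb0`/VLAN 10 names and the `<vlanif>` element layout are assumptions constructed for illustration; the script also refuses to run if the interface you say you are connected through is the one being changed, which is the lockout Derelict warns about. The switch port still has to be changed to tagged separately.

```python
"""Move pfSense's LAN from an untagged NIC to a tagged VLAN in an offline copy of config.xml.

Added example, not code from the forum thread or from pfSense itself. It assumes the
config.xml element names shown below (<vlans>, <interfaces><lan><if>, <filter><rule>
<interface>, <dhcpd><lan>); SAMPLE_CONFIG is a constructed sample, not a real export.
"""
import xml.etree.ElementTree as ET

# Constructed sample: LAN untagged on igb0, MGT already tagged on igb0.200,
# one firewall rule and one DHCP scope both bound to the logical name "lan".
SAMPLE_CONFIG = """<?xml version="1.0"?>
<pfsense>
  <interfaces>
    <wan><if>igb1</if><ipaddr>dhcp</ipaddr></wan>
    <lan><if>igb0</if><ipaddr>192.168.1.1</ipaddr><subnet>24</subnet></lan>
    <opt1><if>igb0.200</if><descr>MGT</descr><ipaddr>192.168.200.1</ipaddr><subnet>23</subnet></opt1>
  </interfaces>
  <vlans>
    <vlan><if>igb0</if><tag>200</tag><descr>MGT</descr><vlanif>igb0.200</vlanif></vlan>
  </vlans>
  <filter>
    <rule><interface>lan</interface><type>pass</type><descr>Default allow LAN to any</descr></rule>
  </filter>
  <dhcpd>
    <lan><enable/><range><from>192.168.1.100</from><to>192.168.1.199</to></range></lan>
  </dhcpd>
</pfsense>
"""


class LockoutRisk(Exception):
    """Raised when the change would cut the admin session that is making it."""


def reassign_to_vlan(xml_text, logical_if, parent_nic, tag, admin_if):
    """Bind logical interface `logical_if` (e.g. "lan") to VLAN `tag` on `parent_nic`.

    `admin_if` is the logical interface the operator is currently connected through.
    Returns the modified config as an XML string; rules and DHCP are left untouched
    because they reference the logical name, not the port.
    """
    if admin_if == logical_if:
        raise LockoutRisk(f"connected via {logical_if}; make this change from another interface")
    root = ET.fromstring(xml_text)
    iface = root.find(f"interfaces/{logical_if}")
    if iface is None:
        raise ValueError(f"no such interface: {logical_if}")
    if_el = iface.find("if")
    if if_el is None or if_el.text != parent_nic:
        raise ValueError(f"{logical_if} is not currently on {parent_nic}")

    vlanif = f"{parent_nic}.{tag}"  # pfSense names VLAN interfaces parent.tag (assumption)
    vlans = root.find("vlans")
    if vlans is None:
        vlans = ET.SubElement(root, "vlans")
    already = [v for v in vlans.findall("vlan")
               if v.findtext("if") == parent_nic and v.findtext("tag") == str(tag)]
    if not already:  # step 1: create the VLAN
        v = ET.SubElement(vlans, "vlan")
        ET.SubElement(v, "if").text = parent_nic
        ET.SubElement(v, "tag").text = str(tag)
        ET.SubElement(v, "descr").text = logical_if.upper()
        ET.SubElement(v, "vlanif").text = vlanif
    if_el.text = vlanif  # step 2: Interfaces > Assign, LAN -> "VLAN <tag> on <parent_nic>"
    return ET.tostring(root, encoding="unicode")


def assigned_ports(xml_text):
    """Map each logical interface name to the port it is bound to."""
    root = ET.fromstring(xml_text)
    return {child.tag: child.findtext("if") for child in root.find("interfaces")}


def rules_for(xml_text, logical_if):
    """Descriptions of firewall rules attached to a logical interface."""
    root = ET.fromstring(xml_text)
    return [r.findtext("descr") for r in root.findall("filter/rule")
            if r.findtext("interface") == logical_if]


def dhcp_range(xml_text, logical_if):
    """(from, to) of the DHCP scope on a logical interface, or None."""
    root = ET.fromstring(xml_text)
    scope = root.find(f"dhcpd/{logical_if}/range")
    return (scope.findtext("from"), scope.findtext("to")) if scope is not None else None


if __name__ == "__main__":
    # Operator is logged in over MGT (opt1), the "other interface" the thread recommends.
    new_cfg = reassign_to_vlan(SAMPLE_CONFIG, "lan", "igb0", 10, admin_if="opt1")
    print(assigned_ports(new_cfg))     # lan -> igb0.10; bare igb0 is no longer assigned
    print(rules_for(new_cfg, "lan"))   # the LAN rule is still there, unchanged
    print(dhcp_range(new_cfg, "lan"))  # the DHCP scope is still there, unchanged
```

                    Run it against a downloaded backup rather than the live /conf/config.xml; the supported way to apply the result is Diagnostics > Backup & Restore, and the untouched `<filter>` and `<dhcpd>` sections are the concrete reason the rules and DHCP follow the interface. Step 3 from the thread, setting the switch port to tagged for VLAN 10, is not something this script can do for you.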

                      @BlueKobold:

                      If you have a small pfSense appliance and a really strong and powerful Layer3 switch, you may be think about to let the switch
                      route the entire VLAN traffic with wire speed. With that you may free horse power at the entire pfSense box and you will perhaps
                      be able to install other packets and turning on additional services if wanted.

                      Wouldn't multi-VLAN L3 routing enable packets to switch from one VLAN to another within the same L3 switch, defeating the purpose of the firewall?

                      /Bingo

                      If you find my answer useful - Please give the post a 👍 - "thumbs up"

                      pfSense+ 23.05.1 (ZFS)

                      QOTOM-Q355G4 Quad Lan.
                      CPU  : Core i5 5250U, Ram : 8GB Kingston DDR3LV 1600
                      LAN  : 4 x Intel 211, Disk  : 240G SAMSUNG MZ7L3240HCHQ SSD

                        Derelict (LAYER 8, Netgate):

                        Yes. You can do both, however: some routes across a transit network tagged to the L3 switch, and a VLAN tagged to the same switch but with no L3 there.

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.