Using VLANs and VLAN tagging aware switch to add more LAN ports?
-
I believe I am just smart enough to say something completely stupid. Apologies in advance if I'm not even that smart. :)
I'm a home user that recently bought an SG-2200. It has a single LAN port. I host a couple of hobby websites and want to isolate them on a separate LAN. The SG-2200 has a single LAN port. If I were to buy a small VLAN tagging aware managed switch and setup the VLANs in pfSense and add them as interface adaptors, will everything else in pfSense work seamlessly as if I had bought a larger unit with multiple LAN ports? I don't need the horsepower of a larger unit, just one or two more LAN ports for LAN separation.
-
yes, if you manage to get the switch configured correctly
-
Is there some devil in doing so that I am oversimplifying in my head? If I understand it, you setup the VLANs and the tags in pfSesne. On the switch I map the VLAN tags to the ports, and that's pretty much it, right?
-
In fact, yes, but traffic flow depending also on your switch.
I put the trunk port in the OPT of pfsense, and the gateways-routers on the VLANs tagged ports.
I am attaching 2 screens from a pfsense with VLANs.
Best regards
Kostas
-
"On the switch I map the VLAN tags to the ports, and that's pretty much it, right?"
Yup that is pretty much it… But seems users have a devil of a time of it... Check out this thread for example.. Poor guy just doesn't get it ;)
https://forum.pfsense.org/index.php?topic=132002.0Try as we might.. Like trying to teach a goldfish how to ride a bike ;)
-
In fact, yes, but traffic flow depending also on your switch.
I put the trunk port in the OPT of pfsense, and the gateways-routers on the VLANs tagged ports.
I am attaching 2 screens from a pfsense with VLANs.
Best regards
Kostas
Can you explain "trunk port" and "OPT of pfSense" a bit? Thanks!
-
"On the switch I map the VLAN tags to the ports, and that's pretty much it, right?"
Yup that is pretty much it… But seems users have a devil of a time of it... Check out this thread for example.. Poor guy just doesn't get it ;)
https://forum.pfsense.org/index.php?topic=132002.0Try as we might.. Like trying to teach a goldfish how to ride a bike ;)
Thanks for the link. I skimmed it. I already understand the network stuff enough to not be that confused about my objectives. (Hehe.. famous last words.) That link might be enough to help me do what I'm looking for.
Right now I use two physical residential "routers" with two physically separate LANs with one behind the other. I forget the technical name for this arrangement. Dual trusted host or something like that? I'm thinking of switching from a LAN behind a LAN that requires two NAT'ing firewalls, to a single NAT'ing firewall (pfSense) and two truly separate LANs (via a VLAN tagging aware switch).
BTW.. after an initial learning curve I am loving pfSense and very happy that I purchased the Netgate SG-2200.
-
A trunk port is more of a cisco term for a connection that carries tagged vlans is all. You can also setup a native vlan on it that is not tagged.
An opt interface is just another interface you add to pfsense, could be a physical interface or a vlan riding on a physical interface which will be the case in your sg2220 setup since it only has 2, one for wan and other for your lan side.
So you would create your vlan in pfsense, then assign this to an opt interface (which you can then name anything you want). This opt interface will be the actual interface for pfsense where you setup rules, dhcp server, etc.
So you would create vlan interfaces how ever many you need, then create the opt interface and assign your vlan to it. Then setup its IP and enable or not dhcp server on it, etc. See attached interfaces of my pfsense as example. See the wlan interface (opt1) in my case and then all the vlan interfaces that sit on top of the physical interface em2 in my case (opt1) I have just renamed them. See the add button bottom right that will allow you to add opt interfaces.
Any more questions just ask!
-
Ah. That makes perfect sense. You want to keep all VLAN tagged traffic physically separated for security purposes. Thanks!
