VLAN + Firewall-Rules vs Firewall-Rules only
-
"I tagged vlans 72 and 73 on port 4 because these are ssids on the AP."
What is on port 4?? An AP??? You say 1 device - and your AP are being listed as being on port 7… So why do you have all those untagged ports?? How come you list so many Port 7 columns?
-
-
Sorry, but I do not get it.
I do not know how to do all of this … that is why I am asking you ... If you just ask me, why I tagged or untagged some ports and why I have so many Port 7 colums and so on .. it do not help me understanding vlan tagging and/or how to configure my netgear switch. I explained what I want to do. So thats why I have so many vlans on Port 7 ... its because there are different ssids with devices whcih should not communicate to each other.I described what I want to do in one of my posts and I ask you for a short explanation of this very easy example in a later post, to get the logic.
But now you tell me, that I do the segmentation on layer 3 with firewall rules ... I do not understand you, since I ask exectly this and you said:A firewall, in most cases, regulates traffic at layer 3.
If all your hosts are on the same layer 2 network they can communicate directly without any regulation or interference by the firewall.So …. and why I have so many tagged vlans/ports is a result of this:
You would never in any sort of normal setup have more than 1 untagged vlan on any switch port.
Since now I know, that Unifi AP needs an UNTAGGED management vlan … I can change this ...
But I think this wont help me .. and is just time consuming without great benefits to all of us ...I try to get help elsewhere.
Thanks a lot for your time, support and trying to help me with my network segmentation.
-
Please close .. unresolved
-
Scale your project down on the bench.
One controller, one AP, and one or two tagged vlans for SSIDs.
Figure that out first then add more. I think you started a bit too ambitiously.
-
This makes ZERO sense in your spreadsheet
What exactly is connected to port 4,5 and 6? You list 1 device.. Why would you have tagged an untagged vlans to 1 device. 1 Device would be in only 1 vlan.. Unless this is another switch or some vm host? Something that would identify the tags.. Guess it could be a PC, with vlan tagging on its nic - but why would you be putting a pc in more than 1 network at the same time?
Why do you have so many port 7 listed? There is only 1 port 7 on your switch.. If so which one of those is correct for the tag and untagged vlans?
-
Ok … perhaps it would help to focus on a little example....
I have 6 devices:
- PC 1
- PC 2
- Printer
- Server
- Switch (managed)
- Router (is able to handle vlans)
Purpose is, that only these devices can communicate with each other, where it is necessary.
PC 1 need to communicate with:
- Printer
- Server
- Switch
- Router
PC 2 need to communicate with:
- Printer
- Server
- Switch
- Router
The printer need to communicate with:
- PC 1
- PC 2
- Switch
- Router
The Server need to communicate with:
- PC 1
- PC 2
How would you do this tagging and untagging of vlans here?
I could imagine, that there is the need, that one device is part of more than one vlan. -
Edge devices (PCs, servers, printers) are generally not members of more than one VLAN.
You really have two choices:
Put the PCs on different firewall segments (VLANs) with probably a different segment for the printer and server. Use firewall rules to determine what can talk with what.
Use your switch. Put the PCs on protected ports and put the firewall/printer/server on unprotected ports on that VLAN.
-
"I could imagine, that there is the need, that one device is part of more than one vlan."
I think this is what is confusing you..
Lets do it this way
PC - vlan 100, 192.168.1.0/24
Printer vlan 200 192.168.2.0/24
Server vlan 300 192.168.3.0/24So these ports would be UNtagged in those vlans on your switch for the ports connected to those devices.
Now the port connected to pfsense could either have 1 of those vlans untagged and to the naked interface. Or you could tag all 3 and run vlans on top of your naked interface. I do believe Derelict is the fan of tagging in such a case where your naked interface would not have any network on it. Your 3 vlans would just sit on the naked interface. Lets call it em2 on pfsense..
So you would create 3 vlans that sit on pfsense em2, vlan 100, 200 and 300.
vlan 100 - 192.168.1.254
vlan 200 - 192.168.2.254
vlan 300 - 192.168.3.254Now your port on your switch that connects to em2 would be tagged 100,200,300
If PC wants to talk to printer, he sends traffic to pfsense IP on vlan 100 (his gateway 192.168.1.254) Pfsense would route that traffic if allowed by firewall rules out vlan 200 interface to the printer. Printer would send his answer back to pfsense vlan 200 IP 192.168.2.254
Does that make more sense for your simple example? Or you could do it this way
pfsense em2 naked with 192.168.1.0/24 on it (vlan 100) in our example
vlan 200 and 300 would be vlans that sit on em2Now your port connected to pfsense would have vlan 100 untagged (same as your PC) and vlans 200,300 would be tagged.
I think your confusing that devices need to be in same vlan to talk to each other.. No that is what the router/firewall does it routes the traffic between your vlans. If your just going to put all the devices in the same vlans.. Might as well just be 1 vlan then..
-
Hi johnpoz,
Thank you very much for these explanaitions. I will try this.
Thanks to Derelict as well.
