Netgate Discussion Forum

    Would it be better to use VLan or just another interface? Noob needs Advice.

    General pfSense Questions
    7 Posts 6 Posters 703 Views
    • T
      timmiet
      last edited by

      So.
      I haven't really used VLANs much.

      I want 3 main networks.

      1. General (UnTagged)(192.168.11.x)
      2. Accounting (VLAN or new NIC?  2016 Server Essentials runs from Hyper-V)(192.168.10.x)
      3. Ubiquiti  (VLAN10 on Hyper-V)(192.168.100.x)

      I would like to setup so
      General can access Ubiquiti and net.
      Accounting can access General, and net.
      Ubiquiti (VLAN10) can only access the net.
      This seems ok with my current setup.

      I have a pfSense router with 3 NICs: WAN, LAN and OPT (only 10/100 and not currently used).  The LAN goes to a 24 port managed switch via trunk.  Connected to the switch via another trunk line I have a Hyper-V Core server.  On my Hyper-V server I have 4 untagged servers running and one VLAN10 running for a Linux based Ubiquiti server (for APs).  Also connected to the switch is a very very old SonicWall router (192.168.10.x) for our accounting PCs.  I would like to remove the SonicWall and only have one router.

      As is, I have 2 24 port managed switches and a handful of unmanaged switches.  I have unmanaged switches behind the SonicWall and behind the managed switches.

      I'm thinking it might be better to just use another NIC in the router and also in the Hyper-V server, then I could use all the other existing equipment other than the SonicWall.

      If anyone makes it this far thanks for the help.
      As a side note I tried to set up another VLAN for my Server 2016 on the Hyper-V and when I enabled DHCP on the VLAN it stopped my untagged DHCP server from working.  Is it bad form to have tagged and untagged on the same virtual switch?

      • A
        alanbaker
        last edited by

        I have a similar setup where my VDSL modem is in the house and in the garden man cave the server running Hyper-V has pfSense and several other Windows Server VMs running, with two managed switches in between.

        So

        Modem ==\
                 House Switch ====== Cabin Switch ====== Server (Hyper-V, pfSense, Windows VM guests)
        LAN   ==/        Trunk             Trunk        (to the server NIC)

        Now the trick is to configure the Windows Server host to accept tagged packets.

        This can only be achieved through PowerShell and should be run on the Hyper-V host. To query the NIC run:

        ```powershell
        Get-VMNetworkAdapterVlan
        ```

        Then the command I ran for my network was:

        ```powershell
        Get-VMNetworkAdapter -VMName "PFSense" | Where-Object -Property MacAddress -eq "00155d0061f" | Set-VMNetworkAdapterVlan -Trunk -AllowedVlanIdList "1-10" -NativeVlanId 99
        ```

        Hope this helps.

        Any more help let me know.

        • johnpozJ
          johnpoz LAYER 8 Global Moderator
          last edited by

          " Is it bad form to have tagged and untagged on the same virtual switch?"

          As long as there is never more than 1 untagged VLAN on a port then it's not a problem.  This is just considered a native VLAN on, say, a trunk port that carries tagged.

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.7.2, 24.11

          • T
            timmiet
            last edited by

            "Get-VMNetworkAdapter -VMName "PFSense" | Where-Object -Property MacAddress -eq "00155d0061f" | Set-VMNetworkAdapterVlan -Trunk -AllowedVlanIdList "1-10" -NativeVlanId 99"
            is this different from setting VLAN ID in the Hyper-V VM Network GUI?

            "As long as there is never more than 1 untagged vlan on port then its not a problem.  This is just considered a native vlan on say a trunk port that carries tagged. "
            So many VLANs as well as 1 untagged on 1 port on the switch and 1 port on the Hyper-V server is OK?

            When I tried to set up this way it killed my DHCP server on my untagged network (stopped working).  (Maybe I just need to isolate with firewall rules.)
            Thank you both for the help, and sorry for the late response.

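            The trunk command alanbaker posted above and the follow-up question about how it differs from the VLAN ID box in Hyper-V Manager both come down to the adapter's OperationMode. The script below is an added example, not code from the thread: it selects the pfSense VM's adapter by name, reads the current VLAN setting, switches it to trunk mode with a list of tagged VLANs plus one untagged (native) VLAN, and verifies the result. The VM name "PFSense", the adapter name "LAN", VLANs 10 and 100 as the tagged set and VLAN 1 as the native VLAN are assumptions for the example; substitute your own. It must run in an elevated PowerShell session on the Hyper-V host.

```powershell
# Added example (not from the thread): put a VM's adapter into trunk mode on
# the Hyper-V host and read the setting back. Assumed values below.
$VMName      = 'PFSense'   # assumed VM name
$AdapterName = 'LAN'       # assumed adapter name (the leg towards the trunk port on the switch)
$TaggedVlans = '10,100'    # assumed tagged VLAN IDs carried on the trunk
$NativeVlan  = 1           # assumed single untagged VLAN on the same port

# Select the adapter by VM and adapter name rather than by MAC address, so the
# script does not depend on a specific hardware address.
$adapter = Get-VMNetworkAdapter -VMName $VMName -Name $AdapterName

# Current state: OperationMode is Untagged, Access or Trunk. The Hyper-V Manager
# GUI "Enable virtual LAN identification" checkbox produces Access mode, i.e. a
# single VLAN on the adapter; it cannot express a trunk.
Get-VMNetworkAdapterVlan -VMNetworkAdapter $adapter |
    Select-Object VMName, ParentAdapter, OperationMode, AccessVlanId, NativeVlanId, AllowedVlanIdList

# Trunk mode: tagged frames for VLANs in the allowed list are passed to the VM
# with their tags; untagged frames are treated as belonging to NativeVlanId.
# A port can carry only one untagged VLAN, which is what the native VLAN
# setting expresses.
Set-VMNetworkAdapterVlan -VMNetworkAdapter $adapter -Trunk `
    -AllowedVlanIdList $TaggedVlans -NativeVlanId $NativeVlan

# Verify the change actually took effect before relying on it.
$vlan = Get-VMNetworkAdapterVlan -VMNetworkAdapter $adapter
if ($vlan.OperationMode -ne 'Trunk' -or $vlan.NativeVlanId -ne $NativeVlan) {
    throw "Adapter '$AdapterName' on '$VMName' is not in the expected trunk configuration"
}
$vlan | Format-List OperationMode, AllowedVlanIdList, NativeVlanId

# For comparison, the GUI-equivalent access-mode setting (single VLAN, tags
# stripped before the VM sees the frame) would be:
#   Set-VMNetworkAdapterVlan -VMNetworkAdapter $adapter -Access -VlanId 10
```

            The pfSense side then needs VLAN interfaces created on the parent NIC for each tagged ID (VLAN 10 and 100 here), while the parent interface itself carries the native VLAN; if the parent is left unassigned, untagged traffic is simply not handled by pfSense, which is the "leave the untagged interface unassigned" option Derelict describes later in the thread.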
            • M
              moikerz
              last edited by

              The only real downside is that if you're using traffic graphs, the interface will show the total of untagged+tagged; there is no way to show untagged only. Purely a graphical consequence. Otherwise, everything else works as desired.

              • SammyWooS
                SammyWoo
                last edited by

                Unless you are running an embedded box and it's hard to add another NIC, they are relatively inexpensive, why go into the complication of doing VLAN if you don't have to I say. Plus your 1 gig NIC is gonna share bandwidth between the VLANs.

                • DerelictD
                  Derelict LAYER 8 Netgate
                  last edited by

                  Well, you have no choice but to VLAN from something to get the Wireless AP behavior you desire. But that does not have to be done on pfSense. A switch could do it. pfSense would have two physical interfaces to two untagged ports on the different VLANs in that case. But why not just VLAN it?

                  If you don't want to mix tagged and untagged traffic on a physical interface, don't. Just leave the untagged interface unassigned.

                  Chattanooga, Tennessee, USA
                  A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                  DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                  Do Not Chat For Help! NO_WAN_EGRESS(TM)

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.