Netgate Discussion Forum
    Trunking VLANs on interfaces

    General pfSense Questions
    48 Posts 6 Posters 8.6k Views

    • Hugovsky

      I must say that I usually don't feed the trolls but… If you know what and how to do it, why the hell are you asking for help?

      • Derelict (LAYER 8, Netgate)

        But my God, trunking multiple vlans on a single interface from a router to switch is verboten to Hero Members, we dare not talk about that…

        Nope. We all do exactly that. All over the place. Everywhere. Every day. No days off.

        If that is what you are trying to do, your descriptions do not match the project requirements.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        • johnpoz (LAYER 8, Global Moderator)

          Yes, tagging your VLANs to isolate them when they have to run over the same wire is exactly the correct way to do it… The whole point of 802.1Q or any of the other older protocols: VTP, ISL, DTP... MVRP, GVRP etc. etc.. etc..

          There are whole standards and protocols on how to keep your layer 2 isolated from other layer 2 when they run over the same wire..

          Thought you said you'd been doing this for 40 years?

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.8, 24.11

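As an added example (not code from the thread, from johnpoz, or from pfSense), this shows what the 802.1Q tag referred to above actually looks like on the wire and how a trunk port uses it to keep several layer-2 domains apart on a single cable. Every MAC address, payload and the host set in `demo()` is constructed for the demonstration; `is_double_tagged()` is an extra check beyond what the post discusses.

```python
"""Added example, not code from the thread: build and parse 802.1Q-tagged
Ethernet frames and demultiplex a trunk into per-VLAN broadcast domains.
All MAC addresses and payloads below are constructed for the demo."""
import struct
from collections import defaultdict

TPID_8021Q = 0x8100      # EtherType value that announces an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800


def mac(text: str) -> bytes:
    """'00:e0:67:05:ab:09' -> 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))


def untagged_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Plain Ethernet II frame: dst, src, EtherType, payload (no FCS)."""
    return dst + src + struct.pack("!H", ethertype) + payload


def tag_frame(dst: bytes, src: bytes, vid: int, ethertype: int, payload: bytes,
              pcp: int = 0, dei: int = 0) -> bytes:
    """Insert one 802.1Q tag (TPID + TCI) between the source MAC and the EtherType.
    TCI layout: 3 bits PCP, 1 bit DEI, 12 bits VID."""
    if not 1 <= vid <= 4094:
        raise ValueError("VID must be 1..4094 (0 is priority-only, 4095 is reserved)")
    tci = ((pcp & 0x7) << 13) | ((dei & 0x1) << 12) | (vid & 0xFFF)
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload


def parse_frame(frame: bytes) -> dict:
    """Strip at most one tag. 'vid' is None for an untagged frame. If the inner
    EtherType is again 0x8100 the frame carries a second tag (QinQ / double tagging)."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst, src = frame[:6], frame[6:12]
    (etype,) = struct.unpack("!H", frame[12:14])
    if etype != TPID_8021Q:
        return {"dst": dst, "src": src, "vid": None, "pcp": 0, "dei": 0,
                "ethertype": etype, "payload": frame[14:]}
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, inner = struct.unpack("!HH", frame[14:18])
    return {"dst": dst, "src": src, "vid": tci & 0xFFF, "pcp": tci >> 13,
            "dei": (tci >> 12) & 1, "ethertype": inner, "payload": frame[18:]}


def is_double_tagged(frame: bytes) -> bool:
    """True when a second 802.1Q tag sits directly behind the first one."""
    return parse_frame(frame)["ethertype"] == TPID_8021Q


def demux_trunk(frames, native_vid: int = 1) -> dict:
    """What a trunk port does on ingress: each tagged frame goes to the broadcast
    domain named by its VID; untagged frames are assigned the native VLAN."""
    domains = defaultdict(list)
    for frame in frames:
        parsed = parse_frame(frame)
        vid = native_vid if parsed["vid"] is None else parsed["vid"]
        domains[vid].append(parsed)
    return dict(domains)


def demo() -> dict:
    """Three constructed hosts on one wire: VLAN 10, VLAN 20 and an untagged host.
    Returns {vid: [source MACs seen in that domain]}."""
    bcast = mac("ff:ff:ff:ff:ff:ff")
    payload = b"\x00" * 28                       # constructed dummy payload
    frames = [
        tag_frame(bcast, mac("00:e0:67:05:ab:09"), 10, ETHERTYPE_IPV4, payload),
        tag_frame(bcast, mac("00:e0:67:05:ab:0a"), 20, ETHERTYPE_IPV4, payload, pcp=5),
        untagged_frame(bcast, mac("00:00:5e:00:53:01"), ETHERTYPE_IPV4, payload),
    ]
    return {vid: [p["src"].hex(":") for p in hosts]
            for vid, hosts in demux_trunk(frames).items()}


if __name__ == "__main__":
    for vid, hosts in sorted(demo().items()):
        print(f"VLAN {vid}: {hosts}")
```

The `native_vid` parameter is where the practical caveat lives: anything that arrives untagged on a trunk is silently placed in the native VLAN, and a frame whose inner EtherType is again 0x8100 carries a second tag that the next switch will honour after the outer one is stripped. That is why a trunk's native VLAN should be one that carries no hosts.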
          • Derelict (LAYER 8, Netgate)

            See. We all use VLAN tags on our Layer 2. That is what they are for.

            What you do NOT see here is VLAN 10 on three different interfaces because that is just, well, horrible design, and, in that case, everything on VLAN 10 will not be in the same broadcast domain, so the stated goals I have (possibly incorrectly) deciphered will not work.

            Tag VLAN 10 to your switching infrastructure ONCE. Use the switching infrastructure to create/propagate that broadcast domain to the switches that require it.

            [Attachment: Screen Shot 2018-05-10 at 12.16.01 PM.png]

            Chattanooga, Tennessee, USA
            A comprehensive network diagram is worth 10,000 words and 15 conference calls.
            DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
            Do Not Chat For Help! NO_WAN_EGRESS(TM)

            • BlankMan

              First I want to say thanks everyone for a more civil tone in your recent responses.

              Hugovsky: Who are you referring to as trolls? Did you read this complete thread from the OP? Did you miss the part regarding me not knowing how to do it in pfSense? I know how to do it on Cisco switches but did not know how to do it in pfSense. After 3 days of trying every configuration I could think of, I finally started to see the results I needed sometime between 00:00 and 03:00 today. Because there is no way to do it completely in pfSense's GUI. For one thing, it requires a custom startup script for bridge configuration.

              Derelict: Thanks, I didn't think I was doing something that outlandish. Yes, that's all I was trying to accomplish: trunking a tagged VLAN to two other subnets/VLANs/segments that are untagged, in order for the Cisco managed switches (with addresses on subnet 10 VLAN 10, subnet 20 VLAN 20 and subnet 30 VLAN 30) to be reachable for administration purposes. I apologize if I did not express that clearly enough.

              johnpoz: Yes, that's all I was trying to do was 1Q tagging. Been doing computer mainframe management starting out in the IBM and DEC days for approaching 40 years. And all the ancillary things like database management before DBAs were a hot item. And networking Ethernet-wise in the era of the thick coaxial backbone and thinnet days. Before the proliferation of routers and switches and CAT anything. Networking has never been my forte after that; I know enough to do what I need and learn it if I don't, and more than ever be dangerous. I ask questions and I listen. Except to "it can't be done." I will find a way.

              Derelict: Once again that is your opinion. As with everything there are many ways to do things. I learned a long time ago my way is not the right way, it is only one way to do something. When you say it's bad and others say it's acceptable, who is right? (That's a rhetorical question.)

              Dare to think and do outside the conventional box…

              • Derelict (LAYER 8, Netgate)

                Bullshit. You are wrong. ONE layer 3 interface to VLAN 10. Period. It is up to your layer 2 to get where that needs to go. This is not opinion. This is fact.

                If that is not the case then you actually have three different broadcast domains on three different layer 2s all tagged with VLAN 10 and they cannot communicate with each other unless you do something retarded like bridge all those VLANs on the different interfaces together at the firewall. Yes, "retarded."


                • BlankMan

                  So much for civilities. That didn't last long…

                  Here is my working config. Is it really breaking any rules and not just opinions?

                  em0 is wan, em1 and em5 are unused.

                  em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
                          options=4209b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC,VLAN_HWTSO>
                          ether 00:e0:67:05:ab:06
                          hwaddr 00:e0:67:05:ab:06
                          inet6 fe80::2e0:67ff:fe05:ab06%em0 prefixlen 64 scopeid 0x1
                          inet6 2602:306:3b6f:6460:2e0:67ff:fe05:ab06 prefixlen 64 autoconf
                          inet 75.56.236.145 netmask 0xfffffff8 broadcast 75.56.236.151
                          nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
                          media: Ethernet autoselect (100baseTX <full-duplex>)
                          status: active
                  em1: flags=8c02<BROADCAST,OACTIVE,SIMPLEX,MULTICAST> metric 0 mtu 1500
                          options=4209b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC,VLAN_HWTSO>
                          ether 00:e0:67:05:ab:07
                          hwaddr 00:e0:67:05:ab:07
                          nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
                          media: Ethernet autoselect
                          status: no carrier
                  em2: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
                          options=4209b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC,VLAN_HWTSO>
                          ether 00:e0:67:05:ab:08
                          hwaddr 00:e0:67:05:ab:08
                          inet6 fe80::2e0:67ff:fe05:ab08%em2 prefixlen 64 scopeid 0x3
                          nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
                          media: Ethernet autoselect (1000baseT <full-duplex>)
                          status: active
                  em3: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
                          options=5209b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC,VLAN_HWFILTER,VLAN_HWTSO>
                          ether 00:e0:67:05:ab:09
                          hwaddr 00:e0:67:05:ab:09
                          inet6 fe80::2e0:67ff:fe05:ab09%em3 prefixlen 64 scopeid 0x4
                          inet 192.168.20.1 netmask 0xffffff00 broadcast 192.168.20.255
                          nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
                          media: Ethernet autoselect (1000baseT <full-duplex>)
                          status: active
                  em4: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
                          options=5209b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC,VLAN_HWFILTER,VLAN_HWTSO>
                          ether 00:e0:67:05:ab:0a
                          hwaddr 00:e0:67:05:ab:0a
                          inet6 fe80::2e0:67ff:fe05:ab0a%em4 prefixlen 64 scopeid 0x5
                          inet 192.168.30.1 netmask 0xffffff00 broadcast 192.168.30.255
                          nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
                          media: Ethernet autoselect (1000baseT <full-duplex>)
                          status: active
                  em5: flags=8c02<BROADCAST,OACTIVE,SIMPLEX,MULTICAST> metric 0 mtu 1500
                          options=4209b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC,VLAN_HWTSO>
                          ether 00:e0:67:05:ab:0b
                          hwaddr 00:e0:67:05:ab:0b
                          nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
                          media: Ethernet autoselect
                          status: no carrier
                  lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
                          options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
                          inet6 ::1 prefixlen 128
                          inet6 fe80::1%lo0 prefixlen 64 scopeid 0x7
                          inet 127.0.0.1 netmask 0xff000000
                          nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
                          groups: lo
                  enc0: flags=0<> metric 0 mtu 1536
                          nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
                          groups: enc
                  pflog0: flags=100<PROMISC> metric 0 mtu 33160
                          groups: pflog
                  pfsync0: flags=0<> metric 0 mtu 1500
                          groups: pfsync
                          syncpeer: 224.0.0.240 maxupd: 128 defer: on
                          syncok: 1
                  em3.10: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
                          options=3<RXCSUM,TXCSUM>
                          ether 00:e0:67:05:ab:09
                          inet6 fe80::2e0:67ff:fe05:ab09%em3.10 prefixlen 64 scopeid 0xb
                          nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
                          media: Ethernet autoselect (1000baseT <full-duplex>)
                          status: active
                          vlan: 10 vlanpcp: 0 parent interface: em3
                          groups: vlan
                  em4.10: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
                          options=3<RXCSUM,TXCSUM>
                          ether 00:e0:67:05:ab:0a
                          inet6 fe80::2e0:67ff:fe05:ab0a%em4.10 prefixlen 64 scopeid 0xc
                          nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
                          media: Ethernet autoselect (1000baseT <full-duplex>)
                          status: active
                          vlan: 10 vlanpcp: 0 parent interface: em4
                          groups: vlan
                  bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
                          ether 02:ba:df:b4:35:00
                          inet 192.168.10.1 netmask 0xffffff00 broadcast 192.168.10.255
                          nd6 options=1<PERFORMNUD>
                          groups: bridge
                          id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
                          maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
                          root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
                          member: em4.10 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                                  ifmaxaddr 0 port 12 priority 128 path cost 20000
                          member: em3.10 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                                  ifmaxaddr 0 port 11 priority 128 path cost 20000
                          member: em2 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                                  ifmaxaddr 0 port 3 priority 128 path cost 2000000
                  ovpns1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
                          options=80000<LINKSTATE>
                          inet6 fe80::2e0:67ff:fe05:ab06%ovpns1 prefixlen 64 scopeid 0xe
                          inet 10.168.24.1 --> 10.168.24.2  netmask 0xffffff00
                          nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
                          groups: tun openvpn
                          Opened by PID 18039


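An added check, not part of BlankMan's post or of pfSense: parse FreeBSD `ifconfig` output like the listing above and flag the exact condition the thread is arguing over, one VLAN ID bound to more than one parent interface, reporting whether a bridge rejoins those segments into one broadcast domain or whether they are left as separate domains that cannot talk. `SAMPLE_IFCONFIG` is an abbreviated copy of the listing posted above; the regexes assume the FreeBSD `ifconfig` line formats shown there (`vlan: N ... parent interface: X`, `member: X ...`).

```python
"""Added example, not code from the thread or from pfSense: audit FreeBSD
ifconfig output for a VLAN ID tagged on more than one parent interface and
show how bridge membership changes the resulting layer-2 topology.
SAMPLE_IFCONFIG is an abbreviated copy of the listing posted in the thread."""
import re
from collections import defaultdict

SAMPLE_IFCONFIG = """\
em2: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 00:e0:67:05:ab:08
em3: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 192.168.20.1 netmask 0xffffff00 broadcast 192.168.20.255
em4: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 192.168.30.1 netmask 0xffffff00 broadcast 192.168.30.255
em3.10: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        vlan: 10 vlanpcp: 0 parent interface: em3
        groups: vlan
em4.10: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        vlan: 10 vlanpcp: 0 parent interface: em4
        groups: vlan
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 192.168.10.1 netmask 0xffffff00 broadcast 192.168.10.255
        groups: bridge
        member: em4.10 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
        member: em3.10 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
        member: em2 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
"""
# Same listing with the bridge removed: what the box looks like before the
# custom bridge script runs (constructed by slicing the sample above).
SAMPLE_NO_BRIDGE = SAMPLE_IFCONFIG.split("bridge0:")[0]

IFACE_RE = re.compile(r"^(\S+): flags=")
VLAN_RE = re.compile(r"^\s+vlan: (\d+) .*parent interface: (\S+)")
MEMBER_RE = re.compile(r"^\s+member: (\S+) ")
INET_RE = re.compile(r"^\s+inet (\d+\.\d+\.\d+\.\d+) ")


def parse_ifconfig(text: str) -> dict:
    """{ifname: {"vlan": int|None, "parent": str|None, "members": [..], "inet": [..]}}"""
    ifaces, cur = {}, None
    for line in text.splitlines():
        head = IFACE_RE.match(line)
        if head:
            cur = ifaces.setdefault(head.group(1),
                                    {"vlan": None, "parent": None, "members": [], "inet": []})
            continue
        if cur is None:
            continue
        if (m := VLAN_RE.match(line)):
            cur["vlan"], cur["parent"] = int(m.group(1)), m.group(2)
        elif (m := MEMBER_RE.match(line)):
            cur["members"].append(m.group(1))
        elif (m := INET_RE.match(line)):
            cur["inet"].append(m.group(1))
    return ifaces


def vlans_on_multiple_parents(ifaces: dict) -> dict:
    """VLAN ID -> sorted VLAN interface names, only where the same ID is tagged
    on more than one distinct parent (the design the thread objects to)."""
    by_vid = defaultdict(list)
    for name, info in ifaces.items():
        if info["vlan"] is not None:
            by_vid[info["vlan"]].append(name)
    return {vid: sorted(names) for vid, names in by_vid.items()
            if len({ifaces[n]["parent"] for n in names}) > 1}


def l2_domains(ifaces: dict) -> dict:
    """Interface -> layer-2 domain it belongs to. Bridge members share the
    bridge's domain; any other interface is a broadcast domain of its own."""
    domain = {}
    for name, info in ifaces.items():
        for member in info["members"]:
            domain[member] = name
    for name, info in ifaces.items():
        if not info["members"]:
            domain.setdefault(name, name)
    return domain


def report(text: str) -> list:
    """Human-readable findings for one ifconfig listing."""
    ifaces = parse_ifconfig(text)
    domains = l2_domains(ifaces)
    findings = []
    for vid, names in vlans_on_multiple_parents(ifaces).items():
        joined = {domains[n] for n in names}
        if len(joined) == 1:
            findings.append(f"VLAN {vid} is tagged on {len(names)} parents ({', '.join(names)}) "
                            f"and re-joined by {joined.pop()}: it works, but the switch fabric "
                            f"should carry VLAN {vid} and the firewall should see it once")
        else:
            findings.append(f"VLAN {vid} is tagged on {len(names)} parents ({', '.join(names)}) "
                            f"with NO bridge: {len(joined)} separate broadcast domains "
                            f"that cannot reach each other")
    return findings


if __name__ == "__main__":
    for finding in report(SAMPLE_IFCONFIG) + report(SAMPLE_NO_BRIDGE):
        print(finding)
```

On a live firewall, feed `report()` the text of `ifconfig` run from a shell and it will list every VLAN ID that appears on more than one parent; an empty list is the layout Derelict describes, one layer-3 interface per VLAN with the switches doing the rest.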
                  • Derelict (LAYER 8, Netgate)

                    Yeah. You had to bridge. That is just plain stupid compared to simply tagging that across the switching infrastructure.

                    But congratulations. You made a stupid design work.


                    • BlankMan

                      You are entitled to your opinion. Is everything in the world you don't agree with just plain stupid too?


                      • Derelict (LAYER 8, Netgate)

                        No, just idiotic network design.


                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.