Quick VLAN Question
-
Depending on your Internet modem, you may be able to set up separate "guest" WiFi on it. My cable modem supports that in gateway mode.
Thanks for the reply. The issue is that it is not just wifi devices I'm trying to separate. It's both wifi and ethernet connected devices. I have a UniFi AP Pro that will be on each VLAN.
-
If you run your layer 3 switch as layer 3 and route on it - you would still be creating multiple layer 2 networks.. It's just the switch (router) would then route between these networks for you. With limited "firewall" capabilities depending on the switch in question.
Yes a sg300 can prevent specific access between the networks it will route between but much more difficult than letting pfsense do it. If it was going to be doing the routing between downstream networks then pfsense would never see these vlans and the only connection should be through a transit network.
I would suggest you just create your vlans on your sg300 as layer 2, then connect those layer 2 networks to pfsense be it via different uplinks that are native and untagged or tagged where pfsense will route and firewall between these networks. This gives you the most control and ease of setup..
I have a sg300-28 and a sg300-10 in my network both just doing layer 2 (but in layer 3 mode) with unifi APs.. I have both wired and wireless vlans some native uplink to pfsense and some tagged vlans as well into pfsense interfaces. Happy to show you how to config..
Do you only have 1 physical interface to work with on pfsense or multiple? How much intervlan traffic do you expect? Keep in mind that when you put vlans on the same physical interface via tags that intervlan traffic between these vlans will have a hairpin and your overall bandwidth will be /2 of the full physical interface speed.
Vlans on a physical connection share that physical connection's bandwidth.
-
Yes, I only have 1 interface to work with for the LAN port on my unit. My primary VLAN is really going to use most of the traffic. The secondary VLAN is going to be for guest, friends and family. So it's not going to see heavy continual usage.
Sorry for not completely understanding, but when you have a hairpin LAN connection, you mentioned that the bandwidth would be half its intended full speed. Is that a constant, or does it adjust on the fly when the other VLAN needs bandwidth?
https://www.highlnk.com/2014/06/configuring-vlans-on-pfsense/
This was one of the links I was reading about setting up VLANs on pfsense. Then creating the Trunk on the Cisco, making identical Vlans and then assigning the ports to those vlans. That's the short and sweet version. If I'm missing something or if someone has better ideas, I'm all ears!
-
No it would be constant, minus whatever other traffic was on the physical interface at the time. The best you could hope for would be half for intervlan traffic.
That has to traverse the same physical path. But only if the traffic is hairpinned.. If you can only carry 1gig, and you have to go over the same road twice ie up and then down, it's /2
If traffic is only 1 direction then it would just be shared.. If it's hairpin then it's /2 minus other traffic on the wire. Keep in mind the /2 is just an approximation.
If you have to travel the same physical path twice then yeah you get a /2… This is the same with wifi.. Since it is shared bandwidth.. If wireless to wireless /2 if on the same band, if wireless to wired then you can get full bandwidth.
-
That makes perfect sense and is how I would expect it to perform. Appreciate all the help.
Did my plan to roll this out sound like the ideal way to do it?
-
You mean that link to some site from 2014?
You can tag everything you want, or you could leave lan as untagged.. There are multiple ways to skin the cat.. If you only have the 1 physical interface adding tagged vlans to it and leaving lan as untagged does allow you to do it all from the lan side and not some other interface - like the wan in that link. Since you won't kick yourself off, etc.
That is clearly an older version of pfsense - but overall how you do vlans has not really changed. Some people like all tagged if doing tagged, I am open to native and tagged on the same interface.. Nothing wrong with either way. If you're all tagged then sure you could lock yourself out if traffic is not tagged. Which is why I like to leave a native network on the interface.
-
So my question is, are VLANs inherently private?
They're private because a device configured for one VLAN cannot see traffic on another, even if both are on the same wire.
That is misleading. Yes, the device can see the traffic - it is just selectively-filtered by the local host using the VLAN tag.
However, if you were to run Wireshark, you could see both. The VLAN traffic will have VLAN tags on the Ethernet frames.
You sort of get to it there.
The VLAN traffic will have VLAN tags on the Ethernet frames. Another use would be for guest WiFi, which connects only to the Internet, while internal WiFi has access to the local network. Many access points support multiple VLANs and SSIDs for this purpose.
If you want to use VLANs for security, use a managed switch and only put the VLANs on specific ports that you want the connected device to see.
-
Yes, I know it's not new, but it seemed like a few sites used the same method.
How do you go about the untagged method? Have a link or care to share a quick overview? Seems there are several ways to achieve this and each have different pro/cons. lol
Derelict - I am using a managed Cisco switch I just purchased. As mentioned, the plan was to use a trunk port and then create the same VLANs that the pfsense has. Then assign the ports to each VLAN. So that would be the secure method?
-
If the pfSense interface is assigned to, say, igb0 then traffic to the connected device for that interface will be untagged.
If the pfSense interface is assigned to, say, VLAN 100 on igb0 (igb0.100) then traffic to the connected device for that interface will be tagged with VLAN 100.
Derelict - I am using a managed Cisco switch I just purchased. As mentioned, the plan was to use a trunk port and then create the same VLANs that the pfsense has. Then assign the ports to each VLAN. So that would be the secure method?
Sounds good.
-
So for example… Here is uplink to my igb2 interface on my sg300 switch
interface gigabitethernet5
description "sg4860 WLan and vlans"
switchport trunk allowed vlan add 3-7
switchport trunk native vlan 2
vlan 2 native there is the untagged vlan 2 on my switch which is my "wlan" network. My AP and controller are on this vlan on the switch... unifi until recently did not allow for tagged management vlans so your IP on your AP had to be untagged. They have recently allowed for tagged management vlan but I have not moved over to it yet. And not sure if I will since this works just fine in my environment.
-
Right. But if you were to tag VLAN 2 between pfSense and the switch it does not mean it can't be untagged from the switch to the APs if that is what they require.
interface gigabitethernet5
description "sg4860 WLan and vlans"
switchport trunk allowed vlan add 2-7
interface gigabitethernet6
description "Unifi AP"
switchport trunk allowed vlan add 3-7
switchport trunk native vlan 2
-
You sort of get to it there.
Hi Derelict.
I was just giving a general idea. We can certainly get into a lot deeper discussion, if you wish.
-
The question was about isolation and privacy between VLANs. I just want to be sure OP understood that if the VLAN traffic is sent to a device but that device is only configured to grab the traffic for one VLAN it is not in ANY way considered secure since the other traffic is still being sent to that device and it is a simple configuration change on the edge device to see that traffic.
-
Thanks to both of you. I'm going to take a stab at this when I get home and I'll let you know if I have any further questions. Fingers crossed I can get it to work without too many issues (there's always a few) :D
-
"Right. But if you were to tag VLAN 2"
Very very true! And good point to bring up.. I could tag it to pfsense sure - I just keep it the same across the network is all. I know that vlan 2 is a native vlan.. Only place it's tagged is on the uplink to the other switch.
Many ways to skin the cat to be sure.
-
I'm a little lost. So how do I make the VLAN secure so it can't access computers/devices on a separate VLAN? Sorry, all new to this :D
-
Derelict's point was that if you tag say vlan 10,20,30 to a port and you connect a device to that port then it can see traffic for any of those vlans.
You normally do not trunk or tag multiple vlans to a port where a single device will be connected. So let's say port 10 on your switch where your PC will be connected and you want it only to be in vlan 20. Then you would set that port as untagged vlan 20..
The only traffic a device on that port would be capable of seeing would be vlan 20… if it wants to send traffic to say vlan 30 then it would have to go through your router.
A trunk port with multiple vlans on it would normally only be sent to a device that will understand the tags and keep the traffic isolated, say a router or a switch.
So on your switch say port 1, connected to pfsense you tag 10,20 and 30.
On port 2, you have a device in 10, on port 3 you have vlan 20, on port 4 of this switch you have vlan 30..
On port say 5 you have vlan 10, port 6 vlan 20, port 7 vlan 30..
The only traffic those devices will see are traffic in those specific vlans. For them to talk to other vlans they would have to route through pfsense.
So 2 and 5 can talk, 3 and 6 and ports 4 and 7... if port 2 wanted to talk to port 3 it would have to route through pfsense and pfsense firewall.
-
OOOOH, OK. No, that is not my intent. My intent is to create VLAN 1 and set Cisco to set ports 1-5 to that same Pfsense VLAN #. Then VLAN 2 and set Cisco ports 6-10 to the same VLAN #. That way only those ports are in the same VLAN. I don't care if ports 6-10 see each other, but I don't want them to see 1-5. Will that work as intended?
-
The point is to enforce what VLANs are sent to a device in the switch, not in the edge device.
Just because the device is only looking at one VLAN, it can capture any traffic on any VLAN on the port it is connected to.
Cisco refers to the type of ports you might connect a single edge device to as access ports. They only send traffic for one VLAN and they send and receive frames untagged.
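To make the access-port versus trunk-port point from johnpoz's port-by-port walkthrough and Derelict's reply concrete, here is an added Python model of an 802.1Q switch (written for this edit, not code from the thread or any poster): it parses and builds tagged frames, applies the access/trunk egress rules, and shows which VLANs a host receives depending on the port type it sits on. The port names g1-g7, VLAN ids 10/20/30 and MAC addresses are constructed for the example.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag

def parse_frame(frame):  # -> (vid, ethertype, payload); vid is None for an untagged frame
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == TPID_8021Q:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        return tci & 0x0FFF, ethertype, frame[18:]  # VID is the low 12 bits of the TCI
    return None, ethertype, frame[14:]

def build_frame(dst, src, vid, ethertype, payload):  # inserts an 802.1Q tag when vid is not None
    tag = struct.pack("!HH", TPID_8021Q, vid) if vid is not None else b""
    return dst + src + tag + struct.pack("!H", ethertype) + payload

class Port:
    """'access': one VLAN, always untagged.  'trunk': native VLAN untagged, other allowed VLANs tagged."""
    def __init__(self, mode, vlan=None, allowed=frozenset()):
        self.mode, self.vlan, self.allowed = mode, vlan, allowed
    def ingress_vid(self, vid):  # VLAN the switch assigns to an arriving frame; None = drop it
        if self.mode == "access":
            return self.vlan if vid is None else None  # an access port does not accept tagged frames
        return self.vlan if vid is None else (vid if vid in self.allowed else None)
    def egress_tag(self, vlan):  # (send?, tag) for a frame in `vlan` leaving this port
        if vlan == self.vlan:
            return True, None  # own access VLAN, or trunk native VLAN: sent untagged
        return vlan in self.allowed, vlan  # trunk sends other allowed VLANs tagged; access allows none

def flood(ports, in_port, frame):  # unknown-destination flood: {port: frame as delivered there}
    vid, ethertype, payload = parse_frame(frame)
    vlan, out = ports[in_port].ingress_vid(vid), {}
    for name, p in ports.items():
        send, tag = p.egress_tag(vlan) if vlan is not None and name != in_port else (False, None)
        if send:
            out[name] = build_frame(frame[:6], frame[6:12], tag, ethertype, payload)
    return out

def visible_vids(ports, observer):  # tags a host on `observer` receives when each access port broadcasts once
    seen = set()
    for name, p in ports.items():
        if p.mode == "access" and name != observer:  # constructed untagged broadcast from the PC on `name`
            frame = build_frame(b"\xff" * 6, b"\x02" + name.encode().ljust(5, b"\0"), None, 0x0806, b"arp")
            if observer in (delivered := flood(ports, name, frame)):
                seen.add(parse_frame(delivered[observer])[0])  # None means it arrived untagged
    return seen

# Constructed layout from the thread: g1 is the tagged uplink to pfSense, g2-g7 are access ports.
PORTS = {"g1": Port("trunk", allowed=frozenset({10, 20, 30})),
         "g2": Port("access", 10), "g3": Port("access", 20), "g4": Port("access", 30),
         "g5": Port("access", 10), "g6": Port("access", 20), "g7": Port("access", 30)}
```

`visible_vids(PORTS, "g3")` returns `{None}`: the PC on the access port only ever receives its own VLAN 20, untagged. `visible_vids(PORTS, "g1")` returns `{10, 20, 30}`, which is exactly what a PC would capture if it were plugged into the trunk port instead of pfSense.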
-
EDIT: johnpoz edited his comment to make it clear. It sounds like what I'm trying to achieve and how I understand it. Sorry for the confusion.
I think things will be a bit clearer when I have the Cisco up and running tonight. But it sounds like there will be something in the port/vlan configuration of the Cisco to ensure this. Trunk port accepts all VLANs data and then sends it to the access ports. Those access ports then need to be configured to only accept data that is tagged for it, in a certain VLAN #. Am I close? lol