Netgate Discussion Forum

    Quick VLAN Question

    General pfSense Questions
    31 Posts 4 Posters 3.6k Views
    • Derelict (LAYER 8 Netgate)

      @likelinus:

      Yes, I know it's not new, but it seemed like a few sites used the same method.

      How do you go about the untagged method? Have a link or care to share a quick overview? Seems there are several ways to achieve this and each have different pro/cons. lol

      If the pfSense interface is assigned to, say, igb0 then traffic to the connected device for that interface will be untagged.

      If the pfSense interface is assigned to, say, VLAN 100 on igb0 (igb0.100) then traffic to the connected device for that interface will be tagged with VLAN 100.

      Derelict - I am using a managed Cisco switch I just purchased. As mentioned, the plan was to use a trunk port and then create the same VLANs that the pfsense has. Then assign the ports to each VLAN. So that would be the secure method?

      Sounds good.

      Chattanooga, Tennessee, USA
      A comprehensive network diagram is worth 10,000 words and 15 conference calls.
      DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
      Do Not Chat For Help! NO_WAN_EGRESS(TM)

      • johnpoz (LAYER 8 Global Moderator)

        So for example… Here is the uplink to my igb2 interface on my sg300 switch

        interface gigabitethernet5
        description "sg4860 WLan and vlans"
        switchport trunk allowed vlan add 3-7
        switchport trunk native vlan 2

        vlan 2 native there is the untagged vlan 2 on my switch, which is my "wlan" network.  My AP and controller are on this vlan on the switch... unifi until recently did not allow for tagged management vlans, so your IP on your AP had to be untagged.  They have recently allowed for a tagged management vlan but I have not moved over to it yet. And not sure if I will, since this works just fine in my environment.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 25.07.1 | Lab VMs 2.8.1, 25.07.1

        • Derelict (LAYER 8 Netgate)

          Right. But if you were to tag VLAN 2 between pfSense and the switch it does not mean it can't be untagged from the switch to the APs if that is what they require.

          interface gigabitethernet5
          description "sg4860 WLan and vlans"
          switchport trunk allowed vlan add 2-7

          interface gigabitethernet6
          description "Unifi AP"
          switchport trunk allowed vlan add 3-7
          switchport trunk native vlan 2

          • JKnott

            You sort of get to it there.

            Hi Derelict.

            I was just giving a general idea.  We can certainly get into a lot deeper discussion, if you wish.

            PfSense running on Qotom mini PC
            i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel 1 Gb Ethernet ports.
            UniFi AC-Lite access point

            I haven't lost my mind. It's around here...somewhere...

            • Derelict (LAYER 8 Netgate)

              @JKnott:

              You sort of get to it there.

              Hi Derelict.

              I was just giving a general idea.  We can certainly get into a lot deeper discussion, if you wish.

              The question was about isolation and privacy between VLANs. I just want to be sure OP understood that if the VLAN traffic is sent to a device but that device is only configured to grab the traffic for one VLAN it is not in ANY way considered secure since the other traffic is still being sent to that device and it is a simple configuration change on the edge device to see that traffic.

              • likelinus

                Thanks to both of you. I'm going to take a stab at this when I get home and I'll let you know if I have any further questions. Fingers crossed I can get it to work without too many issues (there's always a few)  :D

                • johnpoz (LAYER 8 Global Moderator)

                  "Right. But if you were to tag VLAN 2"

                  Very very true!  And good point to bring up..  I could tag it to pfsense sure - I just keep it the same across the network is all.  I know that vlan 2 is a native vlan.. The only place it's tagged is on the uplink to the other switch.

                  Many ways to skin the cat to be sure.

                  • likelinus

                    @Derelict:

                    @JKnott:

                    You sort of get to it there.

                    Hi Derelict.

                    I was just giving a general idea.  We can certainly get into a lot deeper discussion, if you wish.

                    The question was about isolation and privacy between VLANs. I just want to be sure OP understood that if the VLAN traffic is sent to a device but that device is only configured to grab the traffic for one VLAN it is not in ANY way considered secure since the other traffic is still being sent to that device and it is a simple configuration change on the edge device to see that traffic.

                    I'm a little lost. So how do I make the VLAN secure so it can't access computers/devices on a separate VLAN? Sorry, all new to this :D

                    • johnpoz (LAYER 8 Global Moderator)

                      Derelict's point was that if you tag, say, vlan 10, 20 and 30 to a port and you connect a device to that port, then it can see traffic for any of those vlans.

                      You normally do not trunk or tag multiple vlans to a port where a single device will be connected.  So let's say port 10 on your switch is where your PC will be connected and you want it only to be in vlan 20.  Then you would set that port as untagged vlan 20..

                      The only traffic a device on that port would be capable of seeing would be vlan 20… if it wants to send traffic to say vlan 30 then it would have to go through your router.

                      A trunk port with multiple vlans on it would normally only be sent to a device that will understand the tags and keep the traffic isolated, say a router or a switch.

                      So on your switch say port 1, connected to pfsense you tag 10,20 and 30.

                      On port 2, you have a device in 10, on port 3 you have vlan 20, on port 4 of this switch you have vlan 30..

                      On port say 5 you have vlan 10, port 6 vlan 20, port 7 vlan 30..

                      The only traffic those devices will see are traffic in those specific vlans.  For them to talk to other vlans they would have to route through pfsense.

                      So 2 and 5 can talk, 3 and 6 and ports 4 and 7... if port 2 wanted to talk to port 3 it would have to route through pfsense and pfsense firewall.

                      • likelinus

                        OOOOH, OK. No, that is not my intent. My intent is to create VLAN 1 and set Cisco to set ports 1-5 to that same Pfsense VLAN #. Then VLAN 2 and set Cisco ports 6-10 to the same VLAN #. That way only those ports are in the same VLAN. I don't care if ports 6-10 see each other, but I don't want them to see 1-5. Will that work as intended?

                        • Derelict (LAYER 8 Netgate)

                          The point is to enforce what VLANs are sent to a device in the switch, not in the edge device.

                          Just because the device is only looking at one VLAN, it can capture any traffic on any VLAN on the port it is connected to.

                          Cisco refers to the type of ports you might connect a single edge device to as access ports. They only send traffic for one VLAN and they send and receive frames untagged.

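To make johnpoz's port walk-through and Derelict's "enforce it in the switch, not in the edge device" point concrete, here is a small model of 802.1Q egress on a managed switch. It is an added illustration for this thread, not pfSense or Cisco code; the port names (gi1, gi3, gi6, gi9) and VLAN ids are constructed. It computes which VLANs physically reach the device on a port and whether frames arrive tagged, and flags end-device ports that carry more than one VLAN so they can be reviewed and turned into access ports.

```python
"""Model of 802.1Q egress on a managed switch: which VLANs' frames reach the
device on a port, and whether they arrive tagged. Constructed illustration for
this thread, not pfSense or Cisco code; port names and VLAN ids are made up."""
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Port:
    name: str
    mode: str                          # "access" or "trunk"
    access_vlan: int = 1               # access port: its one VLAN, untagged
    allowed: frozenset = frozenset()   # trunk: VLANs carried with a tag
    native: Optional[int] = None       # trunk: the VLAN sent untagged

def egress(port: Port, vlan: int):
    """None if frames in `vlan` never leave this port, otherwise
    (vlan, tagged) as the attached device would receive them."""
    if port.mode == "access":
        return (vlan, False) if vlan == port.access_vlan else None
    if vlan == port.native:
        return (vlan, False)
    if vlan in port.allowed:
        return (vlan, True)
    return None

def reaching(port: Port, vlans) -> set:
    """VLANs whose frames reach the cable, regardless of which VLAN the
    attached device has configured itself to listen to (Derelict's point)."""
    return {v for v in vlans if egress(port, v) is not None}

def exposed_end_ports(ports, vlans) -> list:
    """Audit: end-device ports where more than one VLAN reaches the cable.
    Enforcement belongs in the switch, so these need an access-port config."""
    vl = set(vlans)
    return [p.name for p in ports if len(reaching(p, vl)) > 1]

# Constructed topology mirroring the thread: trunk to pfSense, an access port
# for a PC, a PC wrongly left on a trunk, and Derelict's AP port (native vlan 2,
# vlans 3-7 tagged, for a device that understands tags).
PFSENSE_UPLINK = Port("gi1", "trunk", allowed=frozenset({10, 20, 30}))
PC_VLAN20 = Port("gi3", "access", access_vlan=20)
PC_ON_TRUNK = Port("gi9", "trunk", allowed=frozenset({10, 20, 30}))
AP_PORT = Port("gi6", "trunk", allowed=frozenset(range(3, 8)), native=2)
ALL_VLANS = {2, 3, 4, 5, 6, 7, 10, 20, 30}
END_DEVICE_PORTS = [PC_VLAN20, PC_ON_TRUNK]

if __name__ == "__main__":
    for p in (PFSENSE_UPLINK, PC_VLAN20, PC_ON_TRUNK, AP_PORT):
        print(p.name, sorted(reaching(p, ALL_VLANS)))
    print("ports to review:", exposed_end_ports(END_DEVICE_PORTS, ALL_VLANS))
```

A host on gi9 that only "listens" to VLAN 20 still has VLAN 10 and 30 frames on its cable; only gi3, the access port, limits what reaches it to VLAN 20.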
                          • likelinus

                            @Derelict:

                            The point is to enforce what VLANs are sent to a device in the switch, not in the edge device.

                            Just because the device is only looking at one VLAN, it can capture any traffic on any VLAN on the port it is connected to.

                            Cisco refers to the type of ports you might connect a single edge device to as access ports. They only send traffic for one VLAN and they send and receive frames untagged.

                            EDIT: johnpoz edited his comment to make it clear. It sounds like what I'm trying to achieve and how I understand it. Sorry for the confusion.

                            I think things will be a bit clearer when I have the Cisco up and running tonight. But it sounds like there will be something in the port/vlan configuration of the Cisco to ensure this. The trunk port accepts all VLANs' data and then sends it to the access ports. Those access ports then need to be configured to only accept data that is tagged for it, in a certain VLAN #. Am I close? lol

                            • Derelict (LAYER 8 Netgate)

                              The devices on the access ports don't need to know anything about VLANs. To them it looks like they are connected to any port on any switch - managed or unmanaged. They will only see other devices on the same VLAN.

                              • JKnott

                                I'm a little lost. So how do I make the VLAN secure so it can't access computers/devices on a separate VLAN? Sorry, all new to this :D

                                Normally, a device on a network will only see the LAN or VLAN it's configured for and many devices don't even support them at all.  This means that while there may be multiple VLANs on the wire, as is the case with a trunk port, a computer will normally be configured to access one.  There is, however, one very big exception.  It's called promiscuous mode, which enables the computer to receive everything on the wire.  PfSense uses this to provide VLANs through 1 interface.  Another common use is a network monitoring app called Wireshark, which can see just about everything that can be carried over a network cable.  It can even see things like spanning tree, which are normally ignored by network devices.

                                For security, you'd use managed switches, with access ports configured only for the VLAN you want them to be on.  This way, a computer connected to that port will only see traffic for that VLAN and none other.

                                • Derelict (LAYER 8 Netgate)

                                  Actually, promiscuous mode is more about getting frames off the wire that have been sent to other, non-broadcast MAC addresses regardless of VLAN… The connected switch will already be filtering most of this in normal circumstances unlike when hubs were a thing and you could see everything.

                                  Promiscuous mode need not be enabled for a pfSense interface to "trunk" VLANs.

                                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.