Netgate Discussion Forum

    vlan question

      ravegen

      Do I need to have a managed switch if I do vlan on pfsense?

        jahonix @ravegen

        @ravegen
        Depends on what you wanna do on which hardware.
        If you're talking about the latest pfSense hardware with built-in Marvell switch then maybe not.
        If you're talking about an external switch then yes, absolutely.

          ravegen

          I mean, can I do vlan without any managed switch, just thru pfsense and unmanaged switches.

            Derelict LAYER 8 Netgate

            Not really.

            Why sweat it? Switch ports are pretty cheap. How many switch ports are you talking about?

            What problem do you expect VLANs to solve for you?

            Chattanooga, Tennessee, USA
            A comprehensive network diagram is worth 10,000 words and 15 conference calls.
            DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
            Do Not Chat For Help! NO_WAN_EGRESS(TM)

              johnpoz LAYER 8 Global Moderator

              You could use dumb switches if you're going to physically isolate your networks.. Ie different dumb switch into different interfaces on your pfsense router that are not tagged.

              Here is the thing if you're going to do vlans, then you need vlan capable switch(es).. You can if you need to connect dumb switches downstream of a smart switch if everything on that dumb switch is going to be in the same vlan you setup on that vlan capable switch's port it's connected to.

              If you're going to connect a device that does vlans directly to a pfsense interface you can get by without a switch. For example an esxi host or something where you can setup the vswitch with vlan port groups... Or say an AP that will put vlans on its different SSIDs

              But yes if you want to use vlans in your network as Derelict already stated you need a vlan capable switch. They are not expensive these days. You do not need a 1K dollar enterprise fully managed layer 3 cisco nexus for example... Any of the typical home switch players.. dlink, netgear make entry level smart switches that can do vlans. Shoot I have seen the 8 port gig models for less than their dumb models sometimes.

              An intelligent man is sometimes forced to be drunk to spend time with his fools
              If you get confused: Listen to the Music Play
              Please don't Chat/PM me for help, unless mod related
              SG-4860 24.11 | Lab VMs 2.8, 24.11

                kpa

                VLANs without a VLAN aware switch are hard to use because then all of your client systems have to be aware of the VLAN tags in the ethernet packets directed to them. Depending on the systems you have this might be very inconvenient.

                Don't go cheap, get a VLAN capable switch, they are not so expensive anymore at entry level.

                1 Reply Last reply Reply Quote 0
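What kpa's reply describes, shown as an added example that is not part of the original thread: an 802.1Q tag sits where a VLAN-unaware client expects the EtherType, and a switch with no per-port VLAN membership delivers the tagged frame to every port. The MAC addresses, port names, payload and the flooding model of the unmanaged switch are constructed assumptions.

```python
import struct

TPID_8021Q = 0x8100   # EtherType value that marks an 802.1Q tag
ETH_IPV4 = 0x0800

def build_frame(dst, src, ethertype, payload, vlan_id=None, pcp=0):
    """Build an Ethernet II frame; insert an 802.1Q tag when vlan_id is given."""
    header = dst + src
    if vlan_id is not None:
        tci = (pcp << 13) | (vlan_id & 0x0FFF)   # PCP(3) | DEI(1)=0 | VID(12)
        header += struct.pack("!HH", TPID_8021Q, tci)
    return header + struct.pack("!H", ethertype) + payload

def parse_frame(frame):
    """Return the VLAN ID (None if untagged), priority and real EtherType."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (etype,) = struct.unpack_from("!H", frame, 12)
    if etype != TPID_8021Q:
        return {"vlan": None, "pcp": None, "ethertype": etype}
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, inner = struct.unpack_from("!HH", frame, 14)
    return {"vlan": tci & 0x0FFF, "pcp": tci >> 13, "ethertype": inner}

def untagged_host_accepts(frame):
    """A VLAN-unaware client reads bytes 12-13 as the EtherType. On a tagged
    frame that value is 0x8100, not IPv4, so the packet is not processed."""
    return struct.unpack_from("!H", frame, 12)[0] == ETH_IPV4

def dumb_switch_flood(frame, ports):
    """Assumed model of an unmanaged switch: no VLAN membership per port,
    so a broadcast frame is copied to every port with its tag untouched."""
    return {port: frame for port in ports}

# Constructed sample data: a broadcast frame carrying a stub IPv4 payload.
DST = bytes.fromhex("ffffffffffff")
SRC = bytes.fromhex("020000000001")
PAYLOAD = b"\x45" + b"\x00" * 19
TAGGED = build_frame(DST, SRC, ETH_IPV4, PAYLOAD, vlan_id=20)
UNTAGGED = build_frame(DST, SRC, ETH_IPV4, PAYLOAD)

if __name__ == "__main__":
    for port, f in dumb_switch_flood(TAGGED, ["vlan10-pc", "vlan20-pc"]).items():
        print(port, parse_frame(f), "usable:", untagged_host_accepts(f))
```

Both ports receive the VLAN 20 frame, and neither ordinary client can use it: the tag alone gives neither connectivity nor separation without a device that enforces membership per port.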
                  ravegen

                  I don't need much managed switch functionalities. I just need them to be logically separated. I tried it but I have no network traffic, even ping.

                    johnpoz LAYER 8 Global Moderator @ravegen

                    @ravegen

                    Well do you have a vlan capable switch? How did you configure it - what make model do you have? Did you create the firewall rules on your vlans to allow what you want. Only lan has default any any rules. And new interfaces or vlans you create will need firewall rules.

                      ravegen

                      @johnpoz

                      I don't have any vlan capable switches. Although those switches might be cheap on your side, it's not cheap on my side. So I am thinking how to possibly use pfsense and an unmanaged ordinary switch for doing vlan. Like I said, I don't need the functionality of those managed switches but I just want to logically separate my users if that is achievable.

                        Derelict LAYER 8 Netgate

                        No. It is not possible. Get a dot1q switch.

                          johnpoz LAYER 8 Global Moderator

                          Cheap on my side? Where are you located? A simple smart switch that can do vlans is like 30$ no real difference than a dumb switch.

                          As Derelict stated if you need to do vlans - then you need a vlan capable switch. Your only other option is to do it with physical isolation where you have multiple interfaces on the router and connect multiple different switches for your different networks..

                          I for the life of me can not see how that would be a cheaper option.

                            scottlindner

                            It sounds like you do need the functionality of a managed switch. I recently went through this myself. I'm not a professional network engineer but I do understand networking reasonably well. I can help translate what the pros here are saying because I'm not one of these guys .. they know their stuff.

                            What might help this discussion is to understand your needs a bit more clearly.

                            • How many VLANs do you anticipate?
                            • How many clients/ports do you need to support per VLAN?
                            • How are you running pfSense? Is it a Netgate appliance, home built, in a VM?
                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.