Home lab vlan config help
-
I finally have most of the equipment I want for my home lab, and would appreciate some help with the vlan setup. I'm more than a little lost…I've tried reading different tutorials and posts but can't seem to get the configuration right.
I'd like to have 4 different vlans: 1 for servers with internet access, 1 for servers with no internet access, 1 for clients (lan), and 1 for wireless (dd-wrt).
I am running a pfSense 2.2 VM (ESXi) with a Cisco SG300 series switch, which I am assuming should be in L3 mode and have the DHCP server enabled. I don't know whether the ports on the switch the clients/servers connect to should be access, trunk, general, or private VLAN (I think access?) and be tagged or not; and I don't know whether the uplink port(s) should be set to trunk, general, or private VLAN (I think trunk) and be tagged or not.
I've included 2 basic diagrams of the intended network.
-
I seem to have gotten it working, provided I can configure the ACLs correctly.
-
Actually, you probably want to leave the switch in layer 2 mode.
If you had this on pfSense:
LAN em0_vlan100
DMZ em0_vlan200
SRVRS em0_vlan300
You would do something like this on the switch:
int gig 0
switchport mode trunk
switchport trunk allowed vlan 100,200,300
Then all your firewalling will be done with pfSense.
Now if you want to use the switch in Layer 3 mode, creating virtual interfaces for the VLANs and using access lists, that's cool too. I have never really looked at it but I don't think those switches are stateful firewalls. Pretty much just packet filters.
-
The reason I like the idea of L3 switching is for my NAS and ownCloud: because they are not accessible from and do not have access to the internet it seems to make more sense not to pass them through pfSense - an unneeded hop.
-
Absolutely and the switch is routing at link speed whereas you have to throw a whole lot of hardware onto pfSense to have it routing 1Gb/s constantly.
-
That is a fine use for a layer 3 switch.
Please share your ACLs when you get something working.
-
Got the basic ACLs working, it's pretty easy. I'll write a tutorial later.
-
I was just looking for the ACLs you used. But if you want to write a tutorial, all the better.
-
Yeah I'm gonna write one so no one else has to reinvent the wheel. I'll include screenshots and CLI commands.
-
Good stuff! I've been eyeing a SG300 myself… Not sure if I need more than 10 ports and if I want the PoE version. Only have 2 devices that could use it.
-
The naming of those SG300 switches in regards to PoE capabilities is a bit … non-intuitive (P, PP, MP)
Other than that, to supply PoE to two devices I'd shoot for the -10P switch with the smallest amount of available power. Saves you two inserters and probably two wall-wart PSUs as well...
-
Yeah I'm gonna write one so no one else has to reinvent the wheel. I'll include screenshots and CLI commands.
Can you hint at its availability in THIS thread, please? I'll get notified of it automatically then.
Thanks!
-
I'm still working on the MAC ACL used for the wireless connection.
Expect a full tutorial in a day or two.
-
So I finally wrote a basic IPv4 ACL tutorial for the Cisco SG300 series (I've been busy with work).
It's really basic: a little guide for blocking traffic to 2 other VLANs and allowing all other traffic. With a little thinking someone could adapt it for more specific needs.
http://kb.the-pds.net/?p=66
When I get some more time I'll post the tutorial on here.
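An added example of what the L3-mode setup discussed in this thread could look like on an SG300; it is illustration written for this page, not the thread's or the linked tutorial's own config. The VLAN IDs follow the pfSense interfaces posted earlier; the 10.0.x.0/24 addressing, gi1 as the pfSense uplink, gi2 as a client port and the ACL name are assumptions. It shows the stateless-ACL point made above: the isolated server VLAN may talk to the other lab subnets and nothing else, so it never follows the default route to pfSense.

```cisco
! Added example (not from the thread): Cisco SG300 in Layer 3 mode.
! VLAN IDs from the earlier post; addressing, port roles and ACL name are assumed.
set system mode router          ! reboots the switch into L3 mode
vlan database
 vlan 100,200,300
exit
! Uplink to the ESXi/pfSense host: tagged trunk carrying all three VLANs
interface gigabitethernet1
 switchport mode trunk
 switchport trunk allowed vlan add 100,200,300
exit
! Client-facing port: access, untagged in the LAN VLAN
interface gigabitethernet2
 switchport mode access
 switchport access vlan 100
exit
! Switch-side gateways for the VLANs the switch routes itself.
! VLAN 200 (DMZ) deliberately gets no SVI: its gateway stays pfSense,
! so DMZ traffic is still filtered by a stateful firewall.
interface vlan 100
 ip address 10.0.10.1 255.255.255.0
exit
interface vlan 300
 ip address 10.0.30.1 255.255.255.0
exit
! Default route to pfSense's LAN address (assumed 10.0.10.254);
! pfSense needs a static route for 10.0.30.0/24 via 10.0.10.1.
ip route 0.0.0.0 0.0.0.0 10.0.10.254
! Isolated server VLAN: may reach the other lab subnets, nothing else.
! The ACL is a stateless packet filter, so it also drops replies to any
! packet that reached VLAN 300 from outside 10.0.0.0/16, which is exactly
! the "no internet access" behaviour wanted for the NAS and ownCloud.
ip access-list extended ISOLATED-SRV-IN
 permit ip 10.0.30.0 0.0.0.255 10.0.0.0 0.0.255.255
 deny ip any any
exit
interface vlan 300
 service-acl input ISOLATED-SRV-IN
exit
```

Because the ACL is evaluated per packet with no connection tracking, every flow in both directions has to be listed explicitly; anything that should be filtered statefully belongs on a VLAN whose gateway is pfSense, like the DMZ above.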