Vlans No Switch?
-
If Pf sense is routing your entire network do u need a switch to segment traffic into separate vlans
-
How exactly are you connecting these devices with out switches ;)
If your going to use vlans then yes you need a switch that supports vlans.. You don't need a 1000 enterprise grade switch, unless you want one ;) A port gig switch that understands vlans is like 30-35$ to start..
But if your going to create vlans - then yes your whole infrastructure needs to understand them.. ie your switch, your AP, etc..
Now if you want to use all different switches and AP for your different networks - sure have fun ;)
If your whole network is wireless - then sure you could connect your vlan capable AP into a port on pfsense and do it that way..
-
Ok...I have pfsense running entire home network it has 3 real interfaces em0 em1 and opt1. I have multiple possibilities I have DDWRT vlan capable routers multiple of them ea4200 is the fastest. I also have a second machine with 3 more ehernet ports and 1 wireless card so possible to make this running Linux maybe I could turn it into vlan tagging switch or something. I'm not familiar with this stuff.i want to secure my network to close off any possible attacksi mean I have enough machine a 12 gb ram so I am hopeing maybe a few suggestions on DDWRT and can you use multiple openvpn instances to secure local traffic from each device or machine wouldn't that be more secure
-
With the price of switches these days, why bother trying to create one. Just avoid TP-Link managed switches.
-
@telescopedepth said in Vlans No Switch?:
I could turn it into vlan tagging switch or something
What a horrible horrible idea when a 8 port gig switch that does vlans NEW will cost you like $30 to your door in 2 days..
You could prob find some screaming full managed 24-48 port switch on ebay for less than a $100, etc..
Here 10 second google find under $40 24 port FULL MANAGED switch - why would you did around with some PC and some nics trying to make a switch??? That box prob make a decent ROUTER!!
use multiple openvpn instances to secure local traffic
Another just HORRIBLE idea... Talk about loss of performance!! for ZERO reason..
-
Thanks You I'm buying the switch from ebay
-
That specific one - or just a switch off ebay? That was something I found in 10 seconds... I have no idea on that seller etc.. Could be a complete rip off, etc.
While you for sure can find some great deals on ebay - please do some research both on the seller and the device before buying, etc. While that seller might be great and the switch a scream of a deal - for all you know half the ports are dead, etc. You never know what you might get off ebay could be real jem at great price or it could just be someones junk your taking off their hands vs them throwing it in the traffic because is really worthless..
You can for sure buy NEW at reasonable prices with full warranty, etc. for few bucks more.. Especially if you don't need full managed and just need basic features like vlan support. And don't need high port density or poe.. Which are things that raise the price..
-
@telescopedepth In a pinch you can just use ea4200 as a 5 port managed switch.
-
I bought that exact one and I hope it has all I need it had a 30 day DOA money back guarantee... Usually I do try to figure out the best option but I spent so much time on this.. I thought that was one that will work and has 30 day DOA money back I will try its overkill but maybe I will start a neighborhood watch program and get everyone's surveillance feeds and put NASA out of a job and No Not NaSa but you know who they that must not be named ...I wasn't sure which one i needed I thought I needed full managed... Thanks Again
-
Let us know how it turns out... 24 ports isn't all that many ;) I have a 28 port sg300 that is getting full.. You would be amazed at how fast you can use up ports when you have them...
And you can never have too many features in your "switch" Go Big or Go Home as they say -- hehehe
-
@johnpoz especially when your a nerd I was thinking of seeing if Android supports usb Ethernet your right you never remember the 400 devices laying around not being used until you decide a new use for them
-
From a quick look at the specs that should be a great switch at the price point.. Quick glance it only seems to be layer 2 and not 3... So guess you won't be able to use it as downstream router ;)
While DOA warranty is nice and all - but 23 ports dead out of 24 is not DOA... I would validate all ports work and such asap..
-
This post is deleted! -
@telescopedepth Hi!
VLANs on pfSense work well with right hardware, my question is why
I mean ,the final goal of bulding more virtual lan instead of putting additional ethernet cable and interface on pfSense?For my work I do VLANs on hotel with older network layout and a cable "do it all in one" PPPoE , private lan, guests lan, lool ... So I put two identical switchs at both ends for bulding one VLAN TRUNK and only why not available quick other method to manage different networks above.
This not avoid me to notice "poor performance" with high load traffic, like frame retransmission and packet loss. So is not too much fun when your customers make pressure on you everyday, because network is slow even if it's "more secure".
Basically my first rule in mind is "K.I.S.S." (Keep It Simple Stupid)
for good reasons, I mean I need very good reason for build more "complex" network layouts with VLANs and in most case is better to leave existing network "as is" if you not planning a "serious" rebuld of network at your site.VLANs just for fun? No thanks
-
@babiz said in Vlans No Switch?:
@telescopedepth Hi!
VLANs on pfSense work well with right hardware, my question is why
I mean ,the final goal of bulding more virtual lan instead of putting additional ethernet cable and interface on pfSense?For my work I do VLANs on hotel with older network layout and a cable "do it all in one" PPPoE , private lan, guests lan, lool ... So I put two identical switchs at both ends for bulding one VLAN TRUNK and only why not available quick other method to manage different networks above.
This not avoid me to notice "poor performance" with high load traffic, like frame retransmission and packet loss. So is not too much fun when your customers make pressure on you everyday, because network is slow even if it's "more secure".
Basically my first rule in mind is "K.I.S.S." (Keep It Simple Stupid)
for good reasons, I mean I need very good reason for build more "complex" network layouts with VLANs and in most case is better to leave existing network "as is" if you not planning a "serious" rebuld of network at your site.VLANs just for fun? No thanks
The purpose of VLANs is to provide logical isolation. For example, many networks use VoIP phones and a pass through port for a computer. On one job I did in a seniors residence, a few years back, there was the native LAN for the office and VLANs for VoIP,
inmate'sresident's internet access and one for network management. -
@jknott
Yes, you are right, I'm agreed your point of view!
Cheers. -
There is one thing for logical, and then there is actual isolation and security... I don't want iot devices on the same network as my PC and NAS, etc.. I sure an the hell do not want guest wifi clients on any of my networks, etc. Who knows what nasty billy's device has on it, etc..
Sorry but the days of the single lan home network are thing of the past... Atleast from any sort of security concerns - your typical home has more and more devices on the "network" Doesn't mean that have to be on 1 flat network.. I want a firewall between these different types of devices thank you very much ;)
KISS while sure that 1st S can stand for simple and it can also stand for SECURE ;)
-
@johnpoz said in Vlans No Switch?:
I don't want iot devices on the same network as my PC and NAS, etc.. I sure an the hell do not want guest wifi clients on any of my networks, etc.
You often don't have a choice about cabling. You have to use what's there. In that senior's residence I mentioned, we used ADSL over existing phone lines to bring Internet access to the rooms. I did similar in a hotel turned university residence. Phone lines were there, Ethernet cables weren't, so ADSL was used over the phone lines.
-
@johnpoz said in Vlans No Switch?:
I sure an the hell do not want guest wifi clients on any of my networks, etc. Who knows what nasty billy's device has on it, etc..
Assuming the guest WiFi has it's own SSID and VLAN, how would a guest user have access to the main LAN traffic? Even if they managed to tag their traffic, it would result in QinQ tagging, which wouldn't get them anything.
-
Have no idea what your talking about dude - yeah the ssid would be on its own vlan - DUH... My points were to the ""do it all in one"" sort of comment..
ie " leave existing network "as is"
That is not what the OP should be doing but segmenting his network. Which is the point trying to make.
-
After reading lastest post, I think to write a mini how-to for vlans primitive users like me.
So I own a pair of TL-SG105E and will be nice to write about standard vlans configuration with added global tribute from Netgate community! Hmmm...
...lol, I missing the vlans train, heh basically vlan concept is simple but is easy to lost under hardware real worLd! Ho yes.. hardware will be make a difference with various configuration stranger things happens -
@babiz said in Vlans No Switch?:
So I own a pair of TL-SG105E
You don't want to use those switches. They don't handle VLANs properly.
-
@jknott looool
Not , really not ideal hardware ;) , you are in truth,
I notice some packets errors under statistic tab, when this bad switch configured only one vlan trunk
Is nice for me, to figure it out why happen this, because it's working fine with few clients talking, and when many clients talking I get network problem.
For sure this kind of hardware is no good for business, SG105E kidding me! : -
@babiz cable costs I have allready put alot of $ into cables and it would be hundreds of feet of wireing my entire property ... and I need to isolate my security systems 3 separate systems then I got smart wifi power switches then I got endless number of computer's and devices that I want to secure ..Just saw that multiple openvpn instances would cost performance so that ideas gone
-
@johnpoz using a single linksys 6350 or something like that in bridge mode and if i need more ports i put another netgear 6300 in wireless access point mode
-
well i want to order a switch which one is capable of vlans alot of the ones i see dont say 802.1q Best buy office depot most likely choices for finding them
-
You want something that says Managed, Smart, WebSmart, etc. The specifications should definitely list 802.1q.
I will never again buy anything that requires some form of client application to configure. Needs to have a web interface.
I like the D-Link DGS-1100-08 for a cheap switch.
-
@telescopedepth said in Vlans No Switch?:
linksys 6350
Is it running something like openwrt or dd-wrt.. I find it highly unlikely that its native firmware has a clue to doing any sort of vlans other than when you create a guest network and it routes.. Its not going to to tag your ssid traffic with the correct vlan, nor does it allow for vlan support on any of its switch ports.
Get switch that does vlans, get an AP that does them... Its that simple and you wont be scratching your head on why this doesn't work, etc.
It says that is $60 on the linksys site... I see the uap-ac-lite for 70 over on newegg. That is a NO Brainer choice!! That dgs-1100-08 that derelict mentions is a good starter vlan switch.. Show it for $35 over at amazon currently
-
Thanks everyone I really appreciate it
-
@johnpoz DDWRT linkys router but I'm just going to try to buy new ap and switch so I can get on with my life
-
@johnpoz I make your saying a reality got my switch and locked myself out of it going to try to find a way in but I'm probably sending it back dlink suggest Ed I do
-
huh? Can you not just factory reset it... How you could have locked yourself out?
"Reset: By pressing the Reset button for 5 seconds the Switch will change back to the default configuration
and all changes will be lost."You got the dgs-1100-08?
-
Yes that is the model i did reset it unfortunately for me i read the instructions manual it didnt say how to reset it so i did a 30-30-30 reset and the only thing i could get it to do after that is upload the firmware unfortunately for me my network isnt allowing me to find the address to download the factory firmware somethings messed up somewhere I have tried the my cellphone network too nothing goes through so i dont know im just sending it back order the same one again...
-
@derelict Would you walk me through just a basic Pfsense and The DGS-1100-08 switch you recommended with a vlan for each port setup and if you just tell me How to do it once i can probably figure out the rest Maybe...Please if not i might not ruin this switch like the last one :)
-
Umm. Not without knowing what you want to do.
-
@derelict well Basically just segregate each port into different vlans besides the two seperate vlans that are for roku and security systems i have multiple roku tv computers etc i bought two of those switchs i have em0 as wan Re0 and Re1 as lan side stuff so i was hopeing hook one switch to the Re0 and one to the Re1 I need a security system vlan with 4 ports all on same vlan i was hopeing if i put a router on that it would work to access my security systems even that would make my life easy... and setup another wireless router and roku tv vlan with 3 ports for that and that seperates my stuff if all other ports are segregated from each other and maybe once i see how thats done i can figure out whats what thanks
-
I'm under testing some kind of vlans configuration for watching if all work good or not work good.
Setup vlans itself is pretty simple, I need to test a lot of vlans subnet , and pfSense almost will manage without issue.
On pic above you can notice at one shot all my vlans testing environment, so you can see;interface tag number,
subnet and mask in cdir notation,
(Indeed I'm done with all other basic interface setting, DNS and DHCP enabled, one basic rule "interface to all" for each vlans)
This is a side note. If some folks not understand enough all background of pfSense
So, last one CDIR netmask is different for each subnet, I will to try, for testing purposes.
I need to known if will be reliable to generate some more much traffich at once and with different netmask. and switch tagging/untagging and last wireless multi ssid access pointFor go foward now with vlans setup after this , before you leave from pfsense webui make sure to do everything is needed you need and rebott it
Next to assign tagged and untagged port on your switch*
well, my layout on crappy tl-sg105e as follow:
At this stage you can look a nice layout on the paper, I made this with my network teacher in mind, when he said something like "is better do a full vlans configuration on your device, for avoiding issues"
LOOL, just start with small "seven" tag configuration, this is enough for checking some vlans behaviors.
** My pfSense is connected at port 1 and my wlan ap is plugged at port 2 , other ports go to other devices and I will test later.**
I'm notice no many problem between devices, but because my crappy switch I guess some kind of "overlaps" and missing to get internet access when I'm under testing this only trought my multi ssid wlan ap.
Because this I back to only two ssid broadcasting instead of four available, with more to two ssid my wlan ap give up
I'm pretty sure of this, so next pic show my current multi ssid configuration:
So my test trials is not really done, but I like to show how to is pretty simple, dealing with vlans and pfSense!
Indeed routing trought all this subnet works well like a charm.
Bye -
If that TP-Link AP behaves the same as my WA-901N, I can guarantee it won't handle VLANs properly.
-
That sg105e doesnt allow you to remove vlan 1.. So your whole attempt at trying to do vlans is moot.. You can not actually do valns with such switch..
If its v3 hardware you should be able to update so you can remove vlan 1 form your interfaces your wanting to put in other vlans.
Yeah their AP are the same lack of understanding design..
-
@johnpoz said in Vlans No Switch?:
Yeah their AP are the same lack of understanding design..
Same with their support staff. When I contacted them, they couldn't understand that VLANs should act as logically separate LANs, with no traffic passing between them. When I was able to reach 2nd level support, they accepted there was a problem, but no fix was forthcoming.