How to assign same vlan tag with different network segment on two ports
-
We are going to migrate from the Sonicwall firewall to the Netgate 7100. On the Sonicwall firewall, there are two physical ports (X0 and X4) marked as EMP and GUEST. And phone company creates a vlan called VOIP tagged 11 on both GUEST and EMP's sub-interfaces as X0:V11 and X4:V11 and assigned a different network segment on each. On Netgate, I created vlan GUEST, EMP and VOIP; And EMP has been assigned to ETH2 and GUEST has been assigned to ETH3 on Netgear 7100. I can assign the VOIP vlan to both ports (ETH2 and ETH3). But how can I create a different network segment for the VOIP on both ports?
-
@pwang99 said in How to assign same vlan tag with different network segment on two ports:
assigned a different network segment on each
You mean tagged vlan with ID 11, is 2 different networks? That is borked.. You would not ever do that..
If you want 2 different L3 networks. 192.168.X/24 and 192.168.Y/24 for example. Those on the same switch shouldn't use the same vlan ID..
The vlan isolates traffic at layer 2.. Using 2 different L3 networks on the same L2 doesn't provide for isolation..
If you want ports on the same vlan on the 7100, use the switch ports. And then sure you can put as many ports as you have in the same vlan..
-
@johnpoz Thank you! Totally agree with you. In theory, it should not configure this way
On the Netgate 7100, can I configure this way?ETH2 – EMP (192.168.1.0/24)
--> ETH2:V11 (ETH2’s sub-interface with vlan tag 11 and with 192.168.11.0/24)ETH3 -- GUEST (10.10.1.0/24)
--> ETH3:V11 (ETH3’s sub-interface with vlan tag 11 and with 10.10.11.0/24)There will be physical separate switches connecting with each port of ETH1 & ETH2.
Please make a note, we hope that we can keep the vlan tag 11 due to tons of the VOIP phones attached.
-
IMHO - Not a good idea.
When the 7100 receives a packet tagged with VL11 , which of the two configured interfaces is it supposed to put the packet on ?
/Bingo
-
@bingo600 Thank you! I know that it is a not good idea. This configuration has been made on SonicWall firewall. I just want to copy the same configuration into Netgate. The phone system is a cloud based. So both interfaces (ETH2 and EHT3) receive the VOIP (VL11) package which will be forwarded to a PBX in the internet.
-
@pwang99 No, you cannot do that because you can only tag VLAN 11 on lagg0 to the built-in switch once. You can only assign VLAN 11 on lagg0 (lagg0.11) to one pfSense interface.
There is probably a better, more compliant way to accomplish what you look to do. Maybe this is a good time to re-design the network properly?
-
@derelict Thank you! much appreciate!!!
-
I agree w. Derelict , about maybe redesign the network.
But if all you need is a VL11 , that serves two ip networks at the same time.
I would look into using a single interface with "the most important ip lan as the interface ip/mask" , and then use a VIP (Firewall -> Virtual IP Address) as the 2'nd lan ip address/mask.If you are handing out DHCP addresses on "both lans" , be prepared for issues, and even "not possible".
Maybe there are other issues lurking , but i think VIP is the "Cleanest" way to do a "Dirty thing".
/Bingo
-
@bingo600 Thank you! Ya...We have to assign IP to those IP phones on both vlan 11...
-
You could also connect an untagged (no VLAN) pfSense interface to a switchport that is already a member of VL11.
And get two ip lan's that way , but i think the VIP is "Cleaner".The untagged way might enable you to give out DHCP from both lans.
But it would be a "lottery" in what phone will get a DHCP IP in which lan range.And probably haunt you until you redesign , the setup.
/Bingo
-
@bingo600 Thanks... Both vlan11 are a sub-interface of eth2 (EMP vlan) and eth3 (GUEST vlan), so I think it must be tagged.
-
Ahh i didn't fully understand (read) the setup until now.
So you get 2 different lines in from the phone company , and both lines carry phone traffic tagged in VL11.
For that i would get two small vlan capable switches, connect an incomming tagged (trunk in cisco language) ISP input interface on each.
Do NOT connect the two switches together.Then i would split out VL11 on both switches to an untagged "phone" switchport , that is a member of VL11. That would "get rid of the VL tagging", and convert it to untagged/normal ethernet.
Now that the "phone" switchport on each switch is a "normal untagged" ethernet port , that port can be connected directly to a pfSense ethernet interface , that has the corresponding lan ip/mask.
You could do with just one little switch for splitting out (untagging) just one of the phone VL11's , and run the other tagged VL11 into the pfSense.
But if i had the interfaces availabls in the 7100 , i'd prob. untag both phone VL11's , to get consistency in my setup.Is any other traffic is carried on those ISP links ??
/Bingo
-
@pwang99 Thanks.. I am with you. But how can I assign a different network segment to the ETH V11 vlan and ETH3 V11 vlan? See the diagram below:
ETH2 – EMP (192.168.1.0/24)
--> ETH2:V11 (ETH2’s sub-interface with vlan tag 11 and with 192.168.11.0/24)ETH3 -- GUEST (10.10.1.0/24)
--> ETH3:V11 (ETH3’s sub-interface with vlan tag 11 and with 10.10.11.0/24) -
@pwang99
I'm starting to think you are a "Robot" , or totally miss the point here.
Always the same answer.How much network/switch experience do you have ?
/Bingo
