How to assign same vlan tag with different network segment on two ports
-
@bingo600 Thank you! I know that it is not a good idea. This configuration has been made on a SonicWall firewall. I just want to copy the same configuration into Netgate. The phone system is cloud based. So both interfaces (ETH2 and ETH3) receive the VOIP (VL11) packets, which will be forwarded to a PBX on the internet.
-
@pwang99 No, you cannot do that because you can only tag VLAN 11 on lagg0 to the built-in switch once. You can only assign VLAN 11 on lagg0 (lagg0.11) to one pfSense interface.
There is probably a better, more compliant way to accomplish what you look to do. Maybe this is a good time to re-design the network properly?
-
@derelict Thank you! Much appreciated!!!
-
I agree with Derelict about maybe redesigning the network.
But if all you need is a VL11 that serves two IP networks at the same time:
I would look into using a single interface with "the most important IP LAN as the interface IP/mask", and then use a VIP (Firewall -> Virtual IP Address) as the 2nd LAN IP address/mask. If you are handing out DHCP addresses on "both LANs", be prepared for issues, and even "not possible".
Maybe there are other issues lurking, but I think VIP is the "cleanest" way to do a "dirty thing".
/Bingo
-
@bingo600 Thank you! Ya...We have to assign IP to those IP phones on both vlan 11...
-
You could also connect an untagged (no VLAN) pfSense interface to a switchport that is already a member of VL11,
and get two IP LANs that way, but I think the VIP is "cleaner". The untagged way might enable you to give out DHCP from both LANs.
But it would be a "lottery" which phone will get a DHCP IP in which LAN range. And it will probably haunt you until you redesign the setup.
/Bingo
-
@bingo600 Thanks... Both vlan11 are a sub-interface of eth2 (EMP vlan) and eth3 (GUEST vlan), so I think it must be tagged.
-
Ahh, I didn't fully understand (read) the setup until now.
So you get 2 different lines in from the phone company, and both lines carry phone traffic tagged in VL11.
For that I would get two small VLAN-capable switches, and connect an incoming tagged (trunk in Cisco language) ISP input interface on each.
Do NOT connect the two switches together. Then I would split out VL11 on both switches to an untagged "phone" switchport that is a member of VL11. That would "get rid of the VL tagging", and convert it to untagged/normal ethernet.
Now that the "phone" switchport on each switch is a "normal untagged" ethernet port, that port can be connected directly to a pfSense ethernet interface that has the corresponding LAN IP/mask.
You could do with just one little switch for splitting out (untagging) just one of the phone VL11's, and run the other tagged VL11 into the pfSense.
But if I had the interfaces available in the 7100, I'd prob. untag both phone VL11's, to get consistency in my setup. Is any other traffic carried on those ISP links?
/Bingo
-
@pwang99 Thanks.. I am with you. But how can I assign a different network segment to the ETH V11 vlan and ETH3 V11 vlan? See the diagram below:
ETH2 -- EMP (192.168.1.0/24)
--> ETH2:V11 (ETH2's sub-interface with vlan tag 11 and with 192.168.11.0/24)
ETH3 -- GUEST (10.10.1.0/24)
--> ETH3:V11 (ETH3's sub-interface with vlan tag 11 and with 10.10.11.0/24)
-
@pwang99
I'm starting to think you are a "Robot", or totally miss the point here.
Always the same answer. How much network/switch experience do you have?
/Bingo