How to assign same vlan tag with different network segment on two ports

pwang99

@bingo600 Thank you! I know that it is a not good idea. This configuration has been made on SonicWall firewall. I just want to copy the same configuration into Netgate. The phone system is a cloud based. So both interfaces (ETH2 and EHT3) receive the VOIP (VL11) package which will be forwarded to a PBX in the internet.

Derelict

@pwang99 No, you cannot do that because you can only tag VLAN 11 on lagg0 to the built-in switch once. You can only assign VLAN 11 on lagg0 (lagg0.11) to one pfSense interface.

There is probably a better, more compliant way to accomplish what you look to do. Maybe this is a good time to re-design the network properly?

pwang99

@derelict Thank you! much appreciate!!!

bingo600

I agree w. Derelict , about maybe redesign the network.

But if all you need is a VL11 , that serves two ip networks at the same time.
I would look into using a single interface with "the most important ip lan as the interface ip/mask" , and then use a VIP (Firewall -> Virtual IP Address) as the 2'nd lan ip address/mask.

If you are handing out DHCP addresses on "both lans" , be prepared for issues, and even "not possible".

Maybe there are other issues lurking , but i think VIP is the "Cleanest" way to do a "Dirty thing".

/Bingo

pwang99

@bingo600 Thank you! Ya...We have to assign IP to those IP phones on both vlan 11...

bingo600

@pwang99

You could also connect an untagged (no VLAN) pfSense interface to a switchport that is already a member of VL11.
And get two ip lan's that way , but i think the VIP is "Cleaner".

The untagged way might enable you to give out DHCP from both lans.
But it would be a "lottery" in what phone will get a DHCP IP in which lan range.

And probably haunt you until you redesign , the setup.

/Bingo

pwang99

@bingo600 Thanks... Both vlan11 are a sub-interface of eth2 (EMP vlan) and eth3 (GUEST vlan), so I think it must be tagged.

bingo600

@pwang99

Ahh i didn't fully understand (read) the setup until now.

So you get 2 different lines in from the phone company , and both lines carry phone traffic tagged in VL11.

For that i would get two small vlan capable switches, connect an incomming tagged (trunk in cisco language) ISP input interface on each.
Do NOT connect the two switches together.

Then i would split out VL11 on both switches to an untagged "phone" switchport , that is a member of VL11. That would "get rid of the VL tagging", and convert it to untagged/normal ethernet.

Now that the "phone" switchport on each switch is a "normal untagged" ethernet port , that port can be connected directly to a pfSense ethernet interface , that has the corresponding lan ip/mask.

You could do with just one little switch for splitting out (untagging) just one of the phone VL11's , and run the other tagged VL11 into the pfSense.
But if i had the interfaces availabls in the 7100 , i'd prob. untag both phone VL11's , to get consistency in my setup.

Is any other traffic is carried on those ISP links ??

/Bingo

pwang99

@pwang99 Thanks.. I am with you. But how can I assign a different network segment to the ETH V11 vlan and ETH3 V11 vlan? See the diagram below:

ETH2 – EMP (192.168.1.0/24)
--> ETH2:V11 (ETH2’s sub-interface with vlan tag 11 and with 192.168.11.0/24)

ETH3 -- GUEST (10.10.1.0/24)
--> ETH3:V11 (ETH3’s sub-interface with vlan tag 11 and with 10.10.11.0/24)

bingo600

@pwang99
I'm starting to think you are a "Robot" , or totally miss the point here.
Always the same answer.

How much network/switch experience do you have ?

/Bingo