VLAN on multiple NICs

kitt_i

Hi all,
I'm new to Pfsense but not to firewalls
I'm trying to set the following setup on my Pfsense and didn't find a way or an answer on the web
I have a 6 NICs PC 1 for WAN and I would like to make the rest as LAN
I want 3 VLANs on my network
the first switch connected to the PFsense will have all 3 VLANs on it, the second switch will have only one VLAN and I have two more computers I want to connect directly to the PFsense untagged
For the moment I have all the 5 NICs as one bridge, but I see I can't allocate VLANs to it
How can I set my PFsense to my wanted setup?
How do I set IP range and DHCP for each VLAN?

hieroglyph

@kitt_i Pretty sure the way this is explained will require nested bridges. Which I assume can be done. But would be messy. I have run bridges in the past and depending on the hardware and amount of traffic it could cause resource issues. Bridges force pfsense to handle extra packet processing to behave like a switch.

Other options (still requiring bridging ports 2 - 6 together first, enabling the bridge0 interface, and setting it with a static IP):

• Set pfsense port2 to carry all x3 VLANs. Enable pfsense port2 and set static IP. Put a 3rd small VLAN aware switch on port2. In the 3rd switch make a port to the 1st switch carrying all x3 VLANs. In the 3rd switch make a port to the 2nd switch carrying x1 VLAN.

OR

• Set pfsense port2 to carry all x3 VLANs. Enable x3 VLANs and set static IPs. Set pfsense port3 to carry x1 VLAN with the VLAN_ID as one on pfsense port2. Enable VLAN and set static IP. Firewall rules can then allow traffic between the shared VLAN_ID between pfsense port2 and pfsense port3. Additionally if it is desired to make it appear as tho the same IP pool is used a 192.168.2.0/25 and a 192.168.2.128/25 can be used for the shared VLAN_IDs.

hieroglyph

@kitt_i After I typed that and thought about it a little more. I am not even sure you can have two different interface with the same VLAN_ID. You may be better off with just the first option.

Or using the second option but not using the same VLAN ID for the shared VLAN. Just use firewall rules to allow devices on the different VLANs to talk to each other.

kitt_i

@hieroglyph Thank you for your reply
I need the setup as I described it since I will have two AP's that will broiadcast 3 SSIDs each needs to be a different VLAN one of them is my main VLAN that has all of my other devices that need to talk to each other and thus is the second switch
I can daisy chain the two switches but then all of the computers on one switch can talk to all other devices on a single 1 Gb port instead of having 1 Gb port between the two switches and to the PFsense itself and have the ability to talk faster between segment of the network

hieroglyph

@kitt_i If the switches can do LAGG (LACP), daisy chain them. Then x2 1Gb connections from pfsense to switch 1. And x2 1Gb connections from switch1 to switch2.

hieroglyph

@hieroglyph Also, pfsense is not going to be able to move packets faster at layer3 than a switch can at layer2. If you want pfsense to be efficient, let the switches handle all inter-LAN traffic (i.e. LAN10 to LAN10. LAN20 to LAN20. Etc...). That way pfsense only needs to handle cross-LAN traffic (LAN10 to LAN20. LAN20 to LAN30, Etc...) and traffic headed out of WAN.