VLAN Setup question
-
I'm getting ready to configure pfsense on my firewall for work, and have been racking my head around probably a basic question but wanted to reach out to see if someone could give me the best practice answer. We use the following configuration:
vlan10-corporate data
vlan20- voice
vlan40-guest network
When you configure pfsense, would you just give the lan network the same ip scheme as the default vlan10 or would you give lan a different address and configure the vlans and set up the firewall rules for the lan network to allow them to all route?
Thanks for your help, sorry to ask a basic question.
-Steven
-
@swgarland said in VLAN Setup question:
vlan10-corporate data
Typically, you'd have that on the native LAN, not VLAN.
-
So currently you're all tagged? Or do you have untagged native vlans?
Just putting whatever on the lan would be untagged.. There is nothing wrong with that really - but I would prob not change up anything you're currently doing. Some locations all vlans are tagged for example.
Be it your vlan is tagged or untagged doesn't really matter as long as you set up your network to correctly isolate the vlans and "you" and everyone else on the networking/it team understands what is what ;)
-
@johnpoz said in VLAN Setup question:
Be it your vlan is tagged or untagged doesn't really matter as long as you setup your network to correctly isolate the vlans and "you" and everyone else on the networking/it team understands what is what ;)
Correct, I'm running dell switches and it tags all untagged traffic as vlan10. My original pfsense firewall died and I'm recreating everything and just wanted to make sure I'm setting it correctly. I'm not a strong networking person, and it's just me running the show so sometimes it can get challenging trying to keep up.
Previously I had it set that the lan address was the same as vlan10 (corporate network) and then I identified all the vlans within pfsense and set the rules accordingly. I had this theory that I was doing it wrong from the start and this go around I figured I would reach out and ask so I don't overcomplicate things.
-
You cannot put the same netblock on lan, and also on a vlan..
You could set up a vlan and put a netblock on it, and then not put an address on "lan" etc. There are a few ways to skin this cat to be sure.
I would prob put an address on lan, that is outside your scope that is untagged. This would allow you to access pfsense from this port without having to tag any traffic - say plug a laptop in sort of thing..
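The rule in the post above (no netblock may appear on both LAN and a VLAN, and an untagged LAN address should sit outside every VLAN scope) is easy to check mechanically before committing an interface plan. The following is an added example, not code from the thread or from pfSense; the interface names and the 10.10.x.0/24 and 192.168.1.0/24 addresses are constructed assumptions standing in for the poster's real scheme.

```python
import ipaddress

# Constructed interface plan (assumed addresses, not the poster's): three tagged
# VLANs plus an untagged LAN address deliberately chosen outside every VLAN scope.
INTERFACE_PLAN = {
    "lan (untagged)":   "192.168.1.1/24",
    "vlan10 corporate": "10.10.10.1/24",
    "vlan20 voice":     "10.10.20.1/24",
    "vlan40 guest":     "10.10.40.1/24",
}

# A plan that repeats the thread's earlier mistake: LAN and vlan10 share a netblock.
CONFLICTING_PLAN = {
    "lan (untagged)":   "10.10.10.1/24",
    "vlan10 corporate": "10.10.10.254/24",
    "vlan20 voice":     "10.10.20.1/24",
}


def find_overlaps(plan):
    """Return sorted (name_a, name_b) pairs whose netblocks overlap.

    Two interfaces on one firewall cannot both own the same (or a nested) prefix;
    pfSense would have no unambiguous interface to route the block to.
    """
    nets = {name: ipaddress.ip_interface(addr).network for name, addr in plan.items()}
    names = sorted(nets)
    overlaps = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                overlaps.append((a, b))
    return overlaps


def find_bad_host_addresses(plan):
    """Return interface names whose address is the network or broadcast address.

    An interface address must be a usable host address inside its own prefix.
    """
    bad = []
    for name, addr in plan.items():
        iface = ipaddress.ip_interface(addr)
        net = iface.network
        if iface.ip in (net.network_address, net.broadcast_address):
            bad.append(name)
    return sorted(bad)


def validate_plan(plan):
    """Combine both checks into a list of human-readable findings (empty = OK)."""
    findings = [f"overlapping netblocks: {a} <-> {b}" for a, b in find_overlaps(plan)]
    findings += [f"not a host address: {name}" for name in find_bad_host_addresses(plan)]
    return findings


if __name__ == "__main__":
    for label, plan in (("clean plan", INTERFACE_PLAN), ("conflicting plan", CONFLICTING_PLAN)):
        problems = validate_plan(plan)
        print(f"{label}: {'OK' if not problems else '; '.join(problems)}")
```

Running it flags the conflicting plan's LAN/vlan10 overlap and passes the clean one, which is the property the reply is describing: the untagged LAN address only has to be routable and unique, it does not need to belong to any of the VLAN scopes.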
-
@swgarland said in VLAN Setup question:
I'm running dell switches and it tags all untagged traffic as vlan10.
????
Do you mean it uses VLAN 10 internally? Or puts tagged frames out on the wire? While I haven't worked with Dell switches, I have never seen a switch do that.
-
It currently tags all traffic as vlan10 unless it is changed on the switchport. It will look at the avaya phones and automatically put them on vlan20.
-
When you have VoIP phones, they are typically on a VLAN, while the computers are on the native LAN. The computers are often plugged into the phone which, in turn, is connected to the switch. The phone will use the VLAN and leave the computer data untagged. If tagged frames are used, then the other devices will have to be configured to use tagged frames. You can do that with computers, but not with many other devices. If you fire up Wireshark on a computer, will you see the VLAN tags?
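The question at the end of the post above (do frames arriving at a PC carry an 802.1Q tag or not) is exactly what a capture answers, and the decision is made on a few bytes of the Ethernet header. The following is an added example, not code from the thread or from pfSense or Wireshark: it parses raw Ethernet frames for 802.1Q tags, including stacked (QinQ) tags, and the sample frames are constructed inline with made-up MAC addresses.

```python
import struct

TPID_8021Q = 0x8100   # customer VLAN tag (the one a switch port adds or strips)
TPID_8021AD = 0x88A8  # service tag used when tags are stacked (QinQ)
ETHERTYPE_IPV4 = 0x0800


def parse_vlan_tags(frame: bytes):
    """Return (tags, ethertype, payload_offset) for a raw Ethernet frame.

    tags is a list of (pcp, vid) tuples in outer-to-inner order; an untagged
    frame yields an empty list.  ethertype is the type of the first non-VLAN
    header and payload_offset is where it begins.
    """
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    offset = 12  # skip destination and source MAC
    tags = []
    while True:
        if offset + 2 > len(frame):
            raise ValueError("frame truncated inside the type/tag fields")
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        offset += 2
        if ethertype not in (TPID_8021Q, TPID_8021AD):
            return tags, ethertype, offset
        if offset + 2 > len(frame):
            raise ValueError("frame truncated inside an 802.1Q tag")
        (tci,) = struct.unpack_from("!H", frame, offset)
        offset += 2
        pcp = tci >> 13          # 3-bit priority (voice is often marked high)
        vid = tci & 0x0FFF       # 12-bit VLAN ID; 0 means priority-only tag
        tags.append((pcp, vid))


def describe(frame: bytes) -> str:
    """One-line summary in the spirit of a capture tool's info column."""
    tags, ethertype, _ = parse_vlan_tags(frame)
    if not tags:
        return f"untagged, ethertype 0x{ethertype:04x}"
    chain = " > ".join(f"vlan {vid} (pcp {pcp})" for pcp, vid in tags)
    return f"tagged: {chain}, ethertype 0x{ethertype:04x}"


def build_frame(vlans, ethertype=ETHERTYPE_IPV4, payload=b"\x45" + b"\x00" * 19):
    """Construct a test frame; vlans is a list of (pcp, vid) outer-to-inner.

    The outermost tag of a stacked pair is emitted with the 0x88A8 service TPID.
    """
    dst = bytes.fromhex("ffffffffffff")        # constructed broadcast destination
    src = bytes.fromhex("021122334455")        # constructed locally-administered source
    header = dst + src
    for i, (pcp, vid) in enumerate(vlans):
        tpid = TPID_8021AD if (len(vlans) > 1 and i == 0) else TPID_8021Q
        header += struct.pack("!HH", tpid, (pcp << 13) | vid)
    return header + struct.pack("!H", ethertype) + payload


# Constructed sample frames mirroring the thread: PC data untagged, phone traffic
# tagged vlan 20 with a high priority, and a stacked pair as the general case.
UNTAGGED_PC = build_frame([])
VOICE_VLAN20 = build_frame([(5, 20)])
QINQ_100_OVER_10 = build_frame([(0, 100), (0, 10)])

if __name__ == "__main__":
    for name, frame in (("PC", UNTAGGED_PC), ("phone", VOICE_VLAN20), ("QinQ", QINQ_100_OVER_10)):
        print(f"{name:6s} {describe(frame)}")
```

If every frame captured on a PC port reports "untagged", the switch is stripping the access VLAN on egress (the normal case, whatever VLAN it assigns internally); only a trunk port would show 0x8100 tags on the wire.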
-
@swgarland said in VLAN Setup question:
It currently tags all traffic as vlan10 unless it is changed on the switchport.
Well change it if you don't want what you want.. If you want to use just native lan as vlan 10 - then just set the port connected to the lan port of pfsense to not tag vlan 10. So you're saying if you put some pc connected to port X, that you have to set the PC to understand the vlan, ie the tag.. PCs sure do not do that out of the box.