Isolated VLAN / Private VLAN

sokolum

@jknott
Not really, yes the switch have to be aware, but

@jknott said in Isolated VLAN / Private VLAN:

@sokolum

That's a switch function, not router. For example, even my crappy TP-Link managed switch supports it, IIRC. Some APs do too.

That doesn’t mean a firewall couldn’t support it, it makes sense in smaller setups such functionality on the firewall. By the way, on the router you have to configure in the interface the communities.

Actually, if the Firewall becomes PVLAN aware in single/multi switch setup, the switch itself doesn’t have to be PVLAN aware. Then on the switch you just continue creating VLAN’s as you do. Only Isolated VLAN is a thing, perhaps QinQ could solve this.

JKnott

@sokolum

Then you'd need some way to make the individual connections to pfsense. How would you do that? Perhaps by putting a managed switch in front of pfsense to provide private VLANs? Even if you had tagged VLANs right into pfsense, you'd still need a managed switch to do that.

johnpoz

@sokolum said in Isolated VLAN / Private VLAN:

the switch itself doesn’t have to be PVLAN aware

But as stated what switch would you be using that doesn't support it? But vlans, such a shitty switch would most likely have a limit on number of vlans you could create anyway, and most likely sure wouldn't support QinQ ;)

As stated this a thing you do on your switch or your AP.. This is not something that you would do on a router even if the router had a small switch..

If you want to isolate devices now say on a 3100 with your 4 switch ports.. Then just put them on 4 different vlans.

private vlans come into play when you have large switching environment, with say hundreds of clients that you don't want talking to each other. If its just a handful of clients.. Then put them in their own normal vlan. Even if just 1 device in each vlan.

JKnott

@johnpoz said in Isolated VLAN / Private VLAN:

Then put them in their own normal vlan. Even if just 1 device in each vlan.

That would still require a managed switch, unless you want to configure the devices to use VLANs directly.

johnpoz

Talking a about connecting devices directly into the switch ports on the router ;)

But yeah - all of this stuff is what you do on your switching environment. You want to do private vlans - then get a switch that does them.. Its not like you need $2k cisco 9k nexus to do private vlans ;)

My $200 (brand new price) 28 port sg300 cisco does them.. So its not like you need a enterprise bankroll or anything.

JKnott

@johnpoz

Of course that brings up the question of how many ports a router has. Mine has 4, so I could use 1 for WAN, leaving all of 3 for isolating users. However, if I was doing that, I'd set up separate VLANs, as I do for my guest WiFi, that are not allowed to communicate. @sokolum wants a switch to do this, not pfsense.

JKnott

This post is deleted!

sokolum

@johnpoz said in Isolated VLAN / Private VLAN:

@sokolum said in Isolated VLAN / Private VLAN:

the switch itself doesn’t have to be PVLAN aware

But as stated what switch would you be using that doesn't support it? But vlans, such a shitty switch would most likely have a limit on number of vlans you could create anyway, and most likely sure wouldn't support QinQ ;)

As stated this a thing you do on your switch or your AP.. This is not something that you would do on a router even if the router had a small switch..

If you want to isolate devices now say on a 3100 with your 4 switch ports.. Then just put them on 4 different vlans.

private vlans come into play when you have large switching environment, with say hundreds of clients that you don't want talking to each other. If its just a handful of clients.. Then put them in their own normal vlan. Even if just 1 device in each vlan.

I have actually another use case to have PVLAN, that is to have a systems sitting in the same subnet but in a isolated or in a community to prevent cross infections.

Yes my N9K can do it all ESX cluster running in Enterprise mode, but for my test lab is a bit to expensive on my household testlab budget to buy a N9K. VMware actually changed their trials policy’s for NSX, you can try them out for 60 days, also Vcenter.

This opens doors for my test lab, to test various settings.

Configure PVLAN on ESX, as system in a community just leaves the ESX with a tagged VLAN header. Try it, just configure a VLAN on PfSense.... Netgate having the VLAN ID of your community, it works.

Technically, it’s actually having a interface with a subnet that sitting in multiple VLAN’S.

So, I guess it would be a impossible feature request.

In my testlab the Netfate sits on a bare metal.

JKnott

@sokolum

If they're in the same subnet, there is no way to separate them other than a switch that supports it. Pfsense can do absolutely nothing to block devices on the same subnet from communicating, as they can do so directly, without involving pfsense.

sokolum

@jknott said in Isolated VLAN / Private VLAN:

@sokolum

Then you'd need some way to make the individual connections to pfsense. How would you do that? Perhaps by putting a managed switch in front of pfsense to provide private VLANs? Even if you had tagged VLANs right into pfsense, you'd still need a managed switch to do that.

It not possible to do it now on pfsense, yes a managed switch can do that trick But i have read TP-Link can do this trick.... maybe time to say goodbye to my Netgear GS108TV3.

JKnott

@sokolum

Yes, I told you my crappy TP-Link switch can do it, as can my Unifi AP and I expect my Cisco switch can too, though I haven't checked. However, if you're buying a managed switch, avoid TP-Link as some models have problems with VLANs.

JKnott

@sokolum said in Isolated VLAN / Private VLAN:

Netgear GS108TV3.

You might want to check the manual to see if that function is supported. You may have to check carefully, as it might not be obvious. For example, with my crappy TP-Link switch, it's called "Multi-Tenant Unit VLAN".