Netgate Discussion Forum

    segment wifi traffic (guest, IoT, trusted)

    General pfSense Questions
    46 Posts 7 Posters 9.1k Views 6 Watching
    • johnpoz LAYER 8 Global Moderator @JKnott

      While you can do that.. understand that a dumb switch doesn't understand vlans.. So there is no isolation. All the broadcast and multicast traffic from all the vlans, as soon as it hits the switch, will go to all the other ports.

      While your dumb switch will pass the vlan tags.. since it doesn't understand them, it doesn't know that broadcast/multicast traffic from vlan X is not supposed to go to all the ports.

      If you're doing it that way because you can not afford, say, a $30-50 switch... you shouldn't be running so many freaking devices in the first place. I mean the electric cost alone must eat up your whole budget ;)

      Give up a couple of $10 coffees at Starbucks and get a switch that actually understands vlans.

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 25.07.1 | Lab VMs 2.8.1, 25.07.1

      • JKnott @johnpoz

        @johnpoz said in segment wifi traffic (guest, IoT, trusted):

        So there is no isolation. All the broadcast and multicast traffic from all the vlans as soon as hits switch will go to all the other ports.

        There is some isolation in that the devices won't receive the packets for other VLANs. They will appear at the NIC, where they will be promptly ignored.

        PfSense running on Qotom mini PC
        i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel 1 Gb Ethernet ports.
        UniFi AC-Lite access point

        I haven't lost my mind. It's around here...somewhere...

        • farmerjohn @johnpoz

          @johnpoz

          So there is no isolation. All the broadcast and multicast traffic from all the vlans as soon as hits switch will go to all the other ports.

          Seems not optimal, but what is the downside to this? Will this cause a noticeable hit to network performance or other issues?

          • johnpoz LAYER 8 Global Moderator @farmerjohn

            The downside is you're sending broadcast/multicast to somewhere it doesn't need to go.

            While the nic might drop it, you also can join any vlan you want with any device just by tagging. So no security at all.

            If you're to the point where you want to segment your network into different vlans, yet not willing to spend the few bucks required to do it correctly - you're doing it F'ing Wrong! ;)

            If it's a stop gap until your smart switch gets delivered, or you want to do it on purpose as say an easy tap into viewing traffic.. or you're using the dumb switch as a sort of relay to extend the length of a run or something.. sure ok..

            While there may be some scenarios where you need/want to do it - overall it's a borked way to do it.

            There is one correct answer to wanting to run vlans on a switch - the switch should understand the tags ;) It doesn't need to be some super managed everything-under-the-sun sort of networking magic switch.. But it should at least understand what the tag is, and how to process them and isolate them correctly.. So that you actually get the L2 isolation that vlans are meant to provide..


            • JKnott @farmerjohn

              @farmerjohn

              It will waste some bandwidth on the wire, but devices will not recognize packets on a VLAN they're not configured for. Those packets will be discarded by the NIC.


              • JKnott @johnpoz

                @johnpoz said in segment wifi traffic (guest, IoT, trusted):

                You also can join any vlan you want with any device just be tagging. So no security at all.

                Assuming:

                a) You have admin rights¹ and
                b) Know how to do that

                1. Yeah, I know many people run their computers as admin because they don't know better and that's the way it came.


                • bingo600 @JKnott

                  @farmerjohn
                  I totally agree w. @johnpoz here.
                  Get a cheap managed switch for the job.
                  As a "bonus" you could use the 6 other ports for other vlans, and treat it as an additional 6 Lan interfaces.

                  @jknott
                  Just because you could ... Doesn't mean you should. 😊
                  And certainly not for saving $50

                  /Bingo

                  If you find my answer useful - Please give the post a 👍 - "thumbs up"

                  pfSense+ 23.05.1 (ZFS)

                  QOTOM-Q355G4 Quad Lan.
                  CPU  : Core i5 5250U, Ram : 8GB Kingston DDR3LV 1600
                  LAN  : 4 x Intel 211, Disk  : 240G SAMSUNG MZ7L3240HCHQ SSD

                  • bingo600 @farmerjohn

                    @farmerjohn

                    I suppose you're thinking about dd-wrt

                    Hw-Rev A1
                    https://wiki.dd-wrt.com/wiki/index.php/Asus_RT-AC66U

                    Hw-Rev B1
                    https://wiki.dd-wrt.com/wiki/index.php/Asus_RT-AC66U_B1


                    • bingo600

                      There might be some "trickery" in connecting the managed switch to the Lan IF and enabling tagging, without losing Lan (that you need for configuring).

                      I suppose you could keep Lan as untagged.

                      Maybe one of the others has tried to run untagged & tagged on a pfS IF.
                      I haven't yet

                      /Bingo


                      • johnpoz LAYER 8 Global Moderator @bingo600

                        @bingo600 said in segment wifi traffic (guest, IoT, trusted):

                        Maybe one of the others has tried to run untagged & tagged on a pfS IF.

                        I run one of my interfaces with native (untagged) and then vlans on it.. There really isn't anything tricky about it ;)

                        [screenshot: here.png]

                        You can see that the native network, my wlan, is untagged and on the igb2 interface, while the 2 other networks (vlans) are on that same physical interface igb2.


                        • JKnott @bingo600

                          @bingo600 said in segment wifi traffic (guest, IoT, trusted):

                          Maybe one of the others has tried to run untagged & tagged on a pfS IF.
                          I haven't yet

                          That's what I have here. My guest Wifi is connected via VLAN3 and the main Wifi is on the native LAN. This is quite common with things like VoIP phones and office computers. On the pfsense end, once the VLANs are enabled, there's no difference with a native LAN when configuring them.

                          [screenshot: eda3d4df-a08c-4b95-b359-5dd756aa7108-image.png]


                          • farmerjohn @bingo600

                            @bingo600

                            I suppose you're thinking about dd-wrt

                            That was my original plan, but I'm also considering a Ubiquiti UAP-AC-PRO - not sure if flashing and configuring the Asus router will be as simple as buying a Ubiquiti.

                            • bingo600 @farmerjohn

                              @farmerjohn

                              I like the UAP AC Pro 👍
                              I have 5 sites with that model installed.

                              Then i also assume that $50 for a Vlan switch isn't an issue.

                              /Bingo


                              • farmerjohn @johnpoz

                                @johnpoz

                                There is one correct answer to want to run vlans on a switch - the switch should understand the tags ;)

                                I currently have 3 unmanaged switches in the house:
                                one: Trendnet TEG-S80G
                                two: HP ProCurve 1410-8G

                                I'll be attaching the VLAN-capable AP to one of the HP ProCurve switches - until I save up for a managed switch ;)

                                Are there advantages of replacing the other two dumb switches if I don't intend to run VLAN tagged traffic through them?

                                if so, I may go with a 3-pack of these Ubiquiti USW-Flex-Mini for $28 each.

                                • bingo600 @farmerjohn

                                  @farmerjohn
                                  I'd go for 8-port switches ...
                                  Not that 5 wouldn't do, just that with a 5-port you only have 4(3) user ports, as the other 1(2) would be used for uplink(s).

                                  The advantage of vlan-enabled switches around your house
                                  would be that you could "pull out" i.e. a Guest or "IOT" ethernet port on any switch, if needed. Or you could attach a new "AP AC Pro" on "that" remote switch, if you need better coverage in that area.

                                  I'd only buy managed switches today, the price diff is too small not to.

                                  You could reuse your old "dumb" switches, if you have the need for many ports of the same type (vlan) - just make one port on the managed switch a member of vlan xx, and connect the "dumb" switch to that port.
                                  Now every port on the dumb switch will be a member of vlan xx.

                                  /Bingo


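To make the forwarding difference concrete, here is an added Python model of the two cases argued in this thread: johnpoz's point that a dumb switch passes the 802.1Q tag but floods every vlan's broadcast to every port and lets any host tag its way into any vlan, and bingo600's point that a dumb switch hung off an access port of a managed switch only ever sees that one vlan. This is not code from the thread, pfSense or any switch vendor; the port numbers, VLAN IDs and MAC addresses are made up, and the unmanaged switch is assumed to pass tagged frames unchanged, as the thread says (real unmanaged switches vary in that).

```python
"""Constructed model of an unmanaged switch vs an 802.1Q-aware switch. Not code
from the forum thread, pfSense, or any switch vendor; ports, VLAN IDs and MACs
are made up for illustration."""
import struct

TPID_8021Q = 0x8100
BROADCAST = bytes.fromhex("ffffffffffff")
AP_MAC = bytes.fromhex("020000000002")   # VLAN-capable AP on port 2 (made up)
IOT_MAC = bytes.fromhex("020000000004")  # wired IoT box on port 4 (made up)

def build_frame(dst, src, payload, vid=None):
    """Ethernet frame; with vid set, an 802.1Q tag (PCP 0, DEI 0) is inserted."""
    tag = struct.pack("!HH", TPID_8021Q, vid & 0x0FFF) if vid is not None else b""
    return dst + src + tag + struct.pack("!H", 0x0800) + payload

def parse_frame(frame):
    """Return (dst, src, vid or None, ethertype); vid is the 12-bit VID of the TCI."""
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == TPID_8021Q:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        return dst, src, tci & 0x0FFF, ethertype
    return dst, src, None, ethertype

def strip_tag(frame):
    return frame[:12] + frame[16:]

def add_tag(frame, vid):
    return frame[:12] + struct.pack("!HH", TPID_8021Q, vid) + frame[12:]

class DumbSwitch:
    """Learns MACs and floods broadcast/unknown to every other port. The tag is
    just four more bytes it passes along, so there is a single flooding domain."""
    def __init__(self, ports):
        self.ports, self.mac_table = list(ports), {}
    def forward(self, in_port, frame):
        dst, src, _, _ = parse_frame(frame)
        self.mac_table[src] = in_port
        known = self.mac_table.get(dst)
        outs = [known] if known is not None else self.ports
        return {p: frame for p in outs if p != in_port}

class VlanSwitch:
    """802.1Q-aware: one flooding domain per VID, ingress filtering, tags added or
    stripped on egress. access = {port: pvid};
    trunks = {port: (native_vid or None, {allowed tagged vids})}."""
    def __init__(self, access, trunks):
        self.access, self.trunks, self.mac_table = access, trunks, {}
    def members(self, vid):
        return ([p for p, pvid in self.access.items() if pvid == vid] +
                [p for p, (nat, tagged) in self.trunks.items() if vid == nat or vid in tagged])
    def forward(self, in_port, frame):
        dst, src, vid, _ = parse_frame(frame)
        if in_port in self.access:
            if vid is not None:            # tagged frame on an access port: dropped
                return {}
            vid, untagged = self.access[in_port], frame
        else:
            native, tagged = self.trunks[in_port]
            if vid is None:                # untagged on a trunk: native VLAN or drop
                if native is None:
                    return {}
                vid, untagged = native, frame
            elif vid in tagged:
                untagged = strip_tag(frame)
            else:                          # VID not allowed on this trunk: dropped
                return {}
        self.mac_table[(vid, src)] = in_port
        known = self.mac_table.get((vid, dst))
        outs = [known] if known is not None else self.members(vid)
        result = {}
        for p in (q for q in outs if q != in_port):
            tag_out = p in self.trunks and self.trunks[p][0] != vid
            result[p] = add_tag(untagged, vid) if tag_out else untagged
        return result

def build_switches():
    """Port 1: pfSense (native LAN untagged, vlans 20/30 tagged); port 2: AP trunk;
    port 3: access port in vlan 20; port 4: access port in vlan 30."""
    dumb = DumbSwitch([1, 2, 3, 4])
    smart = VlanSwitch(access={3: 20, 4: 30},
                       trunks={1: (1, {20, 30}), 2: (None, {20, 30})})
    return dumb, smart

def scenario_broadcast(switch):
    """The AP sends a broadcast tagged vlan 20 into port 2."""
    return switch.forward(2, build_frame(BROADCAST, AP_MAC, b"ARP who-has", vid=20))

def scenario_hop(switch):
    """The host on the vlan-30 access port tags its own frame vlan 20 (VLAN hopping)."""
    return switch.forward(4, build_frame(BROADCAST, IOT_MAC, b"DHCP discover", vid=20))

if __name__ == "__main__":
    for name, sw in zip(("dumb", "802.1Q"), build_switches()):
        for scen in (scenario_broadcast, scenario_hop):
            out = scen(sw)
            print(f"{name:6} {scen.__name__:18} -> ports {sorted(out)} "
                  f"egress vids {[parse_frame(out[p])[2] for p in sorted(out)]}")
```

Run it and compare: the dumb switch delivers the vlan 20 broadcast, tag and all, to the vlan 30 port, and forwards the IoT host's self-tagged vlan 20 frame straight up the trunk to pfSense; the 802.1Q switch floods only to vlan 20 members, strips the tag on the access port (which is why a dumb switch hung off that port only ever sees vlan 20), and drops the tagged frame at ingress. The same check works on real hardware: give a host behind the switch a tagged subinterface for a vlan it should not be in and see whether the other vlan's broadcasts arrive.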
                                  • farmerjohn @bingo600

                                    @bingo600

                                    You could reuse your old "dumb" switches , if you have the need for many ports of the same type (vlan)

                                    Good to know - I'll probably go with 3 of the 5-port Flex Minis and if I need to add more devices (same vlan), I'll attach one of my 8-port dumb switches.

                                    But, found this in the unifi datasheet:

                                    USW-Flex-Mini uses port-based VLANs only and does not support SSH, STP (forwarding only), 802.1X, DNS suffix, or experience in the controller.

                                    SSH is not an issue for me, but not sure about the other limitations.

                                    • bingo600 @farmerjohn

                                      @farmerjohn

                                      Re : Ubi switches ...
                                      While cheap.. I'd drop them, it looks like an el-cheapo model.

                                      D-Link just released a new 1100-08V2 (V2 is new)
                                      https://us.dlink.com/en/products/dgs-1100-08v2-8-port-gigabit-smart-managed-switch

                                      DS
                                      https://us.dlink.com/-/media/obu-content/us/datasheets/dgs/dgs-1100-v2-series_datasheet_v_100_dus.pdf

                                      Guide
                                      https://support.dlink.com/resource/PRODUCTS/DGS-1100-08V2/REVA/DGS-1100-08V2_REVA_MANUAL_v1.00_WW.pdf

                                      Buy
                                      https://www.amazon.com/dp/B08P2C2GXF

                                      I have used the old 1100-08 and 1100-08P (Non V2) , and that is my goto switch when needing something small & effective.

                                      Seems like the PoE V2 has a few issues, but $35 for an 8-port & $30 for a 5-port, not that bad.

                                      But they mention some GUI issues
                                      But I'd get one , and try it out , if it were me.

                                      Datasheet actually shows a lot of value for the $$

                                      My choice would be D-Link or Netgear

                                      /Bingo


                                      • farmerjohn @bingo600

                                        @bingo600
                                        Thanks for the recommendations - I will check them out. One appeal of the Ubiquiti was that if I went with the wireless AP and switches, it would be easier to manage them all under their UniFi controller software. I was hoping the reduced features of the Flex Mini would not be an issue for my use case.

                                        • bingo600 @farmerjohn

                                          @farmerjohn

                                          If you read what you wrote above about the UBI switches

                                          USW-Flex-Mini uses port-based VLANs only and does not support SSH, STP (forwarding only), 802.1X, DNS suffix, or experience in the controller.

                                          I read that as it's too cheap to play w. the controller.
                                          So no advantage in going for those cheapo's


                                          • johnpoz LAYER 8 Global Moderator @bingo600

                                            So while the $29 mini looks interesting and I could see them in a specific use case..

                                            But for my switch I was going to put on my network as just a general purpose switch - no, wouldn't look at those even with the nice price point.

                                            Switching is quite often overlooked in its importance in your network - just connect this one there, that one there.. you find daisy chaining, etc. etc..

                                            A properly laid out and configured L2 is a huge portion of overall network health and performance for sure.. Always overlooked.. Don't just buy xyz because it's cheap.. think about what you're wanting to do and what you may "want" to do in the future..

                                            For example - being able to filter multicast doesn't always come to mind.. Tell you what, with the broadcast monsters you put on your network.. It's a major thing I do and filter at my L2.. Just noise machines!! Filter them at the port vs that noise going everywhere..


                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.