Netgate Discussion Forum

    VLAN1 and the LAN

    L2/Switching/VLANs
    4 Posts 3 Posters 983 Views
    alan.t

      Hello,

      I have an installation that is working fine, just trying to improve it. I have a six port pfSense Box connected to Unifi equipment.

      On the pfSense Box:
      Port 1 WAN
      Port 2 LAN
      Ports 3, 4, 5 set up as a LAGG that hosts a group of VLANs such as IoT, Management, Guest etc.
      Port 6 goes to another (small) physical switch used for a DMZ.

      First question, I have assigned the LAN to its own VLAN, is there any advantage to this as it has its own physical interface?

      Secondly, I am trying to control VLAN1 as it is required for adoption of new devices on the Unifi network. Consequently, VLAN1 is assigned to the same physical port as the LAN (port 2) and also to its own IP subnet so that the firewall can limit access to basically only the Unifi hardware (cloudkey, switches, access points).

      Thoughts and suggestions are welcome (the attempt to control VLAN1 is new).

      BRgds/Alan

      bingo600 @alan.t

        @alan-t

        RE: Lan on own IF
        It would make sense to have (spread) "High load interfaces" on several physical IFs.

        If all Vlans were on the same IF, they would share the same IF bandwidth.

        So having i.e. Lan have its own IF, would mean you could go Lan --> Wan without affecting the "shared" Multi-Vlan IF.

        My Unifi controller does not reside in Vlan1, it just resides on "The untagged vlan (PVID vlan) for that specific IF".

        Btw: I seem to remember that @johnpoz said the newer Unifi controllers could run on "all tagged vlans", I haven't tried.

        /Bingo

        johnpoz (Global Moderator) @bingo600

          @bingo600 is correct - the only thing unifi needs is untagged vlan... I don't have mine on vlan 1 - it's vlan 9 in my network. It's just not a tagged network as far as unifi is concerned.

          And they did add the ability to use tagged vlan for management a while back. What version of the controller are you running, what firmware on your AP, etc.?

          Not a fan of that lagg group setup you have. You have no control over what goes over what in that sort of setup. Yeah it works and it's easy enough to set up. Just I would manually place my vlans on specific interfaces so that I know the vlans that talk to each other the most won't be using the same physical interface for the conversation. When you just throw them all on a lagg you don't really know.

          Also the vlan could be tagged to pfsense. Just not tagged to unifi devices.

          alan.t @bingo600

            @bingo600
            I have the latest version of Cloudkey Software and firmware (Gen 2 CK), APs and switches on the latest firmware.

            I received a fairly lukewarm reception on the Unifi support forums for the idea of putting each VLAN on a separate wire ... 😓
            e.g. "VLANs on one interface are no more or less secure than a single LAN on separate interfaces. How much bandwidth are you passing?"

            There certainly seems to be a case for physically separating things like a DMZ to a different switch ...

            For a 6 port pfsense box, how about:
            Port 1: WAN
            Port 2: LAN
            Port 3: Wireless Network (VLAN a)
            Port 4: IoT (VLAN b). Guest (VLAN c)
            Port 5: Management (VLAN d)
            Port 6: To a small switch for a DMZ (VLAN e)

            Thoughts?

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.