PfSense - VLAN (Layer 2 or Layer 3 Switch)



  • Hello all,

    coming from this thread (deciding which switch to buy - Layer 2 or Layer 3)
    https://forum.pfsense.org/index.php?topic=109755.30

I would like to clear some things in my head, to help me decide what exactly I should purchase in the end. (Right now I ordered a 10 port SG300-10, but it's going back, actually, as in the end I will need more ports.) (Decision is between SG200-18 or SG300-20.)

    I am thinking of having 2-3 VLANs.

    Right now my pfSense is set to 192.168.1.1/24

    I am thinking about creating another 2 VLANs for/as:

    VLAN10: 192.168.2.1/24 for WiFi (to isolate it from the local network (Windows HomeGroup))
    VLAN20: 192.168.3.1/24 for NAS (to block outside traffic completely, but to be able to access it from PCs on 192.168.1.1/24 only, and not from 192.168.2.1/24 (VLAN10)).

    From my understanding, to be able to access VLAN20 from 192.168.1.1/24 I need a Layer 3 switch? (The idea is to get a Cisco SG300-20.)

    Also, in the future, I am planning to add my children's PCs to a separate VLAN, so I can use some blocking features + OpenDNS (which will probably end up being VLAN30, 192.168.4.1/24).

    In that case, I am looking to be able to access the NAS (VLAN20) from VLAN30 (children's PCs) as well, so they can stream cartoons/whatever.

    Maybe, not sure if it's recommended to have another VLAN for VoIP / printers, etc.

    Does this require a lot of configuration? Would somebody please point me in the right direction.
    I am new to the VLAN thing / Layer 2 / Layer 3 routing, but I am willing to learn / test / try and hopefully make it work, so I can have a "safe network", properly set up.

    Thank you for your time / input!

    All help / suggestions are very much appreciated.




  • LAYER 8 Global Moderator

    "to access VLAN20 from 192.168.1.1/24 i need Layer 3 Switch?"

Where did you get that idea?  You do not need a layer 3 switch to access different VLANs.  You still need something to route between the VLANs - but that would be pfSense in a typical setup.

    As to breaking out stuff to different VLANs: depends on what you're wanting to accomplish.  If you want to firewall from network A to network B, then sure, you put some devices in A and some in B and then use pfSense to limit/control access between these segments.

    I have multiple VLANs in my setup.  I have 3 different networks for wifi: my normal wifi, my guest wifi, and then wifi for devices that do not support the EAP-TLS that my normal wifi uses.  Stuff like my Nest thermostat and Protect, my Harmony hub, my Roku, etc. are on this wifi.

    I also then have a few different wired VLANs.  My DirecTV DVR for example, a DMZ segment where I play with stuff.  My normal LAN, etc.

    You do not need a layer 3 switch to do this, since pfSense is your router/firewall between your VLANs.  While the SG300 does do layer 3, I have mine in just layer 2 mode; I have no need for a layer 3 switch (router) downstream from my pfSense.
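    The point made above (pfSense, not the switch, routes and firewalls between the VLANs) can be seen in how pfSense applies rules: each rule set is attached to the interface the traffic enters on (the sender's VLAN), rules are evaluated top-down with the first match winning, anything unmatched hits the implicit default deny, and because pf is stateful the replies to a passed flow come back without a rule of their own. The model below is an added example, not code from this thread or from pfSense itself. It takes the addressing plan from the original question (LAN 192.168.1.0/24, VLAN10 WiFi, VLAN20 NAS, VLAN30 children's PCs) and encodes the policy asked for; the interface names, the rule order and the gateway addresses (the .1 of each subnet) are assumptions, and the real rules are entered per interface in the pfSense GUI rather than in this form.

```python
# Added example, not code from the forum thread or from pfSense: a small model of
# pfSense's inter-VLAN firewalling. Rules live on the interface where traffic
# ENTERS pfSense (the sender's VLAN), are evaluated top-down with first match
# winning, end in an implicit default deny, and pf is stateful, so replies to a
# flow that was passed are allowed without a rule of their own.
# Interface names, rule order and gateway addresses are assumptions.
import ipaddress
from dataclasses import dataclass, field

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Segments from the thread; the .1 of each subnet is the pfSense VLAN interface.
SUBNETS = {
    "LAN":    ipaddress.ip_network("192.168.1.0/24"),
    "VLAN10": ipaddress.ip_network("192.168.2.0/24"),  # WiFi
    "VLAN20": ipaddress.ip_network("192.168.3.0/24"),  # NAS
    "VLAN30": ipaddress.ip_network("192.168.4.0/24"),  # children's PCs
}
GATEWAY = {name: ipaddress.ip_network(f"{net[1]}/32") for name, net in SUBNETS.items()}


@dataclass
class Rule:
    action: str   # "pass" or "block"
    dst: object   # ip_network, list of networks, or "any"
    note: str = ""


def _dst_matches(spec, addr):
    if spec == "any":
        return True
    nets = spec if isinstance(spec, list) else [spec]
    return any(addr in n for n in nets)


# Per-ingress-interface rule lists implementing the policy asked for in the thread.
RULES = {
    "LAN": [Rule("pass", "any", "trusted LAN may reach every segment and the Internet")],
    "VLAN10": [
        Rule("pass", GATEWAY["VLAN10"], "DNS/DHCP to pfSense itself, placed BEFORE the private-net block"),
        Rule("block", RFC1918, "WiFi is isolated from all internal segments"),
        Rule("pass", "any", "Internet only"),
    ],
    "VLAN20": [],  # the NAS never initiates; its answers ride on state created by the client's rule
    "VLAN30": [
        Rule("pass", GATEWAY["VLAN30"], "children's PCs use pfSense as resolver (OpenDNS forwarding)"),
        Rule("pass", SUBNETS["VLAN20"], "children's PCs may stream from the NAS"),
        Rule("block", RFC1918, "but reach nothing else internal"),
        Rule("pass", "any", "Internet"),
    ],
    "WAN": [],  # nothing from outside may initiate inbound (NAT would also stop it)
}


def ingress_interface(src):
    """The interface a packet from `src` enters on: its VLAN, or WAN if non-local."""
    for name, net in SUBNETS.items():
        if src in net:
            return name
    return "WAN"


@dataclass
class Firewall:
    states: set = field(default_factory=set)  # (src, dst) pairs of flows already passed

    def check(self, src_ip, dst_ip):
        """Return 'pass', 'pass (state)' or 'block' for a packet src_ip -> dst_ip."""
        src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
        if (dst, src) in self.states:       # reply to an established flow
            return "pass (state)"
        for rule in RULES[ingress_interface(src)]:
            if _dst_matches(rule.dst, dst):
                if rule.action == "pass":
                    self.states.add((src, dst))
                return rule.action
        return "block"                      # pfSense's implicit default deny


def demo():
    """Walk the flows the thread cares about through a fresh firewall, in order."""
    fw = Firewall()
    return {
        "LAN PC -> NAS":        fw.check("192.168.1.10", "192.168.3.10"),
        "NAS reply -> LAN PC":  fw.check("192.168.3.10", "192.168.1.10"),
        "WiFi -> NAS":          fw.check("192.168.2.10", "192.168.3.10"),
        "WiFi -> its gateway":  fw.check("192.168.2.10", "192.168.2.1"),
        "WiFi -> Internet":     fw.check("192.168.2.10", "203.0.113.9"),
        "kids -> NAS":          fw.check("192.168.4.10", "192.168.3.10"),
        "kids -> LAN PC":       fw.check("192.168.4.10", "192.168.1.10"),
        "NAS -> Internet":      fw.check("192.168.3.10", "203.0.113.9"),
        "Internet -> NAS":      fw.check("198.51.100.7", "192.168.3.10"),
    }


if __name__ == "__main__":
    for flow, verdict in demo().items():
        print(f"{flow:22} {verdict}")
```

    Two things the model makes visible that the GUI does not: the NAS segment needs no rules at all, because the state created when a LAN or VLAN30 client is passed carries the NAS's replies back; and a "block everything private" rule on the WiFi VLAN has to sit below a pass rule to that VLAN's own pfSense address, otherwise the WiFi clients lose DNS and DHCP from pfSense along with the access you meant to remove.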



  • Thank you for responding.

    It makes sense now to me.

I am just waiting for confirmation on customs from one of the US companies, as this switch appears to be cheaper in the US (even after converting CAD to USD), so I can finally order :)



  • @johnpoz:

    "to access VLAN20 from 192.168.1.1/24 i need Layer 3 Switch?"

Where did you get that idea?  You do not need a layer 3 switch to access different VLANs.  You still need something to route between the VLANs - but that would be pfSense in a typical setup.

    As to breaking out stuff to different VLANs: depends on what you're wanting to accomplish.  If you want to firewall from network A to network B, then sure, you put some devices in A and some in B and then use pfSense to limit/control access between these segments.

    I have multiple VLANs in my setup.  I have 3 different networks for wifi: my normal wifi, my guest wifi, and then wifi for devices that do not support the EAP-TLS that my normal wifi uses.  Stuff like my Nest thermostat and Protect, my Harmony hub, my Roku, etc. are on this wifi.

    I also then have a few different wired VLANs.  My DirecTV DVR for example, a DMZ segment where I play with stuff.  My normal LAN, etc.

    You do not need a layer 3 switch to do this, since pfSense is your router/firewall between your VLANs.  While the SG300 does do layer 3, I have mine in just layer 2 mode; I have no need for a layer 3 switch (router) downstream from my pfSense.

    Hi,
    can I ask you what brand and model you are using as a WiFi AP? Looking around for something supporting VLANs in a setup similar to yours.



  • Sure thing! :)

I've used an R7000 as an AP, but recently I purchased/ordered a UAP-AC-PRO.

    The UAP-AC-PRO should support VLAN configuration.

