Setting up a new pfsense box (VLAN or not)

  • I'm in the middle of setting up a new pfsense box.
    But I cannot decide how I want to set it up.

    I have 6 subnets and at first I set it up with one interface for every subnet.
    But what about just having 2 interfaces (WAN, LAN) and then using VLAN tagging instead?

    What would be the best solution here? And what would be the best regarding performance?

  • Bit of an open-ended question. I use VLANs for three networks running through one NIC and have no issues at all. Performance optimisation is really down to you: What kind of traffic will you be running through each network? Will the traffic be heavier in one network than another, and will this cause latency issues with your other networks? How many users will you have on each network? A gigabit NIC which needs to run just web traffic from six networks ought to be fine, although there are always other factors to consider - which only you know, of course.

  • You are right about that, only I can answer those questions.

    But are there any drawbacks when it comes to pfsense and these two solutions?
    For example, if I go with VLANs, is there something I need to think of compared to using different interfaces?

    One pro I can see right now with using different interfaces is that I can see much clearer statistics for each subnet.

  • LAYER 8 Global Moderator

    pfsense doesn't really care if it's a phy interface or a vlan. In your rules, dhcp, etc., to pfsense it's just another interface, so no, once you set it up I don't think there is anything different you have to think about with a vlan or a physical interface.

    vlans are going to share that bandwidth; phy is going to eat up ports both on pfsense and your switch for each network, so it's a trade-off.

  • Ohh. I forgot to mention that pfsense is running in a VM on an ESXi cluster :(

  • In which case it's probably even less of a concern whether you go 'separate NICs' or 'VLANs', since your interfaces are all virtual and running through the same VM cluster.

  • LAYER 8 Global Moderator

    So how are you going to tag or not tag the traffic to pfsense?

    How do the vm nics match up to the physical world nics? Are they over 1 physical switch to your real network? What is the networking on this real world network?

    I have pfsense running on an esxi host; the wan matches up to a physical nic: there is a vmnic in pfsense tied to the vswitch that phy nic is connected to, which is connected to my cable modem. There is also a lan nic on a lan vswitch that pfsense has a vmnic in. This traffic is not tagged and matches up to a layer 2 untagged vlan in my real world network.

    I then have another interface in pfsense that has vlans on it. This is tied to the real world with another vswitch and phy nic on it. There is the native untagged network or vlan in the phy world, and then there are tagged vlans also that pfsense sees on this vmnic. The vswitch is set to 4095 so it passes the tagged traffic to pfsense. The phy nic is connected to a trunked port on the switch that has the native vlan and tagged vlans on it, etc.
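    The setup above (one vmnic carrying the native untagged network plus several tagged vlans, with the vswitch at 4095 passing tags through) boils down to how each arriving frame is sorted by its 802.1Q tag. The following is an added example, not code from this thread or from pfSense itself: it builds a few constructed frames and maps each to the interface that would receive it, assuming a parent named vmx1 and pfSense's parent.vid naming for VLAN interfaces. A frame tagged with a vlan that is not configured on the parent is dropped rather than landing on the native network.

    ```python
    import struct

    ETHERTYPE_8021Q = 0x8100  # TPID that marks a tagged frame

    def build_frame(dst, src, vlan_id=None, ethertype=0x0800, payload=b""):
        """Construct a minimal Ethernet frame, optionally with an 802.1Q tag (test data only)."""
        hdr = dst + src
        if vlan_id is not None:
            tci = vlan_id & 0x0FFF            # PCP=0, DEI=0, 12-bit VLAN ID
            hdr += struct.pack("!HH", ETHERTYPE_8021Q, tci)
        hdr += struct.pack("!H", ethertype)
        return hdr + payload

    def parse_vlan(frame):
        """Return (vlan_id or None, inner ethertype). None means untagged, i.e. native VLAN."""
        if len(frame) < 14:
            raise ValueError("frame too short for an Ethernet header")
        ethertype = struct.unpack("!H", frame[12:14])[0]
        if ethertype != ETHERTYPE_8021Q:
            return None, ethertype
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q header")
        tci, inner = struct.unpack("!HH", frame[14:18])
        return tci & 0x0FFF, inner

    def classify(frame, parent, configured_vlans):
        """Map a frame to the receiving interface: untagged -> parent (native network),
        tagged and configured -> 'parent.vid' (assumed naming), otherwise dropped (None)."""
        vid, _ = parse_vlan(frame)
        if vid is None:
            return parent
        if vid in configured_vlans:
            return f"{parent}.{vid}"
        return None

    if __name__ == "__main__":
        dst, src = b"\xff" * 6, b"\x00\x11\x22\x33\x44\x55"   # constructed addresses
        for vid in (None, 10, 30):
            print(vid, "->", classify(build_frame(dst, src, vid), "vmx1", {10, 20}))
    ```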

  • On the ESXi hosts I have set up 2 NICs for every function (because of failover) (MGMT, VMs, vMotion, iSCSI) and I have a VLAN for "WAN". My connection from the ISP goes directly into my main switch on a port that is a member of the WAN VLAN. So I just have one NIC on the pfsense in that VLAN.

    And then I just add one interface per VLAN if I want to do it like that, which I probably do (instead of VLANs on pfsense).

  • LAYER 8 Global Moderator

    So how many esxi hosts do you have that you set up? Are you going to run pfsense in carp mode? Since you seem pretty worried about failover. So your esxi box has 8 nics? So I take it your wan and lan networks are going to come in on the VM vswitch. Is this a standard vswitch or a distributed switch?

    IF you only have 1 switch tied to a pair of interfaces that connect into your real network, then you're going to have to use vlan tagging.
