Layer 2 isolation (how to enable)

  • I can't find anything on layer 2 isolation.  I have 7 buildings coming to one ( where the router is locates).  These are all vlan'd from netgear switch.  How can I block users from each building from seeing each others packets and arp traffic?  Each building is also using VLAN from another netgear 48 port smartswitch.  These clients should also be isolated the same.  The Zyxel router that was removed specifically has a toggle for the feature. (vsg-1200v2)


  • Are you talking about 802.1Q VLAN's?
    I'm not sure i understand you correctly.
    If you created multiple VLAN's then Layer2 Traffic already should not be seen on other VLAN's.

    Maybe you could provide a "bit" more info.

  • I am using hardware vlan feature of the smart switches.  Therefore, Layer 2 isolation must be done on the gateway/router.  If that is not possible, then how would I use the 802.1q isolation in combination with these switches and pfsense?  These switches do support it, They are just not the full implementation of Layer 2 support.  Netgear calls them smart switches and they are much cheaper that the full layer 2 switch. I am thinking that the 802.1q is the better way to go, but I don't know how to implement in pfsense.

    48 clients (dhcp)->-smartswitch-
                                                  -48 port smartswitch–>pfsense-> internet
    48 clients (dhcp)->-smartswitch-/

    X9 48 port client switches.  All with isolation
    Total of about 400 clients

    I am not that good at asci diagrams as some of you on the forum, but hope it helps.

  • I am using a bunch of FS726T myself.
    Every switch supports full Layer2.
    Otherwise it wouldnt be a switch. I think you might be talking about Layer3.

    On pfSense go to the "Interfaces" "assign" page.
    Create as many VLAN's as you need on an interface which is not used.
    It's not so good to mix tagged and untagged traffic on the same interface.

    On the switch enable 802.1Q tagged VLAN's.
    Define a trunk-port that is member of all VLANs and which eggresses all VLAN's tagged.
    Every client port goes into it's own untagged VLAN.

    Maybe it's the best if you familiarize yourself with VLANs before you start messing around with an existing setup.

  • you are right about the Layer 3 for smart switch.
    Just so that I got you right.  I should not use vlan tagging.  only enable 802.1q.
    Set up vlan's on an interfice that is not used.
    I have Lan1 with DHCP.
    Lan 2 (opt1) will be the Captive portal for clients.
    set up a new interface even thoughthere is not a card installed for it and add vlans.  All 400??????
    setup a trunk port (currently) not used, but have vlan hardware type with port 49 in each vlan.
    Confused.  You say enable "VLAN tagged", then you say "own untagged VLAN".
    Can you explain a little more.  There are 2 segments of switches.  One in each building X9 (call it "client switch") and one at the main building side. (call it the "router switch")  should each switch be configured differently?
    I very much appreciate the help!

  • Read up on how VLAN's work and what tagged and untagged means.
    You need a base to understand what i tell you ;)
    Reading the documentation to your switch about the VLAN capability isnt bad either.

    I'll try to post some screenshots of a working system with a FS726 after i had some sleep.

  • That's fairly simple. Create vlan with "untag" as much as you want and also create aliases for LAN side of your interface then assign IP addresses which correspond to each vlan that all defaulted to the WAN. You'll have isolated in L2 but L3 routable vlans. There's no need for "tagged" vlans at all. I don' t believe that you have assinged vlans for each client 1 by 1 so that the numbers of vlans you have to create is way less than 400. It of course depends on the NIC you've implemented in your pfSense box(es) but em(Intel) in my box easily handles ~20 vlans/aliases now.

  • Nocer: what do you mean tagged VLANs are not needed?
    How else would pfSense be able to differ between the VLANs?

    Anyway: comment to the screenshots:

    As you can see i have 5 VLANs.
    -VLAN1: It is the default VLAN. No port has as PVID a value of 1, because i dont want to use VLAN1.
    -VLAN2: This is my admin interface. I noticed that you need access to port1 for the webinterface of the switch to work correctly…
    -VLAN313: This is the VLAN to which i assigned all ports i'm not using right now but plan to use in the future. If someone connects his computer to such a port he'll get an IP but will be blocked by the captive portal telling him my phonenumber so i set his port up.
    -VLAN1100: This is the first office.
    -VLAN1300: This is the second office.

    As you can see port26 is tagged. This is the port going to my pfSense. --> The so called Trunkport.
    All traffic to the clients has to be untagged.

    I created the 4 VLAN's on pfSense. vr2 is an interface i'm not using for untagged traffic.
    As i wrote before: it's not such a good idea to mix tagged and untagged traffic on the same cable.
    I had some nasty experiences that arp requests could be resolved and the clients tried to communicate directly with each other instead of over the pfSense.... But one of the clients was sendig tagged traffic and the other untagged.

    I think the interface assignment is selfexplaining. Here as well you can see that i separate tagged and untagged traffic.
    --> WAN is untagged traffic
    --> LAN and all OPTx's are tagged.

    I dont know how your other switches are set up.

    48 clients (dhcp)->-smartswitch--|
                                                  |-----48 port smartswitch----pfsense----internet
    48 clients (dhcp)->-smartswitch--|
    48 clients (dhcp)->-smartswitch--|

    To me it seems as if the switches on the left side are for the clients, and the switch on the right side to connect the "client-switches" together.
    You would need to specify a bit clearer how the clients are to communicate with each other.
    Do you have a subnet for each "client-switch"?
    Or do you have workgroups spanned over multiple switches that have to be able to communicate with each other?
    Or do you want that each client is only able to communicate with pfSense and nothing else?

  • @GruensFroeschli:

    Nocer: what do you mean tagged VLANs are not needed?
    How else would pfSense be able to differ between the VLANs?

    Hi. well, because you're "switching" vlans using tags, mine is "routing" vlans. Assigns L3 addresses to each vlan, vlan doesn't have to be a tagged because all the vlans are routed at L3 but isolated at L2. It's a basic way of treating L2/L3 combo traffics on the common network gears like cisco/Foundry/Extreme, whatever the equipments called L2/L3 switch. Or honestly, am I missing the point ??? ???

  • I think we're talking about the same :)
    Each VLAN has it's own subnet.
    Each subnet has it's own "virtual" VLAN interface on pfSense.
    But for pfSense to be able to differ between the VLANs the traffic to and from pfSense has to be tagged.

    Of course you can add alias IP's to a single untagged interface, but then a client could change his IP to something he shouldnt and still be able to communicate with pfSense.

  • Ah, okay I finally reached at the same page  ;D  ;D ;D


Log in to reply