    VLAN Trunk to Extra pfSense Hardware NICs

    General pfSense Questions
    • jacobgraf

      I have a 4-port pfSense box. The first port is WAN, the second port is LAN, and I'd like to use the other two ports as VLAN trunks to some PoE WAPs (Xclaim xi-3, to be exact, which support VLAN tagging across multiple SSIDs). I would like to have a default Private VLAN and a separate Public VLAN with its own DHCP scope and absolutely no access to the Private VLAN.

      I can't seem to figure out how to accomplish this from within pfSense. Am I missing something? Does this sound logical?

      Thanks in advance for all your help!

      • Derelict (LAYER 8, Netgate)

        Put one interface to a managed switch trunking the VLANs and put the APs on the switch.

        Chattanooga, Tennessee, USA
        The pfSense Book is free of charge!
        DO NOT set a source port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        • jacobgraf

          I guess I was hoping to get by without buying a managed switch, since I will only have two APs and have two extra ports open on the pfSense box. Is that not possible?

          • Derelict (LAYER 8, Netgate)

            I wouldn't do it. I would buy a $40 managed switch. If you want to try to build a bunch of bridge interfaces, then have at it.

            • jacobgraf

              If you don't recommend it, then that's good enough for me. I'll go buy a switch. :-)

              • jacobgraf

                Do you recommend a certain brand of cheap 802.1Q-compatible managed switch? I only need 4-8 ports max.

                • Derelict (LAYER 8, Netgate)

                  I'm sort of partial to D-Link. Others seem to have decent luck with TP-Link - never owned one. In this space I would run away from anything that starts with the letter Netgear.

                  Something like this: http://www.amazon.com/D-Link-EasySmart-Gigabit-Ethernet-DGS-1100-08/dp/B008ABLU2I

                  You have to decide if about $70 spent now is worth not having to deal with PoE injectors over the long haul. :)

                  • jacobgraf

                    Glad I checked with you then, because on the non-managed side I usually buy Netgear, but I have been reading some reviews of their VLAN support and they don't look too favorable. Thanks again.

                    • jacobgraf

                      OK, so I received the D-Link switch and added it to an open port on the pfSense box. I've also created two VLANs and corresponding firewall rules to allow traffic to travel out of each subnet, and DHCP scopes for both subnets. My question now is: how do I turn that switch port that I plugged into the open pfSense port into a trunk port which has access to the original LAN port? (Not sure that makes sense, but hoping it does. ;))

                      • Derelict (LAYER 8, Netgate)

                        Create those VLANs on the switch and set them to tagged on the interface going to pfSense.

                        Any port set untagged on the same VLAN will be on that network.

                        You probably want the VLAN on which you will control the Ubiquiti gear to be set to untagged going to the access points. Tag any extra VLANs on which you will be placing secondary SSIDs.

                        This is a quirk of the Ubiquiti gear. I have found they REALLY like to be managed on their untagged network. I don't generally mix tagged and untagged traffic but I would do it that way talking to ubnt APs.

                        The attached has tagged traffic going to the APs, which is a little different than I am describing. You would untag VLAN 100 and tag VLAN 300 going to the AP.

                        It also describes a one-port "router-on-a-stick." Your setup probably has WAN on its own firewall interface, such as em0 there. Pretend VLAN200 is just another tagged network.

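A small 802.1Q forwarding model of the port layout described in the reply above, added here as an example that is not from this thread, from pfSense or from D-Link: the pfSense uplink carries VLANs 100 and 300 tagged, each AP port has VLAN 100 untagged (its PVID) and VLAN 300 tagged, and a plain wired port sits untagged on VLAN 100. Port names and the PVID-based ingress behaviour are assumptions for illustration; real switches differ in corner cases such as tagged frames carrying a port's own PVID.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set

VLAN_PRIVATE = 100  # private SSID / AP management, untagged toward the APs
VLAN_PUBLIC = 300   # public SSID, tagged toward the APs


@dataclass(frozen=True)
class Port:
    name: str
    pvid: int                            # VLAN given to untagged ingress frames
    tagged: frozenset = frozenset()      # VLANs carried with an 802.1Q tag

    def member(self, vid: int) -> bool:
        return vid == self.pvid or vid in self.tagged


# Constructed switch layout; the port names are assumptions for illustration.
SWITCH: Dict[str, Port] = {
    "pfsense_trunk": Port("pfsense_trunk", 1, frozenset({VLAN_PRIVATE, VLAN_PUBLIC})),
    "ap1": Port("ap1", VLAN_PRIVATE, frozenset({VLAN_PUBLIC})),
    "ap2": Port("ap2", VLAN_PRIVATE, frozenset({VLAN_PUBLIC})),
    "wired_pc": Port("wired_pc", VLAN_PRIVATE),  # plain access port on Private
}


def classify(ingress: str, vid: Optional[int] = None) -> Optional[int]:
    """VLAN an ingress frame lands in, or None if ingress filtering drops it."""
    port = SWITCH[ingress]
    if vid is None:                      # untagged frame takes the port's PVID
        return port.pvid
    return vid if port.member(vid) else None


def forward(ingress: str, vid: Optional[int] = None) -> Dict[str, str]:
    """Egress ports for a flooded frame and the tag state each port applies."""
    v = classify(ingress, vid)
    if v is None:
        return {}
    return {
        name: ("tagged" if v in port.tagged else "untagged")
        for name, port in SWITCH.items()
        if name != ingress and port.member(v)
    }


def ports_on_vlan(vid: int) -> Set[str]:
    """Every port that is a member of vid; audit what a VLAN can reach at L2."""
    return {name for name, port in SWITCH.items() if port.member(vid)}
```

Note that a VLAN 300 frame entering on ap1 also floods to ap2 tagged: the pfSense rules only separate Public from Private, so client-to-client isolation inside the Public SSID has to be enforced on the APs themselves.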
                        • jacobgraf

                          Why does your graph show internet plugged into the managed switch? Wouldn't that stay in em0?

                          • Derelict (LAYER 8, Netgate)

                            It also describes a one-port "router-on-a-stick." Your setup probably has WAN on its own firewall interface, such as em0 there. Pretend VLAN200 is just another tagged network.

                            • jacobgraf

                              Ugh. My bad. Totally missed that part.

                              • W4RH34D

                                I've used D-Link managed switches for about 3 years now. They have a few things you need to know about.

                                #1: They do not like heat. They will burn out on you and it will not be an easy diagnosis.

                                #2: System time will change randomly on you; check the time once a month at least.

                                #3: They do not like Safari or VPN. Do not configure these in Safari; you never know what you're going to get. VPN will make it seem like the switch is bugged out, but if you log in locally it will seem to be fine.

                                If you have a few extra bucks, I cannot recommend the Cisco small business switches enough. No CLI, but so far I haven't needed it.

                                Did you really check your cables?

                                • jacobgraf

                                  Thanks again for all your help! It's working great and more importantly, I learned a lot through the process!

                                  • Derelict (LAYER 8, Netgate)

                                    Outstanding. Thanks for letting us know.
