VLAN Trunk to Extra pfSense Hardware NICs



  • I have a 4-port pfSense box. First port is WAN, second port is LAN, and I'd like to use the other two ports as VLAN trunks to some POE WAPs (Xclaim xi-3 to be exact, which support vLAN tagging across multiple SSIDs). I would like to have a default Private vLAN and a separate Public vLAN with its own DHCP scope and absolutely no access to the Private vLAN.

    I can't seem to figure out how to accomplish this from within pfSense. Am I missing something? Does this sound logical?

    Thanks in advance for all your help!


  • LAYER 8 Netgate

    Put one interface to a managed switch trunking the VLANs and put the APs on the switch.



  • I guess I was hoping to get by without buying a managed switch since I will only have two APs and have two extra ports open on the pfSense box. Is that not possible?


  • LAYER 8 Netgate

    I wouldn't do it. I would buy a $40 managed switch. If you want to try to build a bunch of bridge interfaces, then have at it.



  • If you don't recommend it then that's good enough for me. I'll go buy a switch. :-)



  • Do you recommend a certain brand 802.1q compatible managed switch for cheap? Only need 4-8 ports max.


  • LAYER 8 Netgate

    I'm sort of partial to D-Link. Others seem to have decent luck with TP-Link - never owned one. In this space I would run away from anything that starts with the letter Netgear.

    Something like this: http://www.amazon.com/D-Link-EasySmart-Gigabit-Ethernet-DGS-1100-08/dp/B008ABLU2I

    You have to decide if about $70 spent now is worth not having to deal with PoE injectors over the long haul. :)



  • Glad I checked with you then because on the non-managed side I usually buy Netgear but have been reading some reviews of their vLAN support and they don't look too favorable. Thanks again.



  • Ok so I received the D-Link switch and added it to an open port on the pfSense box, I've also created two vLANs and corresponding firewall rules to allow traffic to travel out of each subnet. I've also created DHCP scopes for both subnets. My question is now, how do I turn that port that I plugged into the open pfSense port into a trunk port which has access to the original lan port? (Not sure that makes sense, but hoping it does.  ;))


  • LAYER 8 Netgate

    Create those VLANs on the switch and set them to tagged on the interface going to pfSense.

    Any port set untagged on the same VLAN will be on that network.

    You probably want the VLAN on which you will control the Ubiquiti gear to be set to untagged going to the access points. Tag any extra VLANs on which you will be placing secondary SSIDs.

    This is a quirk of the Ubiquiti gear. I have found they REALLY like to be managed on their untagged network. I don't generally mix tagged and untagged traffic but I would do it that way talking to ubnt APs.

    The attached has tagged traffic going to the APs, which is a little different than I am describing. You would untag VLAN 100 and tag VLAN 300 going to the AP.

    It also describes a one-port "router-on-a-stick." Your setup probably has WAN on its own firewall interface such as em0 there. Pretend VLAN200 is just another tagged network.
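
The tagging layout described in the reply above, modelled as an added example that is not part of the original thread. It assumes VLAN 100 is the private/management network and VLAN 300 carries the public SSID; the port names and the ingress-filtering behaviour are also assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

PRIVATE, PUBLIC = 100, 300  # assumed roles for the VLAN IDs named in the post


@dataclass
class Port:
    untagged: Optional[int] = None             # VLAN carried without an 802.1Q tag
    tagged: set = field(default_factory=set)   # VLANs carried with a tag

    def ingress_vlan(self, tag):
        """VLAN an arriving frame is placed in, or None if the port drops it."""
        if tag is None:
            return self.untagged               # untagged frames join the untagged VLAN
        member = tag in self.tagged or tag == self.untagged
        return tag if member else None         # ingress filtering drops non-members

    def egress_mode(self, vlan):
        """'tagged' or 'untagged' if the port is a member of vlan, else None."""
        if vlan in self.tagged:
            return "tagged"
        return "untagged" if vlan == self.untagged else None


# Constructed port layout (port names are hypothetical).
PORTS = {
    "pfsense": Port(tagged={PRIVATE, PUBLIC}),       # both VLANs tagged toward pfSense
    "ap1": Port(untagged=PRIVATE, tagged={PUBLIC}),  # management untagged, extra SSID tagged
    "ap2": Port(untagged=PRIVATE, tagged={PUBLIC}),
    "wired": Port(untagged=PRIVATE),                 # access port on the private VLAN
}


def flood(ports, in_port, tag=None):
    """Ports a broadcast entering in_port leaves on, mapped to its egress mode."""
    vlan = ports[in_port].ingress_vlan(tag)
    if vlan is None:
        return {}
    out = {}
    for name, port in ports.items():
        mode = port.egress_mode(vlan)
        if name != in_port and mode:
            out[name] = mode
    return out


if __name__ == "__main__":
    print("private client on wired port:", flood(PORTS, "wired"))
    print("public SSID client via ap1:  ", flood(PORTS, "ap1", tag=PUBLIC))
    print("tag 300 arriving on wired:   ", flood(PORTS, "wired", tag=PUBLIC))
```

At layer 2 the public VLAN reaches only the APs and the pfSense trunk, so whether it can talk to the private subnet is decided by the firewall rules on the pfSense VLAN interfaces.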




  • Why does your graph show internet plugged into the managed switch? Wouldn't that stay in em0?


  • LAYER 8 Netgate

    It also describes a one-port "router-on-a-stick." Your setup probably has WAN on its own firewall interface such as em0 there. Pretend VLAN200 is just another tagged network.



  • Ugh. My bad. Totally missed that part.



  • I've used D-Link managed switches for about 3 years now.  They have a few things you need to know about.

    #1:  They do not like heat.  They will burn out on you and it will not be an easy diagnosis.

    #2:  System time will change randomly on you - check the time once a month at least.

    #3:  They do not like Safari or VPN - Do not configure these in Safari; you never know what you're going to get.  VPN will make it seem like the switch is bugged out, but if you log in locally it will seem to be fine.

    If you have a few extra bucks I cannot recommend the Cisco small business switches enough.  No CLI but so far I haven't needed it.



  • Thanks again for all your help! It's working great and more importantly, I learned a lot through the process!


  • LAYER 8 Netgate

    Outstanding. Thanks for letting us know.

