Confusion about VLAN placement (LAN, OPT)
This guide specifically states NOT to put any VLANs on the LAN interface. -> https://nguvu.org/pfsense/pfsense-2.3-setup/ Scroll down until you see "Setup VLAN Interfaces" for source
It recommends using a separate physical interface for VLANs, that is not assigned to any pfSense interface.
Now to my question; is this an issue? I've been running with this for a year now, without seeing any problems….
See my attached picture for my current interface assignments. I have extra LAN ports to use, but I really see no reason to do this.
It's not an issue as long as you're not mixing tagged and untagged frames on the same physical interface. If you leave the parent LAN interface unused it's completely fine.
I've been running untagged LAN (native) and tagged WAN on a single interface notebook for years.
WAN (wan) -> bfe0_vlan99 -> v4/DHCP4: x.x.x.x/23
LAN (lan) -> bfe0 -> v4: 192.168.2.1/24
What issues can occur?
It's easy to hop from one VLAN to another on a client computer if you know that the network segment the computer is connected to has tagged traffic. If the network is completely under your own control then it doesn't matter of course.
So potential security issue as opposed to functionality issue.
However here I think we are talking about the pfSense interface connection to the switch. Clients attached to the switch should only have access to their traffic/vlan.
As for hopping from VLAN to another how is that any different due to the pfSense interface having an untagged LAN (native) and tagged WAN (vlan), rather than both being tagged vlans? Can't any client that has access to that physical segment see all the traffic on it regardless of native, tagged or untagged vlans combinations?
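To make the "native plus tagged on one wire" situation concrete, here is an added example (not code from the thread or from pfSense) that builds a few constructed 802.1Q frames modelled on the bfe0 / bfe0_vlan99 layout quoted above, parses them, and summarises what a host attached to that segment would observe: which tagged VLAN IDs are present and whether untagged (native) frames share the wire. The MAC addresses are from the IANA documentation range and the frame contents are made up; the `audit_segment` function is a hypothetical audit helper, not a pfSense feature.

```python
import struct

ETHERTYPE_VLAN = 0x8100   # 802.1Q tag (TPID)
ETHERTYPE_QINQ = 0x88A8   # 802.1ad outer tag; only the outer tag is parsed here
ETHERTYPE_IPV4 = 0x0800

# Constructed documentation-range MAC addresses (00-00-5E-00-53-xx), not real hosts.
MAC_ROUTER = bytes.fromhex("00005e005301")
MAC_CLIENT = bytes.fromhex("00005e005302")
MAC_ISP = bytes.fromhex("00005e005303")


def build_frame(dst, src, ethertype, payload, vlan_id=None, pcp=0):
    """Build an Ethernet II frame; add an 802.1Q tag when vlan_id is given."""
    hdr = dst + src
    if vlan_id is not None:
        # TCI = PCP(3 bits) | DEI(1 bit) | VID(12 bits)
        tci = (pcp << 13) | (vlan_id & 0x0FFF)
        hdr += struct.pack("!HH", ETHERTYPE_VLAN, tci)
    hdr += struct.pack("!H", ethertype)
    return hdr + payload


def parse_frame(frame):
    """Parse an Ethernet II frame and return its addresses, VLAN ID (None if
    untagged), inner ethertype and payload."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    offset, vlan = 14, None
    if ethertype in (ETHERTYPE_VLAN, ETHERTYPE_QINQ):
        if len(frame) < 18:
            raise ValueError("tagged frame truncated before TCI/ethertype")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan = tci & 0x0FFF
        offset = 18
    return {"dst": dst, "src": src, "vlan": vlan,
            "ethertype": ethertype, "payload": frame[offset:]}


def audit_segment(frames):
    """Summarise a segment from the point of view of a host plugged into it:
    the set of tagged VLAN IDs visible and the count of untagged frames.
    'mixed' is True when both tagged and native traffic share the wire,
    which is the configuration the thread is discussing."""
    tagged, untagged = set(), 0
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed["vlan"] is None:
            untagged += 1
        else:
            tagged.add(parsed["vlan"])
    return {"tagged_vlans": sorted(tagged),
            "untagged_frames": untagged,
            "mixed": bool(tagged) and untagged > 0}


# Constructed sample 1: the quoted layout, native LAN (untagged) plus WAN on VLAN 99
# on the same parent interface.
SAMPLE_TRUNK_FRAMES = [
    build_frame(MAC_CLIENT, MAC_ROUTER, ETHERTYPE_IPV4, b"lan-reply"),           # native
    build_frame(MAC_ISP, MAC_ROUTER, ETHERTYPE_IPV4, b"wan-out", vlan_id=99),    # tagged WAN
    build_frame(MAC_ROUTER, MAC_CLIENT, ETHERTYPE_IPV4, b"lan-request"),         # native
    build_frame(MAC_ROUTER, MAC_ISP, ETHERTYPE_IPV4, b"wan-in", vlan_id=99, pcp=5),
]

# Constructed sample 2: a parent interface carrying only tagged VLANs, as the
# linked guide recommends.
SAMPLE_TAGGED_ONLY_FRAMES = [
    build_frame(MAC_CLIENT, MAC_ROUTER, ETHERTYPE_IPV4, b"v10", vlan_id=10),
    build_frame(MAC_ROUTER, MAC_CLIENT, ETHERTYPE_IPV4, b"v20", vlan_id=20),
]

if __name__ == "__main__":
    print("mixed trunk :", audit_segment(SAMPLE_TRUNK_FRAMES))
    print("tagged only :", audit_segment(SAMPLE_TAGGED_ONLY_FRAMES))
```

Run against the first sample the audit reports VLAN 99 alongside two untagged frames, i.e. a mixed wire; the second sample reports only tagged VLANs. The point is the one made in the thread: pfSense itself no longer has a problem with the mix, but anything that can see the parent interface sees both the native traffic and the VLAN tags, so whether that is acceptable depends on who has physical or switch-port access to that segment.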
Just love it when people make statements like this and don't back up why. Frequently because they don't actually know why and are just regurgitating what someone who "should" "know" fed them.
You should not assign your parent interface to any interface in pfSense. Its sole function is to act as the parent interface to the VLANs we create.
Show me a real case of VLAN hopping on a properly-configured modern switch. I'd love to see it.
Every internet packet everyone sends is on a VLAN somewhere. 100% Guaranteed.
So to conclude something from this debate:
Having a physical LAN port configured as a trunk with multiple tagged VLANs inside and, in my case, a single untagged VLAN (since the Cisco SG-200 does not allow an interface to be a member of tagged traffic only; for some odd reason it wants an untagged VLAN as well), does not pose a functional problem?
Check my screenshot for LAN port switch config
The warning about mixing tagged and untagged traffic on pfSense was something we said many years ago because it would cause problems with Captive Portal, among other things. There haven't been any pfSense issues with it in years. That said, there could possibly be something about the switch that makes it impractical or undesirable. That's completely up to the switch, however.
Given the choice I'd still avoid it, but that isn't always practical.