• Hello community.  First, I am not a network person, but have been running pfsense for many years, however I am making my first foray into vlans and don't have a complete understanding of how vlan 1 plays into things when using tagging/trunking access port/pvid.
    When I say tagging/trunking I am using the terms interchangeably as I understand Cisco calls it trunking and other vendors call it tagging.
    Same with access port/pvid.

    In the past I have run pfsense with 3 nics for dual wan + LAN.  I recently bought an Intel nuc (only 1 nic) and have things set up with vmware and esx using trunking/tagging.

    There is the default vlan of 1, and I have created vlans 10,20,30.

    My switch is a TP LINK TL-SG108E using 802.1Q

    Port 1 is trunked/tagged to 10,20,30, a member of vlan 1, and pvid is vlan 1. It is connected to vmware esx virtual switch and a portgroup set to vlan (4095) (all) and pfsense is doing the tagging for vlan 10 wan, 20 opt1, 30 lan.  Everything is working as expected.
    Port 2 is an access port/pvid set to 10 (cable modem)(but still a member of vlan 1)
    Port 3 is an access port/pvid set to 20 (DSL)(but still a member of vlan 1)
    Ports 4-8 are access ports/pvid set to 30 (LAN)(but still members of vlan 1)

    Basically I'm using a single nic to break out to 3 ports effectively.

    So, now my real question.  On my switch you seemingly cannot do anything with vlan 1.  You can't take it down, you can't remove ports from it.  This seems to me to be a security issue.  Even with PVID/access port set, it seems like traffic can pass on vlan 1 and the goal here is to effectively isolate ports 2 and 3 from the LAN portion of my network.

    Is this because I am using a cheap switch?  I have heard in other cases being able to remove vlan 1 from ports, or being able to down vlan 1.

    Thanks in advance!

  • Any update on this?

    I'm also using the TL-SG108E with a single NIC pfsense.

    My cable modem is also connected using the untagged VLAN 10.
    If this port has PVID 10 set (forcing tagging of inbound traffic), shouldn't it be impossible to access VLAN 1 (from the internet)?
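To make the question in the first post (and the PVID 10 question just above) concrete, here is an added example that is not from the thread: a small Python model of the generic IEEE 802.1Q ingress and egress rules (untagged ingress is assigned the PVID, tagged ingress is accepted only if the port is a member of that VID, and a frame is flooded to every other member port, tag kept or stripped per membership). It is loaded with the port layout from the first post, plus a second layout showing what removing VLAN 1 membership would achieve on a switch that permits it. Treating the TL-SG108E as following these generic rules, including how it treats tagged frames arriving on a PVID-only port, is an assumption; the point is to show which frames the "every port is still in VLAN 1" design lets cross between the modem/DSL ports and the LAN, not to describe this firmware's exact behaviour.

```python
# Added example (not from the thread): minimal model of standard IEEE 802.1Q
# ingress/egress handling. Assumption: the switch follows the generic rules
# modelled here; the TL-SG108E's real firmware behaviour is not verified.
from dataclasses import dataclass, field


@dataclass
class Port:
    tagged: set = field(default_factory=set)    # VIDs sent out with the tag kept
    untagged: set = field(default_factory=set)  # VIDs sent out with the tag stripped
    pvid: int = 1                               # VID assigned to untagged ingress frames
    admit_tagged: bool = True                   # whether 802.1Q-tagged ingress is accepted

    def is_member(self, vid: int) -> bool:
        return vid in self.tagged or vid in self.untagged


def classify(switch: dict, ingress: int, vid=None):
    """VLAN assigned to a frame entering `ingress`; None means it is dropped.
    vid=None models an untagged frame."""
    port = switch[ingress]
    if vid is None:
        return port.pvid                       # untagged ingress -> PVID
    if not port.admit_tagged or not port.is_member(vid):
        return None                            # ingress filtering
    return vid


def forward(switch: dict, ingress: int, vid=None) -> dict:
    """Egress ports for a broadcast / unknown-unicast frame: {port: 'tagged'|'untagged'}."""
    vlan = classify(switch, ingress, vid)
    if vlan is None:
        return {}
    out = {}
    for num, port in switch.items():
        if num == ingress:
            continue
        if vlan in port.tagged:
            out[num] = "tagged"
        elif vlan in port.untagged:
            out[num] = "untagged"
    return out


def thread_config() -> dict:
    """Port layout from the first post: VLAN 1 untagged on every port, PVID 1 on the trunk."""
    sw = {1: Port(tagged={10, 20, 30}, untagged={1}, pvid=1)}   # trunk to the ESXi vSwitch
    sw[2] = Port(untagged={1, 10}, pvid=10)                     # cable modem
    sw[3] = Port(untagged={1, 20}, pvid=20)                     # DSL
    for n in range(4, 9):                                      # LAN
        sw[n] = Port(untagged={1, 30}, pvid=30)
    return sw


def hardened_config() -> dict:
    """What the fix looks like on a switch that does allow dropping VLAN 1 membership:
    each access port belongs to exactly one VLAN and refuses tagged frames, and the
    trunk has no untagged VLAN, so an untagged frame from the hypervisor is assigned
    PVID 1 and finds no other member port to leave on."""
    sw = {1: Port(tagged={10, 20, 30}, untagged=set(), pvid=1)}
    sw[2] = Port(untagged={10}, pvid=10, admit_tagged=False)
    sw[3] = Port(untagged={20}, pvid=20, admit_tagged=False)
    for n in range(4, 9):
        sw[n] = Port(untagged={30}, pvid=30, admit_tagged=False)
    return sw


if __name__ == "__main__":
    for name, sw in (("thread", thread_config()), ("hardened", hardened_config())):
        print(f"--- {name} layout ---")
        print("untagged frame from modem (port 2):     ", forward(sw, 2))
        print("VID-1-tagged frame from modem (port 2): ", forward(sw, 2, vid=1))
        print("untagged frame from hypervisor (port 1):", forward(sw, 1))
        print("untagged frame from LAN (port 4):       ", forward(sw, 4))
```

Under the first post's layout an untagged frame from the modem is indeed confined to VLAN 10 and only leaves on the trunk, which is what PVID 10 buys you. The two cases the model flags are a frame that arrives already tagged with VID 1 on port 2 (it is accepted because port 2 is still a member of VLAN 1 and is flooded untagged to every other port) and an untagged frame from the hypervisor on port 1 (PVID 1, so it reaches every access port, including the modem and DSL ports). In the hardened layout both of those produce no egress at all while the legitimate VLAN 10/20/30 paths are unchanged, which is the reason for wanting VLAN 1 off the ports, as the later replies in this thread argue.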


  • A couple of posts regarding this device:

    IIRC they have a severe VLAN1 problem. Don't know if that's true for v2 though.
    Personally I use TL-SG3210s without problems but they are a bit more expensive.
    And I have a bunch of Cisco SG300s as well, which I prefer over the TL-SGs. But at home they are pretty much ok.

  • LAYER 8 Global Moderator

    They have the problem on v1, v2 and v3.. You can not remove vlan 1 from any port.  It is their design..  They also have an issue where they seem to count tagged traffic as RxBadPkt, seems to be cosmetic.. And there is a long running thread on their forums that has something to do with the chipset they are using..

    While the price makes it attractive as an entry-level simple switch to use where you only really need vlan support… And depending on your setup you can prob just use vlan 1 as your untagged vlan anyway - as long as you don't have security concerns of someone accessing the switch gui from any port, etc.

    It sure would not be on the top of my list of recommended switches to buy..  But if you change the pvid of a port, and then send untagged traffic it sure should not bleed over to every other port because of vlan 1..  And vlan 1 traffic should not be sent out all ports, etc..  It is there to be able to access the gui, etc..

  • Guys,

    Please see my post here to disable vlan1.  It is on page #5
