PfSense & Cisco SG300 vlans w/ Fibre Optic Internet - proper routing?



  • Hoping someone can help out with similar equipment.  Here's my situation.

    I just had fibre optic internet installed at my home.  The internet comes down via PPPoE on the provider's Sagemcom modem on VLAN 35.  Inside that Sagemcom is a fibre SFP which I unplugged from the modem and plugged into the SFP port in my Cisco switch.  Using pfSense, I have the WAN interface logging in with the PPPoE credentials.

    I want to make sure the internet VLAN is completely controlled by pfSense so there is no risk to my internal network.  I'm getting confused with "tagged, untagged, access and general ports".  Here is what I would like to happen:

    1. Port 1 - Fibre internet (VLAN 35, from provider) to Cisco SG300 (SG300 is being run in layer 2 mode).  Port 1 setup as follows:
    Vlan Management > Vlan Settings > Vlan table (includes vlan ID 35 for internet).
    Vlan Management > Interface Settings > Interface Settings Table > Port 1 set as "Trunk"
    Vlan Management > Interface Settings  > Port to Vlan > Vlan Membership Table > Port 1 set as "tagged"
    Vlan Management > Interface Settings  > Port Vlan Membership > Port Vlan Membership Table > Port 52 set as "trunk" as well as "1T" and "35T" as members.

    2. Port 2 - SG300 to pfSense router.  Exact same configuration as above on this port.

    3. Port 3 - Cisco Aironet 5508 WLC to Cisco SG300.
    Same configuration as above except for one change:
    Vlan Management > Interface Settings  > Port to Vlan > Vlan Membership Table > Port 3 set as "untagged".  If I set it to tagged, internet does not work and pfSense is unreachable.

    Does anyone have any idea if this is optimal … and could possibly explain exactly what's going on?

    Thanks in advance!


  • LAYER 8 Global Moderator

    Are there other VLANs coming in from your ISP?

    What I would do is trunk the port that is coming in from your ISP on your SG300. The port that connects to pfSense would be in VLAN 35 and should not have to be tagged.

    If you're going to run other VLANs into the pfSense LAN, for example, then that port to pfSense would be trunked with the VLANs you're going to use allowed on it.  Put your other ports that will have devices as access; they do not need to be tagged, just in the VLAN you want that device to be in.

    You only need to tag VLANs on uplinks to other switches, or devices that will make use of the tags, like a pfSense interface with VLANs on it.



  • @johnpoz:

    Are there other VLANs coming in from your ISP?

    Yes, the ISP has other VLANs coming in (34 for VoIP, 36 for TV), although I use neither right now, so I just want those VLAN packets dropped/blocked.

    @johnpoz:

    What I would do is trunk the port that is coming in from your ISP on your SG300. The port that connects to pfSense would be in VLAN 35 and should not have to be tagged.

    Just so I'm clear, is the port from pfSense to SG300 (LAN) also trunked?

    Also, I'm using the main VLAN (I guess VLAN 1) for my home network.  Since this VLAN is untagged, and the trunk port to my ISP has "1U, 35T" as a member, does that mean the ISP connection can access the rest of my network unchecked?

    @johnpoz:

    If you're going to run other VLANs into the pfSense LAN, for example, then that port to pfSense would be trunked with the VLANs you're going to use allowed on it.  Put your other ports that will have devices as access; they do not need to be tagged, just in the VLAN you want that device to be in.

    You only need to tag VLANs on uplinks to other switches, or devices that will make use of the tags, like a pfSense interface with VLANs on it.

    Ok, one more wrench.  I use VLAN 20 for a guest wifi.  Works fine for now, but if I change the other ports to access as you suggest, how do I get some of those ports to see both VLAN 1 (untagged main VLAN) and VLAN 20 (guest wifi), since the Cisco WLC is plugged into the same port?

    Thanks much
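    The "1U, 35T" question above is answerable from the membership table alone. The following is an added Python model of 802.1Q ingress classification and VLAN membership, not code from the thread or from Cisco; it compares the posted port table with a hardened variant (the ISP trunk carrying only VLAN 35 with its untagged frames parked in an unused VLAN 999, and the pfSense WAN port as a plain VLAN 35 access port, as suggested above). Port names and VLAN 999 are constructed for the example.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional


@dataclass(frozen=True)
class Port:
    """One SG300 port as the Port VLAN Membership table shows it:
    "1U, 35T" is untagged=1 (the PVID) and tagged={35}."""
    tagged: FrozenSet[int] = frozenset()
    untagged: Optional[int] = None  # None: no untagged member, untagged frames are discarded


def classify_ingress(port: Port, vlan_tag: Optional[int]) -> Optional[int]:
    """VLAN an arriving frame is placed in: an untagged frame gets the port's untagged
    VLAN (PVID); a tagged frame is accepted only if the port is a member of that VLAN."""
    if vlan_tag is None:
        return port.untagged
    if vlan_tag in port.tagged or vlan_tag == port.untagged:
        return vlan_tag
    return None  # port is not a member of that VLAN: the switch discards the frame


def reachable_ports(switch: dict, in_port: str, vlan_tag: Optional[int]) -> set:
    """Ports a frame entering in_port (vlan_tag None = untagged) can be forwarded
    or flooded to, judged purely from VLAN membership."""
    vid = classify_ingress(switch[in_port], vlan_tag)
    if vid is None:
        return set()
    return {name for name, p in switch.items()
            if name != in_port and (vid in p.tagged or vid == p.untagged)}


# Constructed model of the table posted above: ISP and pfSense ports as trunks
# "1U, 35T", plus one LAN device port as an access port in VLAN 1.
posted = {
    "isp":     Port(tagged=frozenset({35}), untagged=1),
    "pfsense": Port(tagged=frozenset({35}), untagged=1),
    "lan_pc":  Port(untagged=1),
}

# Hardened variant (assumption, not from the thread): ISP trunk carries only VLAN 35
# and parks untagged frames in unused VLAN 999; pfSense WAN port is access in VLAN 35.
hardened = {
    "isp":     Port(tagged=frozenset({35}), untagged=999),
    "pfsense": Port(untagged=35),
    "lan_pc":  Port(untagged=1),
}

if __name__ == "__main__":
    for label, sw in (("posted", posted), ("hardened", hardened)):
        for tag in (None, 35, 34):
            print(f"{label:8} frame from isp, tag={tag}: {sorted(reachable_ports(sw, 'isp', tag))}")
```

    With the posted table an untagged frame from the ISP port is classified into VLAN 1 and floods to every home port; with the hardened table it reaches nothing, and only VLAN 35 frames reach the pfSense WAN port.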


  • LAYER 8 Global Moderator

    "Just so I'm clear, is the port from pfSense to SG300 (LAN) also trunked?"

    Why would it need to be if you're not passing other VLANs that pfSense would make use of?

