LAN setup with pfSense



  • Hi there!

    I need some help and suggestions for setting up my LAN. I've made a sketch of my situation, which includes 2 locations (room1 and room2), both in the same apartment. Unfortunately I have only 1 LAN cable between the rooms, which made me wonder if it could be solved with VLANs. It seems this is possible, but I still need to get my head around how I should set it up, especially in pfSense.

    I have created interfaces in pfSense for vlan10 and vlan20 and activated them both.

    Is my sketch possible to implement in my setup?

    Only the WAN interface on pfSense should receive DHCP from the WAN modem (I have 5 public IPs). All clients connected to green ports (vlan20) should have access to the internet. I've set up a 250Mbps OpenVPN client on my Qnap pfSense.

    I hope someone could shed some light and/or point me in the right direction. :)



  • That should work fine.
    Room 1 ports 1-7 will be untagged, Port 8 will be tagged and in both VLANs.
    Room 2 port 1 will be tagged and in both VLANs, ports 2 to 8 will be untagged.

    pfSense WAN should see the "WAN Modem" in the clear on room 2 port 2.
    pfSense LAN should see all the green ports via Room 2 port 8.

    If you want or need to, you can make a single tagged port for pfSense and run the WAN and LAN as separate tagged VLANs on the same physical port. But usually I prefer the configuration you have drawn. When fault-finding it is very handy to have the pfSense LAN as a "vanilla" port. Then you can plug in a laptop directly and get to the webGUI. If the LAN port is offered on a VLAN then you can only get to it by connecting a VLAN-tagging device that is set up with the correct VLAN tag.



  • Hi there Phil and thank you for replying.

    If I understand this correctly, I just have to put the pfSense DHCP range on the desired VLAN20 for this to work, on those ports which are untagged (room1 p1-7 + room2 p2-8), and hook up clients?

    In my mind this wouldn't work, since the WAN modem is just in bridged mode and gives public IPs to whatever is connected behind it. If I have room1 ports 1 to 7 untagged, will all these ports get public IPs from the DHCP on my ISP side? I have a feeling that I don't understand this correctly. :-X



    Untagged just means that when a packet is transmitted on that port, it is not wrapped with a VLAN tag. You still put the port in a VLAN number (tag); then when a "raw" packet is received on that port, the switch internally "wraps it in a VLAN tag". The switch then sends it out whatever other port(s) are in that VLAN (note: a bit more technical stuff here not related to VLANs; of course it does not send it out every port in the VLAN, because it is a switch, not a hub, so it is smart about only sending out the port(s) that have the target MAC address…). If the output port is untagged, then the VLAN "tag wrapper" is removed. If the output port is tagged then the VLAN "tag wrapper" is left on.

    So untagged ports in different VLANs never see each other's traffic.

    And tagged ports carry traffic from multiple VLANs, but each packet carries the relevant VLAN tag. As long as the device at each end of the "tagged VLAN ports" trunk has good firmware that actually implements the standard securely, then traffic in different VLANs never sees each other's traffic.



    Thank you for clarifying the difference. I've got the hang of it now.

    Next up is how pfSense is supposed to work. I'm having trouble getting the WAN side of pfSense to get a public IP from my ISP when going through a VLAN.

    Hooking up the cable from the modem -> pfSense WAN port works like a charm. I've set the WAN interface to spoof the MAC address of a client that has a lease from my ISP.

    Going from the modem in port 1, room1, I get nothing when hooking up the pfSense WAN port to a port in the switch which is on VLAN10.

    Have I missed some obvious setting?



  • Room 1 Port 1 should be untagged and part of VLAN10
    Room 1 Port 8 should be tagged for VLAN 10
    Room 2 Port 1 should be tagged for VLAN 10
    Room 2 Port 2 should be untagged and part of VLAN10

    Depending on the make and model of smart switch, it probably has something called PVID that can be set on each port. That controls what to do with incoming "raw" packets. So Room 1 Port 1 and Room 2 Port 2 need to have PVID 10. (As well as being "part of VLAN 10" somewhere else in the smart switch configuration screens)
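
As an added example (not part of the thread or of any switch vendor's software), here is a small Python model of the two smart switches as laid out in the replies above: room1 port 1 = modem (untagged, PVID 10), ports 2-7 = green clients (untagged, PVID 20), port 8 = trunk (tagged 10 and 20); room2 port 1 = trunk, port 2 = pfSense WAN (untagged, PVID 10), ports 3-8 = green clients including the pfSense LAN (untagged, PVID 20). It traces where a raw frame from the modem ends up, shows what happens when the modem port's PVID is left at the factory default of 1 (the "I get nothing on the WAN port" symptom), and shows that a client port never sees VLAN 10 even if the client sends a pre-tagged frame. The model assumes flooding within a VLAN (no MAC learning) and that a port drops tagged frames for VLANs it is not a member of, i.e. the "good firmware" case mentioned above; both are simplifications, not a statement about any particular switch.

```python
"""Toy model of 802.1Q VLAN forwarding across two smart switches joined by one
tagged trunk cable (room1 port 8 <-> room2 port 1).  Added example, not code
from the thread.  Assumes flooding within a VLAN and that a tagged frame is
dropped on a port that is not a member of that VLAN."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Port:
    pvid: int                                        # VLAN given to raw (untagged) ingress frames
    untagged: Set[int] = field(default_factory=set)  # VLANs sent out of this port without a tag
    tagged: Set[int] = field(default_factory=set)    # VLANs sent out of this port with a tag


@dataclass
class Frame:
    vlan: Optional[int]   # 802.1Q tag on the wire; None means no tag
    payload: str


class Switch:
    def __init__(self, name: str, ports: Dict[int, Port]) -> None:
        self.name = name
        self.ports = ports

    def forward(self, ingress: int, frame: Frame) -> Dict[int, Frame]:
        """Return {egress_port: frame_as_sent} for one frame received on `ingress`."""
        p = self.ports[ingress]
        vlan = frame.vlan if frame.vlan is not None else p.pvid   # "wrap it in a VLAN tag"
        if frame.vlan is not None and vlan not in (p.tagged | p.untagged):
            return {}   # tagged frame for a VLAN this port is not in: dropped
        out: Dict[int, Frame] = {}
        for num, port in self.ports.items():
            if num == ingress:
                continue
            if vlan in port.untagged:
                out[num] = Frame(None, frame.payload)   # tag wrapper removed on egress
            elif vlan in port.tagged:
                out[num] = Frame(vlan, frame.payload)   # tag wrapper left on
        return out


def build_room1(modem_pvid: int = 10) -> Switch:
    ports = {n: Port(pvid=20, untagged={20}) for n in range(2, 8)}   # green client ports 2-7
    ports[1] = Port(pvid=modem_pvid, untagged={10})                 # WAN modem
    ports[8] = Port(pvid=1, tagged={10, 20})                        # trunk to room2
    return Switch("room1", ports)


def build_room2() -> Switch:
    ports = {n: Port(pvid=20, untagged={20}) for n in range(3, 9)}   # green ports 3-8, 8 = pfSense LAN
    ports[1] = Port(pvid=1, tagged={10, 20})                        # trunk from room1
    ports[2] = Port(pvid=10, untagged={10})                         # pfSense WAN
    return Switch("room2", ports)


Arrival = Tuple[str, int, Optional[int]]   # (switch, port, tag seen on the wire)


def trace_from_room1(ingress: int, frame: Frame, modem_pvid: int = 10) -> List[Arrival]:
    """Inject `frame` on room1 port `ingress` and list every port it reaches,
    carrying it over the trunk cable into room2 where the switch sends it there."""
    room1, room2 = build_room1(modem_pvid), build_room2()
    arrivals: List[Arrival] = []
    for port, sent in room1.forward(ingress, frame).items():
        if port == 8:   # trunk cable lands on room2 port 1
            arrivals += [("room2", p2, f2.vlan) for p2, f2 in room2.forward(1, sent).items()]
        else:
            arrivals.append(("room1", port, sent.vlan))
    return sorted(arrivals, key=lambda a: (a[0], a[1]))


if __name__ == "__main__":
    offer = Frame(None, "DHCP OFFER with a public IP")   # constructed sample frame from the modem
    print("modem port PVID 10        :", trace_from_room1(1, offer))
    print("modem port PVID left at 1 :", trace_from_room1(1, offer, modem_pvid=1))
    print("green client on port 2    :", trace_from_room1(2, Frame(None, "client traffic")))
    print("client sends a tag 10     :", trace_from_room1(2, Frame(10, "VLAN hop attempt")))
```

With PVID 10 on the modem port the raw DHCP offer leaves room1 only on the trunk, tagged 10, and arrives untagged at room2 port 2 and nowhere else; with the PVID still at 1 it is assigned to a VLAN no port in the model belongs to and never reaches the pfSense WAN port, which is exactly the "membership set but PVID wrong" case the reply above warns about. Client traffic floods VLAN 20 on both switches but never appears on port 2, and a client that forges an 802.1Q tag for VLAN 10 is dropped at its own access port in this model; on a real switch that last property is only as good as the firmware, which is the caveat given earlier in the thread.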

