Netgate Discussion Forum
    VLAN basic

General pfSense Questions | 13 Posts, 7 Posters, 1.8k Views
bilbo:

Is it possible to put one client on a separate VLAN with just a dumb switch? I am trying but not having success so far.

I have one WAN (PPPoE) and one LAN; the default LAN (em1) is 192.168.0.254
      I created a vlan with em1 as the parent vlan tag 101
      I then added the interface "VLAN101" and enabled it under interface assignments address 192.168.101.254
      I then enabled dhcp on VLAN101 range 192.168.101.99 - 100
      I added a firewall rule for vlan 101 pass all all

      On the windows client which is connected via a dumb switch I installed the realtek diagnostic which enabled me to specify 101 as the vlan id for the card.

Should this work, and should the Windows client get a VLAN IP? At present it does not.

mikeisfly:

It depends: if your switch is stripping off the VLAN tag then this will not work. Why not just get a smart switch? You can get some really good used gear on eBay, depending on your requirements and budget. Probably not a good idea to put both tagged and untagged traffic on the same interface for security purposes.

Derelict (LAYER 8, Netgate):

          You really want a managed switch for that.

          If it works at all (which it looks like it doesn't) you will be relying on every device connected to the switch to act on ethernet broadcasts based on the presence or absence of the dot1q VLAN tag. That is a lot to ask of devices that do not claim dot1q compatibility.

          An 8-port dot1q gigabit switch can be had for < US$35 new.

          http://www.amazon.com/D-Link-EasySmart-Gigabit-Ethernet-DGS-1100-08/dp/B008ABLU2I

          Chattanooga, Tennessee, USA
          A comprehensive network diagram is worth 10,000 words and 15 conference calls.
          DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
          Do Not Chat For Help! NO_WAN_EGRESS(TM)

bilbo:

            Thanks for the tips.

With the managed switch, would the pfSense setup be the same as above, and the specific port on the switch the client is connected to be set as VLAN 101?

Derelict (LAYER 8, Netgate):

              I would:
              untag 100 and tag 101 and get a client connected to the web gui and the switch on VLAN 101.

              Then I would tag 100 to pfSense, create VLAN 100 on pfSense, and assign LAN to that.

              That would leave you with:

              LAN assigned to eth0_vlan100
              OPT1 assigned to eth0_vlan101
              eth0 unassigned to anything

That way all your traffic to the switch is tagged.

              Keep that realtek software in your pocket because if you ever need to bypass the switch and connect directly you will need to tag vlan 100 or 101 there.

              You could just leave eth0_vlan101 assigned to OPT1 and eth0 assigned to LAN.

              In that case you would tag VLAN101 to pfSense and set the port's PVID to 100. That's another option.

              Then set the other switch ports to untagged/PVID 100 or 101 depending on what network you want them to be on.

NOYB:

                @mikeisfly:

                Probably not a good idea to put both tagged and untagged traffic on the same interface for security purposes.

On what do you base this? The OP does not include any security-related details or requirements. The environment may not be security sensitive to combining VLANs on the same physical layer. And even if it is, what does being untagged have to do with it?

va176thunderbolt:

"On what do you base this? The OP does not include any security-related details or requirements. The environment may not be security sensitive to combining VLANs on the same physical layer. And even if it is, what does being untagged have to do with it?"

I've done this before, and it works - mostly. Keep in mind that VLANs are layer 2 boundaries, so if the "clients" rely on broadcast traffic (say BOOTP or DHCP) before the native OS is fully initialized and can tag its own traffic, it can end up on the untagged VLAN instead of the tagged VLAN.

                  If it's just a lab, sure - try it out and play with it. It'll make for some interesting packet captures to review, but may give you enough functionality to do your lab testing.

johnpoz (LAYER 8, Global Moderator):

                    "The environment may not be security sensitive to combining vlans on same physical layer. "

Doesn't matter if they're security sensitive or not.. Suggesting someone run multiple layer 3 networks on the same layer 2 is just F'ing Borked!!!

                    A smart switch is $30 these days.. If he wants to play with vlans in his "lab" then get a switch that supports vlans!!

As to running 1 native or untagged VLAN and then tagged VLANs on an interface, this is not a security issue nor a problem.. This is done all the time. Some devices require it, e.g. if you cannot tag, say, the management interface. But you do not put multiple untagged VLANs together on the same wire.

                    An intelligent man is sometimes forced to be drunk to spend time with his fools
                    If you get confused: Listen to the Music Play
                    Please don't Chat/PM me for help, unless mod related
                    SG-4860 24.11 | Lab VMs 2.8, 24.11

NOYB:

                      @johnpoz:

                      "The environment may not be security sensitive to combining vlans on same physical layer. "

Doesn't matter if they're security sensitive or not.. Suggesting someone run multiple layer 3 networks on the same layer 2 is just F'ing Borked!!!

                      Where did I suggest that?

                      @johnpoz:

                      As to running 1 native or untagged vlan and then tagged vlans on an interface, this is not security issue nor a problem..

                      Exactly.  That is the point of response to the statement that was made indicating that somehow combining untagged and tagged is a security issue.

                      @johnpoz:

                      But you do not put multiple untagged vlans together on the same wire.

                      Would that even be possible?  i.e. Strictly technically speaking once untagged they are no longer different vlans.

johnpoz (LAYER 8, Global Moderator):

Oh NOYB, it was more geared to "And even if it is, what does being untagged have to do with it." by va176thunderbolt

I am with you: if it's tagged traffic then it's not actually the same layer 2.. But you would be amazed at how often you see people running multiple layer 3 networks on the same layer 2..

                        Yes it is possible.. Many of the so called "smart" switches do not stop you from adding untagged vlans to the same port.  And you see it all the time just using a dumb switch and putting machines on say 192.168.0/24 and others on 192.168.1 and then thinking they are isolated from each other.


mikeisfly:
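The ingress rules behind Derelict's two port layouts above (trunk with everything tagged, or LAN left on bare eth0 with PVID 100 plus tagged 101), and johnpoz's point that a port untagged in more than one VLAN merges them into one broadcast domain, modelled in Python. This is an added example, not pfSense code and not code from any poster in the thread; the port names g1/g2, the MAC addresses and the frame payloads are constructed for the illustration.

```python
"""Model of 802.1Q frames and switch-port ingress classification.

Added illustration for this thread; not pfSense code and not from any
poster. MAC addresses, frames and port tables below are constructed.
"""
import struct

TPID_8021Q = 0x8100      # EtherType value that announces an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800

# Constructed locally-administered addresses, not real hosts.
BROADCAST = b"\xff" * 6
PFSENSE_MAC = bytes.fromhex("020000000001")
CLIENT_MAC = bytes.fromhex("020000000002")


def build_frame(dst, src, payload, vid=None, pcp=0):
    """Ethernet II frame, with one 802.1Q tag inserted when vid is given."""
    frame = dst + src
    if vid is not None:
        if not 1 <= vid <= 4094:
            raise ValueError("VID must be 1..4094")
        tci = ((pcp & 0x7) << 13) | (vid & 0x0FFF)
        frame += struct.pack("!HH", TPID_8021Q, tci)
    return frame + struct.pack("!H", ETHERTYPE_IPV4) + payload


def parse_vid(frame):
    """VID from the frame's 802.1Q tag, or None when the frame is untagged."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != TPID_8021Q:
        return None
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    (tci,) = struct.unpack_from("!H", frame, 14)
    return tci & 0x0FFF  # drop the PCP and DEI bits


class Port:
    """One switch port: a PVID for untagged ingress plus a set of tagged VLANs."""

    def __init__(self, name, pvid=None, tagged=()):
        self.name = name
        self.pvid = pvid
        self.tagged = set(tagged)

    def classify(self, frame):
        """VLAN an ingress frame lands on, or None if this model drops it."""
        vid = parse_vid(frame)
        if vid is None:
            return self.pvid        # untagged frame: the port's native VLAN
        if vid in self.tagged:
            return vid              # tagged for a VLAN this port carries
        return None                 # tagged for a VLAN the port is not a member of


def ports_from_table(table):
    """Build Port objects from a smart-switch style membership table
    {vid: {port: 'U' | 'T'}}, rejecting a port that is untagged in two
    VLANs (that would merge both VLANs into one broadcast domain)."""
    ports = {}
    for vid, members in table.items():
        for name, mode in members.items():
            port = ports.setdefault(name, Port(name))
            if mode == "U":
                if port.pvid is not None and port.pvid != vid:
                    raise ValueError(f"{name}: untagged in VLAN {port.pvid} and {vid}")
                port.pvid = vid
            elif mode == "T":
                port.tagged.add(vid)
            else:
                raise ValueError(f"{name}: unknown membership {mode!r}")
    return ports


def derelict_layouts():
    """The two layouts from the thread. g1 faces pfSense, g2 faces the client."""
    all_tagged = {100: {"g1": "T"}, 101: {"g1": "T", "g2": "U"}}  # eth0 unassigned
    native_lan = {100: {"g1": "U"}, 101: {"g1": "T", "g2": "U"}}  # eth0 = LAN, PVID 100
    return ports_from_table(all_tagged), ports_from_table(native_lan)


def demo():
    """Classify a few constructed frames under both layouts."""
    all_tagged, native_lan = derelict_layouts()
    body = b"\x45" + b"\x00" * 45                                       # stand-in IPv4 payload
    client_untagged = build_frame(BROADCAST, CLIENT_MAC, body)          # e.g. early-boot DHCP
    client_tagged = build_frame(BROADCAST, CLIENT_MAC, body, vid=101)   # Realtek tool tagging
    pf_untagged = build_frame(BROADCAST, PFSENSE_MAC, body)             # LAN on bare eth0
    pf_tagged = build_frame(BROADCAST, PFSENSE_MAC, body, vid=101)      # eth0_vlan101
    return {
        "client_untagged_g2": native_lan["g2"].classify(client_untagged),   # 101
        "client_tagged_g2": native_lan["g2"].classify(client_tagged),       # None
        "pf_untagged_g1_native": native_lan["g1"].classify(pf_untagged),    # 100
        "pf_untagged_g1_alltagged": all_tagged["g1"].classify(pf_untagged), # None
        "pf_tagged_g1": native_lan["g1"].classify(pf_tagged),               # 101
    }


if __name__ == "__main__":
    for case, vlan in demo().items():
        print(f"{case:26s} -> {vlan}")
```

The `client_untagged_g2` case is va176thunderbolt's early-boot scenario: on a managed switch the access port's PVID puts the untagged DHCP frame on VLAN 101 regardless of what the client can tag, which is what a dumb switch cannot do. In this model a frame the client tags 101 itself is dropped on that same untagged-only port, and an untagged frame from pfSense is dropped on the all-tagged trunk; real switches differ in how they treat a tag matching the PVID, so check the product's documentation before relying on either outcome.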

That was my point, saying you probably shouldn't do it. Plus it looks like this person is learning, so why not start off with a good foundation before they start dealing with native VLAN mismatches. I've also seen in previous versions of pfSense that the captive portal doesn't play well with tagged and untagged traffic on the same interface. Not sure if this is still the case today.

bilbo:

                            Thanks again. I am just learning really, at home.

I do have an old Asus Merlin router which I believe can tag a port, so I might try that.

It would be client > Asus in switch mode with VLAN tag > dumb switch > pfSense, or would the dumb switch bork it?

                            Also my pfsense runs on vmware workstation and I have a sneaking suspicion that could be interfering?

Guest:

@bilbo: "Also my pfsense runs on vmware workstation and I have a sneaking suspicion that could be interfering?"

Internet --- pfSense --- Switch --- Merlin router in WLAN AP mode
That would be my setup to learn about VLANs. With two SSIDs (private WLAN and guests) you will be needing tagged VLANs, and
if you set up only one SSID (private WLAN) you may only need an untagged VLAN. That comes quite close to real situations, also at home.

Forget the dumb switch please; for ~$25 you can get a small Netgear GS105E that works unconfigured as a
dumb switch and supports VLANs if you configure it over the web GUI.

                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.