VLAN basic
-
Is it possible to put one client on a separate vlan with just a dump switch, I am trying but not having success so far.
I have one wan pppoe and one lan, the default lan (em1) is 192.168.0/254
I created a vlan with em1 as the parent vlan tag 101
I then added the interface "VLAN101" and enabled it under interface assignments address 192.168.101.254
I then enabled dhcp on VLAN101 range 192.168.101.99 - 100
I added a firewall rule for VLAN 101: pass all/all.
On the Windows client, which is connected via a dumb switch, I installed the Realtek diagnostic tool, which let me specify 101 as the VLAN ID for the card.
Should this work, and should the Windows client get a VLAN IP? At present it does not.
-
It depends: if your switch is stripping off the VLAN tag then this will not work. Why not just get a smart switch? You can get some really good used gear on eBay depending on your requirements and budget. Probably not a good idea to put both tagged and untagged traffic on the same interface for security purposes.
-
You really want a managed switch for that.
If it works at all (which it looks like it doesn't) you will be relying on every device connected to the switch to act on ethernet broadcasts based on the presence or absence of the dot1q VLAN tag. That is a lot to ask of devices that do not claim dot1q compatibility.
An 8-port dot1q gigabit switch can be had for < US$35 new.
http://www.amazon.com/D-Link-EasySmart-Gigabit-Ethernet-DGS-1100-08/dp/B008ABLU2I
-
Thanks for the tips.
With the managed switch would the pfsense setup be the same as above, and the specific port on the switch the client is connected to be set as vlan 101 ?
-
I would:
untag 100 and tag 101 and get a client connected to the web GUI and the switch on VLAN 101. Then I would tag 100 to pfSense, create VLAN 100 on pfSense, and assign LAN to that.
That would leave you with:
LAN assigned to eth0_vlan100
OPT1 assigned to eth0_vlan101
eth0 unassigned to anything
That way all your traffic to the switch is tagged.
Keep that Realtek software in your pocket, because if you ever need to bypass the switch and connect directly you will need to tag VLAN 100 or 101 there.
You could just leave eth0_vlan101 assigned to OPT1 and eth0 assigned to LAN.
In that case you would tag VLAN101 to pfSense and set the port's PVID to 100. That's another option.
Then set the other switch ports to untagged/PVID 100 or 101 depending on what network you want them to be on.
-
Probably not a good idea to put both tagged and untagged traffic on the same interface for security purposes.
On what do you base this? The OP does not include any security-related details or requirements. The environment may not be security sensitive to combining VLANs on the same physical layer. And even if it is, what does being untagged have to do with it?
-
"On what do you base this? The OP does not include any security-related details or requirements. The environment may not be security sensitive to combining VLANs on the same physical layer. And even if it is, what does being untagged have to do with it?"
I've done this before, and it works - mostly. Keep in mind that the VLANs are layer 2 boundaries, so if the "clients" rely on broadcast traffic (say BOOTP or DHCP) before the native OS is fully initialized and can tag its own traffic, it can end up on the untagged VLAN instead of the tagged VLAN.
If it's just a lab, sure - try it out and play with it. It'll make for some interesting packet captures to review, but may give you enough functionality to do your lab testing.
-
"The environment may not be security sensitive to combining vlans on same physical layer. "
Doesn't matter if they're security sensitive or not.. Suggesting someone run multiple layer 3 networks on the same layer 2 is just F'ing Borked!!!
A smart switch is $30 these days.. If he wants to play with VLANs in his "lab" then get a switch that supports VLANs!!
As to running 1 native or untagged VLAN and then tagged VLANs on an interface, this is not a security issue nor a problem.. This is done all the time. Some devices require it, even if you cannot tag, say, the management interface. But you do not put multiple untagged VLANs together on the same wire.
-
"The environment may not be security sensitive to combining vlans on same physical layer. "
Doesn't matter if they're security sensitive or not.. Suggesting someone run multiple layer 3 networks on the same layer 2 is just F'ing Borked!!!
Where did I suggest that?
As to running 1 native or untagged VLAN and then tagged VLANs on an interface, this is not a security issue nor a problem..
Exactly. That is the point of my response to the statement that was made indicating that somehow combining untagged and tagged is a security issue.
But you do not put multiple untagged VLANs together on the same wire.
Would that even be possible? I.e., strictly technically speaking, once untagged they are no longer different VLANs.
-
Oh NOYB, it was more geared to "And even if it is, what does being untagged have to do with it?" by va176thunderbolt
I am with you: if it's tagged traffic then it's not actually the same layer 2.. But you would be amazed at how often you see people running multiple layer 3 networks on the same layer 2..
Yes it is possible.. Many of the so-called "smart" switches do not stop you from adding untagged VLANs to the same port. And you see it all the time just using a dumb switch and putting machines on say 192.168.0/24 and others on 192.168.1 and then thinking they are isolated from each other.
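The point made in the last few posts (a VLAN is a layer 2 boundary; two untagged subnets on one wire are one broadcast domain; a switch or NIC that strips the tag collapses a VLAN into the native domain) is easy to see by looking at the frames themselves. The following is an added example, not code from this thread or from pfSense: it parses raw Ethernet frames, reads the 802.1Q tag if present, and groups the IPv4 source addresses by the broadcast domain they actually share. The MACs, IPs and frames are constructed for the example; `strip_tag` models what a tag-stripping device does to a tagged frame. A practitioner reviewing a capture from the original poster's setup could run the same classification over real frames.

```python
import struct
from collections import defaultdict

TPID_8021Q = 0x8100      # EtherType value that announces an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800


def mac_bytes(s: str) -> bytes:
    return bytes(int(x, 16) for x in s.split(":"))


def ip_bytes(s: str) -> bytes:
    return bytes(int(x) for x in s.split("."))


def build_frame(dst: str, src: str, ip_src: str, ip_dst: str, vid=None) -> bytes:
    """Construct a minimal Ethernet/IPv4 frame; vid=None means untagged (native VLAN).
    The IPv4 header is a bare 20-byte header (UDP protocol number, no payload)."""
    hdr = mac_bytes(dst) + mac_bytes(src)
    if vid is not None:
        hdr += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)   # TCI with PCP=0, DEI=0
    hdr += struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 17, 0,
                     ip_bytes(ip_src), ip_bytes(ip_dst))
    return hdr + ip


def parse_frame(frame: bytes) -> dict:
    """Return dst/src MAC, VLAN ID (None if untagged), PCP, EtherType and IPv4 addresses."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    offset, vid, pcp = 14, None, None
    if etype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q header")
        tci, etype = struct.unpack("!HH", frame[14:18])
        pcp, vid, offset = tci >> 13, tci & 0x0FFF, 18
    info = {"dst": ":".join(f"{b:02x}" for b in dst),
            "src": ":".join(f"{b:02x}" for b in src),
            "vid": vid, "pcp": pcp, "ethertype": etype,
            "ip_src": None, "ip_dst": None}
    if etype == ETHERTYPE_IPV4 and len(frame) >= offset + 20:
        ip = frame[offset:offset + 20]
        info["ip_src"] = ".".join(str(b) for b in ip[12:16])
        info["ip_dst"] = ".".join(str(b) for b in ip[16:20])
    return info


def broadcast_domain(info: dict) -> str:
    """A frame's layer 2 domain is decided by the tag alone, never by the IP subnet."""
    return "untagged" if info["vid"] is None else f"vlan{info['vid']}"


def strip_tag(frame: bytes) -> bytes:
    """Model a dumb switch or NIC driver that drops the 802.1Q tag: the frame
    silently joins the untagged domain."""
    if len(frame) >= 18 and struct.unpack("!H", frame[12:14])[0] == TPID_8021Q:
        return frame[:12] + frame[16:]
    return frame


def group_by_domain(frames) -> dict:
    """Map each broadcast domain to the sorted list of IPv4 sources seen in it."""
    seen = defaultdict(set)
    for f in frames:
        info = parse_frame(f)
        if info["ip_src"] is not None:
            seen[broadcast_domain(info)].add(info["ip_src"])
    return {k: sorted(v) for k, v in seen.items()}


BCAST = "ff:ff:ff:ff:ff:ff"
# Constructed sample traffic on one wire: two untagged hosts on different /24s,
# one host tagging VLAN 101, and a booting client that has not tagged yet.
SAMPLE_FRAMES = [
    build_frame(BCAST, "02:00:00:00:00:01", "192.168.0.10", "255.255.255.255"),
    build_frame(BCAST, "02:00:00:00:00:02", "192.168.1.10", "255.255.255.255"),
    build_frame(BCAST, "02:00:00:00:00:03", "192.168.101.10", "255.255.255.255", vid=101),
    build_frame(BCAST, "02:00:00:00:00:04", "0.0.0.0", "255.255.255.255"),
]

if __name__ == "__main__":
    for domain, hosts in group_by_domain(SAMPLE_FRAMES).items():
        print(domain, hosts)
    tagged = SAMPLE_FRAMES[2]
    print("after tag stripping:", broadcast_domain(parse_frame(strip_tag(tagged))))
```

Running it shows 192.168.0.10, 192.168.1.10 and the booting 0.0.0.0 client all in the single untagged domain, only 192.168.101.10 in vlan101, and the VLAN 101 frame landing in the untagged domain once a device in the path strips its tag. That is the whole argument of the thread in one capture: separate subnets do not isolate hosts, tags do, and anything that removes tags removes the isolation.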
-
That was my point, saying you probably shouldn't do it. Plus it looks like this person is learning, so why not start off with a good foundation before they start dealing with native vlan mismatches. I've also seen in previous versions of pfsense the captive portal doesn't play well with tagged and untagged traffic on the same interface. Not sure if this is still the case today.
-
Thanks again. I am just learning really, at home.
I do have an old Asus Merlin router which I believe can tag a port, so I might try that.
It would be client > Asus in switch mode with VLAN tag > dumb switch > pfSense, or would the dumb switch bork it?
Also my pfsense runs on vmware workstation and I have a sneaking suspicion that could be interfering?
-
Also my pfsense runs on vmware workstation and I have a sneaking suspicion that could be interfering?
Internet --- pfSense --- Switch --- Merlin router in WLAN AP mode
That would be my setup to learn about VLANs. With two SSIDs (private WLAN and guests) you might need tagged VLANs, and
if you set up only one SSID (private WLAN) you may only need an untagged VLAN. That would come close to real situations at home as well.
Forget the dumb switch, please; for ~$25 you can get a small Netgear GS105E that works unconfigured as a
dumb switch and supports VLANs if you configure it over the web GUI.