Netgate Discussion Forum
    Do I really need a LAN interface or can I use all VLANS

    General pfSense Questions. 11 posts, 5 posters, 1.9k views.
    britesc:

      I have a pfSense box with 8 interfaces.
      Currently WAN, LAN, MGT + 4 OPTs & a 2nd WAN.
      I am converting the overgrown network into a number of VLANs.
      Currently I have the usual WAN on interface 1 and the LAN on interface 2; I want a Management (V)LAN on MGT and a 2nd WAN interface.

      My aim is to move everything from the overgrown LAN interface into specific VLANs, with a DMZ on 1, then various others divided between them.
      I also want the pfSense box to only be accessible from 192.168.200.8, for example, with its IPMI and the other IPMI interfaces using the 192.168.200.0/23 VLAN subnet tagged as 200.
      I want the DMZ VLAN accessible only from the 2nd WAN and certain other VLANs, but only to, not from.
      I want a Guest VLAN that will accept WiFi (specific SSID) or wired clients and can access the system VLAN to use printers (I thought of having a VLAN just for those and a file server).
      I want a VLAN for the system devices such as the servers, printers, switches etc.
      I want a VLAN for the security system, cameras and other sensors.
      I want a VLAN for the development labs.
      I want a VLAN for Media which will have WAN 2 as its WAN; everything else will use WAN 1.

      I am slowly getting there. I will use a NetGear M4100-26G or a NetGear XS752TS as the managed switch fed by the pfSense box.

      I assume I have to leave the LAN interface as a real interface as it has the details of the PDC, BDC and WINS etc.
      But it seems that I cannot run a tagged VLAN and a LAN on the same interface as it causes issues, according to messages and documents I have read. So it seems logical to me to make the LAN a DHCP interface with a 192.168.0.1/24 subnet to allow newly attached equipment to have a landing before being properly assigned.

      Is what I am doing / proposing the correct way of doing things?
      Thanks and kind regards,  8)
      Almost blind but still smiling.

      Derelict (Netgate):

        No. You can leave, say, igb0 unassigned and just reassign LAN to VLAN X on igb0. All of its configuration (rules, DHCP, etc) will move with it but it will be tagged to/from the switch after you make the change.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        Guest:

          Currently WAN, LAN, MGT + 4 OPTs & 2nd WAN
          I am converting the overgrown network into a number of VLANs

          Why not use load balancing and PBR (policy based routing) together with some failover rules in this multi-WAN setup?
          WAN + 2 WAN: are we now talking about three WAN interfaces? (Sorry, this was not clear to me from your opening post.)
          Setting everything up in VLANs will be a fine thing, but putting everything that is often connected to the Internet, such as servers (web, ftp, mail)
          or some snitching IoT devices, inside a DMZ will also be nice.

          Currently I have the usual WAN on interface 1, the LAN on interface 2, I want a Management (V)LAN on MGT and have a 2nd WAN Interface.

          If this is a Supermicro board, the IPMI port often also acts as the (or a) fallback WAN port, and this might cause trouble in
          some situations; I would suggest disabling that function inside the BIOS.

          My aim is to move everything from the overgrown LAN interface into specific VLANs with a DMZ on 1, then various others divided between them.

          If you have a small pfSense appliance and a really strong and powerful Layer 3 switch, you may think about letting the switch
          route the entire VLAN traffic at wire speed. With that you may free horsepower on the pfSense box and will perhaps
          be able to install other packages and turn on additional services if wanted.

          I also want the pfSense box to only be accessible from 192.168.200.8 for example with other its IPMI and other IPMI interfaces using the 192.168.200.0 /23 VLAN subnet tagged as 200.

          Set the IPMI port to be used only as an IPMI port and not as the fallback WAN port, please, and then connect or integrate this IPMI port
          only into VLAN1, which is often the default VLAN that all devices are members of; easy to administer for you.

          I want the DMZ VLAN accessible only from the 2nd WAN and certain other VLANs but only to not from.
          I want a Guest VLAN that will accept WiFi (specific SSID) or Wired that can access the system VLAN to use printers (thought of having a VLAN just for those and a file server)
          I want a VLANs for the system devices such as the servers, printers, switches etc…
          I want a VLAN for the security system, cameras and other sensors.
          I want a VLAN for the development labs.
          I want a VLAN for Media which will have WAN 2 as its WAN, everything else will use WAN 1

          Placing all servers inside a real DMZ will be the best way in my eyes (only my opinion); these are
          all devices that connect permanently or periodically to the Internet over opened and forwarded ports.
          So one interface should then be for the DMZ with, let us say, the 172.xxx IP range.

          And all other devices could be put inside the LAN, grouped into their own VLANs:
          VLAN1 - management - 192.168.3.0/24 (255.255.255.0)
            IPMI port
          VLAN10 - home lab - 192.168.4.0/24 (255.255.255.0)
            As it is
          VLAN20 - computers - 192.168.5.0/24 (255.255.255.0)
            Secured over OpenLDAP
          VLAN30 - wireless devices (private) - 192.168.6.0/24 (255.255.255.0)
            Secured over the FreeRADIUS server with certificates
          VLAN40 - wireless devices (guests) - 192.168.7.0/24 (255.255.255.0)
            Secured over the Captive Portal with voucher system and activated client isolation
          VLAN50 - printers - 192.168.8.0/24 (255.255.255.0)
            As they are
          VLAN60 - servers - 192.168.9.0/24 (255.255.255.0)
            As they are
          VLAN70 - multimedia (IoT) - 192.168.10.0/24 (255.255.255.0)
            As they are

          I am slowly getting there, I will use a NetGear M4100-26G or a NetGear XS752TS as the managed switch fed by the pfSense box.

          Please take the time and compare prices for switches! A Netgear M4100-26G can be had here for ~550 Euros,
          and so can a Cisco SG350-26 or a Cisco SG500-28. So you might think of going with the layer 3 switches
          SG350 or SG500 rather than a layer 2 switch for the same money.

          britesc:

            Hi,
            Really, that's great, thanks.
            Very nice.
            Brilliant response, thanks. No, only 2 WANs; you read "2nd WAN" as "2 WAN".
            I will try and digest this today; if I have any problems I hope I can bounce back to you?
            I already have the switches etc.
            Many thanks.

            jB
            (Haven't used my German for a few years now!!!!)

            tsmalmbe:

              @Derelict:

              No. You can leave, say, igb0 unassigned and just reassign LAN to VLAN X on igb0. All of its configuration (rules, DHCP, etc) will move with it but it will be tagged to/from the switch after you make the change.

              Could you explain step-by-step how to do this reassigning?

              Security Consultant at Mint Security Ltd - www.mintsecurity.fi

              britesc:

                Could you explain step-by-step how to do this reassigning?

                +1 please.

                Derelict (Netgate):

                  Make the VLAN, Interfaces > Assign, Change LAN to be assigned to "VLAN X on ethX", change the switch port from untagged to tagged for VLAN X.

                  Do all this logged into the firewall from another interface, else you will lock yourself out. Another tagged VLAN on the same physical interface should be OK.


                  tsmalmbe:

                    Is there a way to do this from the CLI? Or would the easiest way be to simply use a 3G/4G connection and OpenVPN to do this change - that would qualify as another interface - correct?


                    Derelict (Netgate):

                      Just any other interface. Anything except the LAN you are messing with layer 2 on.

                      Yes, you might be able to do it from the CLI but those scripts are really geared to configuring from nothing, not making small changes to an existing config.

                      If you have access to the switch from the inside, set pfSense to tagged and apply, then connect to the switch and set the port to tagged; you should be fine.

                      Not rocket science here.


                      bingo600:

                        @BlueKobold:

                        If you have a small pfSense appliance and a really strong and powerful Layer3 switch, you may be think about to let the switch
                        route the entire VLAN traffic with wire speed. With that you may free horse power at the entire pfSense box and you will perhaps
                        be able to install other packets and turning on additional services if wanted.

                        Wouldn't multi-VLAN L3 routing enable packets to switch from one VLAN to another within the same L3 switch, defeating the purpose of the firewall?

                        /Bingo

                        If you find my answer useful - Please give the post a 👍 - "thumbs up"

                        pfSense+ 23.05.1 (ZFS)

                        QOTOM-Q355G4 Quad Lan.
                        CPU  : Core i5 5250U, Ram : 8GB Kingston DDR3LV 1600
                        LAN  : 4 x Intel 211, Disk  : 240G SAMSUNG MZ7L3240HCHQ SSD

                        Derelict (Netgate):

                          Yes. You can do both, however: some routes across a transit network tagged to the L3 switch, and a VLAN tagged to the same switch but with no L3 there.

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.