Do I really need a LAN interface or can I use all VLANs?



  • I have a pfSense box with 8 interfaces.
    Currently WAN, LAN, MGT + 4 OPTs & 2nd WAN
    I am converting the overgrown network into a number of VLANs
    Currently I have the usual WAN on interface 1, the LAN on interface 2, I want a Management (V)LAN on MGT and have a 2nd WAN Interface.

    My aim is to move everything from the overgrown LAN interface into specific VLANs with a DMZ on 1, then various others divided between them.
    I also want the pfSense box to be accessible only from 192.168.200.8, for example, with its IPMI and the other IPMI interfaces using the 192.168.200.0/23 VLAN subnet tagged as 200.
    I want the DMZ VLAN accessible only from the 2nd WAN and certain other VLANs, but only to, not from.
    I want a Guest VLAN that will accept WiFi (specific SSID) or wired clients and that can access the system VLAN to use printers (thought of having a VLAN just for those and a file server).
    I want a VLAN for the system devices such as the servers, printers, switches etc…
    I want a VLAN for the security system, cameras and other sensors.
    I want a VLAN for the development labs.
    I want a VLAN for Media which will have WAN 2 as its WAN, everything else will use WAN 1

    I am slowly getting there, I will use a NetGear M4100-26G or a NetGear XS752TS as the managed switch fed by the pfSense box.

    I assume I have to leave the LAN interface as a real interface as it has the details of the PDC, BDC and WINS etc.
    But it seems that I cannot run a tagged VLAN and a LAN on the same interface, as it causes issues according to messages and documents I have read. So it seems logical to me to make the LAN a DHCP interface with a 192.168.0.1/24 subnet to allow newly attached equipment to have a landing, before being properly assigned.

    Is what I am doing / proposing the correct way of doing things?
    Thanks and kind regards,  8)
    Almost blind but still smiling.


  • LAYER 8 Netgate

    No. You can leave, say, igb0 unassigned and just reassign LAN to VLAN X on igb0. All of its configuration (rules, DHCP, etc) will move with it but it will be tagged to/from the switch after you make the change.



  • Currently WAN, LAN, MGT + 4 OPTs & 2nd WAN
    I am converting the overgrown network into a number of VLANs

    Why not use load balancing and PBR (policy based routing) together with some failover rules in this multi-WAN setup?
    WAN + 2 WAN: are we now talking about three WAN interfaces? (Sorry, this was not clear to me from your opening post.)
    Setting everything up in VLANs will be a fine thing, but putting everything that is often connected to the Internet, such as servers (web, FTP, mail)
    or some snitching IoT devices, inside of a DMZ will also be nice.

    Currently I have the usual WAN on interface 1, the LAN on interface 2, I want a Management (V)LAN on MGT and have a 2nd WAN Interface.

    If this is a Supermicro board, the IPMI port often also acts as the (or a) fallback WAN port, and this might cause trouble in
    some situations; I would suggest disabling that function inside the BIOS.

    My aim is to move everything from the overgrown LAN interface into specific VLANs with a DMZ on 1, then various others divided between them.

    If you have a small pfSense appliance and a really strong and powerful Layer 3 switch, you may think about letting the switch
    route the entire VLAN traffic at wire speed. With that you may free horsepower on the pfSense box and will perhaps
    be able to install other packages and turn on additional services if wanted.

    I also want the pfSense box to be accessible only from 192.168.200.8, for example, with its IPMI and the other IPMI interfaces using the 192.168.200.0/23 VLAN subnet tagged as 200.

    Please set the IPMI port to be used only as an IPMI port and not as the fallback WAN port, and then connect or integrate this IPMI port
    only into VLAN 1, which is often the default VLAN where all devices are members; easy to administer for you.

    I want the DMZ VLAN accessible only from the 2nd WAN and certain other VLANs, but only to, not from.
    I want a Guest VLAN that will accept WiFi (specific SSID) or wired clients and that can access the system VLAN to use printers (thought of having a VLAN just for those and a file server).
    I want a VLAN for the system devices such as the servers, printers, switches etc…
    I want a VLAN for the security system, cameras and other sensors.
    I want a VLAN for the development labs.
    I want a VLAN for Media which will have WAN 2 as its WAN, everything else will use WAN 1

    Placing all servers inside of a real DMZ will be the best way in my eyes (only my opinion); these are
    all devices that connect permanently or periodically to the Internet over opened and forwarded ports.
    So one interface should then be for the DMZ, with, let us say, the 172.xxx IP range.

    And all other devices could be put inside of the LAN, grouped into their own VLANs:
    VLAN1 - management - 192.168.3.0/24 (255.255.255.0) - IPMI port
    VLAN10 - home lab - 192.168.4.0/24 (255.255.255.0) - as it is
    VLAN20 - computers - 192.168.5.0/24 (255.255.255.0) - secured over the OpenLDAP
    VLAN30 - wireless devices (private) - 192.168.6.0/24 (255.255.255.0) - secured over the FreeRADIUS server with certificates
    VLAN40 - wireless devices (guests) - 192.168.7.0/24 (255.255.255.0) - secured over the Captive Portal with voucher system and activated client isolation
    VLAN50 - printers - 192.168.8.0/24 (255.255.255.0) - as they are
    VLAN60 - servers - 192.168.9.0/24 (255.255.255.0) - as they are
    VLAN70 - multimedia (IoT) - 192.168.10.0/24 (255.255.255.0) - as they are

    I am slowly getting there, I will use a NetGear M4100-26G or a NetGear XS752TS as the managed switch fed by the pfSense box.

    Please take the time and compare prices for switches! A Netgear M4100-26G can be had here for ~550 Euros,
    and a Cisco SG350-26 or a Cisco SG500-28 too. So you might think of going with the Layer 3 switches
    SG350 or SG500 rather than a Layer 2 switch for the same money.
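As an added illustration (not from any poster in this thread), here is the policy the opening post asks for, written in hand-made pf syntax using the VLAN plan above: the DMZ is reachable from WAN 2 and the lab but cannot initiate toward the private ranges, the firewall itself listens only to the single admin host on VLAN 200, guests reach printers only, and the Media VLAN is policy-routed out WAN 2. pfSense generates its own rules from the GUI; the interface names, the DMZ web host, and the WAN 2 gateway below are assumptions.

```pf
# Added illustration (not from any poster): the thread's policy in hand-made
# pf syntax. pfSense generates its rules from the GUI; interface names, the
# DMZ host and the WAN 2 gateway below are assumptions.
wan1     = "igb0"        # default WAN
wan2     = "igb1"        # WAN 2, serves the DMZ and the Media VLAN
dmz      = "igb2"        # the "real DMZ" on its own physical port
mgmt     = "igb3.200"    # VLAN 200 on the trunk to the switch
lab      = "igb3.10"
guest    = "igb3.40"
printers = "igb3.50"
media    = "igb3.70"

dmz_net   = "172.16.0.0/24"     # assumed value for the "172.xxx" range
dmz_web   = "172.16.0.10"       # assumed published web server in the DMZ
mgmt_host = "192.168.200.8"     # the single admin host from the opening post
wan2_gw   = "203.0.113.1"       # assumed ISP gateway on WAN 2
table <rfc1918> { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

set block-policy drop
set skip on lo0
scrub in all

# Translation rules come before filter rules in FreeBSD pf.
nat on $wan1 from <rfc1918> to any -> ($wan1)
nat on $wan2 from $dmz_net to any -> ($wan2)
nat on $wan2 from ($media:network) to any -> ($wan2)
rdr on $wan2 proto tcp to ($wan2) port { 80, 443 } -> $dmz_web

# Default deny. Every pass below keeps state, so replies come back but the
# far side can never originate a connection: the "to but not from" rule.
block log all
pass out all            # decisions are made on the inbound leg, as pfSense does

# Firewall itself: only the admin host on the management VLAN.
pass in quick on $mgmt proto tcp from $mgmt_host to self port { 22, 443 }
block in quick on $mgmt to self

# DMZ: reachable from WAN 2 and from the lab; DMZ hosts may reach the
# Internet only, never the private ranges.
pass in on $wan2 proto tcp to $dmz_web port { 80, 443 }
pass in on $lab proto tcp to $dmz_net port { 80, 443 }
block in quick on $dmz from $dmz_net to <rfc1918>
pass in on $dmz from $dmz_net to any

# Guest: printers only, nothing else internal (client isolation is on the AP).
pass in quick on $guest proto tcp to ($printers:network) port { 631, 9100 }
block in quick on $guest to <rfc1918>
pass in on $guest to any

# Media VLAN is policy-routed out WAN 2; every other VLAN defaults to WAN 1.
pass in on $media route-to ($wan2 $wan2_gw) from ($media:network) to ! <rfc1918>
```

The `quick` keyword matters: pf is last-match by default, so the guest printer allow must be `quick` to survive the RFC1918 block that follows it, and any rule change should be made while logged in from an interface other than the one being re-tagged.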



  • Hi,
    Really great, thank you.
    Very nice.
    Brilliant response, thanks. No, only 2 WANs; you read "2nd WAN" as "2 WAN".
    I will try and digest this today; if I have any problems, I hope I can bounce back to you?
    I already have the switches etc…
    Many thanks.

    jB
    (Haven't used my German for a few years now!!!!)



  • @Derelict:

    No. You can leave, say, igb0 unassigned and just reassign LAN to VLAN X on igb0. All of its configuration (rules, DHCP, etc) will move with it but it will be tagged to/from the switch after you make the change.

    Could you explain step-by-step how to do this reassigning?



  • Could you explain step-by-step how to do this reassigning?

    +1 please.


  • LAYER 8 Netgate

    Make the VLAN, go to Interfaces > Assign, change LAN to be assigned to "VLAN X on ethX", then change the switch port from untagged to tagged for VLAN X.

    Do all this logged into the firewall from another interface, else you will lock yourself out. Another tagged VLAN on the same physical interface should be OK.



  • Is there a way to do this from the CLI? Or would the easiest way be to simply use a 3G/4G connection and OpenVPN to do this change? That would qualify as another interface, correct?


  • LAYER 8 Netgate

    Just any other interface. Anything except the LAN you are messing with layer 2 on.

    Yes, you might be able to do it from the CLI but those scripts are really geared to configuring from nothing, not making small changes to an existing config.

    If you have access to the switch from the inside, set pfSense to tagged and apply, then connect to the switch and set the port to tagged; you should be fine.

    Not rocket science here.



  • @BlueKobold:

    If you have a small pfSense appliance and a really strong and powerful Layer 3 switch, you may think about letting the switch
    route the entire VLAN traffic at wire speed. With that you may free horsepower on the pfSense box and will perhaps
    be able to install other packages and turn on additional services if wanted.

    Wouldn't multi-VLAN L3 routing enable packets to switch from one VLAN to another within the same L3 switch, defeating the purpose of the firewall?

    /Bingo


  • LAYER 8 Netgate

    Yes. You can do both, however. Some routes across a transit network tagged to the L3 switch and a VLAN tagged to the same switch but no L3 there.

