Using VLANs and configuration



  • Hi,

    I have never used VLANs before, but I am looking at using VLANs on my network so I can separate traffic and create a guest network.

    I have just got some Zyxel managed switches that allow VLANs, and I have never configured VLANs before.

    If I configure the VLANs on the switches to do the following, must I also configure pfSense to use the separate VLANs, and if so, how easy is it to do this?

    switch 1
    port 1 - pfsense, to be able to communicate with all devices on the 4 switches
    port 2 - wifi - guest network, internet access only
    port 3 - wifi - media and mobile devices via wifi, internet plus media server only
    port 4 - switch 2
    port 5 - switch 3
    port 6 - vdsl modem for monitoring, only accessible from the pc on port 7 of switch 3

    switch 2
    port 1 - switch 1
    port 2 - media player
    port 3 - wifi

    switch 3
    port 1 - switch 1
    port 2 - switch 4
    port 3 - wifi
    port 4 - media server
    port 5 - NAS1
    port 6 - NAS2
    port 7 - pc
    port 8 - work pc - access only to internet

    switch 4
    port 1 - switch 3
    port 2 - wifi
    port 3 - pc
    port 4 - pc
    port 5 - pc

    I will later be looking at switching out the separate APs for ceiling APs which allow VLAN tagging.

    I will also be changing some of the network so the PCs can only communicate with themselves, the media server and the internet.

    Thanks


  • Galactic Empire

    Work out what devices you want on what subnet, choose a VLAN number and try to use that as your 3rd octet in the IPv4 & IPv6 subnet.

    I've set mine up like this :-

    LAN 172.16.1.1 2a02:xxxx:yyyy:1::1 < VLAN 4093 untagged
    USER 172.16.2.1 2a02:xxxx:yyyy:2::1 < VLAN 2 tagged
    GUEST 172.16.3.1 2a02:xxxx:yyyy:3::1 < VLAN 3 tagged
    IOT 172.16.4.1 2a02:xxxx:yyyy:4::1 < VLAN 4 tagged
    DMZ 172.16.5.1 2a02:xxxx:yyyy:5::1 < VLAN 5 tagged
    VOICE 172.16.6.1 2a02:xxxx:yyyy:6::1 < VLAN 6 tagged

    One of the VLANs will more than likely need to be untagged; if you're going to get a Ubiquiti AP you'll need an untagged VLAN for the AP & CloudKey.

    I made the LAN interface my untagged network management subnet.

    Creating VLANs in pfSense is dead easy :-

    1. Interfaces -> Interface Assignments

    2. VLANS

    3. +Add

    4. Select the Parent Interface, add the VLAN number & Description

    5. Configure the IP info on the interface

    I've also renamed my interfaces from OPTx to their function.

    Remember you need to carry all the VLANs required on the edge switch across the interlink.



  • Cheers

    I have my current LAN on 1.1 with gateway .254, and my IPv6 is set to track interface via WAN.

    I was looking at getting a Zyxel AP at a later date; currently I'm using a mixture of TP-Link, BT HH and Sky routers for APs.

    So, as a test, if I set up the following:

    vlan1 is default - 1.1
    vlan2 is wifi  - 2.1
    vlan3 is pcs - 3.1
    vlan4 is servers - 4.1
    vlan5 is guest - 5.1

    configure these on the switches and then add them in pfSense.

    Must I reboot between each add on pfSense? I have seen on a thread/YouTube video that you need to reboot pfSense when configuring each VLAN.

    Must I then do anything else on pf so VLAN 3 can talk to VLAN 4 and the internet, and VLAN 5 can only talk to the internet, or will the VLAN configuration on the switches sort this bit out?

    Also, you mention an edge switch? I assume you mean pfSense?

    i.e. my network is as follows:

    VDSL modem (HG612) -> pfsense (WAN using PPPoE and DHCP login) -> switch 1 (LAN), which then connects to the other switches and access points

    pfSense only has 2 NICs, configured as the WAN and LAN interfaces.


  • Galactic Empire

    @walkerx:

    > Cheers
    >
    > I have my current LAN on 1.1 with gateway .254, and my IPv6 is set to track interface via WAN.
    >
    > I was looking at getting a Zyxel AP at a later date; currently I'm using a mixture of TP-Link, BT HH and Sky routers for APs.
    >
    > So, as a test, if I set up the following:
    >
    > vlan1 is default - 1.1
    > vlan2 is wifi  - 2.1
    > vlan3 is pcs - 3.1
    > vlan4 is servers - 4.1
    > vlan5 is guest - 5.1
    >
    > configure these on the switches and then add them in pfSense.
    >
    > Must I reboot between each add on pfSense? I have seen on a thread/YouTube video that you need to reboot pfSense when configuring each VLAN.

    I didn't need to reboot my router.

    > Must I then do anything else on pf so VLAN 3 can talk to VLAN 4 and the internet, and VLAN 5 can only talk to the internet, or will the VLAN configuration on the switches sort this bit out?

    Add pass/deny firewall rules on each pfSense interface as required.

    > Also, you mention an edge switch? I assume you mean pfSense?

    Nope, I mean switches 2, 3 & 4.

    > i.e. my network is as follows:
    >
    > VDSL modem (HG612) -> pfsense (WAN using PPPoE and DHCP login) -> switch 1 (LAN), which then connects to the other switches and access points
    >
    > pfSense only has 2 NICs, configured as the WAN and LAN interfaces.

    The parent interface for the VLANs will be the LAN interface.
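    The two pieces of advice in this thread, numbering each subnet after its VLAN id and enforcing the inter-VLAN policy with firewall rules on each pfSense interface rather than on the switches, can be checked before anything is typed into the GUI. The following is an added example written for this page; it is not code from the thread, from pfSense or from Zyxel. It models pfSense's rule semantics as they actually work (rules are evaluated on the interface where traffic enters, the first match wins, and an interface with no rules blocks everything) for the test plan the original poster described: VLAN 3 (PCs) reaches the servers VLAN and the internet, VLAN 5 (guest) reaches the internet only. The 192.168.0.0/16 base is an assumption standing in for the "x.1" subnets in the thread, and 2001:db8::/48 is a documentation prefix standing in for whatever /48 the tracked WAN interface hands out.

```python
"""Model of the VLAN addressing and pfSense firewall plan discussed in the thread.

Added example, not code from the thread, from pfSense or from Zyxel. It encodes
pfSense's rule semantics (rules sit on the interface where traffic enters, the
first matching rule wins, and an interface with no rules drops everything) so a
plan can be sanity-checked before it is typed into the GUI.
"""
import ipaddress

# Constructed plan: the VLAN id doubles as the IPv4 third octet and the IPv6
# fourth hextet, as suggested in the thread. 192.168.0.0/16 is an assumption
# standing in for the poster's "x.1" subnets; 2001:db8::/48 is a documentation
# prefix standing in for the /48 a tracked WAN interface would hand out.
IPV4_BASE = ipaddress.ip_network("192.168.0.0/16")
IPV6_BASE = ipaddress.ip_network("2001:db8::/48")
VLANS = {1: "LAN", 2: "WIFI", 3: "PCS", 4: "SERVERS", 5: "GUEST"}

# Destinations that "internet only" networks must not reach. Tracked-interface
# IPv6 addresses are global, so an RFC1918-style block does not cover them:
# the delegated prefix itself has to be on the list.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LOCAL_NETS = RFC1918 + [IPV6_BASE]
ANY = "any"


def subnet(vlan_id, v6=False):
    """The /24 (or /64) whose third octet (fourth hextet) equals the VLAN id."""
    base = IPV6_BASE if v6 else IPV4_BASE
    new_prefix = 64 if v6 else 24
    start = int(base.network_address) + vlan_id * (1 << (base.max_prefixlen - new_prefix))
    return ipaddress.ip_network((start, new_prefix))


def gateway(vlan_id, v6=False):
    """pfSense's address on that VLAN interface: the first host (x.x.N.1 / ::1)."""
    return subnet(vlan_id, v6).network_address + 1


def policy():
    """Per-interface rule lists, top to bottom, as entered under Firewall > Rules.

    Each rule is (action, destinations); destinations is ANY or a list of networks.
    """
    servers = [subnet(4), subnet(4, v6=True)]
    return {
        "GUEST":   [("block", LOCAL_NETS), ("pass", ANY)],                     # internet only
        "PCS":     [("pass", servers), ("block", LOCAL_NETS), ("pass", ANY)],  # servers + internet
        "WIFI":    [("pass", servers), ("block", LOCAL_NETS), ("pass", ANY)],  # media server + internet
        "SERVERS": [],                                                         # no rules = default deny
        "LAN":     [("pass", ANY)],                                            # management, unrestricted
    }


def allowed(src_vlan, dst):
    """Would a new connection from src_vlan to dst be passed by pfSense?"""
    dst_ip = ipaddress.ip_address(dst)
    for action, targets in policy().get(src_vlan, []):
        # An IPv6 address is never "in" an IPv4 network and vice versa, so mixed lists are safe.
        if targets == ANY or any(dst_ip in net for net in targets):
            return action == "pass"
    return False  # implicit default deny at the end of every interface's rule list


def rule_table(src_vlan):
    """Human-readable rows, in the order they must appear in the GUI."""
    rows = []
    for action, targets in policy()[src_vlan]:
        dest = "any" if targets == ANY else ", ".join(str(n) for n in targets)
        rows.append(f"{action:5} from {src_vlan:7} net to {dest}")
    return rows


if __name__ == "__main__":
    for vid, name in VLANS.items():
        print(f"VLAN {vid:<2} {name:8} {gateway(vid)}/24  {gateway(vid, v6=True)}/64")
    for name in ("GUEST", "PCS"):
        print(*rule_table(name), sep="\n")
    print("guest -> servers:", allowed("GUEST", "192.168.4.10"))
    print("pcs   -> servers:", allowed("PCS", "192.168.4.10"))
```

    Two things the model makes visible that the GUI does not: the order of the rows matters (the "pass to servers" row has to sit above the "block local" row or it never matches), and an "internet only" network also loses access to pfSense itself on that interface, so if clients are meant to use pfSense as their DNS resolver a pass rule to the interface address for DNS belongs above the block row (DHCP needs no rule, pfSense allows it automatically when the DHCP server is enabled on the interface).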