VLAN on WAN but no VLAN on LAN?
-
Can I set up pfsense to VLAN (EG 10) on the WAN port but not use VLAN on the LAN port? Essentially pfsense translates all outgoing packets from the LAN to VLAN and incoming drop the VLAN (EG 10).
-
Does your ISP send data on "vlan 10" , or do you just need extra "ethernet" interfaces on the pfsense box ?
And you would prob. need a vlan capable switch, in order to do this.But if you have a vlan capable switch, you could prob. run pfSense with only 1 pysical lan port on the psSense box.
I would expect that even the WAN port on pfSense could be a tagged vlan , but am a pfSense beginner.The vlan capable switch could map each pfSense vlan tagged vlan, to a physical untagged port on the switch.
As an untagged (switch) port has the vlan tag removed , anything you put in the switch port would see the port as a regular ethernet interface.
/Bingo
-
Do you mean a one armed router AKA router on a stick ?
-
VLAN on the WAN port but not use VLAN on the LAN port
Yes.
VLANs are additional interfaces you create on top of an existing HW interface. -
I tried it…
Have 2 WANs.1 PPPoE
1 DHCPCreated 2 vlans on 1 NIC, tagged port on switch and plugged in cable to it from pfsense WAN. Then I created 2 untagged ports on different VLANs on same switch and plugged in 2 cables from my modem. I made these 2 untagged ports members of correct VLANs for WAN.
It did work but not well unfortunatley. On idle line I got random packet loss, high latency and pppoe disconnects...
Dunno..
-
It's a somewhat "special" configuration. The WAN interface connects to an upstream switch that has to be vlan'd (I used 10 as an example). Internet is through that switch but I have no management access to it. They will assign me a public IP and pass all incoming/outgoing data through it. The LAN port is connected to the network I'll manage. I'd rather not use vlan on that network as I'm not certain all devices will be vlan capable and as it isn't really needed it would be just an additional thing to manage.
The hardware I'm using is the Netgate SG-2220.
So I take all I need to do is assign a VLAN to the WAN interface and no vlan to the LAN interface? The SG-2220 will then strip the tagging on all LAN traffic and add tagging on all WAN traffic? Are there any considerations for VPN traffic I should be aware of?
-
You didn't get it yet.
When creating a VLAN you create a new interface. The parent interface just tells you on which plug, kind of.
You have to choose this newly created interface as your WAN interface then.
Think of pfSense as an onion. Outside are interfaces, inside is routing et al. Once a packet is inside pfSense does not care about VLAN IDs anymore, just interfaces. If it sends a packet to your WAN then the outer shell tagges it with the VLAN ID bit you assigned when creating a VLAN interface (or strips it on an incoming packet).Having said that, VLANs are only supported from VLAN capable, aka managed, switches. Is your upstream WAN switch capable of doing so and someone else has management access to it?
-
Thanks for the feedback.
Yes, the upstream switch is VLAN capable and I have no management access to it. I've used VLAN in the past on another network but that was on Cisco switches and internal to the network (no firewall involvement). Looks like I need to play with the interfaces area of pfsense a little to develop a feel for it.
