Move from non-VLAN to VLAN without complete reconfig?



  • Hello,
    I have a quick question.
    I have a non VLAN deployment and would like to introduce VLANs on the LAN interface.
    Can I do that without loosing everything?
    I thought about this procedure:

    1. define the VLANs on the switch
    2. configure a backdoor management interface on pfsense, so I don't loose access
    3. configure VLANs
    4. Re-Assign LAN from em0 to my defined VLAN
      -> all defined rules for LAN should now apply to the new interface assignment and all should work, correct?

    thanks if someone could just quickly confirm this before I break things.

    Till


  • LAYER 8 Netgate

    Yeah. The simple act of defining the VLANs is not generally an interruption.

    After you have the VLANs defined on the right interface and the switchport properly tagged just go to Interfaces > (assign) and change the interface to the tagged VLAN.

    For instance, if you have LAN assigned to igb0, then create VLAN 100 on igb0, you can change the interface assignment to VLAN 100 on igb0 and that network will now be tagged to the switch. All of your configuration (firewall rules, DHCP, etc) will move with that interface assignment.

    Changes like this are certainly best done connected on an interface you are not messing with, as you said.



  • Great. That's exactly what I wanted to hear!

    many thanks!


  • Galactic Empire

    I used the untagged vlan for the LAN magagement vlan and tagged the other vlans and gradually moved everything, I didn't see an outage.

    That way if I ever do something to hose the VLANS I can still connect to the router by directly connecting a laptop.


  • LAYER 8 Netgate

    As much as I rail against mixing tagged and untagged traffic I am coming around to this way of thinking as well.

    In fact I just sent a bundle of SG-2440, Ruckus 7372, and D-link DGS-1100-08 home with a family member who lives a few hours from me.

    Everything was untagged except for the OPTX interface for guest WiFi. If something goes wrong I certainly don't want to be dealing with VLAN tags on the phone with them.

    Even though the macOS makes it drop-dead easy to add a tagged virtual interface.



  • @Derelict:

    Even though the macOS makes it drop-dead easy to add a tagged virtual interface.

    Thanks for the hint, just found it! Is that new in macOS or has it been there longer already? Never looked before …


  • LAYER 8 Netgate

    It has been there as long as I can remember.


Log in to reply