Tag LAN as vlan id 1



  • I've got a LAN interface and a VLAN5 interface (which has the same parent interface as LAN), is there a way to tag LAN traffic with vlan id 1 or is that done by default?

    I basically have only two NICs in my pfSense VM and both LAN / VLAN5 share the same interface.



  • I think on the switch end, by default it will keep VLAN 1 which is the default untagged VLAN traffic for most every switch I've seen separate from VLAN 5 tagged traffic and vice versa, so I don't think it would be necessary to tag VLAN 1 traffic.  There is a "vlan dot1q tag native" command that I remember for Cisco, but I don't think it would do anything in this case for VLAN 1 being the native VLAN.


  • LAYER 8 Global Moderator

    Why do you want to tag vlan 1?  As Razidd stated there shouldn't be any reason for this.  You just have to tag vlan 5 on the port, vlan 1 would/could be untagged.  Then you just set up the network on the interface directly, and attach the vlan 5 interface you created on pfsense to that lan interface.

    But sure, depending on your switch you should be able to tag 1 if you want to just have 2 vlan interfaces on your actual interface and no native/untagged network on it.

    What switch do you have?

    Your pfsense is a VM, I just noticed. What VM software is it running on?  Hyper-V, Esxi, VirtualBox.. How many physical nics do you have on the host that are tied to this vm nic you set up on your pfsense vm?



  • @johnpoz:

    Why do you want to tag vlan 1?  As Razidd stated there shouldn't be any reason for this.  You just have to tag vlan 5 on the port, vlan 1 would/could be untagged.  Then you just set up the network on the interface directly, and attach the vlan 5 interface you created on pfsense to that lan interface.

    But sure, depending on your switch you should be able to tag 1 if you want to just have 2 vlan interfaces on your actual interface and no native/untagged network on it.

    What switch do you have?

    Your pfsense is a VM, I just noticed. What VM software is it running on?  Hyper-V, Esxi, VirtualBox.. How many physical nics do you have on the host that are tied to this vm nic you set up on your pfsense vm?

    I've got a cheap Netgear GS105Ev2 switch that's vlan capable and a Tomato router also capable of doing vlan tagging. pfSense sits on ESXi and has two NICs (the LAN NIC's port group is set to VLAN 4095). I've got a LAN interface and a VLAN5 interface on pfSense (VLAN5 has the same parent interface as LAN).

    This is my current topology (see attached photo) but there is a redundant wire on port 4 that I think can be removed.

    The idea was to set up a guest wifi on VLAN5. All works as it should, wifi devices on both networks get out and all.

    But if I ssh into the router (192.168.3.2), traffic does not go out via the default gateway. I cannot ping IPs on the internet and, interestingly enough, I can't ping the pfSense VM at 192.168.3.1 (default gateway) nor vice versa, but connected wifi devices can. I just don't understand why this is the case really.

    An improvement would be to perhaps change some things? (possibly avoid tagging id 1 and just leave untagged traffic as is)

    Netgear Switch:

    • Port 1: Should be tagged and member of VLAN id 1 and VLAN id 5.

    • Port 2: Should be tagged and member of VLAN id 1 and VLAN id 5.

    • Port 4: Disconnect it.

    • Port 5: OK, untagged and member of VLAN id 1

    RT-N66U

    • Port 2: Should be tagged and member of VLAN id 1 and VLAN id 5.

    • Port 4: Disconnect it.

    pfsense VM

    • The "LAN" NIC should also be tagged for VLAN id 1 and VLAN id 5.



  • LAYER 8 Netgate

    Just run away from tagging vlan id 1. Run away.

    If you want to deal with untagged traffic and tag it later, set the PVID on that switch port to something other than VLAN ID 1 and tag that VLAN ID on your trunk ports.

    The last time I looked, it did not seem like it was forbidden to tag with 1 but it's pretty asinine and you will probably find gear that doesn't play nicely with it.

    As soon as you start tagging traffic around it is usually best to just forget VLAN ID 1 exists.
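The two layouts discussed above, as an added example that is not part of the original thread: a small Python model of 802.1Q ingress classification (untagged frames go to the port's PVID, tagged frames are accepted only for VLANs the port is a member of) run against the original poster's "trunk with VLAN 1 tagged" plan and against the PVID-based layout suggested in the reply. The MAC addresses, the choice of VLAN 10 for the untagged LAN, the port definitions and the "untagged frames are dropped when the PVID is not a member VLAN" rule are constructed assumptions for the model, not settings taken from the Netgear or pfSense configuration in the thread.

```python
"""Added example (not from the thread): a minimal model of how an 802.1Q-aware
switch classifies frames on ingress, used to compare tagging VLAN 1 on a trunk
that also uses VLAN 1 as its PVID with the PVID-based layout suggested in the
reply.  All addresses, VLAN numbers and port settings below are constructed.
"""
from __future__ import annotations

import struct
from dataclasses import dataclass

TPID_8021Q = 0x8100      # EtherType that announces an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800


@dataclass(frozen=True)
class Frame:
    dst: bytes
    src: bytes
    vid: int | None      # None means the frame carries no 802.1Q tag
    ethertype: int
    payload: bytes


def build_frame(dst: bytes, src: bytes, payload: bytes,
                vid: int | None = None, pcp: int = 0) -> bytes:
    """Serialise an Ethernet frame, inserting an 802.1Q tag when vid is given."""
    if vid is not None and not 1 <= vid <= 4094:
        raise ValueError("802.1Q VID must be 1..4094 (0 and 4095 are reserved)")
    hdr = dst + src
    if vid is not None:
        tci = (pcp << 13) | vid                    # PCP(3) | DEI(1)=0 | VID(12)
        hdr += struct.pack("!HH", TPID_8021Q, tci)
    return hdr + struct.pack("!H", ETHERTYPE_IPV4) + payload


def parse_frame(raw: bytes) -> Frame:
    """Parse the Ethernet header and, if present, a single 802.1Q tag."""
    dst, src = raw[0:6], raw[6:12]
    (etype,) = struct.unpack("!H", raw[12:14])
    vid, off = None, 14
    if etype == TPID_8021Q:
        (tci,) = struct.unpack("!H", raw[14:16])
        vid = tci & 0x0FFF
        (etype,) = struct.unpack("!H", raw[16:18])
        off = 18
    return Frame(dst, src, vid, etype, raw[off:])


@dataclass(frozen=True)
class Port:
    name: str
    pvid: int                # VLAN assigned to untagged ingress frames
    members: frozenset[int]  # VLANs this port is a member of (tagged or untagged)

    def ingress_vlan(self, frame: Frame) -> int | None:
        """Return the VLAN the frame lands in, or None if the port drops it.

        Model assumptions: ingress filtering is on, so a frame is only accepted
        for a VLAN the port is a member of; untagged and priority-tagged (VID 0)
        frames are assigned the PVID, and a PVID the port is not a member of
        behaves like an "admit tagged frames only" setting.
        """
        vid = self.pvid if frame.vid in (None, 0) else frame.vid
        return vid if vid in self.members else None


# Constructed frames: one untagged, and one each tagged VID 1, 5 and 10.
DST = bytes.fromhex("ffffffffffff")
SRC = bytes.fromhex("0211223344aa")
FRAMES = {
    "untagged": parse_frame(build_frame(DST, SRC, b"untagged")),
    "tag1": parse_frame(build_frame(DST, SRC, b"vid1", vid=1)),
    "tag5": parse_frame(build_frame(DST, SRC, b"vid5", vid=5)),
    "tag10": parse_frame(build_frame(DST, SRC, b"vid10", vid=10)),
}


def classify(port: Port) -> dict[str, int | None]:
    """Map each sample frame to the VLAN the given port assigns it (None = dropped)."""
    return {name: port.ingress_vlan(f) for name, f in FRAMES.items()}


# Original plan: trunk keeps VLAN 1 as its PVID and also tags VLAN 1.  An
# untagged frame and a frame tagged 1 end up in the same VLAN, so the tag on
# VLAN 1 separates nothing.
OP_TRUNK = Port("trunk-vlan1-tagged", pvid=1, members=frozenset({1, 5}))

# Reply's suggestion: give the untagged LAN its own VLAN (10, an assumed
# value) via the access port's PVID and tag 5 and 10 on the trunk.  VLAN 1 is
# not a member anywhere, so untagged and VID-1 frames on the trunk are dropped.
ACCESS = Port("access-lan", pvid=10, members=frozenset({10}))
TRUNK = Port("trunk-5-10", pvid=1, members=frozenset({5, 10}))

if __name__ == "__main__":
    for port in (OP_TRUNK, ACCESS, TRUNK):
        print(f"{port.name:20} {classify(port)}")
```

Run it to see the three classification tables side by side: the trunk in the first layout places both the untagged frame and the VID-1 frame into VLAN 1, while in the second layout the trunk only passes VLANs 5 and 10 and the access port turns the untagged LAN into VLAN 10, which is the separation the reply is after.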



  • The last time I looked, it did not seem like it was forbidden to tag with 1 but it's pretty asinine and you will probably find gear that doesn't play nicely with it.

    Such as the TP-Link switches we all know & love.  Same with my TP-Link access point.


  • LAYER 8 Netgate

    Just. Don't.

