    Create access interface (member of a vlan but not tagged)?

    General pfSense Questions
    asimov-solensan:

      Hello,

      First message here. I'm testing pfSense as a home firewall, and right now I miss a feature that I have seen in other firewalls and that would solve the problem I have.

      Basically I have a trunk with all the VLANs I want to use. What I need right now is a way to configure secondary interfaces as members of these VLANs but not tagged; I just want them to share the broadcast domain. Think of them as access ports.

      I expect this traffic to be treated as the VLAN interface I created, with the same firewall rules applied.

      I know for sure that other firewalls can manage this but can't find any option in pfsense. Is this even possible?

      I'm running 2.4.2 by the way.

      johnpoz (LAYER 8 Global Moderator):

        You can run multiple layer 3s on the same layer 2 if you want.. It's a BORKED config.. If you want to do that on pfSense just create a VIP on the interface - there you go, multiple layer 3 on the same layer 2 without any tags..

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        2440 2.4.5p1 | 2x 3100 2.4.4p3 | 2x 3100 22.01 | 4860 22.05

        JKnott:

          "You can run as multiple layer 3s on the same layer 2 if you want.. It's a BORKED config.."

          You keep saying that, but with IPv6, it's expected.  For example, you'd likely have at least a link local address and at least one global address network on each interface and you may also have Unique Local Addresses as well.  A single layer 3 on an interface is IPv4 thinking.

          Here's what it says in IPv6 Essentials, 3rd ed., pg. 19 by Silvia Hagen:

          Some General Rules

          IPv6 addresses are assigned to interfaces as in IPv4, not to nodes as in OSI, so each interface of a node needs at least one unicast address. A single interface can also be assigned multiple IPv6 addresses of any type (unicast, multicast, and anycast).

          IPv6 supports addresses of different scopes. There are global and nonglobal (e.g., link-local) scopes. Operationally, the use of nonglobal addresses has been introduced with IPv4 by using IP addresses from the private range or administratively scoped multicast addresses. The design of IPv6 includes the address scope in the base architecture. Every IPv6 address other than the unspecified address has a specific scope, which is a topological span within which the address may be used as a unique identifier for an interface or set of interfaces. The scope of an address is encoded as part of the address. You can find a description of scopes in the section “Multicast Address”, and refer to RFC 4007, “IPv6 Scoped Address Architecture” for an explanation of scopes.

          So yeah, multiple layer 3s are normal with IPv6.

          PfSense running on Qotom mini PC
          i5 CPU, 4 GB memory, 64 GB SSD & 4 Intel Gb Ethernet ports.
          UniFi AC-Lite access point

          I haven't lost my mind. It's around here...somewhere...

          johnpoz (LAYER 8 Global Moderator):

            "You keep saying that, but with IPv6, it's expected.  "

            NO it is NOT… All of the IPv6 addresses are in the same prefix...  Please do not tell people it's ok to run multiple IPv4 networks on the same layer 2 and think that is good design...

            freaking link local and your normal prefix are NOT the same thing... Arrggh......

            Why should I vlan... I will just put 192.168.1, .2, .3 all my networks on this 1 layer 2... Does that sound like a good idea to you... Link local and your IPv6 prefix is NOT the same freaking thing as that sort of BORKED config...

            Running IPv4 space and IPv6 space on the same layer 2 because they are meant to be the SAME network....  Just different addressing of what is supposed to be 1 network.. Not what I am talking about....  In your network it seems ok to just use dumb switches and other networks.. So I can understand why you think there is nothing wrong with just all running on the same wire...

            JKnott:

              "All of the IPv6 are in the same prefix…  Please do not tell people its ok to run multiple ipv4 networks on the same layer 2 and think that is good design..."

              That info I quoted mentioned multiple scopes.  Well, what scopes are there?  Ignoring the interface-only scope, we have link local, Unique Local Address and Global Unicast Address, not to mention multicast.  They are all valid and can all be on the same interface at the same time, because that was intended by the IPv6 designers.  As for link local and normal prefix not being the same, other than scope, what is the difference?  Both can be used to carry packets between devices and that's all IP does.  ULAs work just the same as global, but with a limited scope; other than that they work the same way.  It carries packets, no more no less.  Different scopes were created because there was a need for them.  On IPv4, there was originally only one scope, with multicast, RFC 1918 and 169.254.0.0/16 link local added later, because there was a need for them.  IPv6 allows multiple scopes on the same interface, IPv4 doesn't.  We're moving on and a lot of what applied to IPv4 no longer holds true with IPv6.

              Here's what RFC 4291 says:

              2.1.  Addressing Model

              IPv6 addresses of all types are assigned to interfaces, not nodes.
              An IPv6 unicast address refers to a single interface.  Since each
              interface belongs to a single node, any of that node's interfaces'
              unicast addresses may be used as an identifier for the node.

              All interfaces are required to have at least one Link-Local unicast
              address (see Section 2.8 for additional required addresses).  A
              single interface may also have multiple IPv6 addresses of any type
              (unicast, anycast, and multicast) or scope.

              https://tools.ietf.org/html/rfc4291

              Sure looks to me like multiple address types/ranges were intended.

                asimov-solensan:

                Pretty interesting discussion but I'm not really sure it's related to my problem.

                Given the answers and the documentation I found, it's simply not possible to create "switch like" interfaces in pfSense.

                The only solution I got was to create on the host system (I'm testing pfSense virtualized) a virtual interface for every VLAN and then add those interfaces to pfSense. On pfSense I bridge those interfaces with their corresponding VLAN interface.

                It's the only way I got it working.

                This would be a nice feature for pfSense. Side note: wouldn't including openvswitch as a core package in pfSense solve the problem?

                  kpa:
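The workaround described above (bridge an untagged NIC with the trunk's VLAN sub-interface) and the OP's expectation that the VLAN's firewall rules cover that traffic, as an added shell illustration that is not code from the thread or from pfSense. It assumes FreeBSD ifconfig/sysctl semantics (what pfSense runs on); em0, em1 and VLAN 100 are made-up placeholders, and by default it only prints the commands.

```shell
#!/bin/sh
# Added illustration, not the thread's or pfSense's own code. Assumes FreeBSD
# ifconfig/sysctl semantics; em0 (trunk), em1 (access NIC) and VLAN 100 are
# constructed placeholders. Dry run by default: commands are printed, not run.

# Accept an 802.1Q VLAN ID only if it is an integer in 1..4094.
valid_vlan_id() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 4094 ]
}

# Print the commands that let ACCESS (an untagged NIC) share a broadcast domain
# with VLAN VID carried on TRUNK: create the tagged sub-interface, then bridge
# it together with the untagged NIC. Nothing is executed here.
access_bridge_cmds() {
    trunk=$1; vid=$2; access=$3
    valid_vlan_id "$vid" || { echo "invalid VLAN ID: $vid" >&2; return 1; }
    printf 'ifconfig %s.%s create vlan %s vlandev %s up\n' "$trunk" "$vid" "$vid" "$trunk"
    printf 'ifconfig %s up\n' "$access"
    printf 'ifconfig bridge%s create addm %s.%s addm %s up\n' "$vid" "$trunk" "$vid" "$access"
}

# pf on FreeBSD filters on bridge members by default (pfil_member=1) and not on
# the bridge itself (pfil_bridge=0). Moving filtering to the bridge interface
# lets one rule set cover both the tagged and the untagged member, which is
# what the OP expects. In pfSense these live under System > Advanced > System Tunables.
bridge_filter_cmds() {
    printf 'sysctl net.link.bridge.pfil_member=0\n'
    printf 'sysctl net.link.bridge.pfil_bridge=1\n'
}

# Dry run unless DRY_RUN=0; with DRY_RUN=0 the commands are piped to sh (needs root).
if [ "${DRY_RUN:-1}" = 1 ]; then
    access_bridge_cmds em0 100 em1 && bridge_filter_cmds
else
    { access_bridge_cmds em0 100 em1 && bridge_filter_cmds; } | sh
fi
```

Review the printed commands before running with DRY_RUN=0: the bridge and tunables change which interface the rules are evaluated on, so existing per-interface rules may need to be moved to the bridge interface.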

                  PfSense was never intended to be used like a switch and most likely you'll never see the kind of features you'll see in managed switches in it, such as PVID; those belong squarely to managed switches. Separation of concerns.

                    JKnott:

                    "Pretty interesting discussion but I'm not really sure it's related to my problem."

                    With VLANs, you have 2 choices: individual access ports, each configured on a single VLAN, or a trunk port, which carries tagged VLANs.  Otherwise, you have no way to separate the VLANs.  It doesn't make any difference what equipment you use, that's the way VLANs work.

                      Derelict (LAYER 8 Netgate):

                      "So yeah, multiple layer 3s are normal with IPv6."

                      That might be pertinent had OP mentioned IPv6.

                      Chattanooga, Tennessee, USA
                      The pfSense Book is free of charge!
                      DO NOT set a source port in a port forward or firewall rule unless you KNOW you need it!
                      Do Not Chat For Help! NO_WAN_EGRESS(TM)
