Can someone explain this warning
-
https://www.youtube.com/watch?v=mPXMnSDOE8U&t=4m33s
-
That is an old video and an outdated warning. It's no longer relevant.
There is still some slight security benefit to not mixing tagged and untagged traffic on an interface but there isn't any technical reason you can't do that on a current version of pfSense. Once upon a time it caused problems with captive portal and maybe something else that I can't remember.
-
If I want one normal lan network and one vlan network. Should I set both up as vlans? Essentially, have my three ports that were going to be lan ports as vlan 1 and set up the last port I intended to setup as a vlan as vlan 2. Then assign no ports to the lan network.
-
In a perfect world, yes they should all be tagged, but you don't have to.
-
As far as traffic stats go, the untagged LAN will show the cumulative totals of LAN + any VLANs hanging off the LAN port. For example, on traffic graphs, when there's a spike on the VLAN, you'll see the same spike on the LAN graph. For IDS, all VLAN traffic will show up on the LAN traffic when viewing the LAN traffic (but if just viewing VLAN traffic you'll only get VLAN traffic).
This is enough of a reason for me to move my LAN to a VLAN, for statistical segregation.
-
I think Derelict is the big fan of all tagged.. While you can do it that way - I really don't see the point.. I run native/naked network on the interface that is untagged, then vlans on top of that.
It's all how you want to skin that specific cat..
-
What exactly are these slight security benefits to using all vlan?
-
There isn't one if you ask me - ask Derelict, he is the fan of all tagged, no native or untagged on interface ;)
I am not aware of any security issue with running tagged or untagged on same interface. As long as you don't try and run multiple untagged vlans on the same interface there is no problem.
moikerz's point about the stats would be the only reason I could see for putting all vlans vs native and vlans… Because he is right, the native interface will show total stats for the untagged and all tagged traffic... While your stats for your vlan interfaces will only show you stats for that specific vlan.. So if that is your concern, then that would be the reason you skin the cat that way vs the other way ;)
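The two technical points in this thread are that the parent (untagged) interface's counters include every tagged frame that passes through the same physical port, while a VLAN interface only counts its own tag, and that the one real problem is putting two untagged networks on the same port. The following is an added example, not code from the thread or from pfSense: it builds a few constructed Ethernet frames, parses the 802.1Q tag, accounts bytes per logical interface using FreeBSD-style `parent.vid` names (an assumption for illustration), and flags a configuration where more than one network is assigned untagged to the same parent.

```python
"""Added example (not from the forum thread or pfSense): why a parent
interface's traffic stats include its VLANs, and a check for the one
configuration the thread says to avoid (two untagged networks on one port)."""
import struct
from collections import defaultdict

ETHERTYPE_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800


def build_frame(vid=None, payload_len=100):
    """Build a constructed Ethernet frame; vid=None means untagged (native)."""
    dst = bytes.fromhex("ffffffffffff")          # constructed broadcast MAC
    src = bytes.fromhex("0a0000000001")          # constructed source MAC
    if vid is None:
        hdr = dst + src + struct.pack("!H", ETHERTYPE_IPV4)
    else:
        tci = vid & 0x0FFF                       # PCP/DEI zero; VID in low 12 bits
        hdr = dst + src + struct.pack("!HHH", ETHERTYPE_8021Q, tci, ETHERTYPE_IPV4)
    return hdr + b"\x00" * payload_len


def parse_vid(frame):
    """Return the 802.1Q VID of a frame, or None if it is untagged."""
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    if ethertype != ETHERTYPE_8021Q:
        return None
    tci = struct.unpack_from("!H", frame, 14)[0]
    return tci & 0x0FFF


def account(parent, frames):
    """Byte counters per logical interface (assumed parent.vid naming).

    The physical port counts every frame it carries; a VLAN interface counts
    only frames carrying its own tag, which is the asymmetry moikerz describes.
    """
    counters = defaultdict(int)
    for f in frames:
        counters[parent] += len(f)                      # parent sees everything
        vid = parse_vid(f)
        if vid is not None:
            counters[f"{parent}.{vid}"] += len(f)       # VLAN sees only its tag
    return dict(counters)


def untagged_conflicts(assignments):
    """assignments: {ifname: (parent, vid_or_None)}.

    Return parents that carry more than one untagged network; one native
    network plus any number of tagged VLANs on a port is fine.
    """
    untagged_on = defaultdict(list)
    for name, (parent, vid) in assignments.items():
        if vid is None:
            untagged_on[parent].append(name)
    return {p: names for p, names in untagged_on.items() if len(names) > 1}


if __name__ == "__main__":
    # Constructed traffic: one native frame, two on VLAN 10, one on VLAN 20.
    frames = [build_frame(None), build_frame(10), build_frame(10), build_frame(20)]
    print(account("igb1", frames))
    # Constructed assignments: LAN and LAN2 both untagged on igb1 is the problem case.
    print(untagged_conflicts({
        "LAN": ("igb1", None), "GUEST": ("igb1", 20),
        "LAN2": ("igb1", None), "OPT1": ("igb2", None),
    }))
```

Running it shows the parent counter equal to the sum of all four frames while each `igb1.<vid>` counter holds only its own VLAN's bytes, which is exactly why a spike on a VLAN graph reappears on the parent graph; the conflict check reports only `igb1`, since `igb2` has a single untagged network.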