Would it be better to use VLan or just another interface? Noob needs Advice.



  • So.
    I haven’t really used VLANS much.

    I want 3 main networks.

    1. General (UnTagged)(192.168.11.x)
    2. Accounting (VLAN or new Nic?  2016 Server Essentials runs from Hyper-v)(192.168.10.x)
    3. Ubiquiti  (VLAN10 on HyperV)(192.168.100.x)

    I would like to setup so
    General can access Ubiquiti and net.
    Accounting can access General, and net.
    Ubiquiti (VLAN10)can only access the net.
    This seems ok with my current setup.

    I have a PF Sense router with 3 nics  Wan, Lan and Opt(only 10/100 and not currently used).  The lan goes to 24 port managed switch via Trunk.  Connected to the switch via another trunk line I have a Hyper-V core server.  On my Hyper-v server I have 4 untagged servers running and one VLAN10 running for a Linux based Ubiquiti Server(For APs).  Also connected to  the switch is a very very old sonicwall router(192.168.10.x) for our accounting pc’s.  I would like to remove the sonicwall and only have one router.

    As is, I have 2 24 port Managed switches and a handful of unmanaged switches.  I have unmanaged switches behind the sonicwall and behind the managed switches.

    I’m thinking it might be better to just use another nic in the router and also in the hyper-v server, then I could use all the other existing equipment other than the sonicwall.

    If anyone makes it this far thanks for the help.
    As a side note I tried to setup another VLan for my server2016 on the hyper-v and when I enabled dhcp on the VLan it stopped my untagged DHCP server from working.  Is it bad form to have tagged and untagged on the same virtual switch?



  • I have a similar setup by where my vdsl modem is in the house and in the garden man cave the server running hyper v had pfsense and several other windows server vm’s running, with two managed switches in-between.

    So
                                              Lan
    Modem==                            /
                  house              Cabin
                  Switch======Switch======Server (Hyper V, Pfsense, Windows VMguests).
    Lan====            Trunk              Trunk
                                                      to the server NIC

    Now the trick is the configure the windows server host to accept tagged packets.

    This can only be achieved through powershell and should be run on the hyper V host, to query the nic run```
    get-vmnetworkadaptervlan

    
    Then the command I ran for my network was```
    Get-VMNetworkAdapter -VMName "PFSense" | Where-Object -Property MacAddress -eq "00155d0061f" | Set-VMNetworkAdapterVlan -Trunk -AllowedVlanIdList "1-10" -NativeVlanId 99
    

    Hope this helps.

    Any more help let me know.


  • Rebel Alliance

    " Is it bad form to have tagged and untagged on the same virtual switch?"

    As long as there is never more than 1 untagged vlan on port then its not a problem.  This is just considered a native vlan on say a trunk port that carries tagged.



  • "Get-VMNetworkAdapter -VMName “PFSense” | Where-Object -Property MacAddress -eq “00155d0061f” | Set-VMNetworkAdapterVlan -Trunk -AllowedVlanIdList “1-10” -NativeVlanId 99"
    is this different from setting VLAN ID in the Hyper-v VM Network GUI?

    "As long as there is never more than 1 untagged vlan on port then its not a problem.  This is just considered a native vlan on say a trunk port that carries tagged. "
    So many VLANs as well as 1 Untagged on 1 Port and the switch and 1 Port on hyper-v server is ok?

    When I tried to setup this way it killed my dhcp server on my untagged network( stopped working ).  (maybe just need to isolate with firewall rules)
    Thank you both for the help, and sorry for the late response.



  • The only real downside is that if you’re using traffic graphs, the interface will show the total of untagged+tagged; there is no way to show untagged only. Purely a graphical consequence. Otherwise, everything else works as desired.



  • Unless u are running an embedded box and it’s hard to add another NIC, they are relatively inexpensive, why go into the complication of doing VLAN if u don’t have to I say. Plus ur 1 gig NIC is gonna share bandwidth between the VLANs.


  • Netgate

    Well, you have no choice but to VLAN from something to get the Wireless AP behavior you desire. But that does not have to be done on pfSense. A switch could do it. pfSense would have two physical interfaces to two untagged ports on the different VLANs in that case. But why not just VLAN it?

    If you don’t want to mix tagged and untagged traffic on a physical interface, don’t. Just leave the untagged interface unassigned.


 

© Copyright 2002 - 2018 Rubicon Communications, LLC | Privacy Policy