Quick VLAN Question



  • I've never used them before, but decided I want to start using them to segment my network. So my question is, are VLANs inherently private? Meaning, can you view/access machines from one VLAN on another?  If not, what's the easiest way to set this up? Would it be through the Cisco (SG300-28) switch or pfsense?

    Appreciate any help or info!!


  • Rebel Alliance Global Moderator

    You would do it on both your pfsense and your switch.

    Unless your using your sg300-28 as a L3 and its routing between your vlans already.  But I find that unlikely since if that was the case you wouldn't be here.

    What are you running for pfsense, how many interfaces does it have?  Do you have open interfaces on your sg300-28?



  • So my question is, are VLANs inherently private?

    They're private because a device configured for one VLAN cannot see traffic on another, even if both are on the same wire.  Normally, you'd configure a switch port to be on only one VLAN, though there are exceptions, such as when a VoIP phone shares a port with a computer.  VLANs are used in this instance to provide priority for the phones.  However, if you were to run Wireshark, you could see both.  The VLAN traffic will have VLAN tags on the Ethernet frames.  Another use would be for guest WiFi, which connects only to the Internet, while internal WiFi has access to the local network.  Many access points support multiple VLANs and SSIDs for this purpose.



  • I'm currently running a ZOTAC ZBOX Intel N3150 with a Dell PowerConnect switch. I just got the Cisco this weekend to switch to. I have not previously used VLAN an I've been doing some reading on the initial setup today.

    The Zbox has two ethernet ports. Basically I'm trying to separate the kids computers and my server and a couple of other machines. I want them on private networks. Also want some Wifi units on each VLAN.

    So this is a blank slate at this point. Yes I will have free ports after I've connected everything.

    Hope that helps. Appreciate the response!

    EDIT: So I think you answered my question in a round about way. A Layer 2 VLAN cannot communicate with another VLAN on the same switch. But if you running as an L3, you could have two L2 VLANs communicate. Is that the general idea?



  • @JKnott:

    So my question is, are VLANs inherently private?

    They're private because a device configured for one VLAN cannot see traffic on another, even if both are on the same wire.  Normally, you'd configure a switch port to be on only one VLAN, though there are exceptions, such as when a VoIP phone shares a port with a computer.  VLANs are used in this instance to provide priority for the phones.  However, if you were to run Wireshark, you could see both.  The VLAN traffic will have VLAN tags on the Ethernet frames.  Another use would be for guest WiFi, which connects only to the Internet, while internal WiFi has access to the local network.  Many access points support multiple VLANs and SSIDs for this purpose.

    This exactly. Basically it's to keep the kids, family, friends and girlfriends (kids, I'm married, lol) off my part of the network. Each VLAN will include ethernet and Wifi connections.

    I just wasn't sure if VLANs acted as a completely different "network", or if they were able to access IPs on another VLAN.


  • Rebel Alliance Global Moderator

    What would be the point of them if they were not isolated?  It would just be running multiple layer 3 on the same layer 2 - which would be pointless.

    Yes vlans are a way of carving up 1 physical switch into multiple layer 2 networks.  Yes you can run multiple layer 2 networks on the same wire via TAG.. So when the traffic gets to where its going on the end of the wire either the other switch and break them out into their own networks, or the router can..  Or even some cases device can - like a phone sure that allows you to connect a pc to it on another port.



  • Depending on your Internet modem, you may be able to set up separate "guest" WiFi on it.  My cable modem supports that in gateway mode.



  • @johnpoz:

    What would be the point of them if they were not isolated?  It would just be running multiple layer 3 on the same layer 2 - which would be pointless.

    Yes vlans are a way of carving up 1 physical switch into multiple layer 2 networks.  Yes you can run multiple layer 2 networks on the same wire via TAG.. So when the traffic gets to where its going on the end of the wire either the other switch and break them out into their own networks, or the router can..  Or even some cases device can - like a phone sure that allows you to connect a pc to it on another port.

    I don't know, hence the question. I do not work in network infrastructure and it's a simple, honest question from someone trying to learn to better configure a secure network. I just wanted clarification.



  • @JKnott:

    Depending on your Internet modem, you may be able to set up separate "guest" WiFi on it.  My cable modem supports that in gateway mode.

    Thanks for the reply. The issue is that it is not just wifi devices I'm trying to separate. It's both wifi and ethernet connected devices. I have unfi AP Pro that will be on each VLAN.


  • Rebel Alliance Global Moderator

    If you run your layer 3 switch as layer 3 and route on it - you would still be creating multiple layer 2 networks.. Its just the switch(router) would then route between these networks for you.  With limited "firewall" capabilities depending on the switch in question.

    Yes a sg300 can prevent specific access between the networks it will route between but much more difficult then letting pfsense do it.  If it was going to be doing the routing between downstream networks then pfsense would never see these vlans and only connection should be through a transit network.

    I would suggest you just create your vlans on your sg300 as layer 2, then connect those layer 2 networks to pfsense be it via different uplinks that are native an untagged or tagged where pfsense will route and firewall between these networks.  This gives you the most control and ease of setup..

    I have a sg300-28 and a sg300-10 in my network both just doing layer 2 (but in layer 3 mode) with unifi APs..  I have both wired and wireless vlans some native uplink to pfsense and some tagged vlans as well into pfsense interfaces.  Happy to show you how to config..

    Do you only have 1 physical interface to work with on pfsense or multiple?  How much intervlan traffic do you expect?  Keep in mind that when you put vlans on the same physical interface via tags that intervlan traffic between these vlans will have a hairpin and your overall bandwidth will be /2 of the full physical interface speed.

    Vlans on a physical connection share that physical connections bandwidth.



  • @johnpoz:

    If you run your layer 3 switch as layer 3 and route on it - you would still be creating multiple layer 2 networks.. Its just the switch(router) would then route between these networks for you.  With limited "firewall" capabilities depending on the switch in question.

    Yes a sg300 can prevent specific access between the networks it will route between but much more difficult then letting pfsense do it.  If it was going to be doing the routing between downstream networks then pfsense would never see these vlans and only connection should be through a transit network.

    I would suggest you just create your vlans on your sg300 as layer 2, then connect those layer 2 networks to pfsense be it via different uplinks that are native an untagged or tagged where pfsense will route and firewall between these networks.  This gives you the most control and ease of setup..

    I have a sg300-28 and a sg300-10 in my network both just doing layer 2 (but in layer 3 mode) with unifi APs..  I have both wired and wireless vlans some native uplink to pfsense and some tagged vlans as well into pfsense interfaces.  Happy to show you how to config..

    Do you only have 1 physical interface to work with on pfsense or multiple?  How much intervlan traffic do you expect?  Keep in mind that when you put vlans on the same physical interface via tags that intervlan traffic between these vlans will have a hairpin and your overall bandwidth will be /2 of the full physical interface speed.

    Vlans on a physical connection share that physical connections bandwidth.

    Yes, I only have 1 interface to work with for the LAN port on my unit. My primary VLAN is really going to use most of the traffic. The secondary VLAN is going to be for guest, friends and family. So it's not going to see heavy continual usage.

    Sorry for not completely understand, but when you have a hairpin LAN connection, you mentioned that the bandwith would be half it's intended full speed. Is that a constant, or does it adjust on the fly when the other VLAN needs bandwidth?

    https://www.highlnk.com/2014/06/configuring-vlans-on-pfsense/
    This was one of the links I was reading about setting up VLANs on pfsense. Then creating the Trunk on the Cisco, making identical Vlans and then assigning the ports to those vlans. That's the short and sweet version. If I'm missing something or if someone has better ideas, I'm all ears!


  • Rebel Alliance Global Moderator

    No it would be constant, minus whatever other traffic was on the physical interface at the time.  The best you could hope for would be half for intervlan traffic. 
    That has to transverse the same physical path.

    But only if the traffic is hairpinned.. If you can only carry 1gig, and you have to go over the same road twice ie up and then down, its /2

    If traffic is only 1 direction then it would just be shared.. If its hairpin then its /2 minus other traffic on the wire.  Keep in mind the /2 is just a approximation.

    If you have to travel the same physical path twice then yeah you get a /2… This is the same with wifi.. Since it is shared bandwidth.. If wireless to wireless /2 if on the same band, if wireless to wired then you can get full bandwidth.



  • @johnpoz:

    No it would be constant, minus whatever other traffic was on the physical interface at the time.  The best you could hope for would be half for intervlan traffic. 
    That has to transverse the same physical path.

    But only if the traffic is hairpinned.. If you can only carry 1gig, and you have to go over the same road twice ie up and then down, its /2

    If traffic is only 1 direction then it would just be shared.. If its hairpin then its /2 minus other traffic on the wire.  Keep in mind the /2 is just a approximation.

    If you have to travel the same physical path twice then yeah you get a /2… This is the same with wifi.. Since it is shared bandwidth.. If wireless to wireless /2 if on the same band, if wireless to wired then you can get full bandwidth.

    That makes perfect sense and is how I would expect it to perform. Appreciate all the help.

    Did my plan to roll this out sound like the ideal way to do it?


  • Rebel Alliance Global Moderator

    You mean that link to some site from 2014?

    You can tag everything you want, or you could leave lan as untagged.. There are multiple ways to skin the cat.. If you only have the 1 physical interface adding tagged vlans to it and leaving lan as untagged does allow you to do it all from the lan side and not some other interface - like the wan in that link.  Since you won't kick yourself off, etc.

    That is clearly an older version of pfsense - but overall how you do vlans has not really changed.  Some people like all tagged if doing tagged, I am open to native and tagged on the same interface..  Nothing wrong with either way.  If your all tagged then sure you could lock yourself out if traffic is not tagged.  Which is why I like to leave a native network on the interface.


  • Netgate

    @JKnott:

    So my question is, are VLANs inherently private?

    They're private because a device configured for one VLAN cannot see traffic on another, even if both are on the same wire.

    That is misleading. Yes, the device can see the traffic - it is just selectively-filtered by the local host using the VLAN tag.

    However, if you were to run Wireshark, you could see both. The VLAN traffic will have VLAN tags on the Ethernet frames.

    You sort of get to it there.

    The VLAN traffic will have VLAN tags on the Ethernet frames.  Another use would be for guest WiFi, which connects only to the Internet, while internal WiFi has access to the local network.  Many access points support multiple VLANs and SSIDs for this purpose.

    If you want to use VLANs for security, use a managed switch and only put the VLANs on specific ports that you want the connected device to see.



  • Yes, I know it's not new, but it seemed like a few sites used the same method.

    How do you go about the untagged method? Have a link or care to share a quick overview? Seems there are several ways to achieve this and each have different pro/cons. lol

    Derelict - I am using a managed Cisco switch I just purchased. As mentioned, the man was to use a trunk port and then create the same VLANs that the pfsense has. Then assign the ports to each VLAN. So that would be the secure method?


  • Netgate

    @likelinus:

    Yes, I know it's not new, but it seemed like a few sites used the same method.

    How do you go about the untagged method? Have a link or care to share a quick overview? Seems there are several ways to achieve this and each have different pro/cons. lol

    If the pfSense interface is assigned to, say, igb0 then traffic to the connected device for that interface will be untagged.

    If the pfSense interface is assigned to, say, VLAN 100 on igb0 (igb0.100) then traffic to the connected device for that interface will be tagged with VLAN 100.

    Derelict - I am using a managed Cisco switch I just purchased. As mentioned, the man was to use a trunk port and then create the same VLANs that the pfsense has. Then assign the ports to each VLAN. So that would be the secure method?

    Sounds good.


  • Rebel Alliance Global Moderator

    So for example… Here is uplink to my igb2 interface on my sg300 switch

    interface gigabitethernet5
    description "sg4860 WLan and vlans"
    switchport trunk allowed vlan add 3-7
    switchport trunk native vlan 2

    vlan 2 native there is the untagged vlan 2 on my switch which is my "wlan" network.  My AP and controller on are on this vlan on the switch... unifi until recently did not allow for tagged management vlans so your IP on your AP had to be untagged.  They have recently allowed for tagged management vlan but have not moved over to it yet. And not sure if will since this works just fine in my environment.


  • Netgate

    Right. But if you were to tag VLAN 2 between pfSense and the switch it does not mean it can't be untagged from the switch to the APs if that is what they require.

    interface gigabitethernet5
    description "sg4860 WLan and vlans"
    switchport trunk allowed vlan add 2-7

    interface gigabitethernet6
    description "Unifi AP"
    switchport trunk allowed vlan add 3-7
    switchport trunk native vlan 2



  • You sort of get to it there.

    Hi Derelict.

    I was just giving a general idea.  We can certainly get into a lot deeper discussion, if you wish.


  • Netgate

    @JKnott:

    You sort of get to it there.

    Hi Derelict.

    I was just giving a general idea.  We can certainly get into a lot deeper discussion, if you wish.

    The question was about isolation and privacy between VLANs. I just want to be sure OP understood that if the VLAN traffic is sent to a device but that device is only configured to grab the traffic for one VLAN it is not in ANY way considered secure since the other traffic is still being sent to that device and it is a simple configuration change on the edge device to see that traffic.



  • Thanks to both of you. I'm going to take a stab at this when I get home and I'll let you know if I have any further questions. Fingers crossed I can get it to work without too many issues (there's always a few)  :D


  • Rebel Alliance Global Moderator

    "Right. But if you were to tag VLAN 2"

    Very very true!  And good point to bring up..  I could tag it to pfsense sure - I just keep in the same across the network is all.  I know that vlan 2 is a native vlan.. Only place its tagged is on uplink to other switch.

    Many ways to skin the cat to be sure.



  • @Derelict:

    @JKnott:

    You sort of get to it there.

    Hi Derelict.

    I was just giving a general idea.  We can certainly get into a lot deeper discussion, if you wish.

    The question was about isolation and privacy between VLANs. I just want to be sure OP understood that if the VLAN traffic is sent to a device but that device is only configured to grab the traffic for one VLAN it is not in ANY way considered secure since the other traffic is still being sent to that device and it is a simple configuration change on the edge device to see that traffic.

    I'm a little loss. So how to I make the VLAN secure so it can't access computers/devices on a separate VLAN? Sorry, all new to this :D


  • Rebel Alliance Global Moderator

    Derelicts point was that if you tag say vlan 10,20,30 to port and you connect device to that port then it can see traffic for any of those vlans.

    You normally do not trunk or tag multiple vlans to a port where a single device will be connected.  So lets say port 10 on your switch where your PC will be connected and you want it only to be in vlan 20.  Then you would set that port as untagged vlan 20..

    The only traffic a device on that port would be capable of seeing would be vlan 20… if it wants to send traffic to say vlan 30 then it would have to go through your router.

    A trunk port with multiple vlans on it would normally only be sent to a device that will understand the tags and keep the traffic isolated, say a router or a switch.

    So on your switch say port 1, connected to pfsense you tag 10,20 and 30.

    On port 2, you have a device in 10, on port 3 you have vlan 20, on port 4 of this switch you have vlan 30..

    On port say 5 you have vlan 10, port 6 vlan 20, port 7 vlan 30..

    The only traffic those devices will see are traffic in those specific vlans.  For them to talk to other vlans they would have to route through pfsense.

    So 2 and 5 can talk, 3 and 6 and ports 4 and 7... if port 2 wanted to talk to port 3 it would have to route through pfsense and pfsense firewall.



  • OOOOH, OK. No, that is not my intent. My intent is to create VLAN 1 and set Cisco to set ports 1-5 to that same Pfsense VLAN #. Then VLAN 2 and set Cisco ports 6-10 to the same VLAN #. That way only those ports are in the same VLAN. I don't care if ports 6-10 see each other, but I don't want them to see 1-5. Will that work as intended?


  • Netgate

    The point is to enforce what VLANs are sent to a device in the switch, not in the edge device.

    Just because the device is only looking at one VLAN, it can capture any traffic on any VLAN on the port it is connected to.

    Cisco refers to the type of ports you might connect a single edge device to as access ports. They only send traffic for one VLAN and they send and receive frames untagged.



  • @Derelict:

    The point is to enforce what VLANs are sent to a device in the switch, not in the edge device.

    Just because the device is only looking at one VLAN, it can capture any traffic on any VLAN on the port it is connected to.

    Cisco refers to the type of ports you might connect a single edge device to as access ports. They only send traffic for one VLAN and they send and receive frames untagged.

    EDIT: johnpoz edited his comment to make it clear. It sounds like what I'm trying to achieve and how I understand it. Sorry for the confusion.

    I think things will be a bit clearer when I have the Cisco up and running tonight. But It sounds like there will be something in the port/vlan configuration of the Cisco to ensure this. Trunk port accepts all VLANs data and then sends it to the access ports. Those access ports then need to be configured to only accept data that is tagged for it, in a certain VLAN #. Am I close? lol


  • Netgate

    The devices on the access ports don't need to know anything about VLANs. To them it looks like they are connected to any port on any switch - managed or unmanaged. They will only see other devices on the same VLAN.



  • I'm a little loss. So how to I make the VLAN secure so it can't access computers/devices on a separate VLAN? Sorry, all new to this :D

    Normally, a device on a network will only see the LAN or VLAN it's configured for and many devices don't even support them at all.  This means that while there may be multiple VLANs on the wire, as is the case with a trunk port, a computer will normally be configured to access one.  There is, however, one very big exception.  It's called promiscuous mode, which enables the computer to receive everything on the wire.  PfSense uses this to provide VLANs through 1 interface.  Another common use is a network monitoring app called Wireshark, which can see just about everything that can be carried over a network cable.  It can even see things like spanning tree, which are normally ignored by network devices.

    For security, you'd use managed switches, with access ports configured only for the VLAN you want them to be on.  This way, a computer connected to that port will only see traffic for that VLAN and none other.


  • Netgate

    Actually, promiscuous mode is more about getting frames off the wire that have been sent to other, non-broadcast MAC addresses regardless of VLAN… The connected switch will already be filtering most of this in normal circumstances unlike when hubs were a thing and you could see everything.

    Promiscuous mode need not be enabled for a pfSense interface to "trunk" VLANs.