Netgate Discussion Forum

    Quick VLAN Question

    Scheduled Pinned Locked Moved General pfSense Questions
    31 Posts 4 Posters 2.5k Views
    • L
      likelinus

      I've never used them before, but decided I want to start using them to segment my network. So my question is, are VLANs inherently private? Meaning, can you view/access machines from one VLAN on another?  If not, what's the easiest way to set this up? Would it be through the Cisco (SG300-28) switch or pfsense?

      Appreciate any help or info!!

      • johnpozJ
        johnpoz LAYER 8 Global Moderator

        You would do it on both your pfsense and your switch.

        Unless you're using your sg300-28 as an L3 switch and it's routing between your vlans already.  But I find that unlikely, since if that was the case you wouldn't be here.

        What are you running for pfsense, how many interfaces does it have?  Do you have open interfaces on your sg300-28?

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.7.2, 24.11

        • JKnottJ
          JKnott

          So my question is, are VLANs inherently private?

          They're private because a device configured for one VLAN cannot see traffic on another, even if both are on the same wire.  Normally, you'd configure a switch port to be on only one VLAN, though there are exceptions, such as when a VoIP phone shares a port with a computer.  VLANs are used in this instance to provide priority for the phones.  However, if you were to run Wireshark, you could see both.  The VLAN traffic will have VLAN tags on the Ethernet frames.  Another use would be for guest WiFi, which connects only to the Internet, while internal WiFi has access to the local network.  Many access points support multiple VLANs and SSIDs for this purpose.

          PfSense running on Qotom mini PC
          i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
          UniFi AC-Lite access point

          I haven't lost my mind. It's around here...somewhere...

          • L
            likelinus

            I'm currently running a ZOTAC ZBOX Intel N3150 with a Dell PowerConnect switch. I just got the Cisco this weekend to switch to. I have not previously used VLANs and I've been doing some reading on the initial setup today.

            The Zbox has two ethernet ports. Basically I'm trying to separate the kids computers and my server and a couple of other machines. I want them on private networks. Also want some Wifi units on each VLAN.

            So this is a blank slate at this point. Yes I will have free ports after I've connected everything.

            Hope that helps. Appreciate the response!

            EDIT: So I think you answered my question in a roundabout way. A Layer 2 VLAN cannot communicate with another VLAN on the same switch. But if you're running as an L3, you could have two L2 VLANs communicate. Is that the general idea?

            • L
              likelinus

              @JKnott:

              So my question is, are VLANs inherently private?

              They're private because a device configured for one VLAN cannot see traffic on another, even if both are on the same wire.  Normally, you'd configure a switch port to be on only one VLAN, though there are exceptions, such as when a VoIP phone shares a port with a computer.  VLANs are used in this instance to provide priority for the phones.  However, if you were to run Wireshark, you could see both.  The VLAN traffic will have VLAN tags on the Ethernet frames.  Another use would be for guest WiFi, which connects only to the Internet, while internal WiFi has access to the local network.  Many access points support multiple VLANs and SSIDs for this purpose.

              This exactly. Basically it's to keep the kids, family, friends and girlfriends (kids, I'm married, lol) off my part of the network. Each VLAN will include ethernet and Wifi connections.

              I just wasn't sure if VLANs acted as a completely different "network", or if they were able to access IPs on another VLAN.

              • johnpozJ
                johnpoz LAYER 8 Global Moderator

                What would be the point of them if they were not isolated?  It would just be running multiple layer 3 on the same layer 2 - which would be pointless.

                Yes vlans are a way of carving up 1 physical switch into multiple layer 2 networks.  Yes you can run multiple layer 2 networks on the same wire via TAG.. So when the traffic gets to where it's going at the end of the wire, either the other switch can break them out into their own networks, or the router can..  Or even in some cases the device can - like a phone that allows you to connect a pc to it on another port.

                • JKnottJ
                  JKnott

                  Depending on your Internet modem, you may be able to set up separate "guest" WiFi on it.  My cable modem supports that in gateway mode.

                  • L
                    likelinus

                    @johnpoz:

                    What would be the point of them if they were not isolated?  It would just be running multiple layer 3 on the same layer 2 - which would be pointless.

                    Yes vlans are a way of carving up 1 physical switch into multiple layer 2 networks.  Yes you can run multiple layer 2 networks on the same wire via TAG.. So when the traffic gets to where it's going at the end of the wire, either the other switch can break them out into their own networks, or the router can..  Or even in some cases the device can - like a phone that allows you to connect a pc to it on another port.

                    I don't know, hence the question. I do not work in network infrastructure and it's a simple, honest question from someone trying to learn to better configure a secure network. I just wanted clarification.

                    • L
                      likelinus

                      @JKnott:

                      Depending on your Internet modem, you may be able to set up separate "guest" WiFi on it.  My cable modem supports that in gateway mode.

                      Thanks for the reply. The issue is that it is not just wifi devices I'm trying to separate. It's both wifi and ethernet connected devices. I have UniFi AP Pro units that will be on each VLAN.

                      • johnpozJ
                        johnpoz LAYER 8 Global Moderator

                        If you run your layer 3 switch as layer 3 and route on it - you would still be creating multiple layer 2 networks.. It's just the switch (router) would then route between these networks for you.  With limited "firewall" capabilities depending on the switch in question.

                        Yes a sg300 can prevent specific access between the networks it will route between but much more difficult than letting pfsense do it.  If it was going to be doing the routing between downstream networks then pfsense would never see these vlans and the only connection should be through a transit network.

                        I would suggest you just create your vlans on your sg300 as layer 2, then connect those layer 2 networks to pfsense be it via different uplinks that are native and untagged, or tagged, where pfsense will route and firewall between these networks.  This gives you the most control and ease of setup..

                        I have a sg300-28 and a sg300-10 in my network both just doing layer 2 (but in layer 3 mode) with unifi APs..  I have both wired and wireless vlans some native uplink to pfsense and some tagged vlans as well into pfsense interfaces.  Happy to show you how to config..

                        Do you only have 1 physical interface to work with on pfsense or multiple?  How much intervlan traffic do you expect?  Keep in mind that when you put vlans on the same physical interface via tags that intervlan traffic between these vlans will have a hairpin and your overall bandwidth will be /2 of the full physical interface speed.

                        Vlans on a physical connection share that physical connection's bandwidth.

                        • L
                          likelinus

                          @johnpoz:

                          If you run your layer 3 switch as layer 3 and route on it - you would still be creating multiple layer 2 networks.. It's just the switch (router) would then route between these networks for you.  With limited "firewall" capabilities depending on the switch in question.

                          Yes a sg300 can prevent specific access between the networks it will route between but much more difficult than letting pfsense do it.  If it was going to be doing the routing between downstream networks then pfsense would never see these vlans and the only connection should be through a transit network.

                          I would suggest you just create your vlans on your sg300 as layer 2, then connect those layer 2 networks to pfsense be it via different uplinks that are native and untagged, or tagged, where pfsense will route and firewall between these networks.  This gives you the most control and ease of setup..

                          I have a sg300-28 and a sg300-10 in my network both just doing layer 2 (but in layer 3 mode) with unifi APs..  I have both wired and wireless vlans some native uplink to pfsense and some tagged vlans as well into pfsense interfaces.  Happy to show you how to config..

                          Do you only have 1 physical interface to work with on pfsense or multiple?  How much intervlan traffic do you expect?  Keep in mind that when you put vlans on the same physical interface via tags that intervlan traffic between these vlans will have a hairpin and your overall bandwidth will be /2 of the full physical interface speed.

                          Vlans on a physical connection share that physical connection's bandwidth.

                          Yes, I only have 1 interface to work with for the LAN port on my unit. My primary VLAN is really going to use most of the traffic. The secondary VLAN is going to be for guest, friends and family. So it's not going to see heavy continual usage.

                          Sorry for not completely understanding, but when you have a hairpin LAN connection, you mentioned that the bandwidth would be half its intended full speed. Is that a constant, or does it adjust on the fly when the other VLAN needs bandwidth?

                          https://www.highlnk.com/2014/06/configuring-vlans-on-pfsense/
                          This was one of the links I was reading about setting up VLANs on pfsense. Then creating the Trunk on the Cisco, making identical Vlans and then assigning the ports to those vlans. That's the short and sweet version. If I'm missing something or if someone has better ideas, I'm all ears!

                          • johnpozJ
                            johnpoz LAYER 8 Global Moderator

                            No it would be constant, minus whatever other traffic was on the physical interface at the time.  The best you could hope for would be half for intervlan traffic that has to traverse the same physical path.

                            But only if the traffic is hairpinned.. If you can only carry 1gig, and you have to go over the same road twice ie up and then down, it's /2

                            If traffic is only 1 direction then it would just be shared.. If it's hairpinned then it's /2 minus other traffic on the wire.  Keep in mind the /2 is just an approximation.

                            If you have to travel the same physical path twice then yeah you get a /2… This is the same with wifi.. Since it is shared bandwidth.. If wireless to wireless /2 if on the same band, if wireless to wired then you can get full bandwidth.

                            • L
                              likelinus

                              @johnpoz:

                              No it would be constant, minus whatever other traffic was on the physical interface at the time.  The best you could hope for would be half for intervlan traffic that has to traverse the same physical path.

                              But only if the traffic is hairpinned.. If you can only carry 1gig, and you have to go over the same road twice ie up and then down, it's /2

                              If traffic is only 1 direction then it would just be shared.. If it's hairpinned then it's /2 minus other traffic on the wire.  Keep in mind the /2 is just an approximation.

                              If you have to travel the same physical path twice then yeah you get a /2… This is the same with wifi.. Since it is shared bandwidth.. If wireless to wireless /2 if on the same band, if wireless to wired then you can get full bandwidth.

                              That makes perfect sense and is how I would expect it to perform. Appreciate all the help.

                              Did my plan to roll this out sound like the ideal way to do it?

                              • johnpozJ
                                johnpoz LAYER 8 Global Moderator

                                You mean that link to some site from 2014?

                                You can tag everything you want, or you could leave lan as untagged.. There are multiple ways to skin the cat.. If you only have the 1 physical interface adding tagged vlans to it and leaving lan as untagged does allow you to do it all from the lan side and not some other interface - like the wan in that link.  Since you won't kick yourself off, etc.

                                That is clearly an older version of pfsense - but overall how you do vlans has not really changed.  Some people like all tagged if doing tagged, I am open to native and tagged on the same interface..  Nothing wrong with either way.  If you're all tagged then sure you could lock yourself out if traffic is not tagged.  Which is why I like to leave a native network on the interface.

                                • DerelictD
                                  Derelict LAYER 8 Netgate

                                  @JKnott:

                                  So my question is, are VLANs inherently private?

                                  They're private because a device configured for one VLAN cannot see traffic on another, even if both are on the same wire.

                                  That is misleading. Yes, the device can see the traffic - it is just selectively-filtered by the local host using the VLAN tag.

                                  However, if you were to run Wireshark, you could see both. The VLAN traffic will have VLAN tags on the Ethernet frames.

                                  You sort of get to it there.

                                  The VLAN traffic will have VLAN tags on the Ethernet frames.  Another use would be for guest WiFi, which connects only to the Internet, while internal WiFi has access to the local network.  Many access points support multiple VLANs and SSIDs for this purpose.

                                  If you want to use VLANs for security, use a managed switch and only put the VLANs on specific ports that you want the connected device to see.

                                  Chattanooga, Tennessee, USA
                                  A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                                  DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                                  Do Not Chat For Help! NO_WAN_EGRESS(TM)
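To make Derelict's point concrete, here is an added example (my own code, not from this thread, Netgate or pfSense) that builds a few constructed 802.1Q frames, shows that a capture on the shared wire sees every tag, and then applies the per-port/per-interface tag filter that actually decides which VLAN a device receives. The VLAN IDs, MAC addresses and payloads are constructed for illustration; nothing here touches a real interface.

```python
import struct
from typing import Optional

TPID_8021Q = 0x8100  # EtherType value that announces an IEEE 802.1Q tag


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes,
                vid: Optional[int] = None, pcp: int = 0) -> bytes:
    """Build a constructed Ethernet frame, optionally carrying one 802.1Q tag.

    Layout on the wire: dst(6) src(6) [TPID(2) TCI(2)] EtherType(2) payload.
    """
    header = dst + src
    if vid is not None:
        tci = ((pcp & 0x7) << 13) | (vid & 0x0FFF)   # PCP(3) DEI(1) VID(12)
        header += struct.pack("!HH", TPID_8021Q, tci)
    return header + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes) -> dict:
    """Parse the Ethernet header and one 802.1Q tag, as a sniffer on the wire would."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    info = {"dst": dst.hex(":"), "src": src.hex(":"), "vid": None, "pcp": None}
    offset = 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        info["pcp"] = tci >> 13
        info["vid"] = tci & 0x0FFF
        offset = 18
    info["ethertype"] = ethertype
    info["payload"] = frame[offset:]
    return info


def sniffer_view(frames):
    """What a capture tool on the shared wire sees: every frame and its VID (None = untagged)."""
    return [parse_frame(f)["vid"] for f in frames]


def port_delivers_to(frame: bytes, native_vid: int, tagged_vids: set) -> Optional[int]:
    """Which VLAN a frame lands on for a device whose membership is `native_vid`
    (untagged traffic) plus `tagged_vids` (the tags it is configured for).
    Returns None when the tag filter drops the frame; the bytes were still on the wire."""
    vid = parse_frame(frame)["vid"]
    if vid is None:
        return native_vid
    return vid if vid in tagged_vids else None


def host_view(frames, native_vid: int, tagged_vids: set):
    return [port_delivers_to(f, native_vid, tagged_vids) for f in frames]


# Constructed sample traffic, as it would appear on a trunk with native VLAN 2 and tagged VLANs.
DST = bytes.fromhex("ffffffffffff")
SRC = bytes.fromhex("0200c0ffee01")
TRUNK_FRAMES = [
    build_frame(DST, SRC, 0x0806, b"arp-on-native", vid=None),
    build_frame(DST, SRC, 0x0800, b"ip-on-vlan-3", vid=3),
    build_frame(DST, SRC, 0x0800, b"ip-on-vlan-5", vid=5, pcp=5),
]

if __name__ == "__main__":
    print("capture on the trunk sees VIDs:          ", sniffer_view(TRUNK_FRAMES))
    print("device on an access port (native 2):     ", host_view(TRUNK_FRAMES, 2, set()))
    print("host with untagged parent + VLAN 3 child:", host_view(TRUNK_FRAMES, 2, {3}))
```

The last line of the demo is the pfSense case Derelict describes further down (an interface on the parent NIC plus a VLAN child interface): the same host receives the untagged frames on the parent and the VLAN 3 frames on the child, and drops VLAN 5 even though a capture on that NIC still shows it. The defensive consequence is the one Derelict draws: put only the VLANs a device is meant to see on its port, because anything carried to the port is readable there.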

                                  • L
                                    likelinus

                                    Yes, I know it's not new, but it seemed like a few sites used the same method.

                                    How do you go about the untagged method? Have a link or care to share a quick overview? Seems there are several ways to achieve this and each have different pro/cons. lol

                                    Derelict - I am using a managed Cisco switch I just purchased. As mentioned, the plan was to use a trunk port and then create the same VLANs that the pfsense has. Then assign the ports to each VLAN. So that would be the secure method?

                                    • DerelictD
                                      Derelict LAYER 8 Netgate

                                      @likelinus:

                                      Yes, I know it's not new, but it seemed like a few sites used the same method.

                                      How do you go about the untagged method? Have a link or care to share a quick overview? Seems there are several ways to achieve this and each have different pro/cons. lol

                                      If the pfSense interface is assigned to, say, igb0 then traffic to the connected device for that interface will be untagged.

                                      If the pfSense interface is assigned to, say, VLAN 100 on igb0 (igb0.100) then traffic to the connected device for that interface will be tagged with VLAN 100.

                                      Derelict - I am using a managed Cisco switch I just purchased. As mentioned, the plan was to use a trunk port and then create the same VLANs that the pfsense has. Then assign the ports to each VLAN. So that would be the secure method?

                                      Sounds good.

                                      • johnpozJ
                                        johnpoz LAYER 8 Global Moderator

                                        So for example… Here is uplink to my igb2 interface on my sg300 switch

                                        interface gigabitethernet5
                                        description "sg4860 WLan and vlans"
                                        switchport trunk allowed vlan add 3-7
                                        switchport trunk native vlan 2

                                        The native vlan 2 there is the untagged vlan 2 on my switch, which is my "wlan" network.  My AP and controller are on this vlan on the switch... unifi until recently did not allow for tagged management vlans so the IP on your AP had to be untagged.  They have recently allowed for a tagged management vlan but I have not moved over to it yet. And not sure if I will since this works just fine in my environment.

                                        • DerelictD
                                          Derelict LAYER 8 Netgate

                                          Right. But if you were to tag VLAN 2 between pfSense and the switch it does not mean it can't be untagged from the switch to the APs if that is what they require.

                                          interface gigabitethernet5
                                          description "sg4860 WLan and vlans"
                                          switchport trunk allowed vlan add 2-7

                                          interface gigabitethernet6
                                          description "Unifi AP"
                                          switchport trunk allowed vlan add 3-7
                                          switchport trunk native vlan 2

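As an added example (my own code, not from this thread, Netgate or Cisco), the following reads interface stanzas in the SG300-style syntax shown above, works out every VLAN a device on each port can see (the untagged native VLAN plus the tagged members), and compares that against a per-port policy of what the attached device should see, which is the check behind Derelict's "only put the VLANs on specific ports that you want the connected device to see". The two trunk stanzas are the ones from the post above; the access-port stanza, the policy, and the parser's handling of `switchport access vlan` and `allowed vlan remove` are my additions, and the rule that a trunk with no explicit native VLAN carries VLAN 1 untagged is an assumption about default switch behaviour, not something the thread states.

```python
import re

# Assumption (not from the thread): a trunk port with no explicit "native vlan" line
# carries the switch's default VLAN 1 untagged, as SG300-class switches do out of the box.
DEFAULT_NATIVE_VID = 1


def expand_vlan_list(spec: str) -> set:
    """Expand a list like '3-7' or '2,4-6,9' into a set of VLAN IDs."""
    vids = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            vids.update(range(lo, hi + 1))
        else:
            vids.add(int(part))
    return vids


def parse_switch_config(text: str) -> dict:
    """Collect per-port VLAN membership from IOS-style 'interface' stanzas."""
    ports, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"interface\s+(\S+)$", line, re.IGNORECASE)
        if m:
            current = m.group(1).lower()
            ports[current] = {"description": "", "native": DEFAULT_NATIVE_VID, "tagged": set()}
            continue
        if current is None:
            continue
        port = ports[current]
        if (m := re.match(r'description\s+"?([^"]*)"?', line)):
            port["description"] = m.group(1)
        elif (m := re.match(r"switchport trunk allowed vlan add\s+(\S+)", line)):
            port["tagged"] |= expand_vlan_list(m.group(1))
        elif (m := re.match(r"switchport trunk allowed vlan remove\s+(\S+)", line)):
            port["tagged"] -= expand_vlan_list(m.group(1))
        elif (m := re.match(r"switchport trunk native vlan\s+(\d+)", line)):
            port["native"] = int(m.group(1))
        elif (m := re.match(r"switchport access vlan\s+(\d+)", line)):
            # access port: one untagged VLAN and nothing tagged
            port["native"] = int(m.group(1))
            port["tagged"] = set()
    return ports


def port_exposure(ports: dict) -> dict:
    """Every VLAN a device plugged into each port can reach: untagged native plus tagged members."""
    return {name: {p["native"]} | p["tagged"] for name, p in ports.items()}


def excess_vlans(ports: dict, policy: dict) -> dict:
    """Ports carrying VLANs beyond what the policy says the attached device may see."""
    exposure = port_exposure(ports)
    report = {}
    for name, allowed in policy.items():
        extra = exposure.get(name, set()) - allowed
        if extra:
            report[name] = sorted(extra)
    return report


# Constructed sample: the two trunk stanzas from the thread plus an access port for a PC.
SAMPLE_CONFIG = """
interface gigabitethernet5
 description "sg4860 WLan and vlans"
 switchport trunk allowed vlan add 2-7

interface gigabitethernet6
 description "Unifi AP"
 switchport trunk allowed vlan add 3-7
 switchport trunk native vlan 2

interface gigabitethernet7
 description "kids pc"
 switchport mode access
 switchport access vlan 4
"""

# Constructed policy: which VLANs the device on each port is meant to see.
SAMPLE_POLICY = {
    "gigabitethernet5": {2, 3, 4, 5, 6, 7},  # pfSense uplink: all segment VLANs
    "gigabitethernet6": {2, 3, 4},           # AP: management plus two SSID VLANs
    "gigabitethernet7": {4},                 # a single access-port device
}

if __name__ == "__main__":
    ports = parse_switch_config(SAMPLE_CONFIG)
    for name, vids in sorted(port_exposure(ports).items()):
        print(f"{name:18} {ports[name]['description']!r:28} sees VLANs {sorted(vids)}")
    print("ports exposing more than policy allows:", excess_vlans(ports, SAMPLE_POLICY))
```

Run against the sample, the report flags the AP port for carrying VLANs 5 to 7 that the policy does not give it, and, under the default-native assumption, flags the pfSense uplink for carrying VLAN 1 untagged even though no line mentions it. Both are the kind of silent over-exposure this check is meant to surface before a port is handed to a device you do not fully trust.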

                                          • JKnottJ
                                            JKnott

                                            You sort of get to it there.

                                            Hi Derelict.

                                            I was just giving a general idea.  We can certainly get into a lot deeper discussion, if you wish.

                                            PfSense running on Qotom mini PC
                                            i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
                                            UniFi AC-Lite access point

                                            I haven't lost my mind. It's around here...somewhere...
