VLAN: 1 Managed Switch port connected to unmanaged switch



  • Hey,
    I have 2 small (5 ports) unmanaged switches chained after the pfSense:
    Internet -> pfSense -> Switch1 -> Switch2

    Switch1:

• Ubiquiti AP

    • NAS

    • Switch2

      • TV

      • Receiver

      • AppleTV

    (something like this)

    I am getting (one) new managed (VLAN capable) switch which I'd like to use instead of the existing Switch1 and making use of VLANs in my network.
    (Management, Guest Network, DMZ, etc)

Is it possible to tag (i.e.) port 3 and have all the devices on Switch2 in the same subnet?
    In general these 3 devices just need outgoing internet connectivity, but the TV (with Plex on it) needs to be able to talk to the NAS, which can also be on the same subnet.

    Thanks,
    M.



  • @mtk:

Is it possible to tag (i.e.) port 3 and have all the devices on Switch2 in the same subnet?

    Yes, that's a major task of VLAN capable switches.
    So incoming packets on that port are tagged by the switch and outgoing packets are untagged.

    @mtk:

    but the TV (with Plex on it) needs to be able to talk to the NAS, which can also be on the same subnet.

    So the switch port the NAS is connected to can be configured the same way.
However, I'd suggest putting the NAS in a separate VLAN and opening partial access on pfSense.



  • @viragomann:

    @mtk:

Is it possible to tag (i.e.) port 3 and have all the devices on Switch2 in the same subnet?

    Yes, that's a major task of VLAN capable switches.
    So incoming packets on that port are tagged by the switch and outgoing packets are untagged.

    So, just to confirm, I am fine with only one VLAN capable switch?

    @viragomann:

    @mtk:

    but the TV (with Plex on it) needs to be able to talk to the NAS, which can also be on the same subnet.

    So the switch port the NAS is connected to can be configured the same way.
However, I'd suggest putting the NAS in a separate VLAN and opening partial access on pfSense.

    Sure, that's also an option, thanks!



  • @mtk:

    So, just to confirm, I am fine with only one VLAN capable switch?

Yes, of course. In your example the packets leaving switch port 3 are untagged, so a device connected to it does not have to be VLAN capable.
However, internally the switch port is assigned to a VLAN.



  • @viragomann:

    @mtk:

    So, just to confirm, I am fine with only one VLAN capable switch?

Yes, of course. In your example the packets leaving switch port 3 are untagged, so a device connected to it does not have to be VLAN capable.
However, internally the switch port is assigned to a VLAN.

And I would still be able to create a subnet (i.e. 192.168.30.0/24) for the TV/Receiver/AppleTV with its own DHCP?



• Yes, you also have to configure this subnet and the VLAN on pfSense, assign an IP to the pfSense VLAN interface, and on that interface you can activate DHCP.



  • @viragomann:

Yes, you also have to configure this subnet and the VLAN on pfSense, assign an IP to the pfSense VLAN interface, and on that interface you can activate DHCP.

    Thanks!

    Curious and before I get the new switch:
What happens if I set VLANs on both the pfSense & Ubiquiti AP, but still keep the unmanaged switches?
Would that put the NAS+TV+Receiver+AppleTV in the same VLAN/subnet, while WiFi clients might be on different VLANs (i.e. Guests)?



• Maybe you can set up VLANs between pfSense and the Ubiquiti AP and also between pfSense and the NAS which go over the switch.
    Usually simple switches are not bothered by that and direct tagged packets to the destination ports. But that will not be very safe.


  • Rebel Alliance Global Moderator

You can place dumb switches on any specific VLAN; all ports on this switch will be on the VLAN you assign to the port it's connected to on the smart switch… Anything else is not a valid sort of config.  It may be that your switch does not strip the tags you might flow over it from a smart switch to another device that understands the tags.

    This is not really a valid configuration and your mileage will vary, and is frowned upon.

I would never ever suggest such a configuration to anyone.. While it might be something that can allow you to function in a pinch or as a MacGyver sort of solution, it should only be put in place as a temp solution while you get the hardware that will sort out what you're wanting to do.

To be honest anyone in the market for a switch should really never buy a "dumb" one - it is always better to have the ability to do VLANs even if there is no current need for them - you will save yourself in the long run.. So it's not worth the couple of bucks you might save today buying a dumb switch just to be unable to do what you want tomorrow or next week or month, etc.  And then have to buy a whole new switch, etc.

If you're in the market for a switch, get one that can do VLANs...



• It may be that your switch does not strip the tags you might flow over it from a smart switch to another device that understands the tags.

    Other than an access port on a managed switch, when does a switch ever strip off VLAN tags?  Unmanaged switches should simply pass the VLAN frame unchanged.


  • Netgate

    Operative word there is should. I note you did not say will.

    Look. We all get it. We've all done it. Here is another user asking how to DESIGN a network. Someone asking that is always going to get as close to the correct and sound answer as I can come up with.

    They are NOT going to get some short cut with potential pitfalls unless they specifically ask. Bad advice lives forever on the internet. Please stop.

    The proper way in his case is Firewall <-> Managed Switch <-> Unmanaged Switch on an untagged/access port



  • Operative word there is should. I note you did not say will.

    Any switch that can't pass a VLAN frame is defective.  Some older gear may choke on the larger frame size, with a full 1500 MTU, but it should never filter on a VLAN tag (managed switches excepted).  Any switch should be able to pass any and all Ethernet frame types, so long as that frame complies with the specs.  That is destination & source MAC addresses, data and CRC.  If the frame is at least 64 bytes and CRC checks then the frame should be passed.  At this level, the only difference between a VLAN frame and any other is the contents of the Ethertype/length field.  Nothing else.  In the rare instance where a switch chokes on any frame bigger than 1518 bytes, you can work around it by limiting the MTU to 1496, to allow room for the VLAN tag.  Given that just about any Gb gear supports jumbo frames, that's not likely to be an issue these days.

    Ethernet had a 1500 byte limit in the early days, when hardware was expensive and 802.3 Ethernet has the length, rather than Ethertype field, which puts a hard limit on size.  But the 1518 byte limit on Ethernet II disappeared years ago, with frame expansion to support VLANs (802.3ac 1998).  These days, you'll find Gb gear generally supports 9K bytes or more, with jumbo frames.  A lot of 100 Mb gear also supports them.

    I'm not supporting poorly configured networks, but trying to challenge misinformation that so many accept as "common knowledge".
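To make the two points in this thread concrete (viragomann's description of an access port tagging on ingress and untagging on egress, and the frame-size arithmetic in the post above), here is an added Python model that is not part of the original thread or of pfSense. It builds raw Ethernet frames, adds and strips 802.1Q tags exactly as an access port, a trunk port and an unmanaged switch would treat them, and checks whether a tagged frame still fits a legacy 1518-byte switch. The MAC addresses, the 1496-byte MTU workaround and the "drop tagged frames for other VLANs on an access port" behaviour are assumptions for the example; frames are handled without the trailing FCS, as a NIC normally delivers them.

```python
import struct

TPID_8021Q = 0x8100           # Ethertype value that announces an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800
VLAN_TAG_LEN = 4
FCS_LEN = 4
MAX_UNTAGGED_ON_WIRE = 1518   # 14-byte header + 1500-byte payload + 4-byte FCS
MAX_TAGGED_ON_WIRE = 1522     # 802.3ac (1998): one 4-byte tag more than the above

# Constructed locally-administered MACs for the TV and the NAS (not real devices).
TV_MAC = bytes.fromhex("020000000001")
NAS_MAC = bytes.fromhex("020000000002")


def build_frame(dst, src, ethertype, payload):
    """Ethernet II frame without FCS: dst(6) src(6) ethertype(2) payload."""
    return dst + src + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Split a frame into its fields; vlan is None when no 802.1Q tag is present."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    vlan, offset = None, 14
    if ethertype == TPID_8021Q:
        tci = struct.unpack("!H", frame[14:16])[0]
        vlan = tci & 0x0FFF                    # low 12 bits of the TCI carry the VLAN ID
        ethertype = struct.unpack("!H", frame[16:18])[0]
        offset = 18
    return {"dst": dst, "src": src, "vlan": vlan,
            "ethertype": ethertype, "payload": frame[offset:]}


def tag_frame(frame, vlan_id, pcp=0):
    """Insert a tag after the source MAC; the original ethertype shifts right by 4 bytes."""
    tci = (pcp << 13) | (vlan_id & 0x0FFF)
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def untag_frame(frame):
    """Remove the 4-byte tag, restoring the original Ethernet II layout."""
    if parse_frame(frame)["vlan"] is None:
        return frame
    return frame[:12] + frame[16:]


def access_port_ingress(frame, pvid):
    """Untagged frames arriving on an access port are tagged with the port's PVID.
    Assumption: a tagged frame for another VLAN is dropped (returns None)."""
    info = parse_frame(frame)
    if info["vlan"] is None:
        return tag_frame(frame, pvid)
    return frame if info["vlan"] == pvid else None


def access_port_egress(frame, pvid):
    """Only frames of the port's VLAN leave an access port, and they leave untagged."""
    if parse_frame(frame)["vlan"] != pvid:
        return None
    return untag_frame(frame)


def trunk_port_egress(frame, allowed_vlans):
    """A trunk forwards tagged frames unchanged, but only for VLANs it carries."""
    return frame if parse_frame(frame)["vlan"] in allowed_vlans else None


def unmanaged_switch_forward(frame):
    """An unmanaged switch neither adds nor strips tags; the frame is forwarded as-is."""
    return frame


def legacy_switch_accepts(frame_without_fcs):
    """Would a switch that rejects anything over 1518 bytes on the wire pass this frame?"""
    return len(frame_without_fcs) + FCS_LEN <= MAX_UNTAGGED_ON_WIRE


def demo():
    # TV -> NAS frame with a full 1500-byte payload, as it enters access port 3 (PVID 30)
    full = build_frame(NAS_MAC, TV_MAC, ETHERTYPE_IPV4, bytes(1500))
    tagged = access_port_ingress(full, 30)
    print("tagged VLAN:", parse_frame(tagged)["vlan"])
    print("fits a 1518-byte switch when tagged:", legacy_switch_accepts(tagged))
    # Same traffic with the MTU lowered to 1496 to leave room for the tag
    small = build_frame(NAS_MAC, TV_MAC, ETHERTYPE_IPV4, bytes(1496))
    print("fits with MTU 1496:", legacy_switch_accepts(tag_frame(small, 30)))


if __name__ == "__main__":
    demo()
```

The interesting check is `legacy_switch_accepts`: a 1500-byte payload is 1518 bytes on the wire untagged and 1522 bytes tagged, so a switch that stops at 1518 drops it, while a 1496-byte payload fits even with the tag. The port models show why the unmanaged Switch2 hanging off an access port never sees a tag at all: the managed switch strips it on egress.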


  • Rebel Alliance Global Moderator

Does not matter if it passes it or not - plain and simple it's BAD BAD BAD advice… Especially to a user that doesn't even understand VLANs.  If they did they wouldn't be here asking about them.

I also wish you would stop telling users that it's OK to use a dumb switch to pass VLAN tags..



  • Well, the port of the pfSense that connects to the first switch, is a smart port, isn't it?
    @johnpoz:

You can place dumb switches on any specific VLAN; all ports on this switch will be on the VLAN you assign to the port it's connected to on the smart switch…

    Well, I am already in the situation where there are 2 unmanaged switches and I now need to replace them.
    @johnpoz:

I would never ever suggest such a configuration to anyone.. While it might be something that can allow you to function in a pinch or as a MacGyver sort of solution, it should only be put in place as a temp solution while you get the hardware that will sort out what you're wanting to do.

To be honest anyone in the market for a switch should really never buy a "dumb" one - it is always better to have the ability to do VLANs even if there is no current need for them - you will save yourself in the long run.. So it's not worth the couple of bucks you might save today buying a dumb switch just to be unable to do what you want tomorrow or next week or month, etc.  And then have to buy a whole new switch, etc.

If you're in the market for a switch, get one that can do VLANs…



  • @Derelict:

    The proper way in his case is Firewall <-> Managed Switch <-> Unmanaged Switch on an untagged/access port

    And this is exactly what I would like to (temporarily!!!) do…



• Would something like this work?
    https://youtu.be/DL4vMLgBrYI
    I have an APC2U4 with an available port.

Would this allow me to create a WiFi guest VLAN via the AP and a LAN subnet with the unmanaged switches?


  • Netgate

    No time to watch a youtube video for you.

    Summarize what they tell you to do here.



• Connect directly to the pfSense box, one port to the Ubiquiti and one port to the unmanaged switch.
    @Derelict:

    No time to watch a youtube video for you.

    Summarize what they tell you to do here.


  • Netgate

    Use a managed switch.



  • So I got the Managed Switch and now I have several VLANs:

    • VL10_MGMT
• VL20_SEC - this is where main clients will connect (mostly via WiFi) and it'll use a VPN_WAN gateway.
    • VL30_CLR - sort of a DMZ where I connected all LAN devices (Freenas and its jails, Receiver, TV, AppleTV, etc)
    • VL40_GUEST - WIFI network only for... guests
    • VL50_IOT - where I'll connect several IoT devices via WIFI (smart lamps, dimmers, climate, etc)

    Makes sense?
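As an added example (not part of the thread and not pfSense code), the following Python script turns the VLAN list above, together with the earlier "subnet per VLAN with its own DHCP on pfSense" and "open partial access on pfSense" answers, into something checkable: it derives a subnet, gateway and DHCP pool for each VLAN, verifies that no two subnets overlap, and evaluates a first-match, default-deny inter-VLAN policy the way a firewall ruleset is read. The `192.168.<VLAN ID>.0/24` convention (matching the 192.168.30.0/24 mentioned in the thread), the .100-.254 DHCP pool and the rule list itself are assumptions chosen for the example; 32400/tcp is Plex's default port.

```python
import ipaddress

# VLAN names as listed in the post; the subnet convention is an assumption.
VLANS = {
    10: "VL10_MGMT",
    20: "VL20_SEC",
    30: "VL30_CLR",
    40: "VL40_GUEST",
    50: "VL50_IOT",
}
WAN = "WAN"          # pseudo-destination meaning "anything outside the LAN"


def subnet_for(vlan_id):
    """Assumed convention: third octet equals the VLAN ID."""
    return ipaddress.ip_network(f"192.168.{vlan_id}.0/24")


def interface_plan(vlan_id):
    """What gets configured on the pfSense VLAN interface: address, subnet, DHCP pool."""
    net = subnet_for(vlan_id)
    hosts = list(net.hosts())                       # .1 .. .254 for a /24
    return {
        "name": VLANS[vlan_id],
        "vlan": vlan_id,
        "subnet": str(net),
        "gateway": str(hosts[0]),                   # pfSense interface IP (.1)
        "dhcp_range": (str(hosts[99]), str(hosts[-1])),  # assumed pool .100 - .254
    }


def check_no_overlap(plans):
    """Two VLAN interfaces with overlapping subnets would make routing ambiguous."""
    nets = [ipaddress.ip_network(p["subnet"]) for p in plans]
    return all(not a.overlaps(b)
               for i, a in enumerate(nets) for b in nets[i + 1:])


# Assumed policy, evaluated first-match like firewall rules: (src VLAN, dst, proto, port, action).
# dst is a VLAN ID, WAN, or "any"; proto/port may be "any"/None to match everything.
RULES = [
    (10, "any", "any", None, "pass"),      # management reaches everything
    (20, 30, "tcp", 32400, "pass"),        # clients reach Plex on the DMZ segment only
    ("any", WAN, "any", None, "pass"),     # every VLAN gets outbound Internet
    ("any", "any", "any", None, "block"),  # default deny between VLANs
]


def evaluate(src_vlan, dst, proto, port):
    """Return the action of the first matching rule ('block' if nothing matches)."""
    for r_src, r_dst, r_proto, r_port, action in RULES:
        if r_src != "any" and r_src != src_vlan:
            continue
        if r_dst != "any" and r_dst != dst:
            continue
        if r_proto != "any" and r_proto != proto:
            continue
        if r_port is not None and r_port != port:
            continue
        return action
    return "block"


def allowed(src_vlan, dst, proto="any", port=None):
    """Same-VLAN traffic never crosses the firewall; everything else goes through RULES."""
    if src_vlan == dst:
        return True
    return evaluate(src_vlan, dst, proto, port) == "pass"


if __name__ == "__main__":
    plans = [interface_plan(v) for v in VLANS]
    for p in plans:
        print(p)
    print("subnets disjoint:", check_no_overlap(plans))
    print("guest -> DMZ Plex:", allowed(40, 30, "tcp", 32400))
    print("SEC -> DMZ Plex:", allowed(20, 30, "tcp", 32400))
```

Reading the policy top to bottom mirrors how pfSense evaluates interface rules: the guest and IoT VLANs match only the outbound-Internet rule, so they hit the final block for anything addressed to another VLAN, while VL20 gets exactly one hole into VL30. Extending the plan to a new VLAN is one dictionary entry, and `check_no_overlap` catches the copy-paste mistake of reusing a subnet.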



 

© Copyright 2002 - 2018 Rubicon Communications, LLC | Privacy Policy