Help with VLans

  • Hi all,
    hope you are all well.

    I'm after some advice about VLANs. I have done VLANs in the past with no issue, but a friend of mine is wanting me to set up over 20 VLANs at his office building to separate all departments and security systems.
    The concern I have is I've used DrayTek and pfSense for managing the VLANs and the DHCP in the past, but I'm unsure what the limit is for pfSense as regards the max number of VLANs it can support at once.

  • LAYER 8 Netgate

    Many more than 20.

  • Thanks Derelict.
    He may add more at a later date as he is talking about renting out the spare office spaces but also supplying them with broadband, so each would have their own VLAN set up as a port on the switch.

    By default can the VLANs talk to each other or are they blocked?

  • LAYER 8 Netgate

    By default, no traffic passes between them or from them at all as there are no default rules on the interfaces.

    It might help to know what the desired outcome is instead of talking about "VLANs."

    Sounds like you want a multi-tenant "ISP." For that I would not firewall on their behalf. I would provide unrestricted, public IP addresses and let the tenants do their own firewalling.

  • The office spaces will be connected to his 100Mb lease line, from where he only gets 1 public IP.
    I was thinking of giving them each their own VLAN, from which they will have 1 active network point to then connect their own cable router to supply their own equipment and handle their own DHCP.

  • LAYER 8 Netgate

    Why the VLANs then? Why not just a switch?

    I would suggest if you want to be an ISP, be one. Get enough IP address space from upstream to do it.

  • @danlad said in Help with VLans:

    The office spaces will be connected to his 100Mb lease line, from where he only gets 1 public IP.

    If each office has its own NAT router, then there's no need for VLANs.

  • My concern is if the people in one of the offices unplug the router in that office and connect directly to the building LAN, then what's stopping them from accessing/seeing everything on the network that is nothing to do with them?
    With a VLAN you are making each link to each office router more secure.

  • LAYER 8 Netgate

    That would be outside traffic. If the other tenants are allowing traffic they don't want others to see to the outside then that's their problem.

    Every ISP has the same issue. The burden of firewalling is on the end user.

    If you isolate your tenants from each other and two of them need to establish a VPN between each other what will you do?

    You would likely want to use a good layer 3 switch with DHCP snooping, ACLs, etc to be sure each tenant can't hurt anyone else. At least that's how I would approach the problem.

  • How many users will there be? NAT works by exchanging ports for individual addresses. If you have enough users and they're busy enough, you could run out of available ports. Large networks would use more than one public IP to avoid this.
