Netgate Discussion Forum

    Help with VLans

    Category: L2/Switching/VLANs
    10 Posts, 3 Posters, 1.3k Views
    danlad:

      Hi all,
      hope you are all well.

      I'm after some advice about VLANs. I have done VLANs in the past with no issue, but a friend of mine wants me to set up over 20 VLANs at his office building to separate all departments and security systems.
      The concern I have is that I've used DrayTek and pfSense for managing the VLANs and the DHCP in the past, but I'm unsure what the limit is for pfSense as regards the maximum number of VLANs it can support at once.

      Derelict (LAYER 8, Netgate):

        Many more than 20.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        danlad:

          Thanks Derelict.
          He may add more at a later date, as he is talking about renting out the spare office spaces but also supplying them with broadband, so each would have their own VLAN set up as a port on the switch.

          By default, can the VLANs talk to each other or are they blocked?

          Derelict (LAYER 8, Netgate):

            By default, no traffic passes between them or from them at all as there are no default rules on the interfaces.

            It might help to know what the desired outcome is instead of talking about "VLANs."

            Sounds like you want a multi-tenant "ISP." For that I would not firewall on their behalf. I would provide unrestricted, public IP addresses and let the tenants do their own firewalling.


            danlad:

              The office spaces will be connected to his 100Mb leased line, from which he only gets 1 public IP.
              I was thinking of giving them each their own VLAN, from which they will have 1 active network point to then connect their own cable router to supply their own equipment and handle their own DHCP.

              Derelict (LAYER 8, Netgate):

                Why the VLANs then? Why not just a switch?

                I would suggest if you want to be an ISP, be one. Get enough IP address space from upstream to do it.


                JKnott (replying to danlad):

                  @danlad said in Help with VLans:

                  > The office spaces will be connected to his 100Mb leased line, from which he only gets 1 public IP.

                  Ouch!!!

                  If each office has its own NAT router, then there's no need for VLANs.

                  PfSense running on Qotom mini PC
                  i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
                  UniFi AC-Lite access point

                  I haven't lost my mind. It's around here...somewhere...

                  danlad:

                    My concern is, if the people in one of the offices unplug the router in that office and connect directly to the building LAN, then what's stopping them from accessing/seeing everything on the network that is nothing to do with them?
                    With a VLAN you are making each link to each office router more secure.

                    Derelict (LAYER 8, Netgate):

                      That would be outside traffic. If the other tenants are allowing traffic they don't want others to see to the outside then that's their problem.

                      Every ISP has the same issue. The burden of firewalling is on the end user.

                      If you isolate your tenants from each other and two of them need to establish a VPN between each other what will you do?

                      You would likely want to use a good layer 3 switch with DHCP snooping, ACLs, etc to be sure each tenant can't hurt anyone else. At least that's how I would approach the problem.


                      JKnott:

                        How many users will there be? NAT works by exchanging ports for individual addresses. If you have enough users and they're busy enough, you could run out of available ports. Large networks would use more than one public IP to avoid this.


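The two firewall points raised in the thread (Derelict's note that a pfSense VLAN interface passes nothing until a rule allows it, and JKnott's point that one public IP gives the whole building a single source-port budget) written out as a hand-written pf ruleset. This is an added example, not from the original posts and not the ruleset pfSense itself generates from its GUI; the interface names igb0 (WAN) and igb1 (trunk to the building switch), the VLAN IDs 101-103 and the three-tenant layout are assumptions, and on pfSense the equivalent is created under Interfaces > Assignments > VLANs plus per-interface rules.

```pf
# Assumed interface names: igb0 carries the single public address, igb1 is
# the 802.1Q trunk to the building switch, and each tenant is a VLAN
# interface igb1.<vid> on that trunk (FreeBSD/pfSense naming).
wan         = "igb0"
tenants     = "{ igb1.101, igb1.102, igb1.103 }"
tenant_nets = "{ igb1.101:network, igb1.102:network, igb1.103:network }"

# Private address space; tenants may talk to anything except these ranges,
# which is where the other tenants and the landlord's own LAN live.
table <rfc1918> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

set skip on lo0
set block-policy drop

# Default deny on every interface: a new VLAN passes nothing until a rule
# below names it, which is the behaviour Derelict describes.
block log all

# Single public IP: every tenant VLAN is PATed out the WAN. pf picks a
# source port from 50001:65535 unless told otherwise; pfSense's generated
# outbound NAT uses 1024:65535, and that wider range is used here because
# all tenants share this one address's ports (JKnott's exhaustion point).
nat on $wan inet from $tenant_nets to any -> ($wan) port 1024:65535

# Each tenant reaches the Internet but not RFC 1918 space. Only traffic
# sourced from the tenant's own subnet is accepted on its VLAN, so a
# tenant cannot spoof another tenant's addresses from its port.
pass in  quick on $tenants inet from $tenant_nets to ! <rfc1918> keep state
pass out quick on $wan inet keep state
```

Check the file with `pfctl -nf /path/to/pf.conf` before loading it. Because the only pass rule excludes <rfc1918>, two tenants who later need to talk to each other (the VPN case Derelict raises) get nothing until a further `pass` rule for that specific pair is added; the default deny does not quietly make an exception.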
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.