    Netgate Discussion Forum
    Help with VLans

    L2/Switching/VLANs
    danlad

      Hi all,
      hope you are all well.

      I'm after some advice about VLANs. I have done VLANs in the past with no issue, but a friend of mine is wanting me to set up over 20 VLANs at his office building to separate all departments and security systems.
      The concern I have is that I've used DrayTek and pfSense for managing the VLANs and the DHCP in the past, but I'm unsure what the limit is for pfSense as regards the max number of VLANs it can support at once.

      Derelict LAYER 8 Netgate

        Many more than 20.

        Chattanooga, Tennessee, USA
        The pfSense Book is free of charge!
        DO NOT set a source port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        danlad

          Thanks Derelict.
          He may add more at a later date as he is talking about renting out the spare office spaces but also supplying them with broadband, so each would have their own VLAN set up as a port on the switch.

          By default, can the VLANs talk to each other or are they blocked?

          Derelict LAYER 8 Netgate

            By default, no traffic passes between them or from them at all as there are no default rules on the interfaces.

            It might help to know what the desired outcome is instead of talking about "VLANs."

            Sounds like you want a multi-tenant "ISP." For that I would not firewall on their behalf. I would provide unrestricted, public IP addresses and let the tenants do their own firewalling.

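The point above (no rules on an interface means nothing passes) is worth seeing next to the mistake that undoes it: copying the default LAN "allow to any" rule onto each tenant VLAN, which lets tenants reach each other through the firewall. The following is an added illustration, not code from the thread or from pfSense; it models per-interface rule evaluation the way pfSense applies it (first matching rule wins, no match means the packet is dropped) and uses constructed VLAN numbers, subnets and addresses.

```python
"""Interface-rule evaluation for tenant VLANs, modelled on how pfSense applies
per-interface rules: first match wins, and an interface with no matching rule
drops the packet. Added illustration, not code from the thread or from pfSense;
VLAN numbers, subnets and addresses are constructed."""
import ipaddress
from dataclasses import dataclass, field


def nets(*cidrs):
    return [ipaddress.ip_network(c) for c in cidrs]


RFC1918 = nets("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")


@dataclass
class Rule:
    action: str                                 # "pass" or "block"
    src: list                                   # source networks; [] means any
    dst: list = field(default_factory=list)     # destination networks; [] means any

    def matches(self, src_ip, dst_ip):
        s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
        src_ok = not self.src or any(s in n for n in self.src)
        dst_ok = not self.dst or any(d in n for n in self.dst)
        return src_ok and dst_ok


def evaluate(rules, src_ip, dst_ip):
    """First matching rule decides; no match is the interface's implicit default deny."""
    for rule in rules:
        if rule.matches(src_ip, dst_ip):
            return rule.action
    return "block"


# Constructed tenant plan: VLAN 10 -> 10.10.0.0/24, VLAN 20 -> 10.20.0.0/24
VLAN10_NET = nets("10.10.0.0/24")

# Ruleset A: the default LAN rule ("LAN net to any") copied onto the VLAN 10 interface.
COPIED_LAN_RULE = [Rule("pass", VLAN10_NET)]

# Ruleset B: drop anything headed for private address space first, then allow the rest.
ISOLATED = [Rule("block", VLAN10_NET, RFC1918), Rule("pass", VLAN10_NET)]


def check_policy(rules):
    """What a ruleset does to a cross-tenant packet and to an Internet-bound one."""
    return {
        "to_other_tenant": evaluate(rules, "10.10.0.5", "10.20.0.7"),
        "to_internet": evaluate(rules, "10.10.0.5", "203.0.113.9"),
    }


if __name__ == "__main__":
    print("no rules       :", check_policy([]))
    print("copied LAN rule:", check_policy(COPIED_LAN_RULE))
    print("isolated       :", check_policy(ISOLATED))
```

With no rules both packets are dropped, the copied "to any" rule passes both (so tenant 10 can reach tenant 20's subnet through the firewall), and the isolated set blocks the cross-tenant packet while still passing Internet-bound traffic. One caveat with the block-RFC1918 pattern: the firewall's own address on the tenant VLAN is also private space, so if pfSense serves DNS to that VLAN a pass rule to that address has to sit above the block.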
              danlad

              The office spaces will be connected to his 100Mb leased line, from which he only gets 1 public IP.
              I was thinking of giving them each their own VLAN, from which they will have 1 active network point to then connect their own cable router to supply their own equipment and handle their own DHCP.

                Derelict LAYER 8 Netgate

                Why the VLANs then? Why not just a switch?

                I would suggest if you want to be an ISP, be one. Get enough IP address space from upstream to do it.


                  JKnott @danlad

                  @danlad said in Help with VLans:

                  the office spaces will be connected to his 100Mb leased line from where he only gets 1 public IP.

                  Ouch!!!

                  If each office has its own NAT router, then there's no need for VLANs.

                  PfSense running on Qotom mini PC
                  i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
                  UniFi AC-Lite access point

                  I haven't lost my mind. It's around here...somewhere...

                    danlad

                    My concern is, if the people in one of the offices unplug the router in that office and connect directly to the building LAN, then what's stopping them from accessing/seeing everything on the network that is nothing to do with them?
                    With a VLAN you are making each link to each office router more secure.

                      Derelict LAYER 8 Netgate

                      That would be outside traffic. If the other tenants are allowing traffic they don't want others to see to the outside then that's their problem.

                      Every ISP has the same issue. The burden of firewalling is on the end user.

                      If you isolate your tenants from each other and two of them need to establish a VPN between each other what will you do?

                      You would likely want to use a good layer 3 switch with DHCP snooping, ACLs, etc to be sure each tenant can't hurt anyone else. At least that's how I would approach the problem.


                        JKnott

                        How many users will there be? NAT works by exchanging ports for individual addresses. If you have enough users and they're busy enough, you could run out of available ports. Large networks would use more than one public IP to avoid this.

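The port-exhaustion point above is easy to underestimate with 20-plus tenants behind one address, so here is an added example (not from the thread) that models it. It assumes a NAPT where a translated source port on the single public address must be unique per (protocol, destination IP, destination port), and a usable port range of 1024-65535; real NATs differ in range and allocation policy, but the ceiling imposed by one public address is the same. Tenant subnets, hosts and destinations are constructed.

```python
"""NAPT behind one public IPv4 address: where the source-port budget runs out.

Added illustration, not from the thread. Assumptions: a translated source port
must be unique per (proto, dst_ip, dst_port) on the single public address, and
the usable range is 1024-65535 (64512 ports). Tenant addresses are constructed."""

PORT_RANGE = range(1024, 65536)   # assumed usable range; implementation-specific in reality


class Napt:
    def __init__(self, ports=PORT_RANGE):
        self.ports = list(ports)
        self.pools = {}   # (proto, dst_ip, dst_port) -> free translated ports toward that endpoint
        self.table = {}   # inside 5-tuple -> translated port

    def open_flow(self, proto, src_ip, src_port, dst_ip, dst_port):
        """Return the translated port for a new flow, or None when none is left for that endpoint."""
        key = (proto, src_ip, src_port, dst_ip, dst_port)
        if key in self.table:                   # existing state, no new port needed
            return self.table[key]
        pool = self.pools.setdefault((proto, dst_ip, dst_port), list(self.ports))
        if not pool:
            return None                         # exhaustion toward this endpoint
        port = pool.pop()
        self.table[key] = port
        return port

    def close_flow(self, proto, src_ip, src_port, dst_ip, dst_port):
        """State expiry hands the port back; the limit is on concurrent flows, not total."""
        port = self.table.pop((proto, src_ip, src_port, dst_ip, dst_port))
        self.pools[(proto, dst_ip, dst_port)].append(port)


def per_tenant_budget(tenants, ports=PORT_RANGE):
    """Concurrent flows each tenant can hold toward one endpoint if the range is split evenly."""
    return len(ports) // tenants


def simulate(tenants, hosts_per_tenant, flows_per_host, destinations, ports=PORT_RANGE):
    """Every host in every tenant opens flows_per_host TCP flows, spread round-robin
    over `destinations` (list of (ip, port)). Returns (opened, refused)."""
    nat = Napt(ports)
    opened = refused = 0
    for t in range(tenants):
        for h in range(hosts_per_tenant):
            src_ip = f"10.{10 + t}.0.{h + 10}"  # constructed: tenant t lives in 10.(10+t).0.0/24
            for f in range(flows_per_host):
                dst_ip, dst_port = destinations[f % len(destinations)]
                if nat.open_flow("tcp", src_ip, 1024 + f, dst_ip, dst_port) is None:
                    refused += 1
                else:
                    opened += 1
    return opened, refused


if __name__ == "__main__":
    one_service = [("203.0.113.10", 443)]
    two_services = one_service + [("198.51.100.20", 443)]
    print("budget per tenant, 20 tenants:", per_tenant_budget(20))
    print("20 tenants x 50 hosts x 70 flows, one endpoint :", simulate(20, 50, 70, one_service))
    print("20 tenants x 50 hosts x 70 flows, two endpoints:", simulate(20, 50, 70, two_services))
```

Under this model the hard limit is per destination endpoint: 70000 concurrent flows from the building to a single popular service refuse the last 5488, while the same flows split across two endpoints all fit. Adding public addresses, as suggested above, raises that ceiling by one full port range per address, which is why anything at this tenant count wants more than one.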