Setting up a Vlan for security,



  • I have a pfSense box I made with 2 NICs: ISP in, out to switch.

    On my LAN I have a CCTV system, which I would like to take off my main LAN, for security reasons.

    I was thinking about setting it up on a VLAN because I'm concerned how secure the software is.

    Is it possible with pfSense to create a VLAN using the SAME NIC? Does this make sense?

    Right now we are on a 192.168.1.* network. I'm thinking about putting my CCTV on 192.168.3.*, but I'm not sure if I would require more NICs in the pf box; I think I may be limited with this Supermicro 1U setup.

    Thanks



  • That is a perfect use for a VLAN. Just be aware that unmanaged switches can strip out the VLAN part, so it will get lost. If you have managed switches then no issue.



  • Yep, that's a common use of VLAN and pfSense can do that.

    BTW, the claim that an unmanaged switch will strip off VLAN tags is nonsense. An Ethernet switch is supposed to pass ALL valid Ethernet frames. The only difference between a VLAN frame and any other is the contents of the Ethertype/length field plus 4 bytes for the VLAN tag. Any switch that strips off that tag is defective by design.

    Ethernet frame



  • @jknott said in Setting up a Vlan for security,:

    plus

    Thanks for the reply. Will I need another NIC in the device, or can they share the same NIC? I only have 2 NICs in the pfSense box; adding a 3rd might be difficult with this hardware.



  • @jknott said in Setting up a Vlan for security,:

    Yep, that's a common use of VLAN and pfSense can do that.

    BTW, the claim that an unmanaged switch will strip off VLAN tags is nonsense. An Ethernet switch is supposed to pass ALL valid Ethernet frames. The only difference between a VLAN frame and any other is the contents of the Ethertype/length field plus 4 bytes for the VLAN tag. Any switch that strips off that tag is defective by design.

    Ethernet frame

    It is not nonsense. It happens. Maybe not in newer switches, but older ones that don't know about VLANs certainly do. I have 4 switches where, if they are used with VLANs, the info does not survive and they don't work as they should. Yes, they are older. They are not defective, just made before VLAN was thought of.

    No, you don't need another NIC. Just attach the interface to the existing LAN. If you create the VLAN it should be available as an option when creating a new interface.



  • @nambi said in Setting up a Vlan for security,:

    Thanks for the reply. Will I need another NIC in the device, or can they share the same NIC?

    You normally create a VLAN on an existing interface. You will then see both the native LAN and VLAN(s) on the same wire coming from the NIC.



  • @veldthui said in Setting up a Vlan for security,:

    It is not nonsense.

    It is nonsense. As I mentioned, switches are supposed to pass all valid Ethernet frames. Here is a list of Ethernet frame types. Any switch that can't pass every one of those frame types is defective. A valid Ethernet frame consists of destination and source MACs, Ethertype/length, payload and CRC. The only thing that might cause a problem on ancient gear is an inability to handle more than 1500 byte payload. If you run into that, just reduce the MTU by 4 bytes to avoid the problem.

    BTW, frame type, other than special stuff such as spanning tree, is ignored by the switch. A switch only needs valid destination, source, payload and CRC for it to pass a frame. A switch most definitely should not tamper with a frame by stripping out anything, including VLAN tags.
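The frame layout argued over above (a tag is 4 extra bytes between the source MAC and the Ethertype, and a pre-802.1Q switch simply sees a 1504-byte payload) can be checked directly. This is an added example, not code from the thread or from pfSense; the MAC addresses, the 1500-byte IPv4 payload and VLAN 3 (the CCTV VLAN proposed in the first post) are constructed sample values, and frames are handled without the FCS, as a pcap capture would deliver them.

```python
import struct
from typing import Optional

ETHERTYPE_VLAN = 0x8100   # 802.1Q Tag Protocol Identifier
ETHERTYPE_IPV4 = 0x0800
TAG_LEN = 4               # the only size difference between tagged and untagged frames
HDR_LEN = 14              # dst MAC + src MAC + Ethertype/length

def parse_frame(frame: bytes) -> dict:
    """Parse an Ethernet II frame (FCS not included, as in a pcap capture).
    A tagged frame is recognised by Ethertype 0x8100; the 4-byte tag sits
    between the source MAC and the real Ethertype of the payload."""
    if len(frame) < HDR_LEN:
        raise ValueError("runt frame: shorter than the 14-byte Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    (etype,) = struct.unpack("!H", frame[12:14])
    vlan, offset = None, HDR_LEN
    if etype == ETHERTYPE_VLAN:
        if len(frame) < HDR_LEN + TAG_LEN:
            raise ValueError("truncated 802.1Q tag")
        tci, etype = struct.unpack("!HH", frame[14:18])   # TCI, then inner Ethertype
        vlan = {"pcp": tci >> 13, "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF}
        offset = HDR_LEN + TAG_LEN
    return {"dst": dst.hex(":"), "src": src.hex(":"), "vlan": vlan,
            "ethertype": etype, "payload_len": len(frame) - offset,
            "frame_len": len(frame)}

def exceeds_legacy_payload(frame: bytes, mtu: int = 1500) -> bool:
    """A switch that predates 802.1Q does not parse the tag, so a full-size
    tagged frame looks to it like a 1504-byte payload. Lowering the MTU by
    4 bytes, as suggested in the thread, brings it back under the limit."""
    return len(frame) - HDR_LEN > mtu

def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes,
                vid: Optional[int] = None, pcp: int = 0) -> bytes:
    """Build a constructed sample frame; the 802.1Q tag is inserted only when vid is given."""
    tag = b""
    if vid is not None:
        tag = struct.pack("!HH", ETHERTYPE_VLAN, (pcp << 13) | (vid & 0x0FFF))
    return dst + src + tag + struct.pack("!H", ethertype) + payload

# Constructed sample MACs and a full-size 1500-byte IPv4 payload; VLAN 3 is the
# CCTV VLAN proposed in the first post. These are not captured from a real network.
DST, SRC = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
UNTAGGED = build_frame(DST, SRC, ETHERTYPE_IPV4, b"\x45" + b"\x00" * 1499)
TAGGED = build_frame(DST, SRC, ETHERTYPE_IPV4, b"\x45" + b"\x00" * 1499, vid=3)
TAGGED_MTU1496 = build_frame(DST, SRC, ETHERTYPE_IPV4, b"\x45" + b"\x00" * 1495, vid=3)

if __name__ == "__main__":
    for name, f in (("untagged", UNTAGGED), ("tagged", TAGGED)):
        print(name, parse_frame(f), "too big for pre-802.1Q gear:", exceeds_legacy_payload(f))
```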



  • Whatever. I know some switches lose the VLAN data. I have actual experience with it losing it. I was just warning others. What they are supposed to do and what they do are two different things. I am glad your unmanaged switches don't chop out the VLAN info for you.


  • If you're trying to run VLANs over a dumb switch you're an idiot, plain and simple..

    Be it the switch passes the VLAN traffic or doesn't pass it means nothing.. It doesn't understand them, so you have no isolation... Might as well just run all the layer 3 networks you want over that single layer 2 your dumb switch is..

    I personally do not think any modern switch will strip tags, but it's still something you shouldn't be doing.. You could prob do it in a pinch while your VLAN-capable switch is on order or something. But no, you shouldn't be thinking running VLANs over a dumb switch is a good idea or that it's fine to do such a thing.

    Me and jknott bang heads about this all the time.. While I agree with him that it is highly unlikely that a dumb switch would actually strip the tags or not pass the traffic, you should never be suggesting to someone that they can get by with using a dumb switch if they want to start using VLANs.



  • @johnpoz said in Setting up a Vlan for security,:

    You should never be suggesting to someone that they can get by with using a dumb switch if they want to start using vlans.

    What about my original intention for using a VLAN. I have an access point that supports multiple SSIDs and I was planning on setting up a guest SSID & VLAN. It was the only device on my network, other than pfSense, that would use a VLAN. Was I supposed to toss a perfectly good Cisco unmanaged switch, just because I was running a VLAN to one device?

    However, I definitely recommend VLANs for security cameras, VoIP phones, etc. In some cases, it makes sense to use a managed switch to keep LAN and VLAN separate. In others, maybe not. An example would be a network where most devices are VoIP phones, with computers plugged into the phones. (I've seen networks where there's nothing else other than VoIP phones & computers and the Internet connection.) In that situation, what advantage would a managed switch provide? Due to the way switches filter traffic, there would be very few VLAN frames appearing at devices not configured for a VLAN. As always, look at the requirements and be guided accordingly. That said, there's not much reason not to buy a managed switch these days.

    BTW, my plan failed because our favorite manufacturer, TP-Link, didn't know how to handle VLANs properly.

    Me and jknott bang heads about this all the time.

    And you have horns on yours! 😉

