WAN on VLAN or internal switch port



  • Hi,

    I have a router from my telco (Telenet) and they require that their appliances are connected to the WAN directly, not routed or NAT-ed in any way. My own network, however, is firewalled and NAT-ed by my Netgate SG-3100. However, I want to route the WAN traffic over a VLAN on my internal network. So, my question is: how can I bridge WAN with a VLAN while at the same time having a NAT-ed LAN?

    ISP Modem
    => WAN
    => pfSense
    => TRUNK [ VLAN 100: LAN (firewalled + NAT) ] [ VLAN 200: WAN (firewalled NO NAT) ]
    => SWITCH

    Thanks,

    Thomas



  • Need a little more info on the overall objective. Typically, you would just have the ISP configure their equipment in bridge mode and you move forward. What is the reasoning for trying to bridge the WAN interface to a VLAN on your LAN interface? What are you trying to accomplish?



  • The reasoning is as follows:

    The ISP is also the provider of set-top boxes (STBs) which are placed in several locations on the site. These STBs need to be connected to the WAN directly and not NAT-ed or routed in any way. However, we need their data to run over our internal trunks.

    As a result, a VLAN with the unrouted WAN on the trunk is what we need. But, at the same time we still need the firewall to provide NAT and routing for several internal networks also connected to the WAN.

    Normally I could achieve this by plugging the WAN into ports on the switch assigned to this VLAN directly and then connecting the WAN port of the firewall also to this VLAN, but that gives me no control over what is happening on the WAN within the facility. I want to have the ability to transparently firewall this VLAN as well, so it does have to go through the pfSense box.

    Is that more clear?



  • Anyone who could help me with this?

    Thanks,

    Thomas


  • LAYER 8 Netgate

    If you must do this, yes, you can bridge a VLAN interface with a physical interface. As long as pfSense is the only router available to that VLAN, it will be transparently filterable.

    https://docs.netgate.com/pfsense/en/latest/book/interfaces/interfacetypes-misc.html#bridges



  • @thomas_n said in WAN on VLAN or internal switch port:

    The ISP is also the provider of set-top boxes (STBs) which are placed in several locations on the site.

    So you need to distribute the raw WAN throughout your facility? The thought makes me shiver.

    How many STBs are you talking about and what's the media output of those, probably 1080p or even 4k video on HDMI?

    Before I distribute the WAN I would put all STBs in a suitable place and route the outputs (HDMI?) through my network. It's simple if you'll only have 1080p (aka Full-HD) signals but can get tricky (or expensive) if you have 4k content.
    AV is my daytime job, I'd be happy to help.


  • LAYER 8 Netgate

    The last place I worked at would have used more fiber pairs and bought more switching gear to layer 1 segregate that kind of traffic from the company layer 2. Considerable cash flowing across the network there though.



  • I don't get your point.

    You/your client would throw in more expensive HW (fiber/switches) to get something done which in 2019 would usually be solved cheaper/differently?

    The whole AV industry is moving to IP. Doesn't always make sense, though. But the technology is there and it's cheaper than distributing proprietary solutions (like HDBase-T, dedicated fiber runs, ...). The whole point of AV-over-IP is price. Have a look at SDVoE.org for example.


  • LAYER 8 Netgate

    How do you run the remote control on an STB on the other side of the campus? I guess I can see an IR receiver and an emitter at the STB.

    I am not saying they would have done that instead of your solution, I am saying they would have done that before running unfiltered WAN through the company infrastructure.



  • @jahonix said in WAN on VLAN or internal switch port:

    So you need to distribute the raw WAN throughout your facility? The thought makes me shiver.

    Not quite, I don't see this as a problem for three reasons:

    • First of all the provider only gives an IP to one device + the STBs. That one device is my router. So anyone getting on the WAN would have to start messing around to even get an IP. It's not a case of just plugging in and getting unrestricted access.
    • There is separation by using another VLAN. If you don't trust that, then you are basically saying that every company with a guest network has a major problem. I agree that this requires tight control over (access to) the configuration of the switches, but that is just common sense.
    • Most importantly: the whole point of wanting to bridge the WAN to the VLAN in the pfSense box is to be able to filter it! Others would implement this by connecting the WAN directly to a switch port which is mapped to the VLAN and go from there.
      This is what I do not want to do, and I am avoiding this by having pfSense filter the bridge transparently! The provider gives the STBs an address in a private range, so this is already a good start for filtering (more is to be done for sure).
      I should have been more clear on this earlier: unrouted (or un-NAT-ed) is not the same as unfiltered.

    So yes, I do share your anxiety over freely distributing unfiltered WAN on internal infrastructure, but that is not what I am doing here.

    Before I distribute the WAN I would put all STBs in a suitable place and route the outputs (HDMI?) through my network. It's simple if you'll only have 1080p (aka Full-HD) signals but can get tricky (or expensive) if you have 4k content.

    Agreed. I currently manage installations where AV is distributed over HDbaseT or IP so I am aware of this possibility. However, in this case there are more things to consider which make it not the ideal choice.

    One is that the STB also has the possibility to connect peripherals which make it very inconvenient to move it elsewhere. Example: the remote is RF and not IR which makes it a lot harder to extend over a network.

    Secondly, I am not distributing all the video over the network. The STBs also have their own coax cable connection to the provider. Most of the time the network connection is only used to provide interactivity, not to transmit video. The client has this infrastructure, and this approach greatly reduces the load on the network, as video only goes over the network when it is streamed "on demand".

    I hope this makes sense to you.

    That said, my problem is not yet resolved. One thing I thought of is that I am using one of the switched LAN ports on the Netgate SG-3100. I'm going to move my LAN to the OPT port and see if that changes things; I have the feeling the internal switch may be messing with the VLANs in a way I don't fully understand yet.



  • @Derelict said in WAN on VLAN or internal switch port:

    How do you run the remote control on an STB on the other side of the campus? I guess I can see an IR receiver and an emitter at the STB.

    My PVR can be controlled by an Android app over IP, though it involves working through a server at the provider.



  • @Derelict said in WAN on VLAN or internal switch port:

    How do you run the remote control on an STB on the other side of the campus?

    That's easy, lots of IR/serial over-IP solutions available. Or a dedicated control system that sends IR/serial/IP/... to the device and is remotely controlled itself (by whatever suits the application). Figuring that out and implementing it is part of my job.



  • @thomas_n said in WAN on VLAN or internal switch port:

    ... the STB ... connect peripherals ... remote is RF and not IR

    Agreed, makes it harder. Not impossible. ;-)

    @thomas_n said in WAN on VLAN or internal switch port:

    The STBs also have their own coax cable connection to the provider.

    What kind of a wired STB is that?

    • needs directly attached IP connection to provider
    • has Coax run as primary source
    • controlled by RF remote
    • interactive with locally connected equipment (USB?)

    That's either consumer stuff or not primarily built for such a use case.

    @thomas_n said in WAN on VLAN or internal switch port:

    Most of the time the network connection is only used to provide interactivity, not transmit video. ... reduces the load on the network...

    Agreed, we oftentimes face situations where AV shall go over existing IP infrastructure. When communicating bandwidth requirements to IT, their jaws drop and they need to upgrade their stuff. Then projects get delayed for weeks/months at best.
    Someone tell me the benefit of AV-over-(existing)-IP instead of using dedicated infrastructure...



  • @JKnott said in WAN on VLAN or internal switch port:

    My PVR can be controlled by an Android app over IP, though it involves working through a server at the provider.

    • "my PVR" is consumer
    • "an Android App" isn't available in a boardroom or company lounge or huddle space, that's on a personal device usually.
    • "server at the provider" is an absolute no-go for commercial installs in Europe.

    So how does your consumer PVR fit in here?



  • @jahonix said in WAN on VLAN or internal switch port:

    That's either consumer stuff or not primarily built for such a use case.

    It is - this project is a large residential installation.

    Someone tell me the benefit of AV-over-(existing)-IP instead of using dedicated infrastructure...

    In new installs which have been built for it it can result in a lot of flexibility. But not so much for brownfields, for all of the reasons you have mentioned.

    The discussion is interesting but getting quite OT from my original question. ☺

    Thomas


  • LAYER 8 Netgate

    @JKnott That won't scale to, say, a hotel.



  • @Derelict said in WAN on VLAN or internal switch port:

    @JKnott That won't scale to, say, a hotel.

    Agreed; here (Belgium) providers have bespoke solutions for these cases with about 10+ screens. But this is not my current use case, so for me @JKnott's remarks still hold true.



  • For the record and for people facing the same question: I have solved this issue.

    I use the Netgate SG-3100, and the switch, which is configured as the LAN by default, added another layer of complexity which made things difficult. So, I changed the OPT1 and LAN assignments, so now I have my LAN on a single port out of the device.

    On this LAN I created a VLAN and bridged this with the WAN. That way (filtered) bridging works out of the box, so now I have my filtered WAN on a VLAN distributed in my infrastructure.

    (PS. Yes, I am aware of potential security risks, but as you will find in this thread, I have considered and weighed these before proceeding.)

    Thomas
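  • The setup Thomas ends up with (VLAN on the single LAN port, bridged with the physical WAN, filtered on the bridge members), as an added example that is not part of the thread and not pfSense's or Netgate's own code: a FreeBSD shell script doing by hand what the pfSense GUI does under Interfaces > VLANs, Interfaces > Bridges, System > Advanced > System Tunables and Firewall > Rules. The interface names mvneta0/mvneta1, VLAN tag 200 and the STB range 10.0.0.0/8 are assumptions, not values from the thread; the pf rules are one possible "only what the STBs need" policy, not the provider's requirements.

```shell
#!/bin/sh
# Added example, not from the thread: what "VLAN on LAN bridged with WAN,
# filtered on the members" boils down to on FreeBSD/pfSense.
# All interface names, the VLAN tag and the STB address range below are
# ASSUMPTIONS; set them to match your box before running with "apply".
WAN_IF="${WAN_IF:-mvneta0}"      # assumption: physical WAN port
LAN_IF="${LAN_IF:-mvneta1}"      # assumption: single LAN port (not the built-in switch)
VLAN_ID="${VLAN_ID:-200}"        # VLAN carrying the bridged WAN on the trunk
STB_NET="${STB_NET:-10.0.0.0/8}" # assumption: private range the provider hands to STBs
DRY_RUN="${DRY_RUN:-0}"          # 1 = print the commands instead of running them

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

vlan_if() { printf 'vlan%s' "$VLAN_ID"; }

# Create the VLAN sub-interface on LAN and bridge it with the physical WAN.
build_bridge() {
    run ifconfig "$(vlan_if)" create vlan "$VLAN_ID" vlandev "$LAN_IF"
    run ifconfig "$(vlan_if)" up
    run ifconfig bridge0 create
    run ifconfig bridge0 addm "$WAN_IF" addm "$(vlan_if)" up
    # Filter on the member interfaces (WAN and the VLAN), not on bridge0,
    # so pf rules bound to the VLAN interface see every frame crossing it.
    run sysctl net.link.bridge.pfil_member=1
    run sysctl net.link.bridge.pfil_bridge=0
    # Caveat: with pfil_onlyip=1 (the default) pf only sees IP; ARP and any
    # other non-IP frames from the provider cross the bridge unfiltered.
    run sysctl net.link.bridge.pfil_onlyip=1
}

# pf rules for the bridged members: default deny, then only what STBs need.
pf_rules() {
    cat <<EOF
vlan_if = "$(vlan_if)"
wan_if  = "$WAN_IF"
stb_net = "$STB_NET"
set state-policy floating
block in log all
# STBs may request a lease from the provider's DHCP server on the WAN side
pass in quick on \$vlan_if inet proto udp from port 68 to 255.255.255.255 port 67
# STBs holding a provider address may talk out through the bridge
pass in quick on \$vlan_if inet from \$stb_net to any
# Nothing else on the facility VLAN reaches the WAN segment
block in quick on \$vlan_if
# Provider side: DHCP offers and traffic addressed to the STB range may enter the VLAN
pass in quick on \$wan_if inet proto udp from port 67 to port 68
pass in quick on \$wan_if inet from any to \$stb_net
EOF
}

case "${1:-}" in
    show)  DRY_RUN=1; build_bridge; pf_rules ;;
    apply) build_bridge; pf_rules > /etc/pf.bridge.conf; pfctl -f /etc/pf.bridge.conf ;;
esac
```

    Run it as `sh bridge-vlan.sh show` first: it prints the ifconfig/sysctl commands and the rule set so they can be reviewed before `apply`. On pfSense itself, do not load rules with pfctl by hand (pfSense regenerates its ruleset); put the equivalent rules on the VLAN interface's and WAN's tabs under Firewall > Rules and leave pfil_member=1 / pfil_bridge=0 as they are by default. The point the script makes explicit: the rules live on the members, the VLAN is default-deny, and the pfil_onlyip tunable means pf never sees the non-IP frames that cross the bridge.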

