    All the tutorials I have seen show VLANs created on the LAN physical NIC.
    I have to have a VLAN on physical NIC OPT1.
    My pfSense box has 3 NICs: WAN, LAN, OPT1. It services two disparate offices, so the network on LAN must be different from the network on OPT1.
    Each has a Ubiquiti AP.
    So, if LAN is, the AP defaults with IP on that network, I create a VLAN for WiFi, calling it Office1 Guest. It passes through the LAN NIC.
    I do the same for the physical OPT1 NIC to service the other office (, the AP has IP on that network. Now I create a VLAN there. Will it work?

    You don't have to put the other network/VLAN you create on your LAN physical NIC - you can use your OPT1 interface for this other network, be it native (untagged) or tagged (VLAN).

  • @johnpoz Thank you! I will attempt to do this tomorrow and let you know how it goes. Thanks again.

    You can uplink from your switch whatever VLAN you're using for this other office to your OPT1 interface. Or do they have their own switching infrastructure?

  • @johnpoz I got it working! Not sure what was wrong except it was a casualty of my missteps. I removed all VLANs, removed all rules except a global passthrough for all traffic. Made sure the appliance was allowing traffic. Then I began rebuilding some firewall rules for security and passing everything through pfBlockerNG. That worked. Added 1 VLAN, set static IP, configured DHCP, and added a pass-traffic anywhere rule. It worked. Added the rest of the basic protection rules and it works splendidly. Repeated the process for another VLAN on another NIC and it works great. Based on this, it appears my fingers not being attached to my brain was the issue.
    Thanks so much for your assistance! Now I have two main networks (office 1 and office 2) with wireless VLAN (restricted to staff only and a guest VLAN). The guest VLAN is set so it will not pass traffic to anything except WAN and no appliance can see another while connected.
    Doing some more reading on specifics of this to ensure I am setting my rules correctly.

    so it will not pass traffic to anything except WAN

    You understand that is not the internet, right? That is just the WAN network; whatever IP and mask is on your WAN interface is the network you would be allowing access to...

  • @johnpoz Yes, sorry for poor communication skills on this.
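
The distinction raised in the last exchange (a destination of "WAN net" covers only the subnet on the WAN interface, not the internet) can be checked with a small first-match rule model. This is an added example, not code from the thread or from pfSense; all addresses, rule sets and names in it are constructed assumptions, with documentation ranges standing in for public space.

```python
import ipaddress

# Constructed addressing: documentation ranges stand in for public space.
WAN_NET = ipaddress.ip_network("198.51.100.0/24")   # subnet on the WAN interface
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ANY = [ipaddress.ip_network("0.0.0.0/0")]

# Each rule is (action, destination networks). First match wins, top down.
WAN_NET_ONLY = [("pass", [WAN_NET])]                  # "pass to WAN net" only
GUEST_ISOLATED = [("block", RFC1918), ("pass", ANY)]  # block private, pass the rest


def evaluate(rules, dst):
    """Return the action of the first rule whose destination covers dst."""
    addr = ipaddress.ip_address(dst)
    for action, nets in rules:
        if any(addr in net for net in nets):
            return action
    return "block"  # nothing matched: implicit default deny


def audit(rules, probes):
    """Map each probe label to the action the rule set gives it."""
    return {label: evaluate(rules, dst) for label, dst in probes.items()}


# Constructed probe destinations as seen from a guest VLAN client.
PROBES = {
    "wan_gateway": "198.51.100.1",
    "internet_host": "203.0.113.10",
    "office1_lan_host": "192.168.1.10",
    "office2_lan_host": "192.168.2.10",
}

if __name__ == "__main__":
    for name, rules in (("WAN net only", WAN_NET_ONLY),
                        ("block RFC1918, pass any", GUEST_ISOLATED)):
        print(name, audit(rules, PROBES))
```

In this model the guest clients would still need a pass rule above the block for DNS on the firewall's guest-interface address. Traffic between two guests on the same VLAN never reaches the firewall, so that isolation has to be enforced on the AP or switch.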

