Tagged/untagged VLAN creation and pfSense


  • Hello pfSense guys!

    I need some opinions about how to partition my network; I use two pfSense boxes, one for the shaper and another for proxy/NAT, and it's working fine. But now I'd like to segment my network into some VLANs, so that the laboratories cannot see the administrative computers.

    I'd like to use a layer 3 switch, since I cannot use pfSense VLANs because it still can't shape properly using more than 2 interfaces in version 1.2.

    So I have a 3Com Baseline Switch 2226-SFP Plus, and it works by setting ports as tagged or untagged. I have done some tests, but have not yet got this to work: I need my pfSense LAN interface to be visible on all VLANs, and I don't know how to do that; this is what I'd like:

    -----------
    | pfSense |  (seen from all VLANs)
    -----------
         |
    ------------                ------------
    | 3Com SW1 |--------------->| 3Com SW2 |---------> LAB1 (VLAN 2)
    ------------                ------------
         |                            |
         -> Administrative PCs        --------> LAB2 (VLAN 2 or VLAN 3)
            (VLAN 1)

    Sorry for the poor illustration, but SW1 and SW2 are the same 2226 model, which can manage VLANs; the question is, how can I create a separate VLAN for my labs?

    How can I make pfSense visible in all my VLANs using a tagged/untagged switch?

    I hope you can understand this; if you need any more information, please ask.

    Thanks in advance.

    Srs  ;)


  • @http://forum.pfsense.org/index.php/topic:

    If it's just about making sure that the two clients cannot see each other, you can do that on the switch itself without going through pfSense.

    3 VLANs.

    VLAN999, pfSense
    VLAN100, users1
    VLAN200, users2

    VLAN999 member of all ports.
    VLAN100 member of users1 port and pfsense port
    VLAN200 member of users2 port and pfsense port

    pfSense PVID: 999
    users1 PVID: 100
    users2 PVID: 200


  • Thanks for your reply, Gruens

    But first I'd like to ask you: what's PVID (would that be the VLAN ID?)?

    When I'm creating a new VLAN on the 3Com switch I must first set its ID; I have used the same number as the port, e.g. VLAN 1 (port 1), ID 1.

    Another question is: my switch works on the tagged/untagged concept, and I can't make it work; for example, I have done this test:

    port 9: PC 1 (VLAN 9)
    port 20: pfSense (VLAN 20)

    As far as I understood, I've done:
    VLAN 9:
    port 9 untagged (a port should be untagged in only one VLAN, so now that port belongs to this VLAN)
    port 20 tagged (as far as I understand, this is how I can share one port with multiple VLANs)

    VLAN 20:
    port 9 tagged
    port 20 untagged
    other ports on the switch tagged (share this port with all other PCs, as this is the pfSense one)

    but that doesn't work, and I can't share pfSense with all other ports and port 9 at the same time.

    Any help will be welcome.

    Thanks


  • I have a few of these (or similar) 3Com switches and as far as I can tell they can't do this. A port can be either tagged or untagged, and untagged ports can only be a member of one VLAN. I've seen a lot of other similar switches that behave the same way.

    You will probably have to do routing between the VLANs at the pfSense box.
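The following model of 802.1Q port handling is an added example, not code from the thread or from pfSense. It models Gruens' overlapping untagged membership (sold by some vendors as "asymmetric VLANs"), the test srs ran on the 3Com, and the tagged-uplink alternative. The port names and VIDs are taken from the posts; the rule that a port can be an untagged member of only one VLAN is the 3Com limitation ktims describes, written as a check; the frames are constructed.

```python
"""Toy model of 802.1Q port VLAN handling: PVID on ingress, per-VLAN egress
membership, ingress filtering of tagged frames.

Added example, not from the thread. Port names, VIDs and the "one untagged
VLAN per port" restriction are assumptions taken from the posts above.
"""
from dataclasses import dataclass

UNTAGGED, TAGGED = "untagged", "tagged"


@dataclass
class Switch:
    pvid: dict        # port -> VID assigned to untagged frames arriving on it
    members: dict     # vid -> {port: UNTAGGED | TAGGED} (egress membership)
    ingress_filtering: bool = True  # drop tagged frames for VLANs the port is not in

    def classify(self, port, tag):
        """VID a frame arriving on `port` is assigned to, or None if dropped."""
        if tag is None:
            return self.pvid[port]
        if self.ingress_filtering and port not in self.members.get(tag, {}):
            return None
        return tag

    def forward(self, in_port, tag=None):
        """Flood one frame: {egress_port: VID it leaves tagged with, or None}."""
        vid = self.classify(in_port, tag)
        if vid is None:
            return {}
        return {p: (vid if mode == TAGGED else None)
                for p, mode in self.members.get(vid, {}).items() if p != in_port}


def delivered(sw, src, dst, tag=None, dst_speaks_dot1q=False):
    """True if a frame from src is usable by the host on dst. A plain PC, or
    pfSense's untagged LAN interface, drops frames that still carry a tag."""
    out = sw.forward(src, tag)
    return dst in out and (out[dst] is None or dst_speaks_dot1q)


def fits_one_untagged_vlan_per_port(members):
    """The restriction ktims reports for the 3Com: a port may be an untagged
    member of at most one VLAN."""
    seen = {}
    for vid, ports in members.items():
        for port, mode in ports.items():
            if mode == UNTAGGED and seen.setdefault(port, vid) != vid:
                return False
    return True


def gruens_setup():
    """Gruens' layout: pfSense untagged in every VLAN, each user port only in
    its own VLAN plus the shared one. Needs a switch that allows a port to be
    untagged in several VLANs."""
    return Switch(
        pvid={"pfsense": 999, "users1": 100, "users2": 200},
        members={
            999: {"pfsense": UNTAGGED, "users1": UNTAGGED, "users2": UNTAGGED},
            100: {"pfsense": UNTAGGED, "users1": UNTAGGED},
            200: {"pfsense": UNTAGGED, "users2": UNTAGGED},
        })


def srs_3com_test():
    """srs' test: port 9 untagged in VLAN 9 and tagged in 20, port 20 untagged
    in VLAN 20 and tagged in 9."""
    return Switch(
        pvid={"port9": 9, "port20": 20},
        members={
            9: {"port9": UNTAGGED, "port20": TAGGED},
            20: {"port20": UNTAGGED, "port9": TAGGED},
        })


def tagged_uplink(ingress_filtering=True):
    """The routed alternative: the pfSense port is a tagged member of both lab
    VLANs and pfSense runs a VLAN interface per VID; admin PCs stay untagged."""
    return Switch(
        pvid={"pfsense": 1, "admin": 1, "lab1": 2, "lab2": 3},
        members={
            1: {"pfsense": UNTAGGED, "admin": UNTAGGED},
            2: {"pfsense": TAGGED, "lab1": UNTAGGED},
            3: {"pfsense": TAGGED, "lab2": UNTAGGED},
        },
        ingress_filtering=ingress_filtering)


if __name__ == "__main__":
    g = gruens_setup()
    print("Gruens users1->pfsense:", delivered(g, "users1", "pfsense"))        # True
    print("Gruens users1->users2 :", delivered(g, "users1", "users2"))         # False
    print("Gruens fits the 3Com? :", fits_one_untagged_vlan_per_port(g.members))  # False
    s = srs_3com_test()
    print("3Com port9->port20    :", delivered(s, "port9", "port20"))          # False, arrives tagged
    print("3Com same, pfSense with a VLAN 9 interface:",
          delivered(s, "port9", "port20", dst_speaks_dot1q=True))              # True
    t = tagged_uplink()
    print("trunk pfsense(vid 2)->lab1:", delivered(t, "pfsense", "lab1", tag=2))   # True
    print("trunk lab1 forging tag 3 ->lab2:", delivered(t, "lab1", "lab2", tag=3))  # False
    print("  same without ingress filtering:",
          delivered(tagged_uplink(False), "lab1", "lab2", tag=3))                 # True
```

Two things to take from it: Gruens' layout fails the one-untagged-VLAN-per-port check, which is why srs' attempt cannot reproduce it on the 3Com (the frames reach the pfSense port, but tagged, and an untagged LAN interface discards them). In the tagged-uplink layout, isolation between the lab VLANs depends on the switch dropping tagged frames a user port injects for a VLAN it is not a member of (ingress filtering); with that off, a lab PC that forges a tag reaches the other lab. That is worth verifying on whatever switch replaces the 3Com.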


  • Are you sure?  :o

    What you are telling me is that I should add a 3rd NIC to my pfSense box and plug it into my new VLAN (and one NIC per VLAN)??? But as my pfSense facing the LAN is my shaper box, I can't add a 3rd NIC, or the shaper stops working (pfSense 1.2), isn't it?

    thanks in advance


  • Just make the connection to pfSense tagged and use virtual VLAN interfaces. In that case you will indeed be unable to use the traffic shaper on both LANs, as far as I know.

    I don't think there's a way to do what you want without routing if your switch can't do the segmentation Gruens describes (which personally, as a purist, I take some issue with - but it's a generally accepted setup).


  • Thanks for your reply; unfortunately I can't stop using the traffic shaper, so I'll have to wait for the upcoming version 2.0 that will shape more than two interfaces, since I can't do the VLAN trick using only my switch, which I suspected I could.

    If any of you have any other information, I'll be glad. Thanks


  • Does anybody know if alpha 2.0 has the new shaper that can handle more than 2 interfaces?

    I need to know before I go replacing the firewall with pfSense…


  • I have one more question: let's say that I create three VLANs on this 3Com switch; will every VLAN work as if it were a separate switch?? If this is true, and VLAN 1 is pfSense, can't I use an uplink cable to link VLAN 1 (pfSense) with VLAN 2 and another uplink from VLAN 1 to VLAN 3???

    thanks


  • @srs:

    I have one more question: let's say that I create three VLANs on this 3Com switch; will every VLAN work as if it were a separate switch?? If this is true, and VLAN 1 is pfSense, can't I use an uplink cable to link VLAN 1 (pfSense) with VLAN 2 and another uplink from VLAN 1 to VLAN 3???

    thanks

    Well, technically yes, but then what's the point of having the VLANs at all? You've just gone and combined them into one broadcast domain; you may as well just use a dumb switch instead. pfSense can read the VLAN tags, so if you want all the VLANs accessible to pfSense, just set that port as a tagged port and make it a member of all the VLANs you're interested in. Then you can use the pfSense VLAN interfaces to connect to them.
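What "pfSense can read the VLAN tags" means at the frame level, as an added example that is not part of the thread or of pfSense: the 802.1Q tag is four bytes inserted after the source MAC, and a tagged port delivers each frame to the VLAN interface for its VID. The frames below are constructed, and the mapping of VIDs to interface names (VID 2 -> "lab1", VID 3 -> "lab2", untagged -> the parent "lan") is an assumption for illustration, not pfSense's naming or configuration.

```python
"""Build and parse 802.1Q-tagged Ethernet frames and pick the interface a
tagged pfSense port would hand them to.

Added example, not from the thread. Sample frames are constructed; the
VID -> interface mapping is assumed for illustration.
"""
import struct

ETHERTYPE_VLAN = 0x8100   # TPID: "an 802.1Q tag follows"
ETHERTYPE_ARP = 0x0806
ETHERTYPE_IPV4 = 0x0800


def build_frame(dst, src, ethertype, payload):
    """Untagged Ethernet II frame: dst MAC, src MAC, EtherType, payload."""
    if len(dst) != 6 or len(src) != 6:
        raise ValueError("MAC addresses are 6 bytes")
    return dst + src + struct.pack("!H", ethertype) + payload


def push_tag(frame, vid, pcp=0, dei=0):
    """Insert an 802.1Q tag after the source MAC, as a tagged switch port does
    on egress. Calling it twice yields a double-tagged (QinQ-style) frame."""
    if not 0 <= vid <= 4094:
        raise ValueError("VID must be in 0..4094")
    tci = (pcp << 13) | (dei << 12) | vid   # PCP(3) | DEI(1) | VID(12)
    return frame[:12] + struct.pack("!HH", ETHERTYPE_VLAN, tci) + frame[12:]


def parse_frame(frame):
    """Return (dst, src, vid or None, ethertype, payload), reading only the
    outermost tag. If an inner tag exists, `ethertype` is 0x8100 and the
    inner tag is left at the start of `payload`."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    vid, off = None, 14
    if ethertype == ETHERTYPE_VLAN:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q header")
        tci, ethertype = struct.unpack_from("!HH", frame, 14)
        vid, off = tci & 0x0FFF, 18
    return dst, src, vid, ethertype, frame[off:]


def demux(frame, parent, vlan_ifaces):
    """Interface that should receive `frame` on a tagged port: untagged
    frames belong to the parent interface, tagged ones to the VLAN interface
    configured for that VID; tagged frames for an unconfigured VID are
    dropped (None)."""
    _, _, vid, _, _ = parse_frame(frame)
    if vid is None:
        return parent
    return vlan_ifaces.get(vid)


if __name__ == "__main__":
    # Constructed sample: broadcast ARP-like frame from a made-up MAC.
    DST = b"\xff" * 6
    SRC = bytes.fromhex("001122334455")
    IFACES = {2: "lab1", 3: "lab2"}          # assumed VID -> interface mapping
    plain = build_frame(DST, SRC, ETHERTYPE_ARP, b"arp-body")
    for label, f in [("untagged", plain),
                     ("VID 2", push_tag(plain, 2)),
                     ("VID 9 (not configured)", push_tag(plain, 9)),
                     ("double tag, 2 outside 3", push_tag(push_tag(plain, 3), 2))]:
        print(f"{label:24} -> {demux(f, 'lan', IFACES)}")
    # untagged -> lan, VID 2 -> lab1, VID 9 -> None, double tag -> lab1
```

The double-tagged case shows why the outer tag alone decides the interface: the inner tag stays inside the payload handed to "lab1", so a station cannot reach VLAN 3 by nesting a tag unless some device along the path strips the outer one first.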


  • @ktims:

    @srs:

    I have one more question: let's say that I create three VLANs on this 3Com switch; will every VLAN work as if it were a separate switch?? If this is true, and VLAN 1 is pfSense, can't I use an uplink cable to link VLAN 1 (pfSense) with VLAN 2 and another uplink from VLAN 1 to VLAN 3???

    thanks

    Well, technically yes, but then what's the point of having the VLANs at all? You've just gone and combined them into one broadcast domain; you may as well just use a dumb switch instead. pfSense can read the VLAN tags, so if you want all the VLANs accessible to pfSense, just set that port as a tagged port and make it a member of all the VLANs you're interested in. Then you can use the pfSense VLAN interfaces to connect to them.

    I wouldn't mind using pfSense VLAN interfaces; the problem is that my pfSense facing the LAN is also using the shaper, and I cannot have more than two NICs in this box… this is why I'm trying to use 'other' solutions... but thanks anyway.


  • In that case your only choice, as far as I know, is to have only one LAN segment anyway. VLANs will serve no purpose for you if your end goal is to get back to one segment so you can use the traffic shaper. Some switches will allow you to make the pfSense box a member of multiple untagged VLANs, which will let you segregate the client machines without actually using VLAN tagging, but I have several 3Com 3226 switches and they're not capable of this as far as I can tell, so I'd assume the same is true of yours. That leaves you two options: either forget the traffic shaper and use tagged VLANs, or forget client segregation and put all the clients on the same VLAN.


  • That's the point, I really can't turn off my traffic shaper or our students would use 100% of the bandwidth in the laboratories.

    Do you know any 3Com switch that can make pfSense visible in more than one VLAN? Or which one would do that, and what features should I look for in a new switch if I want to buy one?? Do you know the Cisco SRW2024P 24-port?

    thanks