A tagged VLAN on WAN, carrying the LAN traffic?
-
On the WAN port of an SG-3100, placed in my study I want to set up a tagged VLAN, carrying the (NATed private) LAN traffic back to where the internet enters my house.
At that point there's a vlan aware but otherwise very cheap and simple switch, used to siphon off that VLAN to some telemetry devices.
(This is just to avoid laying an extra cat6 cable.)Can this be done?
-
Yes!
-
Yes.
But be aware that a VLAN on WAN is a different interface to a VLAN on LAN, even if they use the same VLAN ID.
If you need it to actually carry the LAN subnet you will need to bridge it to LAN which brings with it some other potential pitfalls. If you can, create a new internal subnet and use that on the new VLAN instead.Steve
-
@bob-dig, can you say somethimg about how, or point to some manual?
-
Do you not have switch port open on the 3100, which has a built in switch..
If your going to bring in vlans via the cable into this room.. Just plug it into 1 of the switch ports.. And then break out the vlans that are on it to what you need be it your wan vlan, or other lan side vlans.
Or just get another cheap vlan capable switch.
-
Yes that's a much better solution that bridging^.
Move your WAN to a VLAN on the switched ports and untag it at the managed switch at the other end.
That's only if you require the actual LAN subnet to be available on that remote switch.Steve
-
@stephenw10 what I thought to do, at first, was to lay a new cat6 cable from LAN2 on the SG-3100 to the basement space that houses the internet connection and a telemetry server.
Then I started to think maybe a tagged VLAN on the cable from the internet connection to the SG-3100 could replace that extra cat6.An unused vlan aware switch already exists at the telemetry server location.
What I wanted to achieve was to actually have the telemetry server on the same network as the LAN in my study.
That would have simplified things a lot. -
So do that. Your sg3100 has built in switch.. Leverage to split your vlans apart you want to carry on the cable.
You can use one of the switch ports as your wan on vlan X, and then other port(s) on the switch for your telemetry vlan Y..
-
Yes. But to do that you will have to put the WAN connection down the same cable so reassign that as a VLAN on LAN and then separate it again on the remote switch.
Or I supposed you could achieve that bu connecting the WAN to LAN switch....but don't!
Steve
-
@stephenw10
I'm quite sure I don't understand what actions I'm supposed to perform here...I'm.a pfsense novice, so I'll have to fiddle around a bit and see if I can find things out before asking more questions, but two q-s for starters:
Which physical port on the sg-3100 should I connect via the existing cat6 to the internet handover point in the basement?
What (virtual?) interface should be assigned to be the WAN port of the sg-3100?
-
The process will require a number if steps.
Configure a new VLAN to use in Interfaces > Assignments > VLANs. Say VLAN 100 for example. Create it on the internal LAN interface mvneta1.
Configure the switch to pass that VLAN.
In Interfaces > Switches > VLANs first enable 802.1q VLAN mode.
Now add a new tag for VLAN 100 and add to it ports 5 (the internal port) and whichever LAN port you want to use, 1 here, as tagged members. Like this:
At the other end configure your switch to have VLAN 100 tagged on the port linked the SG-3100 and untagged on a port to use as the WAN.
Remove the native VLAN as a member of that port so untagged traffic cannot ever be passed to it.
Depending on what sort of switch that is you may need to set the PVID as 100 on the port you will use as WAN. It may be set for you when you set that port as untagged on VLAN 100.Now connect the modem to that port on the remote switch. Connect the other end of the link cable to LAN 1 on the SG-3100.
In Interfaces > Assignments re-assign WAN as mvneta1.100.As long as everything else remains unchanged the untagged traffic on mvneta1 will still be LAN and that will be passed over the link and be available at all the other ports on the remote switch.
There are quite a few things that could easily be set wrong there so I would not expect to get it right first try!
Steve
-
@stephenw10
Would this affect the routing performance of the SG-3100, compared to using the original WAN port assignment?Currently, my SG-3100 routes at near wire speed, 0.9Gb/s, in single hop iperf tests, and I really like the feeling of knowing that it does a superb job.
-
No it shouldn't your switch ports have a 2.5gbps uplink..
But keep in mind that you would be hairpinning traffic on this 1 cable for your telemetry vlan.. So if something in the far room wanted to get to the internet they would be going over this same wire twice.. ie a hairpin to get to the internet.
-
Indeed. Moving the SG-3100 to the other end of the cable also seems like an option.
Steve
-
@stephenw10 this was a very useful tutorial for me, enabling me to get my head around vlans in the sg-3100 lan switch.
Thank you!However, all my router's LAN ports are already spoken for so maybe I'll just put in another cat6 cable to the control computer.
I have a 100m unused roll of cat6.
-
Or just get a cheap vlan switch to use if you have no more ports..
