Tagging Of Multiple VLANs
-
I have 4 different VLANs that I want to run off of the same pfSense interface. Two of the VLANs are wired devices and the two other VLANs are coming from a wireless access point. The VLANs are as follows:
vl165 - Guest Wifi (wireless devices)
vl166 - One VOIP phone (wired device)
vl167 - One cell phone signal booster (wired device)
vl168 - Media streaming devices (wireless devices)
I have the VLANs, interfaces, DHCP servers, NAT and firewall rules properly configured in pfSense, and the Unifi access point configured with 2 different SSIDs for vl165 and vl168.
The NIC card in pfSense is a 4 port NIC. EM1 is dedicated for use solely with the VLANs and is plugged into port 2 of a 24 port D-Link switch. The devices enter the switch as follows:
vl165 & vl168 - the VLANs are tagged by a single wireless AP and enter port 13 of the switch
vl166 - device is plugged into port 5 in the switch
vl167 - device is plugged into port 6 in the switch
I've bootstrapped my way through getting all of the tagging set up on my switch to the point where the devices are getting the correct IP address assigned to them and can access the internet. However, my knowledge of VLANs is very limited and I would appreciate it if someone could look over the following and let me know if what I have done is correct and within best practices. And if not, what I should do to get it right. Here is how I have the VLANs tagged in the switch so far:
vl165 - Untagged, none; Tagged, ports 2, 13
vl166 - Untagged, port 5; Tagged, port 2
vl167 - Untagged, port 6; Tagged, port 2
vl168 - Untagged, none; Tagged, ports 2, 13
Ports 2, 7, 8 have a PVID of 1.
Port 13 has a PVID of 163. (The wifi access point connected to this port has an additional untagged SSID to which trusted devices can connect to our 163 network.)
Thanks for helping me confirm that I worked my way through all of this correctly.
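The switch table above, run through a small 802.1Q forwarding model. This is an added example, not code from the thread or from pfSense/D-Link: it applies the standard ingress rule (an untagged frame takes the ingress port's PVID; a tagged frame is dropped unless the port is a member of that VLAN) and the standard egress rule (sent tagged on tagged member ports, untagged on untagged member ports) to the ports and VLAN IDs in the post. Two things are assumptions because the post does not state them: that ports 5 and 6 have PVIDs 166 and 167 (the normal setting for an untagged access port), and that the PVID-1 ports 2, 7 and 8 are untagged members of the default VLAN 1 (the factory state on most switches). Port 4 as the untagged vl163 uplink to EM3 is taken from the follow-up reply.

```python
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Port:
    """One switch port: its PVID and the VLANs it carries tagged/untagged."""
    pvid: int
    tagged: set[int] = field(default_factory=set)
    untagged: set[int] = field(default_factory=set)

    def members(self) -> set[int]:
        return self.tagged | self.untagged


class Switch:
    def __init__(self, ports: dict[int, Port]):
        self.ports = ports

    def forward(self, ingress: int, vid: int | None = None) -> dict[int, str]:
        """Where does a frame arriving on `ingress` go, and how?

        vid=None means the frame arrived untagged and is assigned the PVID.
        A tagged frame whose VID the ingress port does not carry is dropped
        (ingress filtering; some switches let you disable this, in which
        case such a frame would be forwarded anyway)."""
        p = self.ports[ingress]
        if vid is None:
            vid = p.pvid
        elif vid not in p.members():
            return {}
        out: dict[int, str] = {}
        for num, q in self.ports.items():
            if num == ingress:
                continue
            if vid in q.tagged:
                out[num] = "tagged"
            elif vid in q.untagged:
                out[num] = "untagged"
        return out


def build_switch() -> Switch:
    """The poster's VLAN table. Assumed (not in the post): PVID 166/167 on
    ports 5/6, and ports 2, 7, 8 as untagged members of default VLAN 1."""
    return Switch({
        2:  Port(pvid=1,   untagged={1}, tagged={165, 166, 167, 168}),  # pfSense EM1
        4:  Port(pvid=163, untagged={163}),                             # pfSense EM3
        5:  Port(pvid=166, untagged={166}),                             # VOIP phone
        6:  Port(pvid=167, untagged={167}),                             # cell booster
        7:  Port(pvid=1,   untagged={1}),                               # unused, PVID 1
        8:  Port(pvid=1,   untagged={1}),                               # unused, PVID 1
        13: Port(pvid=163, untagged={163}, tagged={165, 168}),          # UniFi AP
    })


def run_checks(sw: Switch) -> dict[str, bool]:
    """The questions the post asks, answered by the model."""
    return {
        # access ports reach the router only as tagged frames on the trunk
        "voip_to_pfsense_tagged": sw.forward(5) == {2: "tagged"},
        "booster_to_pfsense_tagged": sw.forward(6) == {2: "tagged"},
        # AP: tagged 165/168 SSIDs go to the trunk, untagged SSID lands in 163
        "guest_wifi_to_pfsense": sw.forward(13, 165) == {2: "tagged"},
        "media_wifi_to_pfsense": sw.forward(13, 168) == {2: "tagged"},
        "trusted_ssid_to_em3": sw.forward(13) == {4: "untagged"},
        # layer-2 isolation between the access VLANs (routing is pfSense's job)
        "voip_isolated_from_ap": 13 not in sw.forward(5),
        "ap_cannot_inject_voip_tag": sw.forward(13, 166) == {},
        # the caveat: untagged frames from the trunk fall into the default
        # VLAN and come out on whatever else sits in VLAN 1
        "trunk_untagged_hits_ports_7_8": sw.forward(2) == {7: "untagged", 8: "untagged"},
    }


if __name__ == "__main__":
    for name, ok in run_checks(build_switch()).items():
        print(f"{'ok ' if ok else 'BAD'} {name}")
```

The first seven checks confirm the tagging in the post does what was intended. The last one is the practitioner's caveat: anything untagged that pfSense emits on EM1, or that is plugged into ports 7 or 8, shares VLAN 1 with the trunk port, so either those ports should be moved out of VLAN 1 or the trunk's PVID should point at a VLAN that carries nothing.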
-
At first glance it looks fine.
Did you set your port 13 to untagged Vlan163?
-
@bingo600 Thanks for taking a look at this for me. It's very reassuring to have a set of knowledgeable eyes on my work.
You are correct, port 13 is tagged in the vl163 network on the switch as untagged. The wifi access point (port 13) has a dedicated SSID for the 163 network which is untagged. There are other ports as well in the vl163 network on the switch which are all untagged. Including port 4 which plugs into pfSense on EM3 of the NIC which is dedicated to the trusted 163 network. There are no tagged ports on the switch for vl163. I should note that pfSense does not have the 163 network setup as a VLAN. It is a physical network on a dedicated interface (EM3).
-
That sounds fine ...
The EM3 as untagged in Vlan163 on the switch.
Are you doing AP mgmt via vl163 too?
-
@bingo600 Yes, all the management of the network is done from the 163 network. The only things connected to the 163 network are a Microsoft AD server and trusted computers in that AD domain. There is an additional physical 160 network set up just like the 163 network (physical ports on the switch and wifi) with the exception that it connects to pfSense on EM1 and it has port 13 assigned to it as a tagged port. There is an additional tagged SSID on the access point for devices to connect to the 160 network. This is also a dedicated interface with no other networks. It has various trusted devices, laptops, phones, tablets etc. that should not access the other networks. Those devices connect either by ethernet or wireless.
Every network (physical or vlan) has firewall rules that reject access to RFC1918 networks with the exception of a few select devices on the 163 network that are used to manage the full network.