    How to assign same vlan tag with different network segment on two ports

    L2/Switching/VLANs
    • P
      pwang99 last edited by

      We are going to migrate from the Sonicwall firewall to the Netgate 7100. On the Sonicwall firewall, there are two physical ports (X0 and X4) marked as EMP and GUEST. And the phone company created a vlan called VOIP, tagged 11, on both GUEST's and EMP's sub-interfaces as X0:V11 and X4:V11, and assigned a different network segment on each. On Netgate, I created vlans GUEST, EMP and VOIP; and EMP has been assigned to ETH2 and GUEST has been assigned to ETH3 on the Netgate 7100. I can assign the VOIP vlan to both ports (ETH2 and ETH3). But how can I create a different network segment for the VOIP on both ports?

      • johnpoz
        johnpoz LAYER 8 Global Moderator @pwang99 last edited by johnpoz

        @pwang99 said in How to assign same vlan tag with different network segment on two ports:

        assigned a different network segment on each

        You mean tagged vlan with ID 11, is 2 different networks? That is borked.. You would not ever do that..

        If you want 2 different L3 networks. 192.168.X/24 and 192.168.Y/24 for example. Those on the same switch shouldn't use the same vlan ID..

        The vlan isolates traffic at layer 2.. Using 2 different L3 networks on the same L2 doesn't provide for isolation..

        If you want ports on the same vlan on the 7100, use the switch ports. And then sure you can put as many ports as you have in the same vlan..

        • P
          pwang99 @johnpoz last edited by

          @johnpoz Thank you! Totally agree with you. In theory, it should not be configured this way.
          On the Netgate 7100, can I configure it this way?

          ETH2 – EMP (192.168.1.0/24)
          --> ETH2:V11 (ETH2’s sub-interface with vlan tag 11 and with 192.168.11.0/24)

          ETH3 -- GUEST (10.10.1.0/24)
          --> ETH3:V11 (ETH3’s sub-interface with vlan tag 11 and with 10.10.11.0/24)

          There will be physical separate switches connecting with each port of ETH1 & ETH2.

          Please note, we hope that we can keep the vlan tag 11 due to the tons of VOIP phones attached.

          • bingo600
            bingo600 @pwang99 last edited by

            @pwang99

            IMHO - Not a good idea.

            When the 7100 receives a packet tagged with VL11 , which of the two configured interfaces is it supposed to put the packet on ?

            /Bingo

            • P
              pwang99 @bingo600 last edited by

              @bingo600 Thank you! I know that it is not a good idea. This configuration has been made on the SonicWall firewall. I just want to copy the same configuration into Netgate. The phone system is cloud based. So both interfaces (ETH2 and ETH3) receive the VOIP (VL11) packets, which will be forwarded to a PBX on the internet.

              • Derelict
                Derelict LAYER 8 Netgate @pwang99 last edited by Derelict

                @pwang99 No, you cannot do that because you can only tag VLAN 11 on lagg0 to the built-in switch once. You can only assign VLAN 11 on lagg0 (lagg0.11) to one pfSense interface.

                There is probably a better, more compliant way to accomplish what you look to do. Maybe this is a good time to re-design the network properly?

                • P
                  pwang99 @Derelict last edited by

                  @derelict Thank you! Much appreciated!!!

                  • bingo600
                    bingo600 last edited by

                    I agree w. Derelict about maybe redesigning the network.

                    But if all you need is a VL11 that serves two IP networks at the same time,
                    I would look into using a single interface with "the most important IP LAN as the interface ip/mask", and then use a VIP (Firewall -> Virtual IP Address) as the 2nd LAN IP address/mask.

                    If you are handing out DHCP addresses on "both LANs", be prepared for issues, and even "not possible".

                    Maybe there are other issues lurking, but I think VIP is the "cleanest" way to do a "dirty thing".

                    /Bingo

                    • P
                      pwang99 @bingo600 last edited by

                      @bingo600 Thank you! Ya... We have to assign IPs to those IP phones on both vlan 11s...

                      • bingo600
                        bingo600 @pwang99 last edited by bingo600

                        @pwang99

                        You could also connect an untagged (no VLAN) pfSense interface to a switchport that is already a member of VL11,
                        and get two IP LANs that way, but I think the VIP is "cleaner".

                        The untagged way might enable you to give out DHCP from both LANs.
                        But it would be a "lottery" which LAN range a phone gets its DHCP IP from.

                        And it would probably haunt you until you redesign the setup.

                        /Bingo

                        • P
                          pwang99 @bingo600 last edited by

                          @bingo600 Thanks... Both vlan11 are a sub-interface of eth2 (EMP vlan) and eth3 (GUEST vlan), so I think it must be tagged.

                          • bingo600
                            bingo600 @pwang99 last edited by bingo600

                            @pwang99

                            Ahh, I didn't fully understand (read) the setup until now.

                            So you get 2 different lines in from the phone company, and both lines carry phone traffic tagged in VL11.

                            For that I would get two small VLAN-capable switches and connect an incoming tagged (trunk, in Cisco language) ISP input interface on each.
                            Do NOT connect the two switches together.

                            Then I would split out VL11 on both switches to an untagged "phone" switchport that is a member of VL11. That would "get rid of the VL tagging" and convert it to untagged/normal ethernet.

                            Now that the "phone" switchport on each switch is a "normal untagged" ethernet port, that port can be connected directly to a pfSense ethernet interface that has the corresponding LAN ip/mask.

                            You could do it with just one little switch for splitting out (untagging) just one of the phone VL11's, and run the other tagged VL11 into the pfSense.
                            But if I had the interfaces available in the 7100, I'd prob. untag both phone VL11's, to get consistency in my setup.

                            Is any other traffic carried on those ISP links ??

                            /Bingo

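The three layouts discussed in this thread (separate router ports as on the SonicWall, ETH2/ETH3 as switch ports behind lagg0 as Derelict describes for the 7100, and bingo600's two-switch untagging) can be modelled with a few lines of code. The following is an added example, not code from the thread or from pfSense: it parses 802.1Q-tagged Ethernet frames and keeps one IP network per (ingress port, VLAN ID) pair. The `port_alias` map that folds ETH2 and ETH3 onto `lagg0` is an assumption drawn from Derelict's post; `IF_A`/`IF_B` are hypothetical interface names, the MAC addresses and IPv4 headers are constructed sample data.

```python
"""802.1Q frame parsing and a (port, VID) -> IP network lookup, used to compare
three layouts: separate router ports, switch ports sharing one trunk (lagg0),
and a switch that untags VLAN 11 on each line before it reaches the firewall."""
import struct
from ipaddress import IPv4Address, ip_network

ETHERTYPE_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800
ZERO_MAC = bytes(6)  # constructed placeholder MAC for the sample frames

def build_frame(dst_mac, src_mac, vid, ethertype, payload):
    """Ethernet II frame; an 802.1Q tag (PCP 0, DEI 0) is inserted when vid is set."""
    hdr = dst_mac + src_mac
    if vid is not None:
        if not 0 <= vid <= 4095:
            raise ValueError("VID out of range")
        hdr += struct.pack("!HH", ETHERTYPE_8021Q, vid)
    return hdr + struct.pack("!H", ethertype) + payload

def parse_frame(frame):
    """Return (vid, ethertype, payload); vid is None for an untagged frame."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    etype = struct.unpack("!H", frame[12:14])[0]
    if etype != ETHERTYPE_8021Q:
        return None, etype, frame[14:]
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, inner = struct.unpack("!HH", frame[14:18])
    return tci & 0x0FFF, inner, frame[18:]  # low 12 bits of the TCI are the VID

def ipv4_header(src, dst):
    """Constructed 20-byte IPv4 header (no options, checksum left zero) for samples."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 17, 0,
                       IPv4Address(src).packed, IPv4Address(dst).packed)

def access_port_untag(frame):
    """Model a switch access port: strip the 802.1Q tag before forwarding."""
    _vid, etype, payload = parse_frame(frame)
    return build_frame(frame[0:6], frame[6:12], None, etype, payload)

class VlanRouter:
    """One IP network per (ingress port, VID) pair, as a router or pfSense sees it."""

    def __init__(self, port_alias=None):
        # port_alias folds front-panel ports onto a shared uplink; on the 7100 the
        # switch ports reach pfSense over lagg0 (assumption taken from the thread).
        self.alias = port_alias or {}
        self.table = {}

    def _key(self, port, vid):
        return (self.alias.get(port, port), vid)

    def assign(self, port, vid, network):
        key = self._key(port, vid)
        if key in self.table:
            raise ValueError(f"{key[0]} VLAN {vid} already carries {self.table[key]}")
        self.table[key] = ip_network(network)

    def classify(self, port, frame):
        """Return (network, source-address-belongs-to-it) for an IPv4 frame on port."""
        vid, etype, payload = parse_frame(frame)
        net = self.table.get(self._key(port, vid))
        if net is None or etype != ETHERTYPE_IPV4 or len(payload) < 20:
            return None, False
        return net, IPv4Address(payload[12:16]) in net

# One constructed VL11-tagged frame from a phone in 10.10.11.0/24.
SAMPLE = build_frame(ZERO_MAC, ZERO_MAC, 11, ETHERTYPE_IPV4,
                     ipv4_header("10.10.11.5", "10.10.11.1"))

def separate_ports_style():
    """SonicWall-like: X0 and X4 are distinct ports, so X0:V11 and X4:V11 differ."""
    r = VlanRouter()
    r.assign("X0", 11, "192.168.11.0/24")
    r.assign("X4", 11, "10.10.11.0/24")
    return r.classify("X0", SAMPLE), r.classify("X4", SAMPLE)

def netgate_7100_style():
    """ETH2 and ETH3 are switch ports behind lagg0: VLAN 11 can be assigned once."""
    r = VlanRouter(port_alias={"ETH2": "lagg0", "ETH3": "lagg0"})
    r.assign("ETH2", 11, "192.168.11.0/24")
    try:
        r.assign("ETH3", 11, "10.10.11.0/24")
    except ValueError as err:
        return str(err)
    return "unexpectedly accepted"

def two_switches_style():
    """Each line untagged by its own switch, then fed to a dedicated untagged interface."""
    r = VlanRouter()
    r.assign("IF_A", None, "192.168.11.0/24")  # IF_A / IF_B: hypothetical names
    r.assign("IF_B", None, "10.10.11.0/24")
    untagged = access_port_untag(SAMPLE)
    return parse_frame(untagged)[0], r.classify("IF_B", untagged)
```

Run `separate_ports_style()` and the same tagged frame is classified into a different network depending on which port it arrives on; `netgate_7100_style()` raises on the second assignment because both ports collapse onto `lagg0` and the lookup key becomes VID 11 alone, which is bingo600's "which interface is it supposed to put the packet on?" question in code; `two_switches_style()` shows that once each switch strips the tag, the firewall side keys on the physical interface and the tag no longer needs to be unique.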
                            • P
                              pwang99 @pwang99 last edited by

                              @pwang99 Thanks.. I am with you. But how can I assign a different network segment to the ETH2 V11 vlan and ETH3 V11 vlan? See the diagram below:

                              ETH2 – EMP (192.168.1.0/24)
                              --> ETH2:V11 (ETH2’s sub-interface with vlan tag 11 and with 192.168.11.0/24)

                              ETH3 -- GUEST (10.10.1.0/24)
                              --> ETH3:V11 (ETH3’s sub-interface with vlan tag 11 and with 10.10.11.0/24)

                              • bingo600
                                bingo600 @pwang99 last edited by

                                @pwang99
                                I'm starting to think you are a "Robot", or totally miss the point here.
                                Always the same answer.

                                How much network/switch experience do you have ?

                                /Bingo
