VLAN1 and the LAN
I have an installation that is working fine, just trying to improve it. I have a six-port pfSense box connected to Unifi equipment.
On the pfSense Box:
Port 1 WAN
Port 2 LAN
Ports 3,4,5 set up as a LAGG that hosts a group of VLANs such as IoT, Management, Guest etc.
Port 6 goes to another (small) physical switch used for a DMZ.
First question, I have assigned the LAN to its own VLAN; is there any advantage to this as it has its own physical interface?
Secondly, I am trying to control VLAN1 as it is required for adoption of new devices on the Unifi network. Consequently, VLAN1 is assigned to the same physical port as the LAN (port 2) and also to its own IP subnet so that the firewall can limit access to basically only the Unifi hardware (cloudkey, switches, access points).
Thoughts and suggestions are welcome (the attempt to control VLAN1 is new).
bingo600
RE: Lan on own IF
It would make sense to have (spread) "high load interfaces" on several physical IFs.
If all VLANs were on the same IF, they would share the same IF bandwidth.
So having, i.e., LAN have its own IF would mean you could go LAN --> WAN w/o affecting the "shared" multi-VLAN IF.
My Unifi controller does not reside in VLAN1, it just resides on "the untagged VLAN (PVID VLAN) for that specific IF".
Btw: I seem to remember that @johnpoz said the newer Unifi controllers could run on "all tagged VLANs"; I haven't tried.
@bingo600 is correct - the only thing Unifi needs is an untagged VLAN... I don't have mine on VLAN 1 - it's VLAN 9 in my network. It's just not a tagged network as far as Unifi is concerned.
And they did add the ability to use a tagged VLAN for management a while back. What version of the controller are you running, what firmware on your AP, etc.?
Not a fan of that LAGG group setup you have. You have no control over what goes over what in that sort of setup. Yeah, it works and it's easy enough to set up. I would just manually place my VLANs on specific interfaces so that I know the VLANs that talk to each other the most won't be using the same physical interface for the conversation. When you just throw them all on a LAGG you don't really know.
Also, the VLAN could be tagged to pfSense, just not tagged to Unifi devices.
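The setup the original post describes (VLAN1 tagged to pfSense on the LAN port, its own subnet, and firewall rules that let that subnet reach only the Unifi hardware) and the reply above (untagged towards Unifi devices, tagged only on the pfSense side) can be written down as a pf ruleset. The following is an added example, not the poster's configuration or anything from the thread; it is raw pf syntax, equivalent to what pfSense would generate from per-interface rules, and every interface name, address, and port number in it is an assumption (the Unifi port numbers are the commonly documented ones for inform, STUN, controller UI, discovery and device SSH, but verify them against your controller version):

```pf
# Added example, not from the forum thread. Constructed addressing:
#   igb1     = pfSense port 2, LAN untagged (PVID on the switch side)  192.168.10.0/24
#   igb1.1   = VLAN 1, tagged on the same port towards pfSense only     192.168.1.0/24
#   lagg0.40 = Management VLAN carried on the LAGG                      192.168.40.0/24
#   192.168.1.2 = CloudKey (controller) living inside VLAN 1
# Assumed Unifi ports: inform 8080/tcp, STUN 3478/udp, controller UI 8443/tcp,
# device discovery 10001/udp, device SSH 22/tcp.

vlan1_if  = "igb1.1"
mgmt_if   = "lagg0.40"
vlan1_net = "192.168.1.0/24"
mgmt_net  = "192.168.40.0/24"
cloudkey  = "192.168.1.2"

# Private space, used so VLAN 1 devices get Internet only, never other VLANs.
table <rfc1918> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

# --- Rules on the VLAN 1 interface: what Unifi hardware may initiate ---
# Controller and devices share VLAN 1, so inform (8080) and STUN (3478)
# between them stay at layer 2 and never reach pfSense. The firewall only
# has to allow DNS/NTP to pfSense itself and HTTPS out for firmware.
pass in quick on $vlan1_if proto { tcp udp } from $vlan1_net to ($vlan1_if) port 53
pass in quick on $vlan1_if proto udp from $vlan1_net to ($vlan1_if) port 123
pass in quick on $vlan1_if proto tcp from $vlan1_net to ! <rfc1918> port { 80 443 }
# Everything else from VLAN 1, including anything towards other VLANs, is dropped.
block in log quick on $vlan1_if from $vlan1_net to any

# --- Rules on the Management interface: who may reach Unifi hardware ---
# Only the Management VLAN gets a path into VLAN 1; no other interface has a
# pass rule towards $vlan1_net, so pfSense's default deny keeps them out.
pass in quick on $mgmt_if proto tcp from $mgmt_net to $cloudkey port 8443
pass in quick on $mgmt_if proto tcp from $mgmt_net to $vlan1_net port 22
pass in quick on $mgmt_if proto udp from $mgmt_net to $vlan1_net port 10001
block in log quick on $mgmt_if from $mgmt_net to $vlan1_net
```

Read it as pfSense does: rules are evaluated inbound on the interface where traffic first arrives, so the VLAN 1 tab decides what the switches and APs may start, and the Management tab decides who may reach them. The `log` on the two block rules is what tells you, from the firewall log, whether a device is trying to talk to something you did not expect. Note that UDP 10001 discovery by broadcast does not cross the router; the unicast rule only matters if you adopt devices by IP from the Management VLAN.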
I have the latest version of Cloudkey Software and firmware (Gen 2 CK), APs and switches on the latest firmware.
I received a fairly lukewarm reception on the Unifi support forums for the idea of putting each VLAN on a separate wire ...
e.g. "VLANs on one interface are no more or less secure than a single LAN on separate interfaces. How much bandwidth are you passing?"
There certainly seems to be a case for physically separating things like a DMZ to a different switch ...
For a 6 port pfsense box, how about:
Port 1: WAN
Port 2: LAN
Port 3: Wireless Network (VLAN a)
Port 4: IoT (VLAN b), Guest (VLAN c)
Port 5: Management (VLAN d)
Port 6: To a small switch for a DMZ (VLAN e)