VLAN confusion

amrogers3

Hello @bingo600

Apologies if I am confusing the issue. Basically, I have a 192.168.1.x network with all my home devices. I bought a UniFi layer 3 switch and want to plug the IP cameras in it and assign the ports to a VLAN and prevent that VLAN from accessing anything outside of it. Cameras need to be blocked from accessing the internet as well.

However, I need to be able to manage the switch from the 192.168.1.x network.

What is the best way to implement this?

bingo600

@amrogers3

To recap:

You want 3 different L2 lans with just 2 phys. interfaces , right now WAN + Lan.

Wan : 10.x.x.x           
Lan  : 192.168.1.x   
Cam : 192.168.2.x     

Cam devices should be prevented from accessing anything but the local lan .. 192.168.2.x

The L3-Switch should have the management ip address in the Lan network.

I would keep Wan as "Phys IF 0" , and as you mention : Make "Phys IF 1" a Vlan capable interface.

1:
Personally i would make both Lan and Cam , a new Vlan , and change the ip addresses to reflect the Vlan ie:
Vlan 10 - Lan - 192.168.10.x/24
Vlan 20 - Cam - 192.168.20.x/24

Most decent managed switches would allow you to set the "Management Vlan" , and here it would be set to Vlan 10.

This setup could be a bit "tricky" to migrate too , if you don't have any networking/switch experience , as it would be easy to lock your self out.

2:
You could continue with your "existing" setup , and have "Lan" being "Native Vlan / Untagged".
Then Lan would be on "every port" in the switch assigned to Vlan1
I assume Vlan1 is the default Native/Untagged Vlan on a UBI switch , have newer worked with one.

Make a Vlan enabled uplink interface on the UBI switch , allowing for Vlan1 (Untagged) , and Vlan10 Tagged.

Then you would add Vlan10 to pfSense Phys IF1 (Old Lan IF), maybe see .
https://forum.netgate.com/post/944383

/Bingo

bingo600

@amrogers3

Assuming you will go with 2 , from the above.

If you haven't done so already , you might want to connect your Lan interface to the Switch now , and connect your Lan devices to the switch (on Vlan1 ports),
That should work right out of the "Box", i would assume.

Now you should enable "tagged" Vlan10 on the Switch port you have connected the Lan interface to. I have no experience with UBI switches.

Then you should enable Vlan10 on the pfSense Lan interface.

Set it up , enable DHCP , and the appropriate rules.

Make some Vlan10 ports on the switch, connect the cameras.

Done.

/Bingo

amrogers3

@bingo600

Thank you very much @bingo600 ! I realized something reading your reply.

You are correct, VLAN1 is the default untagged VLAN on UBI.

I set up pfSense similar to what you suggested and I can post screenshots but I believe the issue lies with the UBI switch. It is advertised as Layer 3 but it doesnt do true layer 3 routing.

Please correct me if I am wrong but I dont think I need to set up VLANs in pfSense. Let me explain. The L3 switch does the routing and doesn't need pfSense to route traffic. Lets say I create a VLAN3 for cameras and a VLAN1 profile for the pfSense port. Then VLAN1 should be able to reach VLAN3 but VLAN3 will not be able to reach anything outside of VLAN3. Is this correct?

Could you recommend a L3 switch? 24 GB + PoE + layer 3 with good throughput and switching capacity. A couple 10GB ports would be a bonus!

bingo600

@amrogers3

Layer2 (L2) Vlan IP data can not communicate with any other L2 Vlan , without the help of a Layer3 (L3) device (Router/Firewall etc) , to route the IP (L3 data) from VlanX to VlanY.

So i recommend NOT to enable ANY L3 routing features on the UBI Switch.

That way the only L3 device that can transport IP data between Vlans is the pfSense , where you have filtering capabilities.

I would expect your UBI SW to be ok , so give it a try.
Just make sure NOT to enable routing (L3) etc ... Then only pfSense can transport packages beween Vlans.

Btw: What is the "ISSUE" ??
You haven't described it with a single word.

Edit:
If you enable L3 routing on the switch , it would "default" work "both ways".
IMHO you would want to let the pfSense be the L3 device , as it is has the "best" filtering capabilities. But it is your setup
You decide.

/Bingo

amrogers3

@bingo600

The "issue" is this particular switch, the USW-24-PoE. It allows inter-VLANs traffic by default. From the ui.com website it says:

Inter-VLAN routing is enabled by default between all Corporate LAN networks. 

In this example, I can ping between VLAN2 <<--->> VLAN3. Even with blocking firewall rules.

https://imgur.com/a/APps8Nh

Therefore, I need to buy a different switch, maybe Cisco, I am not sure. I would like the switch to route traffic in particular situations so I am looking to keep routing on the switch and get a layer 3.

bingo600

@amrogers3
Maybe you could buy a "cheaper L2" switch, and connect your pfSense Lan , and Lan devices to that one. Then on that switch make an Untagged "Vlan3 / CAM" port to connect to the UBI.

And thereby still Re-Use the Ubi for Cams (leave all ports on Ubi in "Vlan1" or "Vlan 3").

Now the L2 switch will see All UBI ports via Vlan3 , and the UBI will just have 1 vlan , hence L3 routing won't be an issue.

Maybe @johnpoz can recommend a switch that's "payable in the US" , it seems my favourite D-Link DGS-1210-28 is quite expensive over there.

@johnpoz
Would a refurb. C200 do ?
Cisco 200
https://www.amazon.com/Cisco-Mini-GBIC-SLM2024T-NA-Certified-Refurbished/dp/B07F6HGNLX/

I have no experience with "Non Enterprise Cisco's"

/Bingo

johnpoz

@bingo600 said in VLAN confusion:

Would a refurb. C200 do ?

Sure why not - there are plenty of cheap switches that can do vlans.. SG200 for sure can do them.

If you don't need a lot of ports you can get say multiple different brands 8 port gig that can do vlans. Like $40

amrogers3

@johnpoz

Thank you @bingo600 and @johnpoz

Appreciate the recommendation. I need a bit more PoE though, around 24 PoE ports. Any recommendation for a L3, 24x PoE, with PoE budget => 200W.

johnpoz

@amrogers3 hmmm - what is your budget? That is not going to be $40 ;)

Maybe something off ebay.. But problem with highend enterprise stuff off ebay is NOISY!! and power hungry.. You really need 24 POE ports?? That many? That is a lot of poe stuff.. You have that many cameras? Or would like 12 or 8 poe ports out of 24 work?

unifi prob cheapest option - but I really don't think any of their stuff actually does L3, even though they have been talking about it for years. My sg300-28 does L3, and I got it new under 200, but it not any poe.

If you really want L3, and poe (how many ports really need) - if cameras you could prob just break them out downstream to your L3 on their own poe switch.. Camera's don't really need all that much bandwidth.

amrogers3

@johnpoz said in VLAN confusion:

unifi prob cheapest option - but I really don't think any of their stuff actually does L3, even though they have been talking about it for years. My sg300-28 does L3, and I got it new under 200, but it not any poe.

yep, that has been my unfortunate experience with Ubi and L3.

The "L3" 24 PoE I bought from Ubi was $800 so a Cisco for a bit more with better functionality will be worth it.