Setting up a pfSense box with only 1 nic, utilizing VLANs
-
Has anyone here setup a pfsense box using only 1 nic, but utilizing VLANs? I want to tag 5 VLANs to a port on an HP switch, and plug that into a single port on a pfsense box. The VLANS will be LAN, 3xWAN, and a DMZ. Are they any considerations besides bandwidth that I need to think about? It will be a 10/100/1000 fxp or rl NIC.
-
Yes i did such a setup once.
Just make sure that you use VLANs only, and dont assign the "real" interface as well.Avoid realtek NICs if you want to save yourself a lot of headaches.
-
Yes, I can only echo GruensFroeschli's comments. I have this setup and it works very well. The best bit is being able to redesign the network without even unplugging any cables, you just change the VLAN allocation. You can see my implementation in the link of my sig.
Cheers
-
Thanks for the replies guys.
What type of throughput are you guys getting, or what type/speed connections?
Here is what I'll have:
LAN: 10/100/1000
WAN1: 88m
WAN2: 50m
WAN3: 88m
DMZ: 10/100I'm thinking that I'll use one NIC just for LAN, and the other for the other four connections/VLANs. Do you think one NIC will be sufficient to handle these four?
-
Yes i did such a setup once.
Just make sure that you use VLANs only, and dont assign the "real" interface as well.Why is this? I have done this and it seemed to work okay. Is there some particular problem with it?
-
The link doesnt work in IE8…. On my 6 machines at the office :)
Yes, I can only echo GruensFroeschli's comments. I have this setup and it works very well. The best bit is being able to redesign the network without even unplugging any cables, you just change the VLAN allocation. You can see my implementation in the link of my sig.
Cheers
-
Why is this? I have done this and it seemed to work okay. Is there some particular problem with it?
Usually it works.
But there are cases where it can go horribly wrong.
The one setup where i encountered such a case was:Client in subnet_A on VLAN_A.
Server in subnet_B in no_VLAN –> untagged and communicating with the pfSense directly over the assigned parent interface.The client made an ARP request which should not have reached the server. But since it was on the same switch on the untagged interface (and on the same collision domain as the client) it was able to respond to it.
(This is also due to the bad thing of mixing multiple subnets on the same wire).
Now the client added an ARP entry into it's table pointing to an IP which is not directly reachable because in a different subnet.I dont remember anymore what exactly went wrong, since the VLAN-capable switch should have made sure that these two devices cannot talk on layer2 to each other, but the bottom line is:
If the two devices where on separate VLANs it would not have happened.Another thing is that there seem to be VLAN-capable switches that treat untagged traffic internally as VLAN1(default) tagged traffic.
If you dont make sure that VLAN1 isnt allowed to all other ports (which it usually is) you could break the intent of separating traffic. (At least in one direction).edit: this thread also shows problems with mixing tagged and untagged
http://forum.pfsense.org/index.php/topic,17620.msg95010.html#msg95010
also what ktims describes.The link doesnt work in IE8…. On my 6 machines at the office :)
Works here with FF 3.5.2
-
The link doesnt work in IE8…. On my 6 machines at the office :)
Yes, I can only echo GruensFroeschli's comments. I have this setup and it works very well. The best bit is being able to redesign the network without even unplugging any cables, you just change the VLAN allocation. You can see my implementation in the link of my sig.
Cheers
You have to wait a bit (under ie) as it is a M$ Visio Web doofa (its a bit fat) alternat link (quicker)
http://wan2.cheesyboofs.co.uk/home.htm
