Moving VLAN data to another interface at the pfSense host device.
-
A few months back I was getting frustrated with a VLAN issue on Dumb APs behind my pfSense router. StephenW10 jumped in and helped me get that sorted even though the trouble really lay with OpenWRT... That's all working fine now.
I hope I can explain this clearly, please ask if you are unsure what I am doing or need. (Thanks)
Next step. For logistics reasons, I only have a single Ethernet connection to one building on my property so I needed the LAN connection to feed (back haul) to one of several OpenWRT Dumb APs in my system and carry a VLAN for a guest account for WiFi as well. I also have a couple of devices that need to be on the LAN. But, I also have some devices in this building that need to be on a hardwired connection on an IOT/DMZ type network. No problem, a bit more work on the tagging side of the "Bridge VLAN filtering" tab in OpenWRT and pfSense now delivers the proper network and DHCP to the hardware devices in the outbuilding via the single physical Ethernet connection to the Dumb AP.
Now, AT the pfSense box (SG-4860) I am using an option port to isolate an IOT/DMZ type network away from my LAN using a managed switch and tagging the appropriate ports on the switch to keep those devices isolated from the LAN.
Can I now take the data stream coming back on the primary LAN connection from the outbuilding via a VLAN connection and dump it on the physical interface port for IOT/DMZ originating on the pfSense/SG-4860?
-
Can I now take the data stream coming back on the primary LAN connection from the outbuilding via a VLAN connection and dump it on the physical interface port for IOT/DMZ originating on the pfSense/SG-4860?
This is a very poorly worded question.
What data stream?
Primary LAN connection? Didn't you say you only have one cable going to the other building? What's the secondary LAN connection? If you have a primary, there must be a secondary. Otherwise, it's just the connection.
I'm gonna guess you have all 3 networks (LAN, IOT and DMZ) on one port to pfSense now, and you want to move the IOT and DMZ to the optional port?
If so, you can do that in your switch very easily. Just trunk a port on the switch and connect it to the OPT port. You'll either tag both vlans on it or have one as the PVID and the other tagged.
If you tag both, add both vlans to the OPT interface. Don't assign an IP on the OPT port, put them on the vlans instead. You don't even need the parent port assigned technically.
If you want one untagged and one tagged, assign one to the OPT interface, this will be the untagged vlan, and add the other as a vlan on that same port.
Your choice. If that's what you're looking to do that is.
-
@jarhead Thanks, Jarhead (I was squid aviator). I was trying not to get too verbose and turn this into a TL;DR.
I'm using 2 OPT ports (besides WAN & LAN) in the house for my IPphones and IOT/DMZ type traffic because I prefer hardline over WIFI when possible. All segregated/isolated at the managed switch.
I only have one ethernet cable to the shop. Most (98%) of the traffic is LAN and associated WiFi.
I transport my Guest account (almost unused in the shop) via VLAN 10 to the shop. Works fine. Guest account used most often and most extensively at the house. Also works fine (Thanks to StephenW10).
I also transport an IOT/DMZ network to the shop via VLAN 20 and TAG it on a physical port of the OpenWRT device (Linksys WRT3200ACM). Works fine.
What I'd like to do, and I don't know if it's even possible (or rational), is strip the VLAN 20 data coming from the shop device delivered to the LAN port on SG-4860 and hang it on the pfSense OPT interface used for IOT/DMZ and be able to use the DHCP instance running on that physical interface as well.
-
@ramosel Definitely possible.
Just need to verify some things.
You have another physical OPT interface available on pfSense?
Vlan20 is your IOT/DMZ vlan? Not sure because of this:
"is strip the VLAN 20 data coming from the shop device delivered to the LAN port on SG-4860 and hang it on the pfSense OPT interface used for IOT/DMZ"
You have the LAN from pfSense going to your switch?
If those are all yes, then it's easy to do.
Interfaces/Assignments. Change the assign interface for vlan20 to the physical OPT interface.
Plug a cable in from the OPT to your switch. Whichever port you use, untag vlan20 on it.
You can then delete the vlan from the LAN interface.
This will then still use the trunk port to openwrt which is carrying the vlan to the other building.
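To make the switch side of this concrete, here is an added example (not from the thread, and not pfSense or OpenWrt code) that models 802.1Q ingress classification by PVID and egress tagging/untagging on a small managed switch laid out the way the answer above describes. Port names, and LAN being VLAN 1, are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

@dataclass
class Port:
    name: str
    pvid: int                                         # VLAN given to untagged ingress frames
    tagged: Set[int] = field(default_factory=set)     # VLANs egressing with an 802.1Q tag
    untagged: Set[int] = field(default_factory=set)   # VLANs egressing with the tag stripped

    def member_of(self, vid: int) -> bool:
        return vid in self.tagged or vid in self.untagged

class VlanSwitch:
    """Minimal VLAN-aware switch: floods within the VLAN, no MAC learning."""
    def __init__(self, *ports: Port):
        self.ports = {p.name: p for p in ports}

    def forward(self, ingress: str, vid: Optional[int]) -> Dict[str, Optional[int]]:
        """Return {egress_port: vid_on_wire}; vid None means untagged on the wire."""
        port = self.ports[ingress]
        if vid is None:
            vid = port.pvid              # untagged frame is classified into the port's PVID
        elif not port.member_of(vid):
            return {}                    # tagged frame for a VLAN this port is not in: dropped
        out: Dict[str, Optional[int]] = {}
        for p in self.ports.values():
            if p.name == ingress:
                continue
            if vid in p.tagged:
                out[p.name] = vid        # leaves with its tag
            elif vid in p.untagged:
                out[p.name] = None       # tag stripped on egress
        return out

def build_switch() -> VlanSwitch:
    """Layout after the change described above (port names assumed):
    trunk -> OpenWrt AP in the shop: LAN untagged, VLAN 10 and 20 tagged
    lan   -> pfSense LAN: LAN untagged, VLAN 10 tagged, VLAN 20 removed
    opt   -> pfSense OPT (IOT/DMZ): VLAN 20 untagged, PVID 20
    LAN is modelled as VLAN 1 (an assumption)."""
    return VlanSwitch(
        Port("trunk", pvid=1, tagged={10, 20}, untagged={1}),
        Port("lan", pvid=1, tagged={10}, untagged={1}),
        Port("opt", pvid=20, untagged={20}),
    )
```

`build_switch().forward("trunk", 20)` returns `{'opt': None}`, i.e. the shop's IOT/DMZ traffic lands on the OPT port untagged, while LAN traffic from either the shop or the pfSense LAN port never reaches OPT.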
-
@jarhead said in Moving VLAN data to another interface at the pfSense host device.:
Just need to verify some things.
You have another physical OPT interface available on pfSense?
Vlan20 is your IOT/DMZ vlan? Not sure because of this:
Yes to both
You have the LAN from pfSense going to your switch?
Yes
If those are all yes, then it's easy to do.
Interfaces/Assignments. Change the assign interface for vlan20 to the physical OPT interface.
Plug a cable in from the OPT to your switch. Whichever port you use, untag vlan20 on it.
You can then delete the vlan from the LAN interface.
I'll try it in the morning, Thanks.
I'm missing a concept here, but I'll try to suss it out.
This will then still use the trunk port to openwrt which is carrying the vlan to the other building.
-
@jarhead So, I didn't get to that issue the next morning... life gets in the way sometimes. But I did finally get on it and once I realized what you were saying, I felt like an idiot. Easy to do at the switch using the untag and PVID. Just wanted to say thanks for the help... albeit a bit late.