Subnetting vs vlan confusion
- 
 > I don't understand your question.
 > The point of having multiple subnets is to be able to route.
 > Otherwise you would have to set up a filtering bridge between the two VLANs.
 > What is your definition of a layer 3 switch? (For me a switch is ALWAYS layer 2. As soon as it knows layer 3 it's no longer a switch, but a router.) Why would you want to use more than one switch?
 > The point of using VLANs is that you only need one physical interface to one physical switch.
 > The VLANs allow you to carry the traffic of multiple separate networks over one cable to the switch.
 > The switch then internally separates these subnets/networks to different ports.
 > Essentially the one physical switch becomes multiple logically separated switches.

 Ok, I got it. So now instead of buying a very expensive layer 3 switch, I could build another pfSense computer that acts as a VLAN, right? I am not too sure about this, someone just told me this.
- 
 This might help you further. If you look at this map of my network http://wan2.cheesyboofs.co.uk/home.htm you will see that I have three cable modems and various LAN devices all connected to the same switch. Logically the modems are outside my network and the LAN is inside, but physically they are all connected to the same switch. The modems are all in separate VLANs and the router (pfSense) is policing the routes between all the separate networks. The beauty is you can achieve quite a sophisticated setup with just one switch and a half-decent router. If I weren't using VLANs all my LAN equipment would actually be outside with only a bit of "sub-netting" to protect them. GruensFroeschli's explanation is quite thorough; you'd do well to read it over a couple of times, it will click eventually ;)
- 
 > This might help you further. If you look at this map of my network http://wan2.cheesyboofs.co.uk/home.htm you will see that I have three cable modems and various LAN devices all connected to the same switch. Logically the modems are outside my network and the LAN is inside, but physically they are all connected to the same switch. The modems are all in separate VLANs and the router (pfSense) is policing the routes between all the separate networks. The beauty is you can achieve quite a sophisticated setup with just one switch and a half-decent router. If I weren't using VLANs all my LAN equipment would actually be outside with only a bit of "sub-netting" to protect them. GruensFroeschli's explanation is quite thorough; you'd do well to read it over a couple of times, it will click eventually ;)

 :o That is one serious network setup.
 I'm still a bit confused, what is the pfSense router doing in your setup? It's in its own VLAN with no devices connected to it, because it looks like your layer 3 switch is doing the job of the router and handling the VLANs. Also, what are the XBMC and MCE connected to, directly into the switch? If so they're not part of any of the VLANs, right? (I am hella new to VLANs :( don't scold me D: )
- 
 I think you're confusing yourself about layer 2 & 3 switches! A layer 3 switch is a layer 2 switch with some additional capabilities. VLANs (802.1Q) are part of the data link layer of the OSI model; this is LAYER 2. Layer 3 is the networking layer where IP, OSPF, ICMP, IGMP, IPsec kick in; my switch has none of these capabilities. Please look at the bottom of this wiki page on the OSI model:
 http://en.wikipedia.org/wiki/OSI_model <- Google "layer 2 wiki"
 The only thing my switch is doing (with the help of VLANs) is presenting 1 switch as several smaller switches, and giving my 1-port Gb router an extra 7 Gb ports. It really is that simple…
- 
 > I think you're confusing yourself about layer 2 & 3 switches! A layer 3 switch is a layer 2 switch with some additional capabilities. VLANs (802.1Q) are part of the data link layer of the OSI model; this is LAYER 2. Layer 3 is the networking layer where IP, OSPF, ICMP, IGMP, IPsec kick in; my switch has none of these capabilities. Please look at the bottom of this wiki page on the OSI model:
 > http://en.wikipedia.org/wiki/OSI_model <- Google "layer 2 wiki"
 > The only thing my switch is doing (with the help of VLANs) is presenting 1 switch as several smaller switches, and giving my 1-port Gb router an extra 7 Gb ports. It really is that simple…

 I thought you needed a layer 3 switch to create VLANs?
- 
 You need a managed switch to create VLANs.
- 
 > You need a managed switch to create VLANs.

 Now I'm a bit confused, what would you use a layer 3 switch for then? Would you need a router if you had a layer 3 switch? Because from what I can see it can address IPs and stuff.
- 
 The term "layer 3 switch" was invented by marketing.
 In the past a router was, compared to a switch, a big box with lots of fans.
 Marketing people tried to prevent any association with these old big routers.
 A layer 3 switch is nothing else than a (simple) router with a lot of ports.
 But in this case we have a layer 2 device (a switch) which is not capable of routing, but manageable (you can create 802.1Q VLANs on it),
 --> We need the pfSense for the routing part.
 Most current switches offer a simple web interface with some monitoring and configuration options.

 I'll try to put what cheesyboofs said into other words.
 With VLANs you're able to connect the pfSense over a single port to the switch, and separate the single physical switch into multiple separated switches.
 Each of these "separated switches" is still contained within the physical switch.
 But they are not able to "talk" to each other.
 But each of these switches is connected to the pfSense.
 Each VLAN appears as a separate interface on the pfSense
 --> You can route between the VLANs.

 I'm not sure if we can describe it better to you.
 May I suggest you contact a university where you live, where they teach basic networking classes.
- 
 > The term "layer 3 switch" was invented by marketing.
 > In the past a router was, compared to a switch, a big box with lots of fans.
 > Marketing people tried to prevent any association with these old big routers.
 > A layer 3 switch is nothing else than a (simple) router with a lot of ports.
 > But in this case we have a layer 2 device (a switch) which is not capable of routing, but manageable (you can create 802.1Q VLANs on it),
 > --> We need the pfSense for the routing part.
 > Most current switches offer a simple web interface with some monitoring and configuration options.
 >
 > I'll try to put what cheesyboofs said into other words.
 > With VLANs you're able to connect the pfSense over a single port to the switch, and separate the single physical switch into multiple separated switches.
 > Each of these "separated switches" is still contained within the physical switch.
 > But they are not able to "talk" to each other.
 > But each of these switches is connected to the pfSense.
 > Each VLAN appears as a separate interface on the pfSense
 > --> You can route between the VLANs.
 >
 > I'm not sure if we can describe it better to you.
 > May I suggest you contact a university where you live, where they teach basic networking classes.

 That made a lot more sense, I actually think I understand it, thanks ;D
- 
 Switch = layer 2 = VLAN
 Router = layer 3 = subnet

 A VLAN is a "physical" separation between ports. So if an 8-port switch had ports 1-4 on one VLAN, and 5-8 on another, they could not talk to each other without going through a layer-3 device. That could be pfSense or a router with two NICs, for instance, in ports 1 and 5. Or it could be an 802.1Q trunk going to a trunked port, which can carry both VLANs (although they both cross that port as ships in the night). A layer-3 network, which in TCP/IP is a subnet (192.168.1.x /24 or 10.10.10.x /24 in the above examples), is a logical delineation, not a physical one. You need a router to go between different networks, not accounting for various hacks, etc. It is possible to have two or more IP networks on the same VLAN/switch, but it's not best practice. There is nothing stopping you from creating a 192.168.1.0 and 10.10.10.0 network on your home switch, living together as roommates on the same switch. However, for security it's best if they get their own house. :D Ideally, you should set up one IP network per VLAN, although in certain circumstances that's not always possible. You can have more than one IP network on a VLAN or unmanaged switch, but you can't have a network in more than one VLAN, unless you don't want them to talk to each other.
 (This excludes two-way NAT and the obvious point that another network somewhere else can have the same RFC1918 range.)
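As an added example (not from this thread and not pfSense's own code), here is a small Python model of the switch described in the post above and in GruensFroeschli's explanation earlier: ports 1-4 in VLAN 10, 5-7 in VLAN 20, port 8 as the 802.1Q trunk to pfSense, and one pfSense interface per VLAN. The port map and IP addresses are constructed; it shows which frames a broadcast reaches and when a packet is switched, routed through pfSense, or never arrives.

```python
from ipaddress import ip_address, ip_interface

# Constructed 8-port switch: ports 1-4 in VLAN 10, 5-7 in VLAN 20,
# port 8 is the 802.1Q trunk to pfSense carrying both VLANs tagged.
ACCESS_VLAN = {1: 10, 2: 10, 3: 10, 4: 10, 5: 20, 6: 20, 7: 20}
TRUNK_PORT, TRUNK_VLANS = 8, {10, 20}
# pfSense VLAN sub-interfaces on the single trunk cable (assumed addresses).
GATEWAY = {10: ip_interface("192.168.1.1/24"), 20: ip_interface("10.10.10.1/24")}

def flood(in_port, tag=None):
    """Ports a broadcast entering in_port reaches, mapped to the egress tag."""
    vlan = tag if in_port == TRUNK_PORT else ACCESS_VLAN[in_port]
    if vlan not in TRUNK_VLANS:
        return {}                          # unknown tag on the trunk: dropped
    out = {p: None for p, v in ACCESS_VLAN.items() if v == vlan and p != in_port}
    if in_port != TRUNK_PORT:
        out[TRUNK_PORT] = vlan             # tagged copy towards pfSense
    return out

def l2_adjacent(port_a, port_b):
    """True when the two ports share a broadcast domain (same VLAN)."""
    return port_b in flood(port_a)

def reach(src_port, src, dst_port, dst):
    """Describe how a packet from src (on src_port) gets to dst (on dst_port)."""
    src_if, dst_ip = ip_interface(src), ip_address(dst)
    if dst_ip in src_if.network:
        # On-link by subnet: the host ARPs, and ARP floods its own VLAN only.
        if l2_adjacent(src_port, dst_port):
            return "direct: switched in VLAN %d" % ACCESS_VLAN[src_port]
        return "unreachable: subnet is split across VLANs, ARP never arrives"
    # Off-link: the host hands the packet to the pfSense interface of its VLAN.
    gw = GATEWAY.get(ACCESS_VLAN[src_port])
    if gw is None or src_if.ip not in gw.network:
        return "unreachable: no pfSense interface in this host's subnet"
    dst_gw = GATEWAY.get(ACCESS_VLAN[dst_port])
    if dst_gw is None or dst_ip not in dst_gw.network:
        return "unreachable: pfSense has no interface in the destination subnet"
    return "routed: VLAN %d -> pfSense -> VLAN %d (firewall rules apply)" % (
        ACCESS_VLAN[src_port], ACCESS_VLAN[dst_port])

if __name__ == "__main__":
    print(reach(1, "192.168.1.10/24", 3, "192.168.1.20"))   # same VLAN, same subnet
    print(reach(1, "192.168.1.10/24", 5, "10.10.10.20"))    # one subnet per VLAN
    print(reach(1, "192.168.1.10/24", 5, "192.168.1.20"))   # subnet split over VLANs
    print(l2_adjacent(1, 2), l2_adjacent(1, 5))             # the "roommates" test
```

l2_adjacent is the "roommates" point from the post: two subnets on one VLAN still share a broadcast domain, so only a VLAN boundary forces their traffic through pfSense's firewall rules.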
- 
 I'm going to jump in here and ask if using one physical interface on your router (pfSense, or any other router for that matter) for all your VLANs is a performance bottleneck: i.e. is there a practical/theoretical limit to the number of VLANs/nodes per VLAN on a single physical interface? I'm asking because I had planned on using two of the interfaces (vr1 and vr2) for parent VLAN interfaces (a 1:1 ratio of VLANs to interfaces, i.e. VLAN10 = vr1 and VLAN20 = vr2), simply because I don't have a VLAN-capable switch and assumed that all nodes physically linked to vr1 (via an unmanaged switch) would be tagged as VLAN10, ditto for vr2/VLAN20. Is this incorrect? Basically I'm hoping to make up for a lack of VLAN-capable switches by using my OPT1 port on my ALIX 2D3 for VLAN20 duties.
- 
 > I'm going to jump in here and ask if using one physical interface on your router (pfSense, or any other router for that matter) for all your VLANs is a performance bottleneck: i.e. is there a practical/theoretical limit to the number of VLANs/nodes per VLAN on a single physical interface?

 You're limited by the bandwidth of the parent interface.
- 
 > I'm going to jump in here and ask if using one physical interface on your router (pfSense, or any other router for that matter) for all your VLANs is a performance bottleneck: i.e. is there a practical/theoretical limit to the number of VLANs/nodes per VLAN on a single physical interface?

 This is why I'm waiting with bated breath for v2 so that I can BOND (lagg) additional ports/links together between the router and the switch. ATM I have no real 'need' as the VLANs serve between WAN/wireless segments and the LAN.
 If I were routing between say three GB-enabled VLANs up just one GB-enabled trunk and one VLAN was being twatted, the other two would obviously suffer. Saying that, rarely is one network running flat out for long, but you would notice a performance hit.
 If however you could bond three 1GB links together for the VLAN trunk from the switch back to the router you should see little impact on the three individual LAN segments, obviously subject to router horsepower and configuration.
- 
 Hmm. Old thread, but it gave me some insight into VLAN implementation and such as I'm studying this. You talked about v2's ability to bond VLANs, which brings this thought into question. If a 1:1 VLAN was set up between two interfaces and a single computer hosting pfSense had 3 interfaces, could it be possible that each VLAN has its own external connection to the internet and have those VLANs bonded so that interface 3, which is the physical network, could take advantage of dual WAN/internet speeds? I'm assuming that since bonding is in v2 (haven't confirmed it yet), pfSense will be able to handle packets arriving at different times etc. and put them all together again in the proper order?
- 
 I think I get where you're going with this, but I think the answer is no!
 Bonding only works if the device doing the 'packet splitting' is splitting them in such an 'ordered' fashion that the device doing the joining (switch/router) knows and expects how to re-join them.
 If the packets are coming from completely different sources they will arrive in a shotgun fashion. Bonding requires order and harmony and the internet is anything but.
 Cheers