ALIX with 3 NICs: VLAN options?



  • Have an ALIX.2D3 and am wondering what my options are for the NICs, specifically VLANs.

    Haven't done anything as of yet, but am thinking about the following:

    vr0: WAN
    vr1: VLAN1
    vr2: VLAN2

    VLAN1 (192.168.1.0/24)
    VLAN2 (192.168.2.0/24)

    This is for a small office (< 10 machines including two servers).  They don't have any VLAN-capable switches, so if I put a "dumb" switch (i.e. Linksys 4-port el cheapo) in vr1, will all machines on that switch get tagged as VLAN1?  Same with the vr2 interface?

    I'd like to put the workstations on VLAN1 to do some isolation from the two servers (on VLAN2), but going through the setup, pfSense wants a LAN interface, an OPT1, and a WAN interface, and I'm not sure if/how I can define what I've described above.  Can the LAN interface also serve as a VLAN parent interface?

    TIA



  • You pretty much need VLAN-capable switches to use the pfSense VLAN support. A VLAN-capable switch would allow segregation of systems connected to the switch so they are effectively isolated from one another. For example, an 8-port switch with two groups of three systems, each group using a separate VLAN. Another port on the switch "trunks" the two VLANs to a single physical interface on the pfSense box configured with two VLAN interfaces, each VLAN interface effectively being an interface on one of the two VLANs in the switch. The two groups of systems are isolated from each other and can communicate only through the pfSense box, where the communication will be subject to firewall rules.



  • I'm a bit confused as to why I need a VLAN-capable switch: I could see if I had all the machines in the same switch and was trying to segregate them into separate VLANs, but if I make vr1 the VLAN1 parent, and put all the VLAN1 machines in an 8-port switch that's physically connected to vr1, and the same for VLAN2 with the vr2 interface for the VLAN2 machines, wouldn't that work?  By not having both VLANs on the same parent/physical interface, I should be able to achieve separation by virtue of two separate physical interfaces.



  • @gravyface:

    I'm a bit confused as to why I need a VLAN-capable switch: I could see if I had all the machines in the same switch and was trying to segregate them into separate VLANs, but if I make vr1 the VLAN1 parent, and put all the VLAN1 machines in an 8-port switch that's physically connected to vr1, and the same for VLAN2 with the vr2 interface for the VLAN2 machines, wouldn't that work?

    If you have one interface plugged into one switch and another into a different switch, you aren't using VLANs. You can do that and it'll work fine, but it's not VLANs.



  • Ok, so since my proposed setup is "not VLANs" then any VLAN-specific firewall rules are not going to apply?



  • Correct, you only need a VLAN-capable switch if you are using, or are planning to use, VLANs.



  • Thanks for clearing that up.  So basically there's no tagging going on prior to hitting the VLAN'ed port on the pfSense, so it treats everything as untagged.



  • @gravyface:

    Thanks for clearing that up.  So basically there's no tagging going on prior to hitting the VLAN'ed port on the pfSense, so it treats everything as untagged.

    If you configure a pfSense network interface as a VLAN interface, pfSense will probably expect to see VLAN tags in incoming frames and will put VLAN tags in outgoing frames.

    Based on the preceding discussion, it seemed external constraints prevented you from using VLANs, so it's just confusing when you now talk about VLAN'ed ports on the pfSense box. Have those constraints changed?  Why would you make the pfSense port a VLAN'ed port?
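The tagging behaviour described in the two replies above (a trunk port carrying several VLANs into one physical interface, and a VLAN interface expecting tagged frames while a dumb switch delivers untagged ones) can be made concrete with a small 802.1Q model. This is an added example, not code from the thread or from pfSense; it builds Ethernet frames, inserts and strips the 4-byte 802.1Q tag, and models a parent interface with VLAN children in the way FreeBSD's vlan(4) does: tagged frames go to the child interface for their VID, untagged frames stay on the parent, and frames tagged with a VID no child is configured for are dropped. The interface names (`vr1`, `vr1.10`), MAC addresses and payload are constructed for the example.

```python
"""Constructed 802.1Q tagging example (not pfSense code)."""
import struct

TPID_8021Q = 0x8100      # Tag Protocol Identifier that marks an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Untagged Ethernet II frame: dst(6) | src(6) | ethertype(2) | payload."""
    if len(dst) != 6 or len(src) != 6:
        raise ValueError("MAC addresses must be 6 bytes")
    return dst + src + struct.pack("!H", ethertype) + payload


def tag_frame(frame: bytes, vid: int, pcp: int = 0, dei: int = 0) -> bytes:
    """Insert an 802.1Q tag (TPID + TCI) between the source MAC and the ethertype."""
    if not 1 <= vid <= 4094:
        raise ValueError("VID must be 1..4094 (0 and 4095 are reserved)")
    tci = ((pcp & 0x7) << 13) | ((dei & 0x1) << 12) | vid
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def classify(frame: bytes):
    """Return (vid, ethertype, payload); vid is None when the frame carries no tag."""
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != TPID_8021Q:
        return None, ethertype, frame[14:]
    tci, inner = struct.unpack("!HH", frame[14:18])
    return tci & 0x0FFF, inner, frame[18:]


def untag_frame(frame: bytes) -> bytes:
    """Strip the 802.1Q tag if present; untagged frames are returned unchanged."""
    vid, _, _ = classify(frame)
    if vid is None:
        return frame
    return frame[:12] + frame[16:]


def demux_trunk(frames, vlan_ids, parent: str = "vr1"):
    """Model a parent NIC with VLAN child interfaces on a trunk.

    Tagged frames whose VID has a child go to "<parent>.<vid>", untagged
    frames stay on the parent (what a dumb switch would deliver), and tagged
    frames for an unconfigured VID are dropped.  Returns (buckets, dropped).
    """
    buckets = {parent: []}
    for vid in vlan_ids:
        buckets[f"{parent}.{vid}"] = []
    dropped = []
    for frame in frames:
        vid, _, _ = classify(frame)
        if vid is None:
            buckets[parent].append(frame)
        elif vid in vlan_ids:
            buckets[f"{parent}.{vid}"].append(frame)
        else:
            dropped.append(frame)
    return buckets, dropped


if __name__ == "__main__":
    # Constructed sample: locally administered MACs and a dummy payload.
    ws = bytes.fromhex("020000000001")     # workstation (VLAN1 side)
    srv = bytes.fromhex("020000000002")    # server (VLAN2 side)
    plain = build_frame(srv, ws, ETHERTYPE_IPV4, b"hello")
    on_vlan1 = tag_frame(plain, 1)
    on_vlan2 = tag_frame(plain, 2)
    stray = tag_frame(plain, 99)           # VID with no pfSense VLAN interface
    buckets, dropped = demux_trunk([plain, on_vlan1, on_vlan2, stray], {1, 2})
    for name, frames in buckets.items():
        print(f"{name}: {len(frames)} frame(s)")
    print(f"dropped: {len(dropped)} frame(s)")
```

The `plain` frame is what a port on an unmanaged switch hands to vr1: no tag, so it lands on the parent interface and never matches rules written for a VLAN interface. Only a VLAN-aware switch (or another tagging host) produces the `on_vlan1`/`on_vlan2` frames that the child interfaces are built to see.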

