Five lan ports and nine vlans.
-
I have a Netgate FW-7541 which has five interface ports.
I have nine vlans that I wish to provision over these ports. The vlans are:
vlan 10 - house vlan
vlan 20 - lab
vlan 30 - security cameras
vlan 40 - servers
vlan 50 - guest
vlan 60 - IOT
vlan 70 - dmz
vlan 80 - storage (SAN)
vlan 99 - management
Can I double up (tag) some of these on the same interface?
-
@stampeder Your firewall is a router, not a switch. I'd purchase a switch that supports LACP and use that instead.
-
@rcoleman-netgate
I have several Netgear GS116Ev2 switches that can do trunking of multiple vlans. I can tag several vlans in the netgear switches, I'm just not sure how to handle these when I get to the Netgate router.
Thanks.
Glenn...
-
@stampeder Additionally, I am currently using a Ubiquiti EdgeRouter X to do my routing and I want to swap it out for my Netgate FW-7541 as it has FAR more capabilities than the EdgeRouter.
Thanks.
-
@stampeder said in Five lan ports and nine vlans.:
I can tag several vlans in the netgear switches, I'm just not sure how to handle these when I get to the Netgate router.
The same way -- if the port the Netgate connects to is tagged then they need to be tagged on pfSense as well.
-
@rcoleman-netgate So then each of the lan ports can be treated as an independent trunk port, similar to a Cisco router?
-
@stampeder They're not switch ports -- they're discrete interfaces. LACP a couple together to a switch that supports LACP. Put everything on the LACP interface.
https://docs.netgate.com/pfsense/en/latest/interfaces/lagg.html
-
@stampeder Yes. I have a 7100 and I use one 10Gb NIC to my switch with 5 VLANs. Set up your switch correctly and it works well. My goal was to use as few switch ports as possible.
You may find your network usage is low enough on some VLANs that you can decrease the ports you are using by going beyond doubling up.
-
Yes, you can tag as many VLANs as you like on each interface. Within reason.
What you can't do is put the same VLAN on two interfaces. I.e. em3.20 is not the same VLAN as em4.20 even if they use the same tags.
But it sounds like you're doing the first thing so that should be OK.
I would also look at using two interfaces in an LACP lagg to the switch and putting all the VLANs on that.
Steve
-
@stephenw10 Thanks for the reply.
What I am actually trying to accomplish is VLAN routing on the FW 7541. As it has six opt ports I thought I could put say my vlan 60 and vlan 99 vlans on the same "trunk" port from my managed switch.
Since you point out that it is possible, my issue now is how to actually do it within the device?
-
@stampeder said in Five lan ports and nine vlans.:
my issue now is how to actually do it within the device?
What are you asking how to put more than 1 vlan on a physical interface?
-
@johnpoz Cool! So, I can also apply FW rules to each of these vlans separately?
Is there a document or writeup on this whole procedure from Netgate?
Sorry, I'm too used to Cisco........
-
@stephenw10 One more thing. I don't need to aggregate any ports as the traffic on the ones I want to "trunk" is low and the interfaces are already 1G. But thanks.
-
@stampeder no you don't need to create a lagg, not really a fan of laggs to be honest because you don't have control over what physical interface traffic might flow. lagg is good if you don't care about that and your goal is redundancy of physical ports.
Yes once you create a vlan on pfsense - it would have its own firewall rules.
-
Yeah the VLAN interfaces are treated exactly like any other interface; you can apply firewall rules to them individually.
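A constructed example (not from the thread or from Netgate) that models what the replies describe: several 802.1Q tags on one parent interface, the "em3.20 is not the same VLAN as em4.20" pitfall flagged as a planning check, and the FreeBSD ifconfig equivalents of the VLAN interfaces pfSense creates, each of which then gets its own firewall rule set. The em1..em4 parent names and the tag-to-port assignment are assumptions; the FW-7541's real interface names may differ.

```python
# Added example: plan 802.1Q VLAN sub-interfaces on a pfSense box.
# Parent names (em1..em4) and the assignment below are assumptions.
from collections import defaultdict

# Constructed plan using the nine VLANs from the question, spread over
# four of the five ports; vlan 99 (management) is kept on its own port.
VLAN_PLAN = {
    "em1": {10: "house", 20: "lab", 40: "servers"},
    "em2": {30: "cameras", 60: "iot"},
    "em3": {50: "guest", 70: "dmz"},
    "em4": {80: "storage", 99: "management"},
}

def vlan_interfaces(plan):
    """pfSense-style VLAN interface names (parent.tag) -> description.
    Each of these is a separate interface with its own firewall rules."""
    return {f"{parent}.{tag}": descr
            for parent, tags in plan.items() for tag, descr in tags.items()}

def shared_tags(plan):
    """Tags configured on more than one parent. On pfSense these are
    different broadcast domains even though the 802.1Q tag matches,
    so a non-empty result usually means a planning mistake."""
    parents = defaultdict(list)
    for parent, tags in plan.items():
        for tag in tags:
            parents[tag].append(parent)
    return {tag: sorted(p) for tag, p in parents.items() if len(p) > 1}

def ifconfig_commands(plan):
    """FreeBSD ifconfig commands equivalent to the interfaces pfSense
    creates from Interfaces > Assignments > VLANs (for illustration;
    on pfSense you configure this in the GUI, not by hand)."""
    return [f"ifconfig {parent}.{tag} create vlan {tag} vlandev {parent}"
            for parent, tags in sorted(plan.items()) for tag in sorted(tags)]

if __name__ == "__main__":
    for name, descr in sorted(vlan_interfaces(VLAN_PLAN).items()):
        print(f"{name:8} {descr}")
    print("tags on more than one parent:", shared_tags(VLAN_PLAN) or "none")
    print("\n".join(ifconfig_commands(VLAN_PLAN)))
```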