Best approach to tie LAN and Opt1 together on a 4100?
-
So, I'm migrating a friend from a 3100 to a 4100 (mostly because the 3100 is EOL). I know the port labels are purely cosmetic and can be re-assigned at will. I also know that the 4100 has discreet NICs for each port compared to the "switched" ports on the 3100. So, I have the basic understandings of the differences in hardware understood. Now, my question is relating to migrating from the 3100 to the 4100; mostly in how her network is set up: She has a basic, untagged LAN AND an 802.1Q tagged VLAN sharing ports "lan1" and "lan2" on her 3100 since she routes each port to a different external ethernet switch on her top and ground floor home. Both external switches are tagged for her A/Ps so her IoT stuff is segregated on the Tagged VLan, and all other devices like laptops, tables, etc. are on her untagged network.
Given how she has her switched plugged into the 3100, she's using 2 ports on the back; both set up to handle tagged and untagged traffic, and this has been working well for her. So, switching to the 4100 hardware, how can she "bind" or "bridge" two of the discreet lan ports together to maintain what should be a single LAN network? Is this where a "bridge" group comes into play? ...effectively bridging the two NIC ports in the 4100 into a single virtual port? OR, is she mostly destined to re-congure her LAN into 2 segments on two discreet ports in the 4100?
And apologies if this has been answered before; my search-foo is weak. If so, please feel free to point me at the posts where it might have been answered before.
Or is it as simple as enabling the Opt1 port and giving it a sequential static IP address on the same LAN network as LAN1 is coming through?
Thanks in advance!
-
The best way is with a switch. You don't want to have pfSense do switching - it's a firewall, not a switch.
You can set up another network and have them be two different segments and open them completely to communication (helps all but broadcast traffic) that works, but a $15 switch would be better than a bridge.
-
Facepalm! Not sure why I didn't think of that! I guess I assumed that routing two managed switches through an unmanaged one might have caused issues; but now that I think about it, it wouldn't make any difference.
I'm gonna blame that lack of thought on aliens... yeah, aliens came and stole my brain. Yeah, definitely aliens!
-
@SkippyTheMagnificent said in Best approach to tie LAN and Opt1 together on a 4100?:
that routing two managed switches through an unmanaged one
Huh? if you are using vlans - while normally a dumb switch will not strip tags or anything, it doesn't understand the tags and you will have no isolation. Broadcast and multicast can be seen by anything connected to that switch.
You can safely use a dumb switch downstream of a managed one, where all things on the dumb switch are in 1 vlan. But its not good practice to run vlans over a dumb switch.
-
So, instead of using a dumb switch, I should pass through a managed switch in order to maintain VLan tagging? I thought that the tag was applied to the actual packet and was maintained by down-stream switches since they shouldn't be manipulating IP packets... Or, am I completely misunderstanding how VLANs work? I AM new to this level of networking, so maybe I understand it wrong.
Or, are you saying that by going through an unmanaged switch, virtually anything on the upstream could potentially read those tagged packets and be able to bypass the VLAN tags in the packets?
-
Yes broadcast is going everywhere because the the switch doesn’t know oh this is only broadcast multicast vlan X also anything can just jump and be on any vlan they want by just adding a tag. You loose all actual isolation of your vlans
-
Thanks for that info! I'll put in a managed switch in between the 4100 and the 2 other managed switches, then.
