VLAN's, what to do with "default LAN" ?
-
Hi guys
My pfSense network before learning VLANs consisted of 3 separate "physical" networks.
- WAN
- LAN
- DMZ
As pfSense is virtualised in ESXi, the DMZ network hasn't got a physical connection, all DMZ servers are connected internally through an ESXi virtual switch.
But now I'm transferring to a VLAN based setup, to make things easier in our new home, as you can change physical network connections in different rooms to other VLANs, to suit your needs.
The only question I'm having at this point is: what do you guys do with the "default LAN" network that hasn't got a VLAN tag? This was my default network, with almost all internal devices connected and also most firewall rules.
Do you move everything over to a new "VLAN LAN" and create new firewall rules, or do you keep this default LAN on "VLAN1"?
Thanks
-
I'll give you some ideas to start you off. It all depends on your security level.
There is quite a lot of this already around the 'net but if it helps your research, I think what you refer to as default LAN is actually known as native VLAN. In this case, say you moved all your devices to a new VLAN, this becomes the default VLAN for those devices. The native VLAN is where untagged traffic goes - the "default LAN" you described.
So what you do with it depends on your required security level. Some don't use it at all (for security reasons), others are not so stringent and use it, say for their untagged traffic. For example, you can move all your devices to dedicated and separate VLANs and only use the untagged/native VLAN for rogue device discovery: by not allocating a gateway and installing the arpwatch package, you can monitor this subnet for devices that are plugged into the network without permission. They will get an IP within that subnet and, being unroutable, will ultimately go nowhere. This helps if, say, you forget to shut down a port (which is frankly the best measure).
-
I am running on a 7100, LAN is on the switch and I use it when I screw up and lock myself out, no devices on LAN. All other networks are VLANs.
-
hey there,
same here: default VLAN is VLAN1 (all that untagged stuff)
Now, I read that (as mentioned above) for security reasons it is not recommended to have clients or productive data running on that default VLAN.
So, everything is in its VLAN here.
But wait...if someone rogue is pulling the TRUNK LAN cable...then they are on VLAN1. But I do not want that.
So I created another VLAN (i.e. vlan66), defined that one as NATIVE VLAN on my Cisco switches and now...everyone entering unwanted is sent to vlan 66 where there is no gateway, no DHCP, no nothing. Like standing in the corner, face to the wall.
Default VLAN is always VLAN1, native can (depending on your hardware) be something else. So you keep unwanted clients off your default VLAN (1) and send them to hell (native > vlan66, well almost hell).
I tried that by disconnecting the trunk cable between switches (which transports all VLAN info between switches or router) and hung my notebook there...landed in vlan 66, had no fun at all. So it works for me...in my home network.
-
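The native-VLAN quarantine described in this post (and the unrouted rogue-discovery subnet from the earlier reply) as an added switch configuration example. This is not configuration from the thread or from any poster; it is written in Cisco IOS syntax as a worked illustration, and the VLAN IDs (10/20/30 for real networks, 66 for the dead end), port names and descriptions are assumptions. pfSense only gets VLAN interfaces for the tagged VLANs on its trunk; VLAN 66 has no SVI, no DHCP and no gateway anywhere, so an untagged device landing there can reach nothing:

```cisco
! Added example (not from the thread): Cisco IOS-style switch config that
! moves the native VLAN of the trunk to an unused "dead-end" VLAN 66.
! VLAN IDs, interface names and the allowed-VLAN list are assumptions.
!
! VLAN 66 exists only so the switch will carry it. Deliberately no
! "interface Vlan66", no DHCP scope and no gateway on pfSense for it.
vlan 66
 name QUARANTINE-NATIVE
!
! Trunk towards the pfSense host (ESXi vSwitch) or another switch:
! tagged frames for the real VLANs, untagged frames parked in 66.
interface GigabitEthernet1/0/1
 description TRUNK-to-pfSense
 switchport mode trunk
 switchport trunk native vlan 66
 switchport trunk allowed vlan 10,20,30,66
 no cdp enable
!
! Optional (global, where the platform supports it): tag the native VLAN
! too, so untagged frames arriving on the trunk are simply dropped.
! vlan dot1q tag native
!
! Room wall ports: access ports pinned to exactly one VLAN. The room
! only ever sees this VLAN as its LAN, never VLAN 1.
interface GigabitEthernet1/0/10
 description ROOM-OFFICE
 switchport mode access
 switchport access vlan 20
 spanning-tree portfast
!
! Unused ports: shut down (the measure the earlier reply calls the best
! one) and additionally parked in the quarantine VLAN as a second layer.
interface range GigabitEthernet1/0/20 - 24
 switchport mode access
 switchport access vlan 66
 shutdown
!
! Verify after applying:
!   show interfaces GigabitEthernet1/0/1 trunk   -> native vlan 66, allowed 10,20,30,66
!   show vlan brief                              -> 66 QUARANTINE-NATIVE, only the unused ports in it
```

If you do want to watch who lands in the quarantine VLAN rather than drop them silently, give pfSense a VLAN 66 interface with an address but no gateway and run arpwatch on it, as the earlier reply suggests; the trunk and access-port parts of the example stay the same.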
@the-other said in VLAN's, what to do with "default LAN" ?:
Now, I read that (as mentioned above) for security reasons it is not recommended to have clients or productive data running on that default VLAN.
So, everything is in its VLAN here.

If you're sending different VLANs to the various rooms, then you're using a managed switch to make the VLAN the native LAN to that room. Users in that room will never see the original native LAN from pfSense.