Netgate Discussion Forum
    Tagging VLANs in pfSense

    Category: L2/Switching/VLANs
    6 Posts, 4 Posters, 913 Views
    Nyetwerk (original post):

      I have a pfSense Netgate 1100 router. Connected to the LAN port is a little dumb eight-port switch, going to various local devices, one of them being a TP-Link WA801N AP (a cheap temporary solution until I get a more proper and serious wireless device). But that thing does have this Multi-SSID mode, and you can associate VLANs with SSIDs.

      However, I am wondering if I can correlate the VLANs on the pfSense router with those on the TP-Link wireless device. I don't know if there is a way to tag multiple VLANs (trunking) on a port so they can flow through the (dumb) switch to the AP. From what I understand of networking, tagging doesn't work across dumb switches because that information is lost as new L2 frame headers are made. And it seems that I can't associate more than one VLAN with a port on the pfSense. By default, each physical interface has its own VLAN associated with it on the Netgate, like mvneta0.4090, mvneta0.4091, mvneta0.4092.

      I want to do all this because I want to create a separate wireless network for certain IoT devices, without them being able to get to the rest of my network, but still have internet access on their own (yes I know this will involve setting up some firewall rules later).

      Alternatively, to bypass the switch, could I activate an OPT port and connect the AP straight to that without a switch and trunk those VLANs through to it? But then it wouldn't be on the same LAN segment, since I would've already assigned the main LAN VLAN to the LAN port that the switch is attached to... I want at least one of the SSIDs on the AP to correlate to the main LAN (which is otherwise Ethernet), as not all Wi-Fi will be that separate IoT network.

      I'm also not sure if the VLANs on the TP-Link device are just self-contained on it and don't link to those on the rest of the network.

      Thanks

      johnpoz (LAYER 8 Global Moderator) replied to Nyetwerk:

        Quoting @Nyetwerk:
        > flow through the (dumb) switch to the AP

        While that is possible, it's not good practice. It's quite possible, and probably likely, that this dumb switch you're flowing through will just not do anything to the tags. But it doesn't understand them: if there is a broadcast or multicast in your VLANs, it will end up going to all the ports on this dumb switch.

        It's best that all the switches you're going to pass VLANs over actually understand them, even if none of the clients on that switch will actually be on any of the VLANs.

        It would be better if you can connect the AP directly to pfSense, but then if you put all the VLANs X to go to your AP, you can't easily have any other clients on any of the VLANs you send to your AP.

        Do yourself a big favor: if you want to play with VLANs, get a VLAN-capable switch. You can for sure leverage a dumb switch off the smart switch to add more ports for clients in a specific VLAN.

        You don't need an enterprise-class switch to do VLANs; a "smart" switch with 8 gigabit ports is like 40 bucks, new!

        SG-4860 25.07.1 | Lab VMs 2.8, 25.07.1

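        Added illustration of the point johnpoz makes above, not code from the thread or from Netgate: a small 802.1Q tag builder/parser plus two toy forwarding models, one for an unmanaged switch that ignores the tag and one for a VLAN-aware switch that honours membership. The port numbering (1 = uplink from the router, 2 and 3 = wired LAN hosts, 4 = the AP), the MACs and the VLAN IDs 10/20 are made up for the scenario; the tag layout (TPID 0x8100, 3-bit PCP, 1-bit DEI, 12-bit VID) is the standard one.

```python
"""Toy 802.1Q tagging and switch-forwarding model (added example, constructed data)."""
import struct

ETHERTYPE_8021Q = 0x8100          # TPID that introduces an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
BROADCAST = bytes.fromhex("ffffffffffff")


def mac(text):
    """'aa:bb:cc:dd:ee:ff' -> 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))


def build_frame(dst, src, vid=None, ethertype=ETHERTYPE_IPV4, payload=b"", pcp=0):
    """Build an Ethernet frame; when vid is given, insert one 802.1Q tag after the MACs."""
    frame = dst + src
    if vid is not None:
        if not 1 <= vid <= 4094:
            raise ValueError("VID must be 1..4094")
        tci = (pcp << 13) | vid       # PCP in the top 3 bits, DEI = 0, VID in the low 12
        frame += struct.pack("!HH", ETHERTYPE_8021Q, tci)
    return frame + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Decode dst/src, the optional 802.1Q tag, the real EtherType and the payload."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst, src = frame[0:6], frame[6:12]
    (etype,) = struct.unpack("!H", frame[12:14])
    vid, pcp, offset = None, None, 14
    if etype == ETHERTYPE_8021Q:
        tci, etype = struct.unpack("!HH", frame[14:18])
        vid, pcp, offset = tci & 0x0FFF, tci >> 13, 18
    return {"dst": dst, "src": src, "vid": vid, "pcp": pcp,
            "ethertype": etype, "payload": frame[offset:]}


def _is_unicast(dst):
    return dst != BROADCAST and not dst[0] & 1   # I/G bit clear -> unicast


class DumbSwitch:
    """Unmanaged switch: learns source MACs, floods everything else to all other ports.
    It never inspects the tag, so a tagged frame passes through unchanged but a
    broadcast or multicast in any VLAN reaches every port on the switch."""
    def __init__(self, ports):
        self.ports = set(ports)
        self.fdb = {}

    def forward(self, in_port, frame):
        f = parse_frame(frame)
        self.fdb[f["src"]] = in_port
        if _is_unicast(f["dst"]) and f["dst"] in self.fdb:
            return {self.fdb[f["dst"]]} - {in_port}
        return self.ports - {in_port}


class VlanSwitch:
    """VLAN-aware switch: per-VID membership, plus a PVID to classify untagged ingress.
    Flooding stays inside the VLAN; a frame for a VID the ingress port is not a
    member of is dropped (returns an empty set)."""
    def __init__(self, members, pvid):
        self.members = {vid: set(ports) for vid, ports in members.items()}
        self.pvid = dict(pvid)
        self.fdb = {}

    def forward(self, in_port, frame):
        f = parse_frame(frame)
        vid = f["vid"] if f["vid"] is not None else self.pvid.get(in_port)
        if vid is None or in_port not in self.members.get(vid, set()):
            return set()
        self.fdb[(vid, f["src"])] = in_port
        if _is_unicast(f["dst"]) and (vid, f["dst"]) in self.fdb:
            return {self.fdb[(vid, f["dst"])]} - {in_port}
        return self.members[vid] - {in_port}


def demo():
    """Constructed scenario: VLAN 10 = main LAN, VLAN 20 = IoT SSID.
    An ARP broadcast tagged 20 arrives on the uplink (port 1)."""
    arp_bcast = build_frame(BROADCAST, mac("02:00:00:00:00:01"), vid=20, ethertype=ETHERTYPE_ARP)
    dumb = DumbSwitch([1, 2, 3, 4])
    smart = VlanSwitch(members={10: {1, 2, 3, 4}, 20: {1, 4}}, pvid={2: 10, 3: 10})
    return {
        "dumb": dumb.forward(1, arp_bcast),    # {2, 3, 4}: IoT broadcast hits the wired LAN hosts
        "smart": smart.forward(1, arp_bcast),  # {4}: only the AP port is a member of VLAN 20
    }


if __name__ == "__main__":
    print(demo())
```

        The difference in `demo()` is exactly the leak johnpoz describes: the dumb model delivers the IoT VLAN's broadcast to ports 2 and 3 even though those hosts are not in that VLAN, while the VLAN-aware model confines it to the trunk and AP ports. Unicast is also a problem on the dumb model, since its forwarding table is not keyed by VID, so the same MAC seen in two VLANs collides.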
        JKnott replied to Nyetwerk:

          Quoting @Nyetwerk:
          > one of them being a TP Link WA801N AP

          While the dumb switch should pass VLAN tags, that AP may cause problems. I used to use a WA901N and found it leaked multicasts between the main LAN and the VLAN. This made it impossible for me to run IPv6 on my guest Wi-Fi. After replacing the AP with a UniFi AC-Lite, it now works properly.

          pfSense running on Qotom mini PC
          i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
          UniFi AC-Lite access point

          Nyetwerk replied to JKnott:

            @JKnott Thanks. Yeah, I was actually thinking of getting a UniFi next, to be honest.

            Nyetwerk replied to johnpoz:

              @johnpoz OK, that shouldn't be too bad; I can look for a smarter switch. But is there a way to tag multiple VLANs through a physical port on the pfSense router? How do I do that when the interface name itself is based on a VLAN (for example mvneta0.4090)? It's almost like there is just one real port and they are only logically segmented via VLAN on the pfSense, despite the various physical ports... I'm a bit confused.

              And yeah, needless to say, I'm not getting internet connectivity on the IoT wireless network, it seems.

              Also, semi-related: why is it that I can only create a DHCP server for my LAN interface on the pfSense? You can't create other pools for other interfaces, which use different network schemes (172 vs. 192, for example)?

              Jarhead replied to Nyetwerk:

                @Nyetwerk https://docs.netgate.com/pfsense/en/latest/solutions/sg-1100/configuring-the-switch-ports.html

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.