Network segmentation with 6-port CWWK box and no switch
-
Greetings. I'm a newbie in networking trying to set up my network with segmentation in mind. Guides that I've checked are all about the ROaS concept, which implies having a managed L2 switch (which I don't have, and have no option to buy one atm). I am aware that my box should be a router, not a switch, and doing it this way comes with a performance penalty, but with no money one has to improvise. So, I did my research, read the docs, and that's what I've come up with. It is probably wrong, and I have some questions, so I need your help.
TL;DR: Some broke guy tries to do some VLANs and switching without a switch and learn some networking in the process.
Here is a network diagram of a desired state (sanitized):
No IPv6 at all.
And that is how it all connects (feel free to ask if something isn't clear):
(Click for large version, it doesn't fit in the post)
Note: vlan interfaces placed under their parents.
Interfaces igc2, lagg0, igc5 are not assigned (see question 1).
igc0 - WAN
igc1 - Access port (vlan 20)
igc2 - Trunk port (vlans 10, 20, 30) for AP
igc3 + igc4 = LAGG Trunk port (vlans 10, 100, 200) for Proxmox Server
igc5 = Access port (vlan 10)
Now to the questions:
1. I don't understand which interfaces should just be created, which should be assigned (but not enabled), and which should be enabled with no config (IPv4 Configuration Type = None). The only thing I know for sure is that static IP and DHCP should be configured on the last interface in the chain (Physical -> LAGG -> VLAN -> Bridge).
2. Which is the right way to create access ports? As in igc1, where the interface itself is added to the bridge with the corresponding vlan? Or like igc5, where a vlan sub-interface is created and added to the bridge?
3. Native network. I've read that it is good security practice to avoid using vlan 1 for data transfer, but it might stay on the network for system-level communications between network devices (discovery protocols etc.). I don't really understand where vlan 1 is in my setup. I believe it is disabled since no nets are configured on the igcX interfaces, am I right?
So, that's where I'm stuck, and I'd appreciate some help.
-
-
@alirx Pretty sure you can't bridge vlans like that..
Save yourself a lot of grief - and pony up for a 20$ switch that supports vlans for gosh sake.
-
@johnpoz Those igc's are 2.5Gb ports, which asks for a 2.5Gb managed switch. That is around 275$ (incl. taxes) in the case of one of the reasonably priced ones, the CRS310-8G+2S+IN by MikroTik. I know buying a switch is the right thing to do and can save lots of headache, but this I can't afford rn.
About bridging that way - those vlans are three interfaces in the same broadcast domain, why can't they be bridged? Or did I misunderstand the bridging section of the pfSense docs?
-
@alirx you can bridge 1 vlan.. but you have multiple vlans on the same bridge.. I am pretty sure it doesn't work that way.
You seem to have some money to set up such a network.. bite the bullet and get a switch. Or redo your vlans or add interfaces so you can run your 2.5ge on their own connection
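As an added example (my own, not from anyone in this thread): a small Python model of the layout in the first post that checks the two things raised here, whether any bridge joins members with different VLAN tags (the reply's concern), and whether a trunk's untagged parent interface, where native/VLAN 1 frames would arrive, has been added to a bridge (question 3). The interface names follow the post; the member lists and the BROKEN layout are constructed, not a config export.

```python
"""Audit a pfSense-style bridge/VLAN layout for segmentation mistakes."""

# Constructed model of the layout in the first post (not a config export).
# A bridge member is (parent interface, 802.1Q tag), or (parent, None) when the
# parent's own untagged traffic is the member, as with the igc1 access port.
PROPOSED = {
    "bridge10":  [("igc5", 10), ("igc2", 10), ("lagg0", 10)],
    "bridge20":  [("igc1", None), ("igc2", 20)],
    "bridge30":  [("igc2", 30)],
    "bridge100": [("lagg0", 100)],
    "bridge200": [("lagg0", 200)],
}

# Constructed counter-example: VLANs 10 and 20 share one bridge, and the AP
# trunk's parent (igc2 itself, i.e. its untagged frames) sits in the VLAN 30 bridge.
BROKEN = {
    "bridge_mixed": [("igc5", 10), ("igc1", None), ("igc2", 20)],
    "bridge30":     [("igc2", 30), ("igc2", None)],
}


def trunk_parents(bridges):
    """Parents that carry at least one tagged sub-interface (i.e. trunks)."""
    return {p for members in bridges.values() for p, tag in members if tag is not None}


def audit(bridges):
    """Return findings; an empty list means every bridge carries exactly one VLAN
    and no trunk's untagged (native) frames are bridged anywhere."""
    findings = []
    trunks = trunk_parents(bridges)
    for name, members in sorted(bridges.items()):
        tags = sorted({tag for _, tag in members if tag is not None})
        if len(tags) > 1:
            findings.append(f"{name}: VLANs {tags} share one broadcast domain")
        for parent, tag in members:
            if tag is None and parent in trunks:
                findings.append(f"{name}: untagged (native VLAN) frames from trunk "
                                f"{parent} are bridged here")
    return findings


def bridges_per_port(bridges):
    """Map each parent interface to the bridges its frames can reach."""
    reach = {}
    for name, members in bridges.items():
        for parent, _ in members:
            reach.setdefault(parent, set()).add(name)
    return reach
```

Running `audit(PROPOSED)` returns no findings, while `audit(BROKEN)` reports both the merged VLANs and the bridged native traffic.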