Netgate Discussion Forum

Using Managed Switch for Company and Private Networks

L2/Switching/VLANs
Gblenn @bookie56, Aug 30, 2024, 2:09 PM (edited Aug 30, 2024, 2:10 PM)

    @bookie56 Under Firewall > Rules you have the LAN_COMPANY and WIFI_COMPANY tabs.

    Create new block rules above the allow all rule that look similar to this. In my case it's my GuestVLAN that I don't want accessing e.g. the IoT-network.


    Select Block and the interface is your LAN_COMPANY, protocol any and source any.
    Then it's a matter of selecting the destination you want to block, in this case you would pick LAN_PRIVATE and click Save.


    Then you create one more looking exactly the same but select WIFI_PRIVATE as the destination you want to block. Make sure they end up above the allow rule.

    To test that it works you can try pinging anything on your PRIVATE network from one of your COMPANY PCs.

johnpoz (LAYER 8 Global Moderator) @bookie56, Aug 30, 2024, 2:22 PM

      @bookie56 said in Using Managed Switch for Company and Private Networks:

      Can we leave it as it is for now

      Sure, whatever you feel comfortable with doing; it's your network.

      So your lan private and lan company are working now.. depending on what port you plug them into on your switch? That switch config looks correct to me for just splitting the switch into 2 virtual switches.

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.7.2, 24.11

bookie56 @Gblenn, Aug 30, 2024, 2:48 PM

        @Gblenn said in Using Managed Switch for Company and Private Networks:

        @bookie56 Under Firewall > Rules you have the LAN_COMPANY and WIFI_COMPANY tabs.

        Create new block rules above the allow all rule that look similar to this. In my case it's my GuestVLAN that I don't want accessing e.g. the IoT-network.


        Select Block and the interface is your LAN_COMPANY, protocol any and source any.
        Then it's a matter of selecting the destination you want to block, in this case you would pick LAN_PRIVATE and click Save.


        Then you create one more looking exactly the same but select WIFI_PRIVATE as the destination you want to block. Make sure they end up above the allow rule.

        To test that it works you can try pinging anything on your PRIVATE network from one of your COMPANY PCs.

        Sorry, not understanding this....I have firewall rules implemented for LAN_COMPANY and WIFI_COMPANY not having contact with my private network....but don't I need a rule for the VLAN? Or does that automatically fall under the rules for LAN_COMPANY and WIFI_COMPANY?

        bookie56

johnpoz (LAYER 8 Global Moderator) @bookie56, Aug 30, 2024, 4:16 PM (edited Aug 30, 2024, 4:20 PM)

          @bookie56 said in Using Managed Switch for Company and Private Networks:

          but don't I need a rule for the VLAN?

          what vlans - you didn't create any vlans on pfsense - did you? The vlans are only on your switch.. to keep those networks at layer 2 isolated from each other. At layer 3, pfsense would filter any traffic trying to be routed across pfsense.

          I thought you only had 4 networks on pfsense on your quad port nic, your lan private and company, and then wifi private and company that you plug your AP into.

          So 4 interfaces, for these 4 networks.. This is where you would create rules.. There are no rules you would put on your switch.. The very act of creating a vlan on the switch isolates those ports in vlan X from vlan Y ports at layer 2.

          But if you do not want LAN private to talk to any of your 3 other networks, then you would need rule(s) to do that. You could do it in 1 rule if you wanted, with an alias that contains the networks you don't want to talk to. When you're creating rules that block access to your other networks it's common to just create an alias that contains all of the RFC1918 space: 10.0.0.0/8, 192.168.0.0/16 and 172.16.0.0/12. This way you can use the alias in your block rule, and this network would not be able to talk to any other networks that you currently have or might add in the future.

          You just need rules above this block rule that allow what you want. Here is an example of a locked down network that can not talk to any other network I have on pfSense, nor any of pfSense's other IPs, like say its public IP.


          Rules are evaluated top down as traffic enters the pfSense interface from the network that interface is attached to; the first rule to trigger wins and no other rules are evaluated.

          These rules allow devices on my "test" network to ping the pfSense IP on the test interface, and use DNS and NTP to this test interface IP. It then makes sure clients on test can not talk to any other IPs of pfSense, say the WAN public IP - or devices on this network would be able to access the pfSense web GUI, for example on its WAN IP which is public. The use of the alias helps if that IP might change in the future to some other public IP.

          They then block access to any other rfc1918 addresses - ie my other networks.. And then the last rule is what allows devices on this network to talk to any other IPs, ie the internet.

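As an added example (not code from the thread, and not pfSense's own code; the real filter is pf and this only imitates its first-match order), the following Python models the top-down evaluation johnpoz describes, using the rule set he outlines for a locked-down network (ping, DNS and NTP to the interface IP allowed, the firewall's other IPs blocked, all RFC1918 blocked, everything else allowed) together with the ordering mistake Gblenn warns about (a block rule that lands below the allow-all rule). Interface names, addresses (192.168.10.1 as the LAN_COMPANY interface IP, 192.168.20.1 and 192.168.30.1 as other pfSense LAN addresses, 203.0.113.5 as the WAN address), rule labels and the test flows are all assumptions; source addresses are not modelled because every flow is assumed to originate on LAN_COMPANY.

```python
"""Model of pfSense top-down, first-match rule evaluation on one interface.

Added example, not from the forum thread. Addresses, interface names and
rule labels are assumptions chosen to illustrate johnpoz's locked-down rule
set and Gblenn's point that block rules must sit above the allow-all rule.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


def nets(*cidrs):
    return [ipaddress.ip_network(c) for c in cidrs]


# Aliases (constructed). A pfSense alias is just a named list of hosts/networks.
RFC1918 = nets("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
LAN_COMPANY_IF_IP = nets("192.168.10.1/32")                                      # assumed
OTHER_PFSENSE_IPS = nets("192.168.20.1/32", "192.168.30.1/32", "203.0.113.5/32")  # assumed: other LANs + WAN
ANY = nets("0.0.0.0/0")


@dataclass
class Rule:
    action: str            # "pass" or "block"
    proto: str             # "any", "icmp", "tcp", "udp" or "tcp/udp"
    dst: list              # destination alias: list of ip_network
    dport: Optional[int]   # None means any port
    label: str

    def matches(self, proto, dst_ip, dport):
        if self.proto != "any" and proto not in self.proto.split("/"):
            return False
        if self.dport is not None and self.dport != dport:
            return False
        return any(dst_ip in n for n in self.dst)


def evaluate(rules, proto, dst, dport=None):
    """Return (action, label) of the first rule that matches; pfSense's
    implicit default is to drop anything no rule matched."""
    ip = ipaddress.ip_address(dst)
    for r in rules:
        if r.matches(proto, ip, dport):
            return r.action, r.label
    return "block", "implicit default deny"


# Locked-down ruleset for LAN_COMPANY, top to bottom.
LOCKED_DOWN = [
    Rule("pass", "icmp", LAN_COMPANY_IF_IP, None, "ping this interface"),
    Rule("pass", "tcp/udp", LAN_COMPANY_IF_IP, 53, "DNS to this interface"),
    Rule("pass", "udp", LAN_COMPANY_IF_IP, 123, "NTP to this interface"),
    Rule("block", "any", OTHER_PFSENSE_IPS, None, "block other firewall IPs"),
    Rule("block", "any", RFC1918, None, "block all private networks"),
    Rule("pass", "any", ANY, None, "allow everything else (internet)"),
]

# The mistake Gblenn warns about: same rules, but allow-all sits above the blocks.
MISORDERED = [LOCKED_DOWN[-1]] + LOCKED_DOWN[:-1]


def check_ruleset(rules):
    """Evaluate constructed flows from a LAN_COMPANY host; returns {flow: verdict}."""
    flows = {
        "ping 192.168.20.50 (LAN_PRIVATE host)": ("icmp", "192.168.20.50", None),
        "dns 192.168.10.1": ("udp", "192.168.10.1", 53),
        "https 203.0.113.5 (WAN IP, web GUI)": ("tcp", "203.0.113.5", 443),
        "https 192.168.20.1 (LAN_PRIVATE gateway)": ("tcp", "192.168.20.1", 443),
        "https 1.1.1.1 (internet)": ("tcp", "1.1.1.1", 443),
    }
    return {name: evaluate(rules, *flow)[0] for name, flow in flows.items()}


if __name__ == "__main__":
    for name, rules in (("locked down", LOCKED_DOWN), ("misordered", MISORDERED)):
        print(name)
        for flow, verdict in check_ruleset(rules).items():
            print(f"  {verdict:5}  {flow}")
```

Running it prints a verdict per flow for both orderings; in the misordered set the ping to the private network passes, which is exactly what the ping test in Gblenn's post would catch.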
bookie56 @johnpoz, Aug 30, 2024, 4:24 PM

            @johnpoz so I don't need a vlan on pfsense?

Gblenn @bookie56, Aug 30, 2024, 6:05 PM (edited Aug 31, 2024, 7:09 AM)

              @bookie56 said in Using Managed Switch for Company and Private Networks:

              @johnpoz so I don't need a vlan on pfsense?


              No you don't since you are instead reusing your existing setup. VLAN is only used here as a way of splitting the switch into two logical and separated portions.

              My example says GUEST_VLAN and IOT_VLAN but those are simply names, and I happen to have VLANs...

              In your case though, we use my example FROM GUEST, which you simply replace with your existing LAN_COMPANY network interface. And IOT_VLAN in this case is replaced with LAN_PRIVATE for one of the rules, and WIFI_PRIVATE for the other rule.

              You need a block rule for each of the other networks you do NOT want LAN_COMPANY to be able to access.
              And of course you need to do the exact same thing on WIFI_COMPANY.

              It's easy to copy a rule in pfsense. Click the Copy symbol and a new rule opens up. Now you can simply change the Interface it relates to and it will end up on WIFI_COMPANY instead of LAN_COMPANY for example.

johnpoz (LAYER 8 Global Moderator) @bookie56, Aug 30, 2024, 6:09 PM

                @bookie56 said in Using Managed Switch for Company and Private Networks:

                so I don't need a vlan on pfsense?

                No, you only need VLANs on pfSense when you want to carry more than one network over the same physical interface. But since you're plugging 2 different physical interfaces into your switch on 2 different ports, then no, pfSense does not need to send or understand any tags for these networks.

bookie56 @johnpoz, Aug 31, 2024, 9:30 AM

                  @johnpoz ok...I will reconnect my other switches to this one and test things....
                  I mentioned earlier about the fact I have a server that I use for cloning computers..
                  This server has two network cards one for my LAN_PRIVATE and the other for Clonezilla...
                  If I change the LAN_PRIVATE to just Port 1 to 12 and 13 to 16 for Cloning...where 13 would be the feed from the 2nd network card on my server...can I set it up in the same way as you guys have shown me ?
                  Would that work in the same way?

johnpoz (LAYER 8 Global Moderator) @bookie56, Aug 31, 2024, 11:12 AM (edited Aug 31, 2024, 11:13 AM)

                    @bookie56 you could set up whatever ports you want on whatever VLANs you want. You could set up say 12 on this switch if you wanted, with just 2 ports in each VLAN. I mean the switch can do more than that - but if you're not going to tag, you kind of need at least 2 ports in each VLAN ;)

bookie56 @johnpoz, Aug 31, 2024, 2:37 PM

                      @johnpoz thanks for all your help...
                      Dare I ask about tagging?

johnpoz (LAYER 8 Global Moderator) @bookie56, Aug 31, 2024, 6:01 PM (edited Aug 31, 2024, 6:03 PM)

                        @bookie56 tagging VLANs is when you want to carry more than one VLAN/network over the same physical connection.

                        See my above post where I show my interfaces - I have multiple networks going over that 1 physical interface igb2.

Gblenn @bookie56, Aug 31, 2024, 6:02 PM (edited Aug 31, 2024, 6:04 PM)

                          @bookie56 said in Using Managed Switch for Company and Private Networks:

                          @johnpoz thanks for all your help...
                          Dare I ask about tagging?


                          With the setup you now have, all ports are set to Untagged. Which still means packets have tags whilst inside the switch, moving between ports. Like going from 20 to 17 to reach pfsense LAN_COMPANY. The switch then knows to send any of those packets only to ports 17-24 because only those ports belong to VLAN 10.
                          All packets are however stripped of the tags as soon as they leave the switch to get to pfsense or a PC/server. Hence you are not tagging...

                          Tagging on the other hand, means maintaining the VLAN ID also outside the switch, throughout the network, so packets can pass along towards the correct endpoint.

                          In my first suggestion I was assuming VLANs for your networks instead of the physical ports you now use, so all of them were on one physical port. Packets then need to be tagged so they can be separated and end up in the right "VLAN-network" in pfSense, as well as the right ports in the switch.

                          Port 1 was then a TRUNK port (set to Tagged) which would maintain any tags already attached to packets coming from pfSense or the respective ports in the switch. If you had more managed switches you would typically connect them together using TRUNK ports that allow most or all of your VLANs to pass between the switches.

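To make the tagged/untagged distinction in Gblenn's post concrete, here is an added Python model (not code from the thread or from any switch vendor) of how a switch classifies a frame into a VLAN on ingress and then strips or keeps the 802.1Q tag on egress. The port layout follows the post (ports 17-24 untagged in VLAN 10 for LAN_COMPANY); ports 9-16 untagged in VLAN 20 for LAN_PRIVATE, a trunk on port 1 carrying both VLANs, and the MAC addresses are assumptions. MAC learning is left out, so a frame is flooded to every other member port of its VLAN, which is enough to show why a port in VLAN 10 never sees a VLAN 20 frame and why the tag only survives on the trunk.

```python
"""Model of 802.1Q handling on a managed switch: untagged (access) ports vs a
tagged (trunk) port. Added example, not code from the thread. Port layout is
constructed: ports 17-24 untagged in VLAN 10 (LAN_COMPANY, as in Gblenn's
post), ports 9-16 untagged in VLAN 20 (LAN_PRIVATE, assumed) and port 1 a
trunk carrying both (assumed)."""
import struct

TPID_8021Q = 0x8100  # EtherType value that announces a VLAN tag follows


def _mac(text):
    return bytes.fromhex(text.replace(":", ""))


def encode_frame(dst_mac, src_mac, ethertype, payload, vid=None):
    """Build an Ethernet frame; with vid set, insert the 4-byte 802.1Q tag
    (TPID 0x8100 + TCI) between the source MAC and the EtherType."""
    frame = _mac(dst_mac) + _mac(src_mac)
    if vid is not None:
        frame += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)  # PCP/DEI left at 0
    return frame + struct.pack("!H", ethertype) + payload


def decode_frame(frame):
    """Return (dst, src, vid_or_None, ethertype, payload)."""
    dst, src = frame[0:6], frame[6:12]
    (tpid,) = struct.unpack("!H", frame[12:14])
    if tpid == TPID_8021Q:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        return dst, src, tci & 0x0FFF, ethertype, frame[18:]
    return dst, src, None, tpid, frame[14:]


class Switch:
    def __init__(self, access_ports, trunk_ports):
        self.pvid = dict(access_ports)                               # port -> its one untagged VLAN
        self.trunks = {p: set(v) for p, v in trunk_ports.items()}    # port -> VLANs carried tagged

    def members(self, vid):
        return ([p for p, v in self.pvid.items() if v == vid]
                + [p for p, vs in self.trunks.items() if vid in vs])

    def forward(self, in_port, frame):
        """Classify on ingress, flood to the VLAN's other members, and tag or
        untag per egress port. Returns {out_port: frame_bytes}. MAC learning
        is deliberately omitted, so every member port receives a copy."""
        dst, src, vid, ethertype, payload = decode_frame(frame)
        if in_port in self.pvid:
            if vid is not None:
                return {}                    # tagged frame on an access port: drop
            vid = self.pvid[in_port]         # untagged frame inherits the port's VLAN
        elif in_port in self.trunks:
            if vid not in self.trunks[in_port]:
                return {}                    # untagged, or a VLAN this trunk does not carry: drop
        else:
            return {}                        # unknown port
        out = {}
        for port in self.members(vid):
            if port == in_port:
                continue
            egress_vid = vid if port in self.trunks else None   # access ports strip the tag
            out[port] = encode_frame(dst.hex(":"), src.hex(":"), ethertype, payload, egress_vid)
        return out


def demo():
    """A broadcast (ARP-style) frame from a PC on port 20, i.e. VLAN 10."""
    sw = Switch(
        access_ports={**{p: 10 for p in range(17, 25)}, **{p: 20 for p in range(9, 17)}},
        trunk_ports={1: {10, 20}},
    )
    frame = encode_frame("ff:ff:ff:ff:ff:ff", "02:00:00:00:00:20", 0x0806, b"who-has 192.168.10.1")
    return sw.forward(20, frame)


if __name__ == "__main__":
    for port, f in sorted(demo().items()):
        print(f"port {port:2}: vid={decode_frame(f)[2]} len={len(f)}")
```

The frame from port 20 leaves ports 17-19 and 21-24 without a tag and leaves port 1 with VID 10 still attached; no VLAN 20 port gets a copy. In bookie56's current setup there is no trunk at all, so nothing ever leaves the switch tagged, which is why pfSense needs no VLAN interface.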
bookie56 @Gblenn, Aug 31, 2024, 6:06 PM

                            @Gblenn wow now this is why I love this forum....
                            You guys are amazing....
                            Thank you so much for all your help...
                            I will run with the setup as is for now and look into changing things later...

                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.