Netgate Discussion Forum
    New to VLAN - Use same VLAN on multiple pfSense ports

    randydeb:

      I have my pfSense (custom HW) running for a while now at home/office, but want to start using VLANs.
      The pfSense device has 6 ports.

      Current situation:
      igc0: WAN (DHCP)
      igc1: MGMT (10.10.1.1/24)
      igc2: OPT1 (192.168.10.1/24) => Wifi AP
      igc3: OPT2 (192.168.20.1/24) => Powerline adapter
      igc4: OPT3 (192.168.30.1/24) => unused
      igc5: OPT4 (192.168.40.1/24) => Home Assistant

      There is also a powerline in the living room and office, so basically splitting my wifi & LAN capable devices into 2 IP ranges.

      So this setup is not as it should be and I want to start using VLANs:
      1000: Home
      1001: Office
      1002: IoT
      1003: TV/Digibox
      1004: IP Cameras

      Now I see a VLAN can be on only 1 interface.
      Seen some solutions where you can bridge interfaces or create a LAGG interface to use a single VLAN on multiple ports.

      From what I found on these forums, bridging interfaces to make pfSense ports function as a switch is slow.
      What makes it slow? Requires more CPU/RAM?
      If so, is this still an issue on 4x 2 GHz / 16 GB RAM?

      For LAGG, should both ports go to the same device to load balance / double throughput?
      Or can both ports go to another device and make both ports work as a normal switch?
      igc2/igc3 = LAGG interface with VLAN
      igc2 => Wifi AP
      igc3 => Powerline

      The third option is to use just 1 port on pfSense, connect it to a switch and go to the different devices from there.
      This makes the other 3 ports pretty much useless.

      Looking forward to hearing your ideas on what's the best setup.

      Kind regards,
      Randy

      Tzvia:

        I wouldn't mess with bridges/LAGGs. What I did was use a VLAN capable switch (a 24 port Netgear and a couple of their 8 port switches downstream in my case) with a 6 port 'industrial' mini PC for pfSense. One port on the pfSense box is WAN, another is the default LAN. I then configured three of the other ports to carry VLANs only, and connected all but the WAN to my switch, which was configured for those VLANs as tagged. So 4 ports on my pfSense box go to my Netgear switch: default LAN, and 5 VLANs tagged. I then configured the rest of the switch ports for whatever I am connecting to it. I have the flexibility, as my needs change, to just reconfigure the Netgear switch ports for whatever I am connecting. These days, VLAN capable gigabit switches can be had quite reasonably. It's not worth messing with bridges and LAGGs.

        Tzvia

        Current build:
        Hunsn/CWWK Pentium Gold 8505, 6x i226v 'micro firewall'
        16 gigs ram
        500gig WD Blue nvme
        Using modded BIOS (enabled CSTATES)
        PFSense 2.72-RELEASE
        Enabled Intel SpeedShift
        Snort
        PFBlockerNG
        LAN and 5 VLANS

        johnpoz (Global Moderator), replying to @randydeb:

          @randydeb as @Tzvia mentions, a switch or switches is how you do this.

          And using switches does not make the other ports on your router useless.. You could use them as other network interfaces.. But trying to make a switch out of discrete interfaces wastes good interfaces and makes for a horrible switch!

          Not sure I would use those VLAN IDs - those are quite often reserved or special in the Cisco world.. You could use LAGG if you want for more bandwidth and redundancy. You could put your other VLANs/networks on their own interfaces connected to your switch so you're not hairpinning traffic.. I for sure would put your IP cameras on their own interface.. Normally cameras are always streaming data.. While it's not normally a huge amount.. I wouldn't share this on the same physical interface with other networks/VLANs if I had the interfaces to use.

          1002-1005 are Cisco defaults for FDDI and Token Ring. You cannot delete VLANs 1002-1005.

          I like to use a VLAN ID that matches up with the network, so for example for 192.168.9.0/24 the ID is 9, my 192.168.3.0/24 the ID is 3, 192.168.7.0/24 is ID 7, etc..

          If you have networks/VLANs that will do a lot of talking between them - it's normally good to put them on their own physical interfaces vs all on the same interface where the traffic will hairpin.

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 25.07.1 | Lab VMs 2.8.1, 25.07.1
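          A small added example (not from the thread or from pfSense) that applies the two points made in the replies above: it flags VLAN IDs in the Cisco-reserved 1002-1005 range and reports where a planned ID does not follow the "ID matches the third octet of the /24" convention. The plan dictionary is constructed from the original post's VLAN IDs paired with made-up /24 subnets.

```python
"""Sanity-check a planned VLAN layout against the advice given in the thread.

Constructed example: the subnets below are assumed, not the poster's real config.
"""
import ipaddress

# 802.1Q VIDs 0 and 4095 are reserved by the standard, 1 is the usual default
# VLAN, and 1002-1005 are the Cisco FDDI/Token Ring defaults named in the thread.
RESERVED_VIDS = {0, 1, 4095} | set(range(1002, 1006))


def suggested_vid(cidr: str) -> int:
    """Return the third octet of a /24 as its VLAN ID (the convention in the reply)."""
    net = ipaddress.ip_network(cidr, strict=True)
    return int(net.network_address.packed[2])


def check_plan(plan: dict) -> list:
    """plan maps name -> (planned_vid, cidr); returns a list of findings as strings."""
    findings = []
    seen = {}  # vid -> first network name that claimed it
    for name, (vid, cidr) in plan.items():
        if not 1 <= vid <= 4094:
            findings.append(f"{name}: VID {vid} is outside the usable 1-4094 range")
            continue
        want = suggested_vid(cidr)
        if vid in RESERVED_VIDS:
            findings.append(f"{name}: VID {vid} is reserved/special; consider {want}")
        if vid in seen:
            findings.append(f"{name}: VID {vid} already used by {seen[vid]}")
        seen.setdefault(vid, name)
        if vid != want:
            findings.append(f"{name}: VID {vid} does not match third octet of {cidr} ({want})")
    return findings


# Constructed plan: the IDs from the original post paired with assumed /24s.
PLAN = {
    "Home":       (1000, "192.168.10.0/24"),
    "Office":     (1001, "192.168.20.0/24"),
    "IoT":        (1002, "192.168.30.0/24"),
    "TV/Digibox": (1003, "192.168.40.0/24"),
    "IP Cameras": (1004, "192.168.50.0/24"),
}

if __name__ == "__main__":
    for line in check_plan(PLAN):
        print(line)
```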
