Netgate Discussion Forum

Very basic VLAN Setup (newb question)

    kuhsay, Feb 2, 2010, 12:17 AM

    Hello,

    I have 3 NICs.  I want to setup my network so I have 2 different networks: we'll name one network "public" and the second network "restricted".

    xl1: WAN
    xl0: public
    re0: restricted

    I want both networks to be completely separated from each other.  Computers on the public network should not know the restricted network exists and computers on the restricted network should not know the public network exists.  I might want to have a printer on the restricted network available to both networks.

    Both NICs will be attached to cheap switches which will be attached to computers.  A few ports will be forwarded to a few computers on the public network, and a few different ports will be forwarded to the private network.

    So… what's the best way to set this up?  Do I need to use VLANs or will basic firewall rules be sufficient?  I originally thought I needed VLANs and one NIC per VLAN, but I am no longer sure if this is the case...  I guess I'm just confused as to what to do next.  There isn't much documentation on VLANs in the wiki, and trying to search the forums has left me a little more confused than when I started.

    Thanks

      wallabybob, Feb 2, 2010, 1:00 AM

      Unless I've missed something, you have no need for VLANs. Configure your "public" network as the pfSense LAN network and your "restricted" network as pfSense OPT1. Default firewall rules will separate the LAN and OPT1 networks and you can enable access between OPT1 and LAN as required by adding firewall rules.

      VLANs would be useful if you had more networks you wanted to keep separate than you have physical interfaces. A particular example might be trying to do what you describe but using a small form factor computer with only two LAN interfaces and no expansion capability.

        kuhsay, Feb 2, 2010, 1:58 AM (edited 2:03 AM)

        Thanks for clearing that up.  Out of curiosity, I saw in another thread that you need a special VLAN-capable switch to use VLANs.  Is this true, or is it possible to just tag a packet based on its MAC address?  For example, let's say I had 2 devices, 01:01:01:01:01:01 and FF:FF:FF:AA:AA:AA, both plugged into the same switch.  Can I assign one of those devices into the public VLAN and one into the restricted VLAN using pfSense?

          wallabybob, Feb 2, 2010, 2:25 AM

          @kuhsay:

          Thanks for clearing that up.  Out of curiosity, I saw in another thread that you need a special VLAN-capable switch to use VLANs.  Is this true,

          Generally but not necessarily.

          or is it possible to just tag a packet based on its MAC address?  For example, let's say I had 2 devices, 01:01:01:01:01:01 and FF:FF:FF:AA:AA:AA, both plugged into the same switch.  Can I assign one of those devices into the public VLAN and one into the restricted VLAN using pfSense?

          No, that's not how it works. If VLANs are enabled in pfSense then incoming traffic on the corresponding physical interface(s) must already be tagged with the VLAN ID (this would normally be done by a VLAN-capable switch).

          A common use of VLANs would be a VLAN capable switch which adds VLAN ID tags to incoming traffic on specified ports and strips out the VLAN ID tags on outgoing traffic. For example, switch port 1 is configured as a "trunk port" (connected to a pfSense NIC with VLANs enabled) belonging to VLANs 10 and 20, switch ports 2 and 3 are configured as belonging to VLAN 10, port 4 is configured as belonging to VLAN 20. The switch will add VLAN ID 10 to traffic from port 2 and 3 and VLAN ID 20 to traffic from port 4. Because ports 2 and 3 are on the same VLAN they can communicate directly. Because ports 2 and 4 are on different VLANs they cannot communicate directly but MIGHT do so through pfSense if pfSense is configured to allow that.

            kuhsay, Feb 2, 2010, 4:08 AM
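The access-port / trunk-port behaviour described in the reply above, as an added Python model (not code from the post, from pfSense or from any switch vendor). The port layout is the one from the reply, the 802.1Q tag bytes follow the standard 4-byte TPID+TCI layout, the sample frame is constructed, and frames are simply flooded to every port in their VLAN instead of being switched by MAC table.

```python
import struct

# Constructed switch layout from the post: port 1 is the trunk to the pfSense NIC
# carrying VLANs 10 and 20; ports 2 and 3 are access ports in VLAN 10; port 4 is
# an access port in VLAN 20.
TRUNK_PORTS = {1: {10, 20}}
ACCESS_PORTS = {2: 10, 3: 10, 4: 20}
TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag

def add_tag(frame, vlan_id, pcp=0):
    """Insert the 4-byte 802.1Q tag (TPID + TCI) after the 12-byte dst/src MACs."""
    tci = (pcp << 13) | (vlan_id & 0x0FFF)
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]

def strip_tag(frame):
    """Remove the tag again so an access port sees a plain Ethernet frame."""
    return frame[:12] + frame[16:]

def tag_of(frame):
    """Return the VLAN ID carried by the frame, or None if it is untagged."""
    if len(frame) >= 16 and struct.unpack("!H", frame[12:14])[0] == TPID_8021Q:
        return struct.unpack("!H", frame[14:16])[0] & 0x0FFF
    return None

def ingress(port, frame):
    """Classify a frame on arrival; returns the tagged frame or None if dropped."""
    if port in ACCESS_PORTS:
        # Access ports accept only untagged frames and stamp them with the port's VLAN.
        return None if tag_of(frame) is not None else add_tag(frame, ACCESS_PORTS[port])
    vid = tag_of(frame)
    # A trunk accepts only frames already tagged with one of its allowed VLANs.
    return frame if vid in TRUNK_PORTS[port] else None

def deliver(in_port, frame):
    """Return {egress_port: frame_as_sent}: access ports get it untagged, trunks tagged."""
    tagged = ingress(in_port, frame)
    if tagged is None:
        return {}
    vid, out = tag_of(tagged), {}
    for p, pvid in ACCESS_PORTS.items():
        if p != in_port and pvid == vid:
            out[p] = strip_tag(tagged)
    for p, vids in TRUNK_PORTS.items():
        if p != in_port and vid in vids:
            out[p] = tagged
    return out

# Constructed untagged broadcast frame: dst ff:ff:ff:ff:ff:ff, src 01:01:01:01:01:01, IPv4.
SAMPLE = bytes.fromhex("ffffffffffff" "010101010101" "0800") + b"payload"
```

A frame from port 2 reaches port 3 untagged and the trunk tagged with VLAN 10, but never port 4; whether VLAN 10 and VLAN 20 hosts can talk at all is then decided entirely by the pfSense rules on the VLAN interfaces.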

            Thank you for taking the time to explain it… I think I get it.

            So VLANs provide the features I wanted, but it is really just a lot more complex way of doing things than is necessary for my situation?  I assume the added complexity is so that you can easily change the VLAN that a port is connected to without physically moving the Ethernet cable to a different switch... is that all a VLAN really does?  I'm just curious BTW, I plan on adding an OPT1 network and going with what you suggested.

              wallabybob, Feb 2, 2010, 7:38 AM

              It might help to look at http://en.wikipedia.org/wiki/Vlan

              This article mentioned Cisco software to assign VLAN IDs based on source MAC address, so my earlier answer to your question about that facility wasn't entirely true. I haven't seen an equivalent facility on the cheaper and smaller VLAN-capable switches I have looked at.

                kuhsay, Feb 2, 2010, 10:14 PM

                Thanks for the info.

                I have set up my router with the three NICs.

                WAN: xl1
                LAN: re0 (restricted)
                HOMELAN: xl0

                LAN gets DHCP address from 192.168.10.10 - 192.168.10.255
                HOMELAN gets DHCP addresses from 192.168.1.10 - 192.168.1.253

                I've set up my firewall rules like so:
                LAN:
                Rule 1:
                Rule: Block (I tried reject too - not sure which one to use)
                Proto:Any
                Source: HOMELAN Subnet
                Port: Any
                Dest: Any
                Gateway: Any
                Schedule: [blank]

                Rule 2:
                Rule: Allow
                Proto:Any
                Source: LAN net
                Port: Any
                Dest: Any
                Gateway: Any
                Schedule: [blank]

                HOMELAN:
                Rule 1:
                Rule: Block (I tried reject too - not sure which one to use)
                Proto:Any
                Source: LAN Subnet
                Port: Any
                Dest: Any
                Gateway: Any
                Schedule: [blank]

                Rule 2:
                Rule: Allow
                Proto:Any
                Source: HOMELAN net
                Port: Any
                Dest: Any
                Gateway: Any
                Schedule: [blank]

                However, I can still ping a box on the LAN network from a box on the HOMELAN network but not vice-versa.  Any idea why this is?

                  wallabybob, Feb 2, 2010, 10:30 PM

                  Block quietly discards packets, Reject returns a response to the sender.

                  Firewall rules are applied to incoming packets.

                  Thus, your HOMELAN rules probably should be:

                  Rule 1:
                  Rule: Block (I tried reject too - not sure which one to use)
                  Proto:Any
                  Source: Any
                  Port: Any
                  Dest: LAN subnet
                  Gateway: Any
                  Schedule: [blank]

                  Rule 2:
                  Rule: Allow
                  Proto:Any
                  Source: HOMELAN net
                  Port: Any
                  Dest: Any
                  Gateway: Any
                  Schedule: [blank]

                  The rules are processed in the order they appear on the screen. First rule that matches a packet terminates rule processing.

                    kuhsay, Feb 3, 2010, 3:32 PM
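Why the original HOMELAN rule never fired and the corrected one does, as an added Python model of pfSense-style interface rules (not pfSense code). It assumes the two /24 subnets implied by the DHCP ranges in the post and simplifies the evaluator to source and destination address only: no protocol, port or state tracking (pf's state table is what lets replies to a passed connection return without a matching rule on the other interface).

```python
import ipaddress
from dataclasses import dataclass

# Subnets from the post (constructed /24s matching the DHCP ranges given).
NETS = {
    "LAN net": ipaddress.ip_network("192.168.10.0/24"),      # re0, "restricted"
    "HOMELAN net": ipaddress.ip_network("192.168.1.0/24"),   # xl0, "public"
}

@dataclass
class Rule:
    action: str  # "pass", "block" (silent drop) or "reject" (drop and answer the sender)
    src: str     # "any" or an alias in NETS
    dst: str

def _in(alias, ip):
    return alias == "any" or ip in NETS[alias]

def evaluate(rules, src_ip, dst_ip):
    """Interface ruleset, pfSense style: first matching rule decides; no match means block."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in rules:
        if _in(rule.src, src) and _in(rule.dst, dst):
            return rule.action
    return "block"  # implicit default deny on every interface

# A ping from a HOMELAN host ENTERS on the HOMELAN interface, so only the HOMELAN
# ruleset is consulted; a source of "LAN net" can never match such a packet.
ORIGINAL_HOMELAN = [Rule("block", "LAN net", "any"), Rule("pass", "HOMELAN net", "any")]
# The corrected set from the reply matches on destination instead.
CORRECTED_HOMELAN = [Rule("block", "any", "LAN net"), Rule("pass", "HOMELAN net", "any")]

def homelan_to_lan(rules, src="192.168.1.20", dst="192.168.10.20"):
    """Decision for a constructed HOMELAN -> LAN packet under the given HOMELAN rules."""
    return evaluate(rules, src, dst)
```

Reversing the two corrected rules lets the traffic through again, which is the "first match terminates processing" point in the reply.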

                    This worked.  Thank you.

                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.