VLAN…downstream switches

  • Just a quick question, suppose I have a very simple VLAN implementation: a VLAN (802.1Q) capable switch, port 1 is VLAN01, port 2 is VLAN02 and port 10 is the port that goes to pfSense. So let's use the classic example I've seen many times here before: port 1 is untagged VLAN01, port 2 is untagged VLAN02, and port 10 is tagged VLAN01 and VLAN02. My question is, do the downstream switches of VLAN01 and VLAN02 have to be VLAN capable? Or can they just be normal unmanaged switches? Also, do the client PCs need to be set up for VLAN?

    I know these are n00b questions, just trying to learn this VLAN stuff... thanks!

  • Rebel Alliance Developer Netgate

    If you only want to use VLAN 01 on the downstream switch to port 1, then it can be a "dumb" switch, since the traffic is untagged.

    You really only need a VLAN capable "downstream" switch if you want to do proper trunking and have multiple VLANs on the "downstream" switch.

  • OK, that's what I thought. But what about the 2nd part? Do the PCs connected to the dumb switch need to be configured for VLAN?
    Also, suppose I wanted to do your scenario: would the source switch still need to untag the port with downstream managed switches?

  • Rebel Alliance Developer Netgate

    If a PC is connected to an untagged port (or a dumb switch connected to an untagged port) it doesn't need to know anything about VLANs.

    If you do trunking to another VLAN-capable switch, you still need to set untagged ports as needed for client PCs.

  • I see… thanks for the help!

    One more thing: if I set up a simple VLAN01 and VLAN02 (like in my example), do I still need a LAN interface? Can I access the pfSense web admin through a VLAN?

  • Rebel Alliance Developer Netgate

    In pfSense, you make VLAN interfaces and then assign them however you like. They work like any other interface at that point.

    So you could have VLAN tag 01 and VLAN tag 02 set up in pfSense, and assign VLAN 01 as LAN, and VLAN 02 as OPT1.

    It's not recommended to mix tagged and untagged traffic on a single interface though, so if your "LAN" interface is plugged into the tagged/trunk port on the switch, it should only use VLAN-tagged interfaces there.
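
An added example, not from the thread or from pfSense: a small Python model of the switch in the first post (port 1 untagged VLAN 1, port 2 untagged VLAN 2, port 10 tagged for both). It shows that frames leave an untagged port with no 802.1Q header, which is why a dumb switch or PC behind it needs no VLAN configuration. The function names, the sample frame and the drop-on-mismatch behaviour are assumptions of this model; real switches differ in how they treat untagged frames on a trunk.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q tag

# Port table from the thread: port -> (mode, VLAN IDs carried)
PORTS = {1: ("untagged", {1}), 2: ("untagged", {2}), 10: ("tagged", {1, 2})}

def parse(frame):
    """Return (vlan_id or None, frame with any 802.1Q tag removed)."""
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != TPID_8021Q:
        return None, frame
    (tci,) = struct.unpack("!H", frame[14:16])
    return tci & 0x0FFF, frame[:12] + frame[16:]  # low 12 bits of TCI = VLAN ID

def add_tag(frame, vid):
    """Insert an 802.1Q tag (priority 0) after the two MAC addresses."""
    return frame[:12] + struct.pack("!HH", TPID_8021Q, vid) + frame[12:]

def ingress(port, frame):
    """Classify a received frame: (vid, untagged frame), or None if dropped."""
    mode, vids = PORTS[port]
    vid, inner = parse(frame)
    if mode == "untagged":
        # Access port: untagged traffic joins the port's VLAN.
        # Model assumption: tagged frames arriving here are dropped.
        return (next(iter(vids)), inner) if vid is None else None
    # Trunk port: accept only frames tagged with a configured VLAN.
    return (vid, inner) if vid in vids else None

def egress(port, vid, inner):
    """Bytes sent on `port`, or None if the port is not a member of `vid`."""
    mode, vids = PORTS[port]
    if vid not in vids:
        return None
    return add_tag(inner, vid) if mode == "tagged" else inner

def forward(in_port, frame):
    """Flood a frame to every other port in its VLAN (no MAC learning)."""
    classified = ingress(in_port, frame)
    if classified is None:
        return {}
    vid, inner = classified
    out = {p: egress(p, vid, inner) for p in PORTS if p != in_port}
    return {p: f for p, f in out.items() if f is not None}

# Constructed sample: broadcast frame from a PC (made-up MAC, dummy payload)
PC_FRAME = bytes.fromhex("ffffffffffff" "020000000001" "0806") + b"\x00" * 46
```
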
