Can I use tagged and untagged VLANs on one interface?



  • If my network card is em0, can I have the following setup:  (?)

    LAN:  em0  [untagged]
    Public Servers:  VLAN 1 on em0
    Game Servers:  VLAN 2 on em0
    Wireless:  VLAN 3 on em0

    Thanks!



  • Yes, this is working for me on pfsense 2.0RC-2



  • While it works i would not recommend it!
    Mixing tagged and untagged traffic can lead to unexpected behaviour if you don't know exactly what you're doing.

    Also using VLAN1 can be unwanted because this is the default VLAN.
    What i would do:

    em0 - don't assign
    VLAN100 on em0 : LAN
    VLAN200 on em0 : Public Servers
    VLAN300 on em0 : Game Servers
    VLAN400 on em0 : Wireless



  • Thanks for the advice and information.

    Right now my setup is like you described (everything is tagged):

    VLAN 1 - LAN
    VLAN 2 - Public Servers
    VLAN 3 - Game Servers
    VLAN 4 - Wireless

    The problem is that my new switch (Dell PowerConnect 2816) forces VLAN 1 to be UNTAGGED for every port and cannot be changed.  Furthermore, the web interface for the switch is only accessible on VLAN 1.

    Given that information, how would you suggest I set it up?  I was thinking like this:

    em0 - Management LAN (untagged/vlan 1)
    VLAN 2 - LAN
    VLAN 3 - Public Servers
    VLAN 4 - Game Servers
    VLAN 5 - Wireless

    That way I could use the router and still access the web interface, etc.



  • Can't you remove all ports from the VLAN1 group?

    But yes, the list you've just posted seems good.



  • No, VLAN 1 cannot be modified.  I have no idea why this limitation exists.

    Why would I want to remove all the ports from VLAN 1 one anyways?

    Given my above post, I'm thinking about making the default VLAN ID (PVID) 2 so everything is on my LAN except for certain ports which are tagged.



  • usually default vlan is always sent without a tag, so it doesn't have a meaning which number you choose (1-4096), but if it's decided as default then it is untagged.



  • On this switch (and my previous one), you can set a different default VLAN ID for each port.  (ie. so if a port isn't tagged, it will automatically be assigned to VLAN XX)

    That's why I'm thinking of skipping VLAN 1 and using VLAN 2 (with each port having a default PVID of VLAN 2).  The only problem is that I won't be able to access the web GUI since everything will be on VLAN 2 and the web interface is only accessible on VLAN 1.



  • Are you meaning default vlan, or making that port as access mode?


Locked