Hello everyone VLAN



  • can we implement an access mode vlan in pfsense without a managed switch present? Thanks :D



  • What is an access mode vlan?



  • Looks to be a Cisco term meaning that it is an end point (single VLAN), not a trunk. Is that what you mean kirlox_kitoy?



  • Ports is automatically in access mode, if you don't tell em any vlans



  • yes its basically  like 192.168.10.0 –-VLAN 1 so automatically this network will be member in vlan1 and 192.168.20.0--VLAN2  will be in vlan 2 respectively can this be possible without having a managed switch on your setup.



  • i basically tried it but when i say one of my client is member of vlan 1 which is part of 192.168.10.0 network, and i assigned 192.168.10.2 to my vlan in pfsense and then 192.168.10.3 on one of my client, i cant be able to ping the 192.168.10.2 is there any other configuration to be made?



  • You need a VLAN capable switch to use VLANs.


  • Netgate Administrator

    You can only use vlans without a managed switch if your clients support vlan tagging. This is easy enough with freebsd or Linux but harder with windows. You would probably also require nics that correctly support vlan tagging, mostly Intel.
    However why would you want to do this? It offers almost nothing by way of security.
    Also you should bare in mind that you should not have tagged and non tagged traffic on the same interface, it can produce unexpected results.

    Steve



  • tnx for the enlightment steve, I was curios about the vlan capability of pfsense.



  • A switch port in access mode in Cisco is a Switch port with no VLAN tags. A trunk would be a switch port allowing Tagged traffic to ingress and egress the port. I have had both tagged and untagged traffic on the same port without any issue at all, on both NIC cards and managed switches. When I worked in a Cisco only environment I didn't really have a concept of tagged and untagged traffic because Cisco just handles everything for you, but if you want 802.1q traffic talking with equipment other than Cisco then you have to understand VLAN Tags. If you set the PVID of a port this will put all untagged traffic entering and leaving that port on that VLAN. If you add a VLAN to a port then it will put that VLAN tagged traffic on that port. Most PCs if not configured for tagged traffic will just drop those frames and just accept the untagged traffic (PVID). If a managed switch is then connected to the same port it will be able to except the untagged/tagged traffic. It is a good idea that once you add tagged VLAN to a port that you remove VLAN 1 (untagged traffic) from that port, or change your native VLAN.

    In windows if you want to set your NIC for VLAN traffic, just go to properties of your NIC and click on the configure button. Then go to the advanced tab and you are looking for priority or VLAN or IEEE 802.1q if you don't have that option then your NIC doesn't support it or you don't have a driver that supports VLAN traffic in Windows.

    I would like to see GVRP support in PfSense.



  • I do have that option in a realtek lancard but the options are just priority and enable vlans, is this what you are talking about? or anything else cause i have played with it and nothing happens.


  • Netgate Administrator

    Not using tagged and untagged traffic on the same interface is specific to pfSense and even then it's only a problem with some drivers/NICs. You may find you can do that with no trouble.

    Steve



  • A "smart" switch is probably what you are looking for. They can be had for well under US$400.

    They have some limitations over a full managed switch, but I find these limitations acceptable at 10% of the cost of the latter solution.


Locked