Multiple Vlans on same Lan



  • Hello everyone,

    So is it possible to have multiple VLANs on the one interface with DHCP?

    I want to do this to isolate every customer on the switch.
    Because I can do port isolation with my 2 switches, but a computer on switch A can see a computer on switch B.
    So I'm thinking of doing VLANs, with every switch getting a different VLAN.

    Is it possible?

    Thanks for your answers.



  • Yes, so long as the switch and pfsense are setup correctly. Each VLAN will need its own subnet to route properly.



  • Thanks for your answers.

    In my case I want every VLAN to get the same single DHCP server of my LAN interface.

    So is it possible to do this???

    I think it's a MacGyver issue ;-)



  • @myke:

    In my case I want every VLAN to get the same single DHCP server of my LAN interface.

    You just need to enable DHCP relay on each VLAN and configure all DHCP scopes on this LAN server.

    Not that MacGyver stuff! ;)



    You just need to enable DHCP relay on each VLAN and configure all DHCP scopes on this LAN server.

    Not that MacGyver stuff! ;)

    Hello,
    But my DHCP is my pfSense box. So I can't use the DHCP relay to do this.



  • Does this pfSense have all these VLANs configured?



  • It will be.

    I want to do this to give every switch a different VLAN with the single DHCP of my pfSense box LAN.

    Thanks.


  • Netgate Administrator

    How many VLANs/customers are you routing?
    I see no reason you couldn't simply enable a dhcp instance on each VLAN other than inconvenience if you have a very large number.

    Steve



  • @stephenw10:

    I see no reason you couldn't simply enable a dhcp instance on each VLAN other than inconvenience if you have a very large number.

    Like Steve, I can't see why you would want to have a single dhcp serving all the VLANs. Perhaps there is some limitation of your system you haven't told us about or perhaps you have some concern you haven't expressed. I guess if I had 2 switches of 48 ports each and needed to put every port on its own VLAN and was running on an Alix and had no money to upgrade and was running off a flash card I might get concerned about the swapping/paging that might be involved in running that many separate DHCP processes.



  • Hi,
    I have 4 switches on my network.
    The switches are HP 1910V.

    I've got one subnet for my single pfSense LAN (172.16.0.0/16).

    I want all computers to be unable to see other computers on my whole network.

    So with this switch, a computer can't see other computers on the same switch, but as I cascade my switches, computers on switch A can see computers on switch B.

    That's my MacGyver stuff ;-)

    I think if I can assign 4 VLANs on my 172.16.0.0/16 and attribute a VLAN per switch, the computers can't see each other.

    Switch 1: VLAN 100 -> Port 1, VLAN 101 -> Port 2, VLAN 102 -> Port 3, Port 24 -> my LAN pfSense, tagged 100 to 102
    Switch 2: VLAN 100 -> Port 24, VLAN 100 to Port 1 of switch 1
    Switch 3: VLAN 101 -> Port 24, VLAN 101 to Port 2 of switch 1
    Switch 4: VLAN 102 -> Port 24, VLAN 102 to Port 3 of switch 1

    Is it possible?

    Sorry for the mastermind ;-)



  • @myke:

    I've got one subnet for my single pfSense LAN (172.16.0.0/16).

    You can carve that up into multiple smaller subnets.

    @myke:

    I want all computers to be unable to see other computers on my whole network.

    It is not clear if you want ALL computers invisible to ALL other computers OR you want ALL computers outside a "group" to be invisible to members of the group.

    @myke:

    So with this switch, a computer can't see other computers on the same switch, but as I cascade my switches, computers on switch A can see computers on switch B.

    I am not familiar with the capabilities of your particular switch, but it is normal that computers on a switch see other computers on the same VLAN on that switch. What mechanism are you using to prevent computers on switch A seeing other computers on switch A?

    @myke:

    I think if I can assign 4 VLANs on my 172.16.0.0/16 and attribute a VLAN per switch, the computers can't see each other.

    Switch 1: VLAN 100 -> Port 1, VLAN 101 -> Port 2, VLAN 102 -> Port 3, Port 24 -> my LAN pfSense, tagged 100 to 102
    Switch 2: VLAN 100 -> Port 24, VLAN 100 to Port 1 of switch 1
    Switch 3: VLAN 101 -> Port 24, VLAN 101 to Port 2 of switch 1
    Switch 4: VLAN 102 -> Port 24, VLAN 102 to Port 3 of switch 1

    Is it possible?

    What you have described is possible but it is not clear how it would achieve the stated objective of "computers can't see other computers on the same switch".

    Also, you haven't discussed why you are looking for a single DHCP server. Is that because you think you have only one subnet available to you?



  • Hi,

    Question 1: It is not clear if you want ALL computers invisible to ALL other computers OR you want ALL computers outside a "group" to be invisible to members of the group.

    Answer 1: I want ALL computers invisible to ALL other computers. Computers on switch 2 can't see any computers on switches 1, 3 and 4; computers on switch 3 can't see any computers on switches 1, 2, 4, etc.

    Question 2: I am not familiar with the capabilities of your particular switch, but it is normal that computers on a switch see other computers on the same VLAN on that switch. What mechanism are you using to prevent computers on switch A seeing other computers on switch A?
    Answer 2: On my switch, I will use port isolation mode to prevent computers on switch 1 seeing other computers on switch 1.

    Question 3: What you have described is possible but it is not clear how it would achieve the stated objective of "computers can't see other computers on the same switch".

    Also, you haven't discussed why you are looking for a single DHCP server. Is that because you think you have only one subnet available to you?

    Answer 3: I tag my ports and I give one tag to each switch to have one VLAN access. Switch 1 -> VLAN 100 access, switch 2 -> VLAN 101 access, switch VLAN 102 access.
    I want to use a single DHCP because I've got the captive portal and it will be easier to manage.

    Thanks.

    PS: By the way, sorry for my English, I'm a French guy ;-)



  • @myke:

    Question 2: I am not familiar with the capabilities of your particular switch, but it is normal that computers on a switch see other computers on the same VLAN on that switch. What mechanism are you using to prevent computers on switch A seeing other computers on switch A?
    Answer 2: On my switch, I will use port isolation mode to prevent computers on switch 1 seeing other computers on switch 1.

    I'm not familiar with that mode. I presume it blocks forwarding from non-trunk ports to non-trunk ports.

    You will probably need firewall rules in place to block attempts to get around the switch restrictions by manually configuring IP address and/or netmask.

    @myke:

    I want to use a single DHCP because I've got the captive portal and it will be easier to manage.

    How will single DHCP make captive portal easier to manage? Is that pfSense captive portal?

    @myke:

    PS: By the way, sorry for my English, I'm a French guy ;-)

    No need to apologise. I haven't written much French since I was in high school so I expect your written English would be way better than my written French.


  • Netgate Administrator

    From the HP manual:

    Usually, Layer 2 traffic isolation is achieved by assigning ports to different VLANs. To save VLAN resources, port isolation is introduced to isolate ports within a VLAN, allowing for great flexibility and security.

    The switch series supports only one isolation group that is created automatically by the system as isolation group 1. You can neither remove the isolation group nor create other isolation groups on the switches.

    There is no restriction on the number of ports assigned to the isolation group.

    Layer 2 traffic is isolated between ports from different VLANs. Within the same VLAN, Layer 2 data transmission between ports within and outside the isolation group is supported.

    I'm unsure how to read that. It could mean that ports added to a VLAN are excluded from the isolation group, though this would seem counter productive.  :-\ I have no experience with those switches.

    If I were doing this, assuming that the ports are isolated, I would use 4 VLANs, one for each switch. Pass through the trunk connections from the cascaded switches as you have suggested. Then create the 4 VLAN interfaces in pfSense and use a separate instance of DHCP on each interface. I don't know if 4 captive portal instances would be too many for you.

    Steve



  • @myke:

    Hi,
    I have 4 switches on my network.
    The switches are HP 1910V.

    I've got one subnet for my single pfSense LAN (172.16.0.0/16).

    I want all computers to be unable to see other computers on my whole network.

    So with this switch, a computer can't see other computers on the same switch, but as I cascade my switches, computers on switch A can see computers on switch B.

    That's my MacGyver stuff ;-)

    I think if I can assign 4 VLANs on my 172.16.0.0/16 and attribute a VLAN per switch, the computers can't see each other.

    Switch 1: VLAN 100 -> Port 1, VLAN 101 -> Port 2, VLAN 102 -> Port 3, Port 24 -> my LAN pfSense, tagged 100 to 102
    Switch 2: VLAN 100 -> Port 24, VLAN 100 to Port 1 of switch 1
    Switch 3: VLAN 101 -> Port 24, VLAN 101 to Port 2 of switch 1
    Switch 4: VLAN 102 -> Port 24, VLAN 102 to Port 3 of switch 1

    Is it possible?

    Sorry for the mastermind ;-)

    I think you're just unable to explain what you need.

    Correct me if I'm wrong but what you want is this:

    Multiple computers split into multiple VLANs for isolation.  Some of the computers on the same VLAN are on different switches.

    You want to have DHCP issue out IP addresses to the computers but you can only work with the given subnet of 172.16.0.0/16.

    To do this, you need to use VLAN trunking on your switches and setup VLAN interfaces on your pfSense.

    Basically, you must set all the VLANs to trunk on the ports used to connect the switches.  In this way, a computer on say VLAN 10 in switch 1 can communicate with another computer on Switch 2 VLAN 10.
    The Port on Switch 2 that connects to Switch 1 must be set to VLAN trunk mode and be a member of all the VLAN IDs that you are using.  This goes for the other end port at Switch 1 as well.
    Replicate this for each additional switch.

    Now, you must also set the port that connects to pfSense 'LAN' adapter to trunk mode and member of all the VLAN IDs used in the network as well.  On pfSense, you must setup the 'LAN' NIC with VLANs.  Add all the VLAN IDs to this NIC.  Each VLAN will be considered an interface in pfSense although it's 'virtual' rather than a physical port.

    Each of these virtual interfaces acts like a 'LAN' port for the respective VLAN computers.  i.e.  You can have LAN1, LAN2, LAN3 etc., each for one VLAN.

    Now break down your original 172.16.0.0/16 subnet into smaller subnets as required.  Google for Subnet mask calculator and use it to calculate the best fitting mask you need.  You ideally need a subnet mask that holds enough IP addresses for the maximum number of computers in any of the VLANs + 1 IP for pfSense virtual interface.
    You also need to ensure that splitting the /16 into that mask gives you enough smaller subnets to cover the number of VLANs you need.

    Since each of these VLANs shows up as an actual 'interface' in pfSense, you can now configure the DHCP server to issue out an individual DHCP IP scope per subnet per interface.

    i.e.  If you use a /28 for each subnet, you get 14 usable IPs.  But one is used by the pfSense virtual interface so that VLAN can only hold up to 13 computers/ devices.



  • Correct me if I'm wrong here, but it sounds like you are just after "wired client isolation" judging from the first post, possibly something used in a hotel for example.
    Wireless isolation is easy with the correct access point. Wired is another matter. The only way I can see it happening is to have a VLAN for each port of the switch.
    Bit of a pain to set up, but once it's done, it's done.
    And with so many VLANs on the go, I would also imagine you wouldn't want that many DHCP servers hanging around, hence the request for 1 DHCP server leasing to every VLAN.



  • I do/did such a setup for LAN-parties.

    • On the switch each and every port is in its own 802.1Q VLAN (untagged). (e.g. switch 1, port 1 has VLAN 101; switch 20, port 17 has VLAN 2017)
    • One "trunk-port" which has all VLANs tagged to the pfSense.
    • Create as many VLAN-interfaces on the pfSense as you defined on your switch(es). Yes this will generate a LOT of OPTs. I suggest using the "pfsense" theme or you will run into displaying problems with the menu at the top ;)
    • Bridge all VLAN-interfaces together.
    • Assign the bridge as interface.
    • Enable the DHCP server on the bridge
    • Create an alias containing your local subnet(s)
    • Create a floating rule allowing access to NOT your_alias
    • Create a floating rule allowing access to the pfSense itself.

    The floating rule to the pfSense itself allows access to DHCP/DNS/etc.
    The floating rule with the NOT your_alias allows access to the internet but not to anything local (aka. your other VLANs)
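    The policy from the post above, as an added example that models the two floating rules and the per-port VLAN numbering; it is not code from the thread or from pfSense. The bridge address, the "local subnets" alias contents and the list of services clients may reach on pfSense itself are constructed assumptions, and pfSense's own automatically added rules are ignored. The point it makes is the one the reply further down stresses: with only the "not local" rule and the "to pfSense" rule in place, a client can reach the internet and the firewall's own services but nothing else on the bridge, regardless of which port-VLAN it sits on or what address it configured by hand.

```python
import ipaddress

# Constructed assumptions (not from the thread): the bridge interface address
# and the alias holding the local subnet(s).  Adjust to your own addressing.
PFSENSE_BRIDGE_IP = ipaddress.ip_address("172.16.0.1")
LOCAL_ALIAS = [ipaddress.ip_network(n)
               for n in ("172.16.0.0/16", "10.0.0.0/8", "192.168.0.0/16")]
BROADCAST = ipaddress.ip_address("255.255.255.255")  # DHCP DISCOVER destination
# Services clients must reach on pfSense itself: DHCP, DNS, captive portal.
# This port list is an assumption for the model, not a pfSense default.
PFSENSE_SELF_SERVICES = {("udp", 67), ("udp", 53), ("tcp", 53),
                         ("tcp", 80), ("tcp", 443)}


def vlan_id(switch, port):
    """Per-port VLAN numbering used in the post: switch N, port P -> N*100 + P.

    802.1Q VLAN IDs run 1..4094, so this scheme stops working at switch 41.
    """
    vid = switch * 100 + port
    if not 1 <= vid <= 4094:
        raise ValueError(f"VLAN id {vid} is outside the 802.1Q range 1-4094")
    return vid


def evaluate(proto, dst_ip, dst_port):
    """Apply the two floating rules in order, then pfSense's implicit default deny.

    Returns (action, reason).  Source address is deliberately not consulted:
    the rules match on destination only, which is what defeats a client that
    hand-configures an address inside the local subnet.
    """
    dst = ipaddress.ip_address(dst_ip)
    # Rule 1: allow access to the pfSense box itself (DHCP/DNS/portal).
    if dst in (PFSENSE_BRIDGE_IP, BROADCAST) and (proto, dst_port) in PFSENSE_SELF_SERVICES:
        return ("pass", "to pfSense itself")
    # Rule 2: allow anything whose destination is NOT in the local alias.
    if not any(dst in net for net in LOCAL_ALIAS):
        return ("pass", "destination not in local alias")
    # Everything else is a local destination: another client on the bridge,
    # any other VLAN, or a pfSense service not in the allowed list.
    return ("block", "default deny: local destination")


if __name__ == "__main__":
    # Constructed sample flows from a client on switch 1, port 1 (VLAN 101).
    print("client sits in VLAN", vlan_id(1, 1))
    for flow in [("udp", "255.255.255.255", 67),   # DHCP DISCOVER
                 ("udp", "172.16.0.1", 53),        # DNS to pfSense
                 ("tcp", "172.16.0.1", 443),       # captive portal
                 ("tcp", "172.16.0.57", 445),      # neighbour on the bridge
                 ("tcp", "192.168.1.10", 80),      # some other local network
                 ("tcp", "172.16.0.1", 22),        # SSH to pfSense, not allowed
                 ("tcp", "203.0.113.10", 443)]:    # the internet
        action, why = evaluate(*flow)
        print(f"{flow[0]} -> {flow[1]}:{flow[2]:<4} {action:5} ({why})")
```

    Rule order matters: the "to pfSense itself" rule must be evaluated before the "not local" rule, because the firewall's own address is inside the local alias and would otherwise fall through to the default deny. Leaving the alias out, or listing only the bridge subnet when other local networks exist behind pfSense, is exactly the failure mode the next reply warns about.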



  • Hello everyone,
    Thanks for all the answers!!!!

    I will try the solution of GruensFroeschli! And I will tell you if I succeed.

    Again thanks for everything.



    • Create an alias containing your local subnet(s)
    • Create a floating rule allowing access to

    probably the most critical parts otherwise you might find that they can all talk to each other!



  • hi,
    I haven't tested it yet because I need some time.

    I'll tell you when I've done it.

    Thanks.
    Myke.

