One NIC Install (VLAN Configuration)

  • I did my first pfsense install yesterday which is on a machine with only one network port (only option would be to add a USB NIC for more ports). I am using a VLAN capable switch (HP 1810G-8). I wanted to make sure my VLAN setup correctly to make sure I am not exposing myself with a incorrect setup. My LAN is setup on the default VLAN the default VLAN. On pfsense my WAN interface is em0_vlan3 and LAN interface is em0. On my switch the LAN is connected to port 1, pfsense is connected on port 2, and the WAN (modem) is connected to port 8. On port 8 (WAN) it is untagged on VLAN 3. On port 2 (pfsense) it is untagged on VLAN 1 and tagged on VLAN 3. On port 1 (LAN) it is untagged on VLAN 1. I have attached my VLAN configuration if I did not explain my setup good enough.

  • It seems to be correct. Are you having any problems passing traffic?

  • It looks like it is passing traffic without any problems. I just wanted to check since I could not find much information on one NIC installs other then that it could be done and that you needed a VLAN capable switch. It appears everything is working good but one thing I have noticed since putting the box in place is that it shows activity between the pfsense box and the WAN every second even when no devices are active on the network. On my previous router it did not show this activity. How would I go about seeing what this activity is? I have looked at pftop and I can see my WAN IP as the source contacting a IP (destination) belonging to my ISP but I am not sure if that is it and if so way is it showing the constant activity when it did not before I had the pfsense box in place. Thanks

  • @Netxhp:

    I have noticed since putting the box in place is that it shows activity between the pfsense box and the WAN every second even when no devices are active on the network.

    Pfsense has gateway polling check. You can disable it if you want.

    A tcpdump on console/ssh can show you what traffic is going to your router.

  • I think marcelloc is talking about gateway polling which is a ping every second to check for latency and packet drop. Basically line quality. You can disable it in the Gateway setting under Gateway monitoring.

  • I am not sure if this is the setting (see attached). By default  it was unchecked and I put a check on that setting but it did not make a difference. Is this setting somewhere else?

  • The gateway monitoring that you are seeing is from a 1 second ping. It is set in System:Routing, Gateways tab. You can disable it completely, or change the probe interval (called Frequency Probe on the GUI - it is actually an interval (sec), not a frequency (/sec)).
    Don't pay attention to all the other parameters I have set there - this screen shot is from a system that has very slow internet and so ping latency goes really high when a couple of ordinary downloads are happening, the latency/loss parameters are set way high to prevent it thinking the gateway is down.

  • You should never use the default/native VLAN - VLAN 1
    Switch communication protocols/functions run on default/native VLAN

    Its a security issue!

    I use:
    VLAN 10 = WAN
    VLAN 20 = LAN

    10 could be rationalized as Port 1
    20 as port 2 and higher
    10 port 1
    20 port 2
    30 port 3 and so on….if you need a different vlans for each port.

    Name your VLAN's anything you like between 2-4095, but default/native VLAN-VLAN 1 is a security risk. Change your admin default VLAN to 20 for example.

    Many security issues with switches.....
    Youtube Video

  • Netgate Administrator


    You should never use the default/native VLAN - VLAN 1

    Normally I would agree with you but in this case they are using it as untagged, rather than tagged as VLAN1.
    If it is working I wouldn't worry about it.

    What specific security issue were you thinking about?

    However it is recommended that you not use tagged and untagged VLAN traffic on the same NIC in pfSense and that is the case here. This is because some combinations of NIC and driver will reject untagged traffic when hardware VLAN tagging is used. That doesn't seem to be happening here.

    It would be better to use 2 VLANs rather than VLAN and untagged to avoid any problems in the future. You may just need to be aware of this fact should trouble arise.


  • I changed the frequency probe to 60 and the constant activity has stopped.. Should I have it set to something lower. I had read about VLAN hopping and from what I read I was not sure if it only applied to local devices and if they had to be on the default VLAN (could something come over the VLAN that the WAN is on?). I have three other switches in my network setup for VLANS and the majority of my devices are on the default VLAN. The resolutions I saw were to move all devices on the default VLAN or to tag all VLANS. On what you mentioned on not having tagged and untagged VLAN traffic on the same NIC for pfSense so to setup up that I would need to setup a vlan for the port the pfSense is connected to and then tag that VLAN on the port it is connected to. Then change the LAN interface from em0 to emo_VLANX. After those changes to connect to the web interface would I need my computer untagged on that new VLAN or does the pfSense need to be untagged on some VLAN to be accessible? Thank you for your help.

  • Netgate Administrator

    The pfSense webgui listens on all interfaces so you would be able to access it from a VLAN interface as long as you have firewall rules to allow it (which LAN does by default).
    The difficulty would be accessing the webgui for the switch which is usually on the default vlan only. You need to make sure you don't lock yourself out of it which I can tell you from personal experience can be very frustrating!


    Edit: That linked youtube video is informative. It would seem that the main reason for not using the default vlan is that it exposes the management interface to the general LAN network. I guess it depends how much of a concern that is to you.