Can VLANs do that? Some advanced stuff…

  • I have 2x DSL modems and a SG300 L2+ Cisco switch.

    Connecting a modem directly to PF is easy, i.e.:
    em0 - LAN
    em1 is modem_interface_access
    em1_VLAN35 is PPPoE WAN (ISP mandated and impossible to bridge within the modem)

    But I only have 2 ports, and need 3.

    Can I connect both modems on a single pf port using VLANs given the VLAN35 PPPoE requirement?

  • Does your other modem support VLAN tagging? If not you can still do it.

    em0 - LAN - untagged, VLAN 1 (or whatever the default VLAN is unless you have reason to change this)
    em1_VLAN30 - modem 1 (can use any VLAN other than 1 or 35 here actually)
    em1_VLAN35 - modem 2

    Plug em0 into port 1 on your switch and leave all switch settings for this port at default unless you have reason to change them.

    Plug em1 into port 2 on the switch and configure it for tagged membership in VLAN 30 and 35.

    Plug modem 1 into port 3 on the switch and configure the switch for UNTAGGED membership in VLAN 30 (in other words, this port will not be a member of VLAN 1, the default VLAN, and instead VLAN 30 will be its default).

    Plug modem 2 into port 4 on the switch and configure the switch for TAGGED membership in VLAN 35. I assume tagged anyway, as they are forcing VLAN 35, they are likely tagging it; if not, set it to untagged 35 instead.

    That should be all you need to do. You can of course use different ports on the switch, just adapt the instructions above to the new ports you chose.


  • Hey Joel,

    The 2 modems are identical, both require PPPoE to be on VLAN35,
    I also need access to each modem's management interface,
    so it would be something like:

    em0 - LAN

    Switch port #1 TAGGED > pfSense em1

    • em1_VLAN30 modem1 management
    • em1_VLAN31 modem2 management
    • em1_VLAN35 modem1 PPPoE
    • em1_VLAN36 modem2 PPPoE

    Switch port #2 UNTAGGED30 > modem1
    Switch port #2 TAGGED35 > modem1

    Switch port #3 UNTAGGED31 > modem2
    Switch port #3 "VLAN36 to TAGGED VLAN35" > modem2  this is the part that I don't know how to do, because modem1 also needs VLAN35

  • Hmmm, that does make things more complicated. I'm honestly not sure if you can do that with both modems expecting to be on VLAN 35. Can you change the VLAN on one of them? If not, your best bet is likely going to be using a separate NIC for each modem. I'm still learning VLANs myself and I'm not sure if a switch can re-tag the packets to something different from what the device sends the packets out as.


  • Netgate Administrator

  • I think the difficulty with using the switch for both physical connections is keeping two VLANs with the same ID separate.

    If you can't change the VLAN on one of the modems,
    1. Get another NIC and have two NICs directly connected to the two modems; OR
    2. Have one NIC directly connected to a modem and on the other NIC have LAN (as a distinct VLAN) and the modem connection.

  • QinQ sounds interesting, can't clearly tell if it will work.

    I'm running a Supermicro X7SPA-HF in an M350 chassis,
    I haven't seen a compatible riser card / IO panel so a third NIC isn't in the cards.
    Currently have em0/em1 dedicated to the modems and LAN via a USB adapter which is very dirty.

    wallabybob's #2 looks to be the only solid option at this point.
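
The shared-VLAN-ID problem discussed in this thread, as an added example that is not part of any post: a small Python model of how a plain 802.1Q switch floods a broadcast frame such as a PPPoE discovery packet. The port layouts are constructed from the plans above, and the model assumes the switch does no VLAN translation.

```python
# Added example: toy model of 802.1Q broadcast flooding on one switch.
# Layouts are constructed from the port plans in the thread; "T" = tagged
# member, "U" = untagged member. Assumes no VLAN translation on the switch.

# First reply's plan: only one modem uses VLAN 35.
SINGLE_35 = {
    1: {1: "U"},             # pfSense em0 (LAN)
    2: {30: "T", 35: "T"},   # pfSense em1 (trunk)
    3: {30: "U"},            # modem 1
    4: {35: "T"},            # modem 2
}

# Follow-up plan: both modems emit PPPoE tagged 35 and cannot be changed.
BOTH_35 = {
    1: {30: "T", 31: "T", 35: "T", 36: "T"},  # pfSense em1 (trunk)
    2: {30: "U", 35: "T"},                    # modem 1
    3: {31: "U", 35: "T"},                    # modem 2
}


def classify(ports, ingress, tag):
    """VLAN assigned to a frame on ingress, or None if the port drops it."""
    members = ports[ingress]
    if tag is None:  # untagged frame lands in the port's untagged VLAN
        return next((v for v, m in members.items() if m == "U"), None)
    return tag if members.get(tag) == "T" else None


def flood(ports, ingress, tag):
    """Map egress port -> egress tag (None = untagged) for a broadcast frame."""
    vid = classify(ports, ingress, tag)
    if vid is None:
        return {}
    return {p: (vid if m[vid] == "T" else None)
            for p, m in ports.items() if p != ingress and vid in m}


def modems_isolated(ports, modem_a, modem_b, tag=35):
    """True if a tagged broadcast from one modem never reaches the other."""
    return (modem_b not in flood(ports, modem_a, tag)
            and modem_a not in flood(ports, modem_b, tag))


if __name__ == "__main__":
    print(flood(SINGLE_35, 4, 35))        # modem 2's PPPoE reaches only em1
    print(flood(BOTH_35, 2, 35))          # modem 1's PPPoE also reaches modem 2
    print(modems_isolated(BOTH_35, 2, 3))
```

In the second layout both modems land in one VLAN 35 broadcast domain on the trunk, and VLAN 36 never carries a frame because neither modem emits that tag.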