LAN and VLAN on same interface, how to solve with switch?

  • Thanks to a lot of helpful threads on this forum I managed to set up a separate VLAN20 on my network, that I am using for Wireless traffic.

    However, recently I have seen a lot about it not being good practice to have LAN and VLAN on the same interface, but I don't fully understand the implications of this.
    First I was confused by "same interface" because in pfSense LAN and VLAN are both listed as interfaces. Now I think I understand that "interface" means the parent interface, e.g. em0, or em1, etc. (so a port on the pfSense machine). Do I understand correctly?

    If so, then I have a problem, because my LAN and VLAN20 are both on em0. This is the setup:
    My pfSense machine is connected to a managed switch, to which are connected some workstations and data storage (all on LAN), a WAP (with WLAN on VLAN20), as well as another switch on a different floor. This switch is unmanaged, but does transmit tags. To this little switch are also connected some workstations (LAN) and another WAP (again with WLAN on VLAN20).

    Now, if I were to add another port/NIC to my pfSense machine, especially for the VLAN, this would need to connect to the managed switch. So then there would be 2 connections between pfSense and switch, one for LAN and one for VLAN. Would this be the correct setup?
    Then I wonder, do the two switch ports that are connected to pfSense need to be trunked or not (which LAN/VLAN tagged/untagged?), and will the switch know which traffic coming from the switch on the other floor (that can be LAN or VLAN) needs to go to which port to the pfSense? Or how can I let the switch know?
    Does it matter that the other ports on the switch are trunked, with LAN untagged and VLAN tagged?

    Maybe it would be better to have the workstations and data storage on another VLAN, so that the LAN is reserved for management of the pfSense machine, switch etc? However, will I then still be able to do this management using a workstation in one of the VLANs, or would I need to have a dedicated machine on a separate port on the switch?

    I hope I made my confusion understandable and would be very happy with any pointers.

  • To use the terminology used on the 'assign network ports' menu, one should not assign the raw network port to an interface if you are using vlans on that port. e.g. you should not have LAN-em0 and WLAN-vlan 20 on em0.
    In such a case, you would want to create a vlan for LAN on the switches and in pfSense. For example, you could have LAN-vlan 10 on em0 and WLAN-vlan 20 on em0. Vlan 1 is the default vlan, but it is considered bad practice to use vlan 1.
    In the configuration of consumer switches, such as Netgears, you would set the port connected to pfSense as tagged for both vlans (trunk), then set the LAN ports untagged for vlan 10 and the WLAN ports untagged for vlan 20. On these switches, you would also set the PVID to 10 for LAN ports and 20 for WLAN ports.
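
The port roles described in the reply above can be checked mechanically before touching the switch. This is an added example, not part of the original thread and not pfSense or switch-vendor code; the port names (`g1`..`g3`), the plan layout and the `lint_vlan_plan` helper are constructed for illustration, and it models only the uplink and access ports the reply describes.

```python
# Added example: all port names and plan values below are constructed.
def lint_vlan_plan(fw, ports):
    """fw: {pfSense interface: (parent NIC, VLAN id or None for a raw assignment)}
    ports: {switch port: {"uplink": bool, "tagged": set, "untagged": set, "pvid": int}}
    Returns a list of findings; an empty list means the plan matches the advice."""
    findings = []
    by_nic = {}
    for name, (nic, vid) in fw.items():
        by_nic.setdefault(nic, []).append((name, vid))
    for nic, uses in sorted(by_nic.items()):
        raw = [n for n, v in uses if v is None]
        vlans = [n for n, v in uses if v is not None]
        if raw and vlans:  # raw parent port assigned next to VLANs on it
            findings.append(f"{nic}: {raw[0]} is on the raw port while {vlans[0]} uses a VLAN on it")
    fw_vids = {vid for _, vid in fw.values() if vid is not None}
    if 1 in fw_vids:
        findings.append("pfSense: VLAN 1 is in use")
    for port, cfg in sorted(ports.items()):
        if cfg["uplink"]:
            missing = sorted(fw_vids - cfg["tagged"])
            if missing:  # trunk to pfSense must tag every VLAN pfSense uses
                findings.append(f"{port}: uplink is not tagged for VLAN {missing}")
            continue
        untagged = cfg["untagged"]
        if len(untagged) != 1:
            findings.append(f"{port}: access port needs exactly one untagged VLAN")
        elif 1 in untagged:
            findings.append(f"{port}: access port still sits in default VLAN 1")
        elif cfg["pvid"] not in untagged:
            findings.append(f"{port}: PVID {cfg['pvid']} does not match untagged VLAN {min(untagged)}")
    return findings

# The original poster's layout: LAN on raw em0, WLAN on VLAN 20 of em0.
BEFORE_FW = {"LAN": ("em0", None), "WLAN": ("em0", 20)}
BEFORE_PORTS = {
    "g1": {"uplink": True, "tagged": {20}, "untagged": {1}, "pvid": 1},
    "g2": {"uplink": False, "tagged": {20}, "untagged": {1}, "pvid": 1},
}
# The layout the reply recommends: LAN on VLAN 10, WLAN on VLAN 20.
AFTER_FW = {"LAN": ("em0", 10), "WLAN": ("em0", 20)}
AFTER_PORTS = {
    "g1": {"uplink": True, "tagged": {10, 20}, "untagged": set(), "pvid": 1},
    "g2": {"uplink": False, "tagged": set(), "untagged": {10}, "pvid": 10},
    "g3": {"uplink": False, "tagged": set(), "untagged": {20}, "pvid": 20},
}

if __name__ == "__main__":
    for label, fw, ports in (("before", BEFORE_FW, BEFORE_PORTS), ("after", AFTER_FW, AFTER_PORTS)):
        print(label, lint_vlan_plan(fw, ports) or "no findings")
```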

  • Thanks for your reply. :D

    I have been reading it three times, and I think I understand the following:
    Under Interfaces:VLAN I create VLAN 10 on em0.
    Then under Interfaces: assign network ports, I assign "VLAN 10 on em0" to LAN instead of em0 (which it is now).
    I do not need another port/NIC for LAN.
    Did I understand correctly so far?

    Sorry if I am being a total idiot  :-[

  • Yes, that's correct.
    The main thing is, minimise risk of being locked out of the webGUI. Make sure you have webGUI access from VLAN20 first. Then mess with the LAN device assignment. Because you are also going to have to change the VLAN switch to trunk VLAN10 to pfSense and put some ordinary switch ports into VLAN10… and it can get messy if you have made changes on pfSense then can't get the VLAN switch to cooperate.

  • In addition to what Phil said, make sure you leave a port on the switch at default settings. You will need to change the management vlan to 10 to manage the switch from the LAN; if you lose connectivity to the switch when you are changing settings, the port may allow you to get back into the switch.

  • Also note that a bunch of not-so-high-end switches (e.g. Dell PowerConnect 2xxx) won't allow you to move the management interface to a VLAN other than 1, and require VLAN 1 to be untagged.
