Netgate Discussion Forum

    Using a VLAN to isolate a vendor

    Lou57

      I want to setup a VLAN on our network to isolate a specific PC.

      I added VLAN 10 to the firewall following the instructions in the 2.1 manual. Well done.

      I added VLAN 10 to the two Cisco 3560 switches, one in BldgA, one in BldgB. They are connected by an underground 1Gb CAT6 line.

      I can ping the firewall from both switches. The routing works.

      I can neither ping nor access the PC from the switch it is connected to. It is a Broadcom NetXtreme running on a WinXP box. There are no utilities on the PC to enable VLAN tagging. Let's assume there are none available.

      I set up the port:

      interface FastEthernet0/4
        switchport access vlan 10
        switchport mode access
        spanning-tree portfast

      This did not work. I added
        switchport trunk encapsulation dot1q
      but that didn't help.

      So I changed to trunk mode, which is how the rest of the ports are configured, except that they use port 20 for voice (VoIP).

      interface FastEthernet0/4
        switchport trunk encapsulation dot1q
        switchport trunk native vlan 10
        switchport trunk allowed vlan 10
        switchport mode trunk
        spanning-tree portfast

      Now I am reading something about using native vlan affecting all of the ports.

      The goal is to enable traffic to come to a specific IP address on pfSense, be isolated to a VLAN and sent only to this box.

      Any help?

      nothing

        The PC port should look like this:

        interface FastEthernet0/4
          switchport access vlan 10
          switchport mode access
          spanning-tree portfast

        The ports between the switches and the port where the firewall is connected should look like this:

        interface FastEthernet0/x
          switchport trunk encapsulation dot1q
          switchport trunk native vlan 1
          switchport trunk allowed vlan 1,10
          switchport mode trunk

        It will work, but following best practices, the ports between the switches and the port where the fw is connected should look like this:

        interface FastEthernet0/x
          switchport trunk encapsulation dot1q
          switchport trunk allowed vlan 1,10
          switchport mode trunk

        Which means you should have two VLAN tagged interfaces on pfSense, and not use the native one.

          Lou57
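As an added example (not code from this thread, from Netgate or from Cisco), a small Python lint that applies the rule in the answer above to a constructed Cisco IOS config excerpt: a host port should be an access port on the data VLAN, and a trunk should carry that VLAN tagged (in its allowed list) rather than untagged as its native VLAN. The sample configuration, interface names and the `audit`/`parse_interfaces` helpers are all constructed for this example.

```python
import re
# Constructed sample in Cisco IOS syntax as used in the thread: the poster's trunk-mode
# PC port, the access port the answer recommends, and an inter-switch trunk.
SAMPLE_CONFIG = """\
interface FastEthernet0/4
  switchport trunk native vlan 10
  switchport trunk allowed vlan 10
  switchport mode trunk
interface FastEthernet0/5
  switchport access vlan 10
  switchport mode access
interface GigabitEthernet0/1
  switchport trunk allowed vlan 1,10-12
  switchport mode trunk
"""
def expand_vlans(spec):
    """Expand an IOS VLAN list such as '1,10-12' into a set of ints."""
    return {v for part in spec.split(",") for lo, _, hi in [part.partition("-")]
            for v in range(int(lo), int(hi or lo) + 1)}

def parse_interfaces(config):
    """Split running-config text into per-interface switchport settings."""
    ifaces, cur = {}, {}  # `cur` starts as a sink for lines before the first stanza
    for line in (l.strip() for l in config.splitlines()):
        if line.startswith("interface "):
            cur = ifaces.setdefault(line.split()[1],
                {"mode": None, "access_vlan": 1, "native_vlan": 1, "allowed": None})
        elif m := re.fullmatch(r"switchport mode (\w+)", line):
            cur["mode"] = m.group(1)
        elif m := re.fullmatch(r"switchport access vlan (\d+)", line):
            cur["access_vlan"] = int(m.group(1))
        elif m := re.fullmatch(r"switchport trunk native vlan (\d+)", line):
            cur["native_vlan"] = int(m.group(1))
        elif m := re.fullmatch(r"switchport trunk allowed vlan ([\d,-]+)", line):
            cur["allowed"] = expand_vlans(m.group(1))
    return ifaces

def audit(config, data_vlan=10):
    """Return {interface: [issues]} for ports that mishandle data_vlan."""
    findings = {}
    for name, p in parse_interfaces(config).items():
        issues = []
        if p["mode"] == "access" and p["access_vlan"] != data_vlan:
            issues.append(f"access port is on VLAN {p['access_vlan']}, not {data_vlan}")
        if p["mode"] == "trunk" and p["native_vlan"] == data_vlan:
            issues.append(f"VLAN {data_vlan} is untagged native; use an access port for a host")
        if p["mode"] == "trunk" and p["allowed"] and data_vlan not in p["allowed"]:
            issues.append(f"VLAN {data_vlan} is not in the trunk's allowed list")
        findings[name] = issues
    return findings
```

Running `audit(SAMPLE_CONFIG)` flags only FastEthernet0/4 (the trunk-with-native-VLAN-10 port from the first post); the access port and the inter-switch trunk come back clean.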

          Thank you.

          I had to resolve that one right away, so we opened up access to the consultant's static IP address and NATed him to that specific box using an obfuscated port.

          I will test this soon so that I can have it in my arsenal. Thanks again!

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.