    Netgate Discussion Forum
    Using a VLAN to isolate a vendor

    Firewalling
      Lou57

      I want to setup a VLAN on our network to isolate a specific PC.

      I added VLAN 10 to the firewall following the instructions in the 2.1 manual. Well done.

      I added VLAN 10 to the two Cisco 3560 switches, one in BldgA, one in BldgB. They are connected by an underground 1Gb CAT6 line.

      I can ping the firewall from both switches. The routing works.

      I cannot ping nor access the PC from the switch it is connected to. It is a Broadcom NetXtreme running on a WinXP box. There are no utilities on the PC to enable VLAN tagging. Let's assume there are none available.

      I set up the port:

      interface FastEthernet0/4
        switchport access vlan 10
        switchport mode access
        spanning-tree portfast

      This did not work. I added
        switchport trunk encapsulation dot1q
      but that didn't help.

      So I changed to trunk mode, which is how the rest of the ports are configured except that they use port 20 for voice (VoIP).

      interface FastEthernet0/4
        switchport trunk encapsulation dot1q
        switchport trunk native vlan 10
        switchport trunk allowed vlan 10
        switchport mode trunk
        spanning-tree portfast

      Now I am reading something about using native vlan affecting all of the ports.

      The goal is to enable traffic to come to a specific IP address on pfSense, be isolated to a VLAN and sent only to this box.

      Any help?

        nothing

        The PC port should look like this:

        interface FastEthernet0/4
          switchport access vlan 10
          switchport mode access
          spanning-tree portfast

        The ports between the switches and the port where the firewall is connected should look like this:

        interface FastEthernet0/x
          switchport trunk encapsulation dot1q
          switchport trunk native vlan 1
          switchport trunk allowed vlan 1,10
          switchport mode trunk

        It will work, but following best practices, the ports between the switches and the port where the fw is connected should look like this:

        interface FastEthernet0/x
          switchport trunk encapsulation dot1q
          switchport trunk allowed vlan 1,10
          switchport mode trunk

        Which means you should have two VLAN tagged interfaces on pfSense, and not use the native one.

          Lou57
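As an added example (not from the thread or from Netgate), a small Python audit that applies the two rules from the answer above to Cisco IOS interface stanzas: a port feeding a host that cannot tag frames must be an access port in its VLAN, and an uplink or firewall trunk should not carry a data VLAN as native. The interface names and sample config below are constructed.

```python
def parse_interfaces(config):
    """Split IOS running-config text into {interface_name: [config lines]}."""
    ifaces, current = {}, None
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if raw[0] in " \t":            # indented line belongs to the current stanza
            if current:
                ifaces[current].append(raw.strip())
        else:                          # top-level command: new stanza or unrelated
            words = raw.split()
            current = words[1] if len(words) > 1 and words[0] == "interface" else None
            if current:
                ifaces[current] = []
    return ifaces

def _value(lines, prefix):  # last token of the first line starting with prefix
    return next((l.split()[-1] for l in lines if l.startswith(prefix)), None)

def audit_port(lines, host_port):
    """host_port=True: an untagged end host (like the WinXP PC) is attached;
    False: a switch uplink or the firewall port, which must carry VLANs tagged."""
    findings = []
    mode = _value(lines, "switchport mode ")
    native = _value(lines, "switchport trunk native vlan ")
    if host_port:
        if mode != "access":
            findings.append("untagged host needs 'switchport mode access', not trunk")
        if _value(lines, "switchport access vlan ") is None:
            findings.append("missing 'switchport access vlan <id>'")
    elif mode != "trunk":
        findings.append("uplink/firewall port should be 'switchport mode trunk'")
    elif native not in (None, "1"):
        findings.append(f"native VLAN {native} reaches pfSense untagged; tag every VLAN instead")
    return findings

def audit(config, host_ports):  # {interface: findings}; an empty list means clean
    return {n: audit_port(l, n in host_ports) for n, l in parse_interfaces(config).items()}

# Constructed sample: Fa0/4 is the OP's trunk attempt for the PC, Fa0/5 the
# access-port fix from the answer, Gi0/1 the uplink/firewall trunk.
SAMPLE_CONFIG = """interface FastEthernet0/4
 switchport trunk native vlan 10
 switchport mode trunk
interface FastEthernet0/5
 switchport access vlan 10
 switchport mode access
interface GigabitEthernet0/1
 switchport trunk allowed vlan 1,10
 switchport mode trunk
"""
```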

          Thank you.

          I had to resolve that one right away, so we opened up access to the consultant's static IP address and NATed him to that specific box using an obfuscated port.

          I will test this soon so that I can have it in my arsenal. Thanks again!

          © 2021 Rubicon Communications, LLC