VLANs in same IP subnet?



  • Hello,

    We have over 200 devices in the same IP net (192.1.99.1). Now we are building VLANs to separate them.
    192.1.10.1 = vlan 100 with 20 clients works fine
    192.1.20.1 = vlan 101 with 15 clients works fine

    Rules, NAT, HP switch port tagging: after many hours of learning, all is OK and it works.

    But now I want to separate the servers from each other, and I read the German article for better performance ( http://www.crn.de/netzwerke-tk/artikel-81480.html ).

    The question: we don't want an extra IP subnet for every server. Is there a way in pfSense to use the same IP subnet and the same gateway?
    Server 1 = IP 192.1.99.2 = VLAN 200
    Server 2 = IP 192.1.99.3 = VLAN 300



  • Well you can create a bridge and assign the IP to the bridge.
    Then add all the VLANs you have to this bridge.
    You can still have rules per VLAN but all are on the same subnet.



  • Thanks for the reply.

    OK, we "bridged" the two test VLANs.
    I tested it with the Win 1 client on the VLAN ID 110 net and the Win 2 client on the VLAN 111 net.
    IP Win 1 (vlan 110) = 192.1.99.50
    IP Win 2 (vlan 111) = 192.1.99.60

    But I can't ping from Win 1 to Win 2.

    Which gateway must I set? I tested it with 192.1.99.1 (pfSense IP).

    • Well you can create a bridge and assign the IP to the bridge. = Which IP, and where can I assign it?
    • Then add all the VLANs you have to this bridge.  = OK
    • You can still have rules per VLAN but all are on the same subnet. = OK



  • After you create the bridge you can assign it as if it were a real interface.
    --> You can set an IP on the bridge interface.

    Since the two devices on their VLAN can't talk to each other:
    Did you create rules on the VLAN interfaces which actually allow traffic?
    By default all traffic on new interfaces is dropped.
    You can create interface groups to apply a specific set of rules to all interfaces which are in this group.

    To start, it might make sense to create a group containing all your VLAN interfaces and allow all traffic from all.
    Start limiting access after the basics work.