How many NIC's?



  • I have two computers and a server that I want to be on VLAN1
    I have two computers that I want to be on VLAN2

    I have a dedicated pfSense box and a Cisco SG-300 10 port "Managed Switch" + Comcast Business Class SMC Modem

    For security reasons I believe it better to have pfSense manage the VLAN's than to set them up in the Cisco Managed Switch.

    I should know the answer to this question but had to drop out of the Advanced Cisco Router class, because of a death in the family.

    Question: How many NIC's should I install in the pfSense box?


  • LAYER 8 Netgate

    You really only have two choices, create VLAN interfaces and tag them to the switch or use the switch's layer 3 capabilities and have multiple subnets/segments behind one pfSense LAN.

    All the defaults work better and it's easier to firewall between the segments if you create the VLAN interfaces and tag to the switch.

    Three good NICs is a good place to start, but you can do what you describe with one for WAN and one for your VLANs.



  • @incurablegeek:

    For security reasons I believe it better to have pfSense manage the VLAN's than to set them up in the Cisco Managed Switch.

    You are mixing up things here.
    I assume your switch is in L2 "switch" mode.
    On the SG300 you want to create static VLANs. Don't bother with auto-created voice-, protocol- or multicast-vlans and such.
    Define the same VLAN IDs in pfSense. Putting them on one physical trunk interface is widely used.
    You have to define VLANs on both sides individually, they are not automatically created for you.

    And to answer your question: two.
    1x WAN, 1x trunk



  • Derelict and Jahonix, thank you very much. The answer is so very obvious.

    1. Use the SG-300 Layer 3 capabilities
    2. Static VLAN's

    Define the same VLAN IDs in pfSense. Putting them on one physical trunk interface is widely used. - This is most helpful.
    You have to define VLANs on both sides individually, they are not automatically created for you. - This I of course knew, but then I did not frame my question as if I knew anything at all, so Thanks!

    All the defaults work better and it's easier to firewall between the segments if you create the VLAN interfaces and tag to the switch. - Hugely helpful. Thanks!

    Fact of the matter is Mama, for whom I have cared for 9 years, just passed away so I am in a combination of shock and idiot mode. When you lose your parents, the "period of grief" lasts forever.

    Thank you both for tolerating my rather simple minded question. :)



  • My condolences to you.
    I know that pushing your head in a totally different direction helps to get over it.

    Why do you use the switch in L3 mode?
    Doing it that way means pfSense shouldn't do the routing and thus can't do filtering if needed. And you will want to use a single interface to your pfSense only, no Trunk/Etherchannel/whatever_vocabulary_Cisco_uses. Routing is done by the switch and has to be defined there!
    You cannot use pfSense's DHCP server on a second subnet then (without hassle, that is), as well as DNS and whatever pfSense offers.

    Putting the switch in L2 mode probably is way easier for you!
    It can be done with the switch in L3 mode. Better start simple and evolve from there if need be.
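As an added, worked illustration of the layout Derelict and Jahonix describe (switch in L2 mode, static VLANs on the SG300, one 802.1Q trunk up to a single pfSense LAN NIC, WAN on the other NIC), here is the switch side in SG300 CLI form. This is example configuration, not something posted in the thread: the VLAN IDs (10 for the asker's "VLAN1", 20 for "VLAN2"), the port assignments, and the exact spelling of the `set system mode` and `interface range` commands are assumptions that should be checked against the firmware's CLI guide before use.

```cisco
! Assumed mapping: VLAN 10 = two PCs + server ("VLAN1"), VLAN 20 = two PCs ("VLAN2").
! Assumed ports on the 10-port SG300: gi1-gi3 -> VLAN 10 hosts, gi4-gi5 -> VLAN 20 hosts,
! gi10 -> tagged trunk to the pfSense LAN NIC. The pfSense WAN NIC cables straight to the SMC modem.

! 1. Keep the switch in L2 mode so every inter-VLAN packet must cross pfSense and its rules.
!    Issued from privileged exec; the switch asks for a reboot. (Assumed syntax.)
set system mode switch

configure terminal

! 2. Static VLANs only. No auto-created voice/protocol/multicast VLANs.
vlan database
 vlan 10,20
exit

! 3. Untagged access ports for the hosts and the server.
interface range gi1-3
 switchport mode access
 switchport access vlan 10
exit
interface range gi4-5
 switchport mode access
 switchport access vlan 20
exit

! 4. One tagged trunk to the pfSense LAN NIC carrying only the two user VLANs.
!    Do not add the switch's own management VLAN here; pfSense only needs 10 and 20.
interface gi10
 switchport mode trunk
 switchport trunk allowed vlan add 10,20
exit
end

copy running-config startup-config
```

On the pfSense side the matching step is Interfaces > Assignments > VLANs: add tag 10 and tag 20 on the parent interface that faces gi10, then assign each VLAN as its own interface (for example OPT1 and OPT2), enable it, give it its own subnet, and enable the DHCP server per interface. The firewall rules then live on those two VLAN interfaces, which is the "easier to firewall between the segments" point Derelict made; with the switch in L3 mode instead, the SG300 would route between 10 and 20 itself and pfSense would never see that traffic.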

