Dynamic vlan



  • Hello, I wonder if it is possible to build the following network around pfSense:

    I want to use 3 LAN ports on pfSense that go to an unmanaged switch. So I created a bridge on the 3 LAN ports (re1, re2, re3), and on this bridge I create five VLANs. In this way I would like to create a dynamic network such that user 1 could connect their PC at any network point and, by authenticating via RADIUS with their MAC, would always be assigned the same VLAN.

    I am attaching an explanatory drawing.

    Am I thinking correctly? Is there some other solution? The aim is to create a dynamic network. I have to have three entries into pfSense because it is a network of 50 users with a lot of data flow, and I think a single network entry is too little and could collapse.



  • I would advise the following:

    • get a managed switch that supports dynamic VLANs
    • remove the bridges (even if you don't get a managed switch)
    • get rid of the Realtek NICs (even if you don't do any of the above)

  • LAYER 8 Global Moderator

    At a loss here as to what the point of the bridge is??  If you want to leverage 3 ports in pfSense for connectivity to your switching then set up a lagg..

    If you're going to want to play with VLANs, then yeah you need switches that support VLANs.  If you want to use dynamic VLANs, then yeah you really need a switch that can do that.  I would take a look at PacketFence - here is a list of switches and APs that are known to work with it: http://packetfence.org/about/supported_switches_and_aps.html



  • I put the bridge so that the gateway in pfSense would be common to all the switches.

    I understand; in this case your advice would be to have the entire VLAN management in the switch and have pfSense be only the firewall?

    So my initial idea, CLIENT - simple SWITCH - pfSense RADIUS MAC AUTH - VLAN, is not the best at all?


  • LAYER 8 Global Moderator

    Yes, the switch has to put the port in a specific VLAN; it would be done at the switch… How would you do it anywhere else???

    I plug into a port on a switch, what VLAN is that port in??  pfSense does not control that port on that switch..

    I think maybe you're confused as to what a VLAN is at a basic level and what a dynamic VLAN is..

    When you do it at an AP, the traffic is tagged with the VLAN you're putting the user on..  Even if you wanted to just send tagged traffic over dumb switches --- how is RADIUS going to change the user's machine to tag the traffic??



  • Yes, that is the reason. I really was a little confused because I thought I could reach pfSense through a normal switch and have pfSense do all the management of the network. I've been researching a little more and looked again at the example where I set up business wireless and guest networks, and I see that of course the VLAN is done at the AP, and pfSense then manages the permissions on the network.

    Your replies on this forum have been a great help.

    One doubt remains: I will need two configurable 48-port switches, and I wanted to perform MAC authentication to assign a VLAN, that is, if I connect my PC to any switch port I will always have the same VLAN, and another PC will have its own VLAN. However, I wanted to divide the link to pfSense across 4 NICs; how can this be managed? Or does pfSense receive all the links on only one, and there is no network card problem?



  • Hello, after all that I have only a small doubt: do you think having only one entry into pfSense for about 50 users is enough to handle the traffic?

    I'm thinking of having two configurable switches with dynamic RADIUS support, a 48-port and another 24-port; for my needs that is enough.


  • LAYER 8 Global Moderator

    "you think having only one entry in pfsense for about 50 users is enough to handle the traffic?"

    Huh??  One entry of what?  A NIC??  What is the speed of the NIC, what are the clients doing?  How much data are they moving?  Where are they moving this data to and from… The only time traffic would go through pfSense would be if it's getting off their own network and pfSense is the gateway for the network they are on.

    If you need more bandwidth to and from pfSense to your network, that is what a lagg connection would be for if a 1 gig card is not enough.  Not a bridge for damn sure!!!  Or go to 10GbE from pfSense to your network..



  • Sorry if I did not explain myself properly; at the moment my plan is:

    INTERNET - pfsense - SWITCH x2 - USER

    Then pfSense will control all the permissions on the network and connect the VLANs and the LAN.

    In short, all incoming, outgoing and intranet traffic passes through pfSense.

    Right now I just have unmanaged switches (24 ports), each connected to a card in pfSense, and it can handle the traffic; I have 4 cards, 4 separate networks.


  • LAYER 8 Global Moderator

    You have 3 different networks running over the same Layer 2, it sounds like to me, if you bridged the 4 NICs in pfSense..  That is a BROKEN setup!!! Plain and simple.

    You can still use the 4 NICs each on their own network/VLAN, or you can lagg them together and connect 4x1G to your switch and then run your VLANs on this lagg connection.

    Since you're running different Layer 3 over the same Layer 2, you have no real idea if the clients are talking to pfSense and then hairpinning to talk to the other client, or if the traffic is just sent to them directly because they find out what the MAC is and just put the traffic on the wire..

    Sounds like you have a complete MESS on your hands if you ask me..  If you want to run multiple networks, then these networks need to be on different Layer 2..  Be it on their own hardware or using a switch that does VLANs.  If you want users to be on different networks/VLANs based upon their username and password, etc. etc..  Then you need to have a switch that can do dynamic VLANs, and APs that support this as well.  Not all APs support dynamic VLANs based upon auth.

    Heading out the door - but be happy to post a typical drawing for you to look at.
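The MAC-to-VLAN decision the moderator describes (the RADIUS server picks the VLAN, the switch moves the port into it, pfSense only routes between the VLANs) as an added Python example; this is not code from the thread, pfSense or any RADIUS server. The device table, VLAN numbers and quarantine VLAN are constructed, and the attribute names and values are the standard RFC 3580 / RFC 2868 tunnel attributes that dynamic-VLAN switches expect.

```python
# Added example: a minimal MAC-auth -> VLAN decision as a RADIUS server would make it.
# Device table, VLAN IDs and the quarantine VLAN below are constructed for illustration.
import re

# Attribute values from RFC 2868 / RFC 3580 that a dynamic-VLAN switch reads
# from the Access-Accept to decide which VLAN the authenticated port goes into.
TUNNEL_TYPE_VLAN = 13          # Tunnel-Type = VLAN
TUNNEL_MEDIUM_IEEE_802 = 6     # Tunnel-Medium-Type = IEEE-802

# Constructed inventory: normalised MAC -> VLAN the device should get on *any* port.
KNOWN_DEVICES = {
    "0011223344aa": 10,   # constructed: business PC
    "0011223344bb": 20,   # constructed: guest laptop
}
# Unknown MACs get a VLAN with no useful access instead of landing on a real network.
QUARANTINE_VLAN = 99

_MAC_CHARS = re.compile(r"[0-9a-fA-F.:\-]+")


def normalize_mac(raw: str) -> str:
    """Switches send the MAC as User-Name in several formats
    (00-11-22-33-44-AA, 0011.2233.44aa, 00:11:22:33:44:aa, 0011223344AA);
    reduce all of them to 12 lowercase hex digits, or refuse the value."""
    if not _MAC_CHARS.fullmatch(raw):
        raise ValueError(f"not a MAC address: {raw!r}")
    digits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return digits


def vlan_for_mac(mac: str) -> int:
    """Same MAC -> same VLAN regardless of switch or port; unknown -> quarantine.
    A MAC is easy to copy, so this identifies a device, it does not authenticate it."""
    return KNOWN_DEVICES.get(normalize_mac(mac), QUARANTINE_VLAN)


def access_accept(mac: str) -> dict:
    """Attributes the switch needs in the Access-Accept to move the port.
    Tunnel-Private-Group-Id is carried as a string on the wire."""
    return {
        "Tunnel-Type": TUNNEL_TYPE_VLAN,
        "Tunnel-Medium-Type": TUNNEL_MEDIUM_IEEE_802,
        "Tunnel-Private-Group-Id": str(vlan_for_mac(mac)),
    }
```

pfSense never sees this exchange; it only needs VLAN 10, 20 and 99 interfaces (on a lagg or on separate NICs) to route and firewall between them.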

