
Topic: Create access interface (member of a vlan but not tagged)?


Offline asimov-solensan

Create access interface (member of a vlan but not tagged)?
« on: December 07, 2017, 05:37:04 pm »
Hello,

First message here. I'm testing pfSense as a home firewall, and right now I miss a feature that I have seen in other firewalls and that would solve the problem I have got.

Basically I have got a trunk with all the VLANs I want to use. What I need right now is a way to configure secondary interfaces as members of these VLANs but not tagged; I just want them to share the broadcast domain. Think of them as access ports.

I expect this traffic to be read as the VLAN interface created and the same firewall rules applied.

I know for sure that other firewalls can manage this but I can't find any option in pfSense. Is this even possible?

I'm running 2.4.2 by the way.

Offline johnpoz

Re: Create access interface (member of a vlan but not tagged)?
« Reply #1 on: December 07, 2017, 09:09:38 pm »
You can run multiple layer 3s on the same layer 2 if you want.. It's a BORKED config.. If you want to do that on pfSense just create a VIP on the interface - there you go, multiple layer 3s on the same layer 2 without any tags..
- An intelligent man is sometimes forced to be drunk to spend time with his fools.
- Please don't PM me for personal help
- if you want to say thanks applaud or https://www.freebsdfoundation.org/donate/
1x SG-2440 2.3.4_p1 (work)
1x SG-4860 2.4.2-RELEASE-p1 (home)

Online JKnott

Re: Create access interface (member of a vlan but not tagged)?
« Reply #2 on: December 07, 2017, 09:39:04 pm »
Quote
You can run multiple layer 3s on the same layer 2 if you want.. It's a BORKED config..

You keep saying that, but with IPv6, it's expected.  For example, you'd likely have at least a link-local address and at least one global address network on each interface, and you may also have Unique Local Addresses as well.  A single layer 3 on an interface is IPv4 thinking.


Here's what it says in IPv6 Essentials, 3rd ed., pg. 19 by Silvia Hagen:

Quote
Some General Rules

IPv6 addresses are assigned to interfaces as in IPv4, not to nodes as in OSI, so each interface of a node needs at least one unicast address. A single interface can also be assigned multiple IPv6 addresses of any type (unicast, multicast, and anycast).

Quote
IPv6 supports addresses of different scopes. There are global and nonglobal (e.g., link-local) scopes. Operationally, the use of nonglobal addresses has been introduced with IPv4 by using IP addresses from the private range or administratively scoped multicast addresses. The design of IPv6 includes the address scope in the base architecture. Every IPv6 address other than the unspecified address has a specific scope, which is a topological span within which the address may be used as a unique identifier for an interface or set of interfaces. The scope of an address is encoded as part of the address. You can find a description of scopes in the section “Multicast Address”, and refer to RFC 4007, “IPv6 Scoped Address Architecture” for an explanation of scopes.

So yeah, multiple layer 3s are normal with IPv6.

Offline johnpoz

Re: Create access interface (member of a vlan but not tagged)?
« Reply #3 on: December 08, 2017, 03:53:11 am »
"You keep saying that, but with IPv6, it's expected.  "

NO it is NOT... All of the IPv6 are in the same prefix...  Please do not tell people it's ok to run multiple IPv4 networks on the same layer 2 and think that is good design...

Freaking link local and your normal prefix are NOT the same thing... Arrggh......

Why should I VLAN... I will just put 192.168.1, .2, .3, all my networks, on this 1 layer 2... Does that sound like a good idea to you... Link local and your IPv6 prefix is NOT the same freaking thing as that sort of BORKED config...

Running IPv4 space and IPv6 space on the same layer 2 is because they are meant to be the SAME network....  Just different addressing of what is supposed to be 1 network.. Not what I am talking about....  In your network it seems ok to just use dumb switches and other networks.. So I can understand why you think there is nothing wrong with just all running on the same wire...
« Last Edit: December 08, 2017, 03:58:12 am by johnpoz »

Online JKnott

Re: Create access interface (member of a vlan but not tagged)?
« Reply #4 on: December 08, 2017, 06:02:53 am »
Quote
All of the IPv6 are in the same prefix...  Please do not tell people it's ok to run multiple IPv4 networks on the same layer 2 and think that is good design...

That info I quoted mentioned multiple scopes.  Well, what scopes are there?  Ignoring the interface-only scope, we have link local, Unique Local Address and Global Unicast Address, not to mention multicast.  They are all valid and can all be on the same interface at the same time, because that was intended by the IPv6 designers.  As for link local and normal prefix not being the same, other than scope, what is the difference?  Both can be used to carry packets between devices and that's all IP does.  ULAs work just the same as global, but with a limited scope; other than that they work the same way.  It carries packets, no more no less.  Different scopes were created because there was a need for them.  On IPv4, there was originally only one scope, with multicast, RFC 1918 and 169.254.0.0/16 link local added later, because there was a need for them.  IPv6 allows multiple scopes on the same interface; IPv4 doesn't.  We're moving on, and a lot of what applied to IPv4 no longer holds true with IPv6.


Here's what RFC 4291 says:

Quote
2.1.  Addressing Model

   IPv6 addresses of all types are assigned to interfaces, not nodes.
   An IPv6 unicast address refers to a single interface.  Since each
   interface belongs to a single node, any of that node's interfaces'
   unicast addresses may be used as an identifier for the node.

   All interfaces are required to have at least one Link-Local unicast
   address (see Section 2.8 for additional required addresses).  A
   single interface may also have multiple IPv6 addresses of any type
   (unicast, anycast, and multicast) or scope.

https://tools.ietf.org/html/rfc4291

Sure looks to me like multiple address types/ranges were intended.

Offline asimov-solensan

Re: Create access interface (member of a vlan but not tagged)?
« Reply #5 on: December 10, 2017, 04:22:32 am »
Pretty interesting discussion but I'm not really sure it's related to my problem.

Given the answers and the documentation I found, it's simply not possible to create "switch-like" interfaces in pfSense.

The only solution I got was to create on the host system (I'm testing pfSense virtualized) a virtual interface for every VLAN and then add the interfaces to pfSense. On pfSense I bridge those interfaces with their corresponding VLAN interfaces.

It's the only way I got it working.

This would be a nice feature for pfSense. Side note: wouldn't the inclusion of openvswitch as a core package in pfSense solve the problem?

Offline kpa

Re: Create access interface (member of a vlan but not tagged)?
« Reply #6 on: December 10, 2017, 05:27:59 am »
pfSense was never intended to be used like a switch, and most likely you'll never see in it the kind of features you'll see in managed switches, such as PVID; those belong squarely to managed switches. Separation of concerns.

Online JKnott

Re: Create access interface (member of a vlan but not tagged)?
« Reply #7 on: December 10, 2017, 05:59:17 am »
Quote
Pretty interesting discussion but I'm not really sure it's related to my problem.

With VLANs, you have 2 choices: individual access ports, each configured on a single VLAN, or a trunk port, which carries tagged VLANs.  Otherwise, you have no way to separate the VLANs.  It doesn't make any difference what equipment you use; that's the way VLANs work.
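
The access-port versus trunk distinction JKnott describes above, and the untagged VLAN membership the original post asks for, as an added simulation that is not code from this thread or from pfSense: a minimal VLAN-aware bridge in Python that classifies each frame on ingress (an untagged frame on an access port takes the port's PVID; a tagged frame is accepted only on a trunk that carries that VLAN) and adds or strips the 802.1Q tag on egress, so every port in a VLAN shares one broadcast domain. The port names, VLAN IDs and frame bytes are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple
TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q tagged frame

@dataclass
class Port:
    name: str
    trunk: bool                       # True: tagged trunk; False: untagged access port
    pvid: int = 1                     # VLAN given to untagged frames on an access port
    allowed: frozenset = frozenset()  # VLAN IDs a trunk carries (tagged)

def ingress(port: Port, frame: bytes) -> Optional[Tuple[int, bytes]]:
    """Classify a received frame: (vid, frame with tag removed), or None if dropped."""
    etype = int.from_bytes(frame[12:14], "big")  # bytes 0-11 are dst/src MAC
    if etype == TPID_8021Q:
        tci = int.from_bytes(frame[14:16], "big")
        vid = tci & 0x0FFF                   # VLAN ID is the low 12 bits of the TCI
        if not port.trunk or vid not in port.allowed:
            return None                      # access ports never accept tagged frames
        return vid, frame[:12] + frame[16:]  # drop the 4-byte TPID+TCI
    if port.trunk:
        return None                          # trunk with no native VLAN: drop untagged
    return port.pvid, frame                  # access port: untagged frame belongs to PVID

def egress(port: Port, vid: int, untagged: bytes) -> Optional[bytes]:
    """Frame to transmit on this port for VLAN vid, or None if the port is not a member."""
    if port.trunk:
        if vid not in port.allowed:
            return None
        tag = TPID_8021Q.to_bytes(2, "big") + vid.to_bytes(2, "big")  # priority/DEI = 0
        return untagged[:12] + tag + untagged[12:]
    return untagged if port.pvid == vid else None

def forward(ports: Dict[str, Port], in_port: str, frame: bytes) -> Dict[str, bytes]:
    """Flood a frame to every other port in its VLAN: one VLAN is one broadcast domain."""
    classified = ingress(ports[in_port], frame)
    if classified is None:
        return {}
    vid, untagged = classified
    out = {n: egress(p, vid, untagged) for n, p in ports.items() if n != in_port}
    return {n: f for n, f in out.items() if f is not None}

# Constructed topology: one trunk carrying VLANs 10 and 20, two access ports in 10, one in 20.
PORTS = {"trunk0": Port("trunk0", True, allowed=frozenset({10, 20})),
         "acc10a": Port("acc10a", False, pvid=10),
         "acc10b": Port("acc10b", False, pvid=10),
         "acc20": Port("acc20", False, pvid=20)}
# Constructed untagged broadcast frame: dst ff:ff:ff:ff:ff:ff, EtherType 0x0806, dummy payload.
FRAME = b"\xff" * 6 + b"\x02\x00\x00\x00\x00\x01" + b"\x08\x06" + b"\x00" * 28
```

Feeding FRAME into acc10a reaches acc10b untagged and trunk0 tagged with VID 10, while acc20 and any trunk VLAN not in the allowed set see nothing.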

Offline Derelict

Re: Create access interface (member of a vlan but not tagged)?
« Reply #8 on: December 10, 2017, 11:19:35 am »
Quote
So yeah, multiple layer 3s are normal with IPv6.
That might be pertinent had OP mentioned IPv6.
Las Vegas, Nevada, USA
Use this diagram to describe your issue.
The pfSense Book is now available for just $24.70!
Do Not PM For Help! NO_WAN_EGRESS™