pfSense English Support > General Questions

Create access interface (member of a vlan but not tagged)?



First message here. I'm testing pfSense as a home firewall, and right now I miss a feature that I have seen in other firewalls and that would solve the problem I have got.

Basically I have got a trunk with all the VLANs I want to use. What I need right now is a way to configure secondary interfaces as members of these VLANs but not tagged; I want them to just share the broadcast domain. Think of them as access ports.

I expect this traffic to be read as belonging to the VLAN interface I created, with the same firewall rules applied.

I know for sure that other firewalls can manage this but can't find any option in pfsense. Is this even possible?

I'm running 2.4.2 by the way.

You can run multiple layer 3s on the same layer 2 if you want.. It's a BORKED config.. If you want to do that on pfsense just create a vip on the interface - there you go, multiple layer 3 on the same layer 2 without any tags..


--- Quote ---You can run multiple layer 3s on the same layer 2 if you want.. It's a BORKED config..
--- End quote ---

You keep saying that, but with IPv6, it's expected.  For example, you'd likely have at least a link local address and at least one global address network on each interface and you may also have Unique Local Addresses as well.  A single layer 3 on an interface is IPv4 thinking.

Here's what it says in IPv6 Essentials, 3rd ed., pg. 19 by Silvia Hagen:

--- Quote ---Some General Rules

IPv6 addresses are assigned to interfaces as in IPv4, not to nodes as in OSI, so each interface of a node needs at least one unicast address. A single interface can also be assigned multiple IPv6 addresses of any type (unicast, multicast, and anycast).
--- End quote ---

--- Quote ---IPv6 supports addresses of different scopes. There are global and nonglobal (e.g., link-local) scopes. Operationally, the use of nonglobal addresses has been introduced with IPv4 by using IP addresses from the private range or administratively scoped multicast addresses. The design of IPv6 includes the address scope in the base architecture. Every IPv6 address other than the unspecified address has a specific scope, which is a topological span within which the address may be used as a unique identifier for an interface or set of interfaces. The scope of an address is encoded as part of the address. You can find a description of scopes in the section “Multicast Address”, and refer to RFC 4007, “IPv6 Scoped Address Architecture” for an explanation of scopes.
--- End quote ---

So yeah, multiple layer 3s are normal with IPv6.

"You keep saying that, but with IPv6, it's expected.  "

NO it is NOT... All of the IPv6 are in the same prefix...  Please do not tell people it's ok to run multiple ipv4 networks on the same layer 2 and think that is good design...

freaking link local and your normal prefix are NOT the same thing... Arrggh......

Why should I vlan... I will just put 192.168.1, .2, .3 all my networks on this 1 layer 2... Does that sound like a good idea to you... Link local and your IPv6 prefix are NOT the same freaking thing as that sort of BORKED config...

Running IPv4 space and IPv6 space on the same layer 2 because they are meant to be the SAME network....  Just different addressing of what is supposed to be 1 network.. Not what I am talking about....  In your network it seems ok to just use dumb switches and other networks.. So I can understand why you think there is nothing wrong with just all running on the same wire...


--- Quote ---All of the IPv6 are in the same prefix...  Please do not tell people it's ok to run multiple ipv4 networks on the same layer 2 and think that is good design...

--- End quote ---

That info I quoted mentioned multiple scopes.  Well, what scopes are there?  Ignoring the interface only scope, we have link local, Unique Local Address and Global Unicast Address, not to mention multicast.  They are all valid and can all be on the same interface at the same time, because that was intended by the IPv6 designers.  As for link local and normal prefix not being the same, other than scope, what is the difference?  Both can be used to carry packets between devices and that's all IP does.  ULAs work just the same as global, but with a limited scope; other than that they work the same way.  They carry packets, no more no less.  Different scopes were created because there was a need for them.  On IPv4, there was originally only one scope, with multicast, RFC 1918 and link local added later, because there was a need for them.  IPv6 allows multiple scopes on the same interface, IPv4 doesn't.  We're moving on and a lot of what applied to IPv4 no longer holds true with IPv6.

Here's what RFC 4291 says:

--- Quote ---2.1.  Addressing Model

   IPv6 addresses of all types are assigned to interfaces, not nodes.
   An IPv6 unicast address refers to a single interface.  Since each
   interface belongs to a single node, any of that node's interfaces'
   unicast addresses may be used as an identifier for the node.

   All interfaces are required to have at least one Link-Local unicast
   address (see Section 2.8 for additional required addresses).  A
   single interface may also have multiple IPv6 addresses of any type
   (unicast, anycast, and multicast) or scope.
--- End quote ---

Sure looks to me like multiple address types/ranges were intended.
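The thread above argues about which address scopes legitimately coexist on one interface. The following added example (not code from the thread or from the pfSense project) makes that concrete: it classifies IPv6 addresses into the RFC 4291 scopes (link-local, unique-local per RFC 4193, global, multicast, plus the multicast scope field), parses FreeBSD-style `ifconfig` output of the kind pfSense produces, and reports per interface which scopes are present and whether the RFC 4291 requirement of at least one link-local address is met. The interface names `igb1`/`igb2`, the `ifconfig` text and all addresses are constructed sample input (documentation prefix 2001:db8::/32); the prefix table is the standard one from the RFCs.

```python
import ipaddress
import re

# Scope prefixes from RFC 4291 (plus ULA, RFC 4193). Order matters: most specific first.
# Table constructed for this example.
SCOPE_PREFIXES = [
    ("unspecified",  ipaddress.IPv6Network("::/128")),
    ("loopback",     ipaddress.IPv6Network("::1/128")),
    ("multicast",    ipaddress.IPv6Network("ff00::/8")),
    ("link-local",   ipaddress.IPv6Network("fe80::/10")),
    ("unique-local", ipaddress.IPv6Network("fc00::/7")),
    ("global",       ipaddress.IPv6Network("2000::/3")),
]

# RFC 4291 section 2.7: values of the 4-bit multicast scope field.
MCAST_SCOPES = {0x1: "interface-local", 0x2: "link-local", 0x4: "admin-local",
                0x5: "site-local", 0x8: "organization-local", 0xE: "global"}


def classify(addr: str) -> str:
    """Return the scope name of one IPv6 address; a zone id such as '%igb1' is ignored."""
    ip = ipaddress.IPv6Address(addr.split("%", 1)[0])
    for name, net in SCOPE_PREFIXES:
        if ip in net:
            return name
    return "reserved"


def multicast_scope(addr: str) -> str:
    """Decode the scope field of a multicast address, e.g. ff02::1 -> link-local."""
    ip = ipaddress.IPv6Address(addr.split("%", 1)[0])
    if not ip.is_multicast:
        raise ValueError(f"{addr} is not a multicast address")
    scope_nibble = int(ip.exploded[3], 16)  # 4th hex digit of the first hextet
    return MCAST_SCOPES.get(scope_nibble, f"unassigned({scope_nibble:x})")


IFACE_HEAD = re.compile(r"^(\w+):\s+flags=")
INET6_LINE = re.compile(r"^\s*inet6\s+(\S+)\s+prefixlen\s+(\d+)")


def parse_ifconfig(text: str) -> dict:
    """Parse FreeBSD-style ifconfig output into {ifname: [(address, prefixlen), ...]}."""
    result, current = {}, None
    for line in text.splitlines():
        head = IFACE_HEAD.match(line)
        if head:
            current = head.group(1)
            result[current] = []
            continue
        m = INET6_LINE.match(line)
        if m and current is not None:
            result[current].append((m.group(1), int(m.group(2))))
    return result


def audit(ifaces: dict) -> dict:
    """Per interface: addresses grouped by scope, and whether the RFC 4291
    'at least one link-local unicast address' requirement is satisfied."""
    report = {}
    for name, addrs in ifaces.items():
        scopes = {}
        for addr, plen in addrs:
            scopes.setdefault(classify(addr), []).append(f"{addr}/{plen}")
        report[name] = {"scopes": scopes, "has_link_local": "link-local" in scopes}
    return report


# Constructed ifconfig output resembling a pfSense LAN interface carrying three scopes
# and a second interface that is missing its link-local address.
SAMPLE_IFCONFIG = """\
igb1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
\tinet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
\tinet6 fe80::1%igb1 prefixlen 64 scopeid 0x2
\tinet6 2001:db8:abcd:1::1 prefixlen 64
\tinet6 fd12:3456:789a:1::1 prefixlen 64
igb2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
\tinet6 2001:db8:abcd:2::1 prefixlen 64
"""

if __name__ == "__main__":
    for ifname, info in audit(parse_ifconfig(SAMPLE_IFCONFIG)).items():
        print(ifname, info)
```

Run on a real box, the same `audit()` can be fed the output of `ifconfig` to see that a normally configured pfSense interface already holds link-local, global and often ULA addresses side by side, which is the point the RFC 4291 quote makes; an interface with no link-local entry is the anomaly worth investigating.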

