
Topic: would it be better to use VLAN or just another interface? Noob needs advice.


Offline timmiet

  • Newbie
  • *
  • Posts: 15
  • Karma: +0/-1
I haven't really used VLANS much.

I want 3 main networks.

1. General (untagged) (192.168.11.x)
2. Accounting (VLAN or new NIC? 2016 Server Essentials runs from Hyper-V) (192.168.10.x)
3. Ubiquiti (VLAN 10 on Hyper-V) (192.168.100.x)

I would like to setup so
General can access Ubiquiti and net.
Accounting can access General, and net.
Ubiquiti (VLAN 10) can only access the net.
This seems ok with my current setup.

I have a pfSense router with 3 NICs: WAN, LAN and OPT (only 10/100 and not currently used). The LAN goes to a 24-port managed switch via a trunk. Connected to the switch via another trunk line I have a Hyper-V Core server. On my Hyper-V server I have 4 untagged servers running and one VLAN 10 running for a Linux-based Ubiquiti server (for APs). Also connected to the switch is a very, very old SonicWall router (192.168.10.x) for our accounting PCs. I would like to remove the SonicWall and only have one router.

As is, I have two 24-port managed switches and a handful of unmanaged switches. I have unmanaged switches behind the SonicWall and behind the managed switches.

I'm thinking it might be better to just use another NIC in the router and also in the Hyper-V server; then I could use all the other existing equipment other than the SonicWall.

If anyone makes it this far thanks for the help.
As a side note, I tried to set up another VLAN for my Server 2016 on the Hyper-V, and when I enabled DHCP on the VLAN it stopped my untagged DHCP server from working. Is it bad form to have tagged and untagged on the same virtual switch?

Offline alanbaker

  • Newbie
  • *
  • Posts: 7
  • Karma: +0/-0
I have a similar setup, whereby my VDSL modem is in the house and in the garden man cave the server running Hyper-V has pfSense and several other Windows Server VMs running, with two managed switches in between.

Modem == LAN == [house switch] == trunk == [cabin switch] == trunk == [server NIC]
                                                                      (Hyper-V host running pfSense and Windows VM guests)

Now the trick is to configure the Windows Server host to accept tagged packets.

This can only be achieved through PowerShell and should be run on the Hyper-V host. To query the NIC, run
Code:
Then the command I ran for my network was
Code:
    Get-VMNetworkAdapter -VMName "PFSense" | Where-Object -Property MacAddress -eq "00155d0061f" | Set-VMNetworkAdapterVlan -Trunk -AllowedVlanIdList "1-10" -NativeVlanId 99
Hope this helps.

Any more help let me know.
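As an added illustration (not code from alanbaker's post or from the pfSense project), here is the same trunk configuration written out as a reusable script for the original poster's layout: the pfSense VM's LAN adapter becomes a trunk that carries the untagged general LAN as the native VLAN plus tagged VLAN 10, and the Ubiquiti controller VM's adapter becomes an access port on VLAN 10. The VM and adapter names ("pfSense", "LAN", "unifi"), the native VLAN ID of 1 and the VLAN list are assumptions; adjust them to your own. Hyper-V Manager's GUI only offers access mode (a single VLAN ID per adapter), so trunk mode has to be set with these cmdlets.

```powershell
#Requires -Modules Hyper-V
# Added example, not from the thread. Run in an elevated PowerShell on the Hyper-V host.
# Assumed names: VM "pfSense" with an adapter named "LAN"; VM "unifi" (the Ubiquiti
# controller) with a single adapter. Native VLAN 1 and tagged VLAN 10 are assumptions.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$FirewallVm      = 'pfSense',
    [string]$FirewallAdapter = 'LAN',
    [string]$ControllerVm    = 'unifi',
    [int]   $NativeVlanId    = 1,        # the untagged general LAN on the switch trunk (assumed)
    [int[]] $TaggedVlanIds   = @(10)     # VLAN 10 = Ubiquiti (assumed)
)

function Show-VlanState {
    param([string]$VmName)
    # OperationMode is Untagged, Access or Trunk; the remaining fields apply per mode.
    Get-VMNetworkAdapterVlan -VMName $VmName |
        Select-Object ParentAdapter, OperationMode, AccessVlanId, NativeVlanId, AllowedVlanIdList |
        Format-Table -AutoSize
}

Write-Host "Before:"
Show-VlanState $FirewallVm
Show-VlanState $ControllerVm

# 1. Firewall LAN adapter as a trunk. Frames on the native VLAN reach pfSense untagged
#    (its plain LAN interface); frames tagged with the allowed IDs reach it still tagged,
#    so pfSense handles them on a VLAN interface defined on the same parent NIC.
$allowed = ($TaggedVlanIds | Sort-Object -Unique) -join ','
if ($PSCmdlet.ShouldProcess("$FirewallVm/$FirewallAdapter", "Trunk native=$NativeVlanId allowed=$allowed")) {
    Set-VMNetworkAdapterVlan -VMName $FirewallVm -VMNetworkAdapterName $FirewallAdapter `
        -Trunk -AllowedVlanIdList $allowed -NativeVlanId $NativeVlanId
}

# 2. Controller adapter as an access port on VLAN 10. The guest itself needs no VLAN
#    configuration; the virtual switch tags and untags on its behalf.
if ($PSCmdlet.ShouldProcess($ControllerVm, "Access VLAN $($TaggedVlanIds[0])")) {
    Set-VMNetworkAdapterVlan -VMName $ControllerVm -Access -VlanId $TaggedVlanIds[0]
}

Write-Host "After:"
Show-VlanState $FirewallVm
Show-VlanState $ControllerVm

# 3. Sanity check: the trunk must be in Trunk mode and carry every VLAN we intend to route.
$state = Get-VMNetworkAdapterVlan -VMName $FirewallVm -VMNetworkAdapterName $FirewallAdapter
if ($state.OperationMode -ne 'Trunk') {
    throw "$FirewallVm/$FirewallAdapter is in $($state.OperationMode) mode, expected Trunk"
}
$missing = $TaggedVlanIds | Where-Object { $state.AllowedVlanIdList -notcontains $_ }
if ($missing) {
    throw "Trunk on $FirewallVm/$FirewallAdapter does not allow VLAN(s): $($missing -join ',')"
}
Write-Host "OK: $FirewallVm/$FirewallAdapter trunks native VLAN $NativeVlanId plus tagged $allowed"
```

Run it first with `-WhatIf` to see the two changes it would make. The Hyper-V side is only half of the path: the physical switch port facing the host must also be a trunk whose untagged/PVID network is the general LAN and which allows VLAN 10, and on pfSense the VLAN 10 interface is created on the LAN parent interface (Interfaces > Assignments > VLANs) before it is assigned and given firewall rules.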

Offline johnpoz

  • Hero Member
  • *****
  • Posts: 15499
  • Karma: +1437/-207
  • Not a pfSense employee, they cannot fire me...
" Is it bad form to have tagged and untagged on the same virtual switch?"

As long as there is never more than 1 untagged VLAN on a port, then it's not a problem. This is just considered a native VLAN on, say, a trunk port that carries tagged.
- An intelligent man is sometimes forced to be drunk to spend time with his fools.
- Please don't PM me for personal help
- if you want to say thanks applaud or
1x SG-2440 2.4.2-RELEASE-p1 (work)
1x SG-3100 Delivered 3/19 (work)
1x SG-4860 2.4.2-RELEASE-p1 (home)

Offline timmiet

  • Newbie
  • *
  • Posts: 15
  • Karma: +0/-1
"Get-VMNetworkAdapter -VMName "PFSense" | Where-Object -Property MacAddress -eq "00155d0061f" | Set-VMNetworkAdapterVlan -Trunk -AllowedVlanIdList "1-10" -NativeVlanId 99"
Is this different from setting the VLAN ID in the Hyper-V VM network GUI?

"As long as there is never more than 1 untagged vlan on port then its not a problem.  This is just considered a native vlan on say a trunk port that carries tagged. "
So many VLANs as well as 1 untagged on 1 port on the switch and 1 port on the Hyper-V server is OK?

When I tried to set it up this way it killed my DHCP server on my untagged network (stopped working). (Maybe I just need to isolate with firewall rules.)
Thank you both for the help, and sorry for the late response.

Offline moikerz

  • Full Member
  • ***
  • Posts: 147
  • Karma: +7/-0
The only real downside is that if you're using traffic graphs, the interface will show the total of untagged+tagged; there is no way to show untagged only. Purely a graphical consequence. Otherwise, everything else works as desired.

Offline SammyWoo

  • Jr. Member
  • **
  • Posts: 84
  • Karma: +3/-0
Unless you are running an embedded box and it's hard to add another NIC, they are relatively inexpensive, so why go into the complication of doing VLANs if you don't have to, I say. Plus your 1 gig NIC is gonna share bandwidth between the VLANs.

Offline Derelict

  • Global Moderator
  • Hero Member
  • *****
  • Posts: 10012
  • Karma: +1136/-312
Well, you have no choice but to VLAN from something to get the Wireless AP behavior you desire. But that does not have to be done on pfSense. A switch could do it. pfSense would have two physical interfaces to two untagged ports on the different VLANs in that case. But why not just VLAN it?

If you don't want to mix tagged and untagged traffic on a physical interface, don't. Just leave the untagged interface unassigned.
Las Vegas, Nevada, USA
Use this diagram to describe your issue.
The pfSense Book is now available for just $24.70!