Mayak, this is *great* to know. Thank you for your answer!

So, knowing that it technically will work, I have a few more questions. This is more in line with what I really want the network to look like: http://i.imgur.com/yGghcOb.jpg

The reason the second device is serving as the firewall is that it has much higher processing capabilities. The first one is a low-powered embedded device. Because of where the WAN comes into the house, a high-powered device won't work (cooling and noise issues). So, what I'm essentially proposing is to trunk unfiltered WAN traffic across the same wire which carries sensitive LAN traffic.

Questions regarding this layout:

1. Is this a security risk?
2. Is there the possibility of bleed-over between VLANs?
3. In this setup, I think that all LAN traffic to LAN Switch A will be routed across the pfSense box labeled A. This is also the box which is routing unfiltered internet traffic to pfSense box B. To me this just feels risky, but maybe I'm being paranoid?
4. I assume, because of the scenario described in #3, that if someone were to compromise pfSense box A, they would then gain access to all traffic bound for LAN Switch A, correct? This wouldn't necessarily be the case in a normal switched network, right?
5. Would I be safer, then, to opt to buy managed switches, which would be (I assume) more difficult to compromise, as they have much less in terms of capabilities at the shell? Am I overthinking this?

Final question... I have two quad-port cards, as I mentioned before. One is an HP, which I know supports VLANs. The other is an older 10/100 Intel, whose model number I can't seem to find. If this device's interfaces show up as available under the VLAN tab, does it mean it natively supports VLANs? Or, if not, how can I verify that it does?

Thanks so much for your patient help.
John

----- Original Message -----
From: "mayak" <[email protected]>
To: [email protected]
Sent: Monday, December 30, 2013 4:36:13 AM
Subject: Re: [pfSense] pfsense <-> pfsense vlans and trunking without the aid of switches

hi john,

yes, your schema is possible:

- set individual ports to be members of their vlans -- on the right side, make port 1 member of vlan 10, port 2 member of vlan 20, and port 4 of type trunk. same concept on the left -- port 1 member of vlan 10, port 2 member of vlan 20, port 4 trunk.

the two pfsense connect together using port 4 on a rolled ethernet cable.

all of this is accomplished on `Interfaces -> Assign -> VLANs`. the VLAN tags for port 4 would be 1,10,20 (1 is the administrative vlan).

cheers
m

On 12/30/2013 04:36 AM, John Wells wrote:
> Guys,
>
> I have a situation similar to what's shown here (http://imgur.com/b3Hbzd3).
>
> I have two pfsense 2.1 boxes on my home network and two different sections of
> the house connected by one cable. It's not possible to run another cable
> without *great* effort.
>
> Each of these pf boxes has a quad-port nic which supports VLANs. I have three
> networks in play on the home network... a local lan, a DMZ, and then the WAN
> itself. What I was hoping to do is to create VLANs for each of these (one for
> WAN traffic inbound, one for LAN traffic and one for the DMZ) and be able to
> trunk each of these VLANs across that single cable (the placement of DMZ
> boxes can vary at different times). Additionally, what I'd hoped to do is use
> non-vlan-capable switches on each side.
>
> I have the Definitive Guide, but everything in it is related to using pfSense
> with an external switch. I'm not sure how to go about doing this in pfsense
> itself.
>
> What I've done at the moment is created all three vlans and then added them
> all to the same parent port (dm2), which is not assigned in any way within
> pfsense. Is this enough to "trunk" these vlans? Would what remains simply be
> to assign three other physical ports on each card to the separate vlans,
> and then drop the appropriate switches off these ports?
>
> Any help you can offer will be *greatly* appreciated.
>
> Thanks!
>
> _______________________________________________
> List mailing list
> [email protected]
> http://lists.pfsense.org/mailman/listinfo/list
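The trunk mayak describes carries VLAN tags 1, 10 and 20 over port 4, and John's question 2 asks whether traffic can bleed over between VLANs on that shared cable. On an 802.1Q trunk, separation rests entirely on every frame carrying the right tag: an untagged (or VID 0, priority-only tagged) frame falls into whatever native VLAN the receiving port has, and a tag outside the expected set means something is injecting into a segment it should not reach. The following is an added example, not code from this thread or from pfSense: a small Python module that builds 802.1Q-tagged Ethernet frames, parses them back, and audits a list of frames against the allowed VLAN set for the trunk. The MAC addresses and payloads are constructed sample values; the allowed set is the 1,10,20 from mayak's reply.

```python
import struct

ETHERTYPE_8021Q = 0x8100   # 802.1Q tag protocol identifier (TPID)
ETHERTYPE_IPV4 = 0x0800

# VLAN IDs expected on the trunk between the two pfSense boxes, as in the thread:
# 1 is the administrative VLAN, 10 and 20 are the two user-facing VLANs.
TRUNK_ALLOWED_VLANS = {1, 10, 20}


def mac(addr: str) -> bytes:
    """Convert 'aa:bb:cc:dd:ee:ff' to 6 raw bytes."""
    return bytes.fromhex(addr.replace(":", ""))


def build_frame(dst: str, src: str, vlan_id, payload: bytes, pcp: int = 0) -> bytes:
    """Build an Ethernet II frame; insert an 802.1Q tag when vlan_id is not None."""
    header = mac(dst) + mac(src)
    if vlan_id is None:
        return header + struct.pack("!H", ETHERTYPE_IPV4) + payload
    # TCI = 3-bit priority (PCP), 1-bit DEI (left 0), 12-bit VLAN ID
    tci = ((pcp & 0x7) << 13) | (vlan_id & 0x0FFF)
    return header + struct.pack("!HHH", ETHERTYPE_8021Q, tci, ETHERTYPE_IPV4) + payload


def parse_frame(frame: bytes) -> dict:
    """Return the VLAN ID (None if untagged), priority, inner EtherType and payload."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == ETHERTYPE_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, inner = struct.unpack("!HH", frame[14:18])
        return {"vlan": tci & 0x0FFF, "pcp": tci >> 13, "ethertype": inner, "payload": frame[18:]}
    return {"vlan": None, "pcp": None, "ethertype": ethertype, "payload": frame[14:]}


def audit_trunk(frames, allowed_vlans=TRUNK_ALLOWED_VLANS):
    """Flag frames that should never be seen on a trunk restricted to allowed_vlans.

    Untagged and VID-0 (priority-tagged) frames are flagged because a trunk that
    accepts them drops that traffic into the native VLAN of the receiving port,
    which is the usual route for bleed-over between segments. Any other VID
    outside the allowed set is flagged as well.
    """
    findings = []
    for i, frame in enumerate(frames):
        info = parse_frame(frame)
        if info["vlan"] is None:
            findings.append((i, "untagged frame on trunk"))
        elif info["vlan"] == 0:
            findings.append((i, "priority-tagged (VID 0) frame on trunk"))
        elif info["vlan"] not in allowed_vlans:
            findings.append((i, f"VID {info['vlan']} not permitted on trunk"))
    return findings


# Constructed sample traffic (not a real capture): MACs and payloads are made up.
SAMPLE_FRAMES = [
    build_frame("00:11:22:33:44:55", "66:77:88:99:aa:bb", 10, b"lan traffic"),
    build_frame("00:11:22:33:44:55", "66:77:88:99:aa:bb", 20, b"dmz traffic"),
    build_frame("00:11:22:33:44:55", "66:77:88:99:aa:bb", 30, b"unexpected vlan"),
    build_frame("00:11:22:33:44:55", "66:77:88:99:aa:bb", None, b"untagged"),
    build_frame("00:11:22:33:44:55", "66:77:88:99:aa:bb", 0, b"priority tagged"),
    build_frame("00:11:22:33:44:55", "66:77:88:99:aa:bb", 1, b"admin vlan"),
]


if __name__ == "__main__":
    for index, reason in audit_trunk(SAMPLE_FRAMES):
        print(f"frame {index}: {reason}")
```

Run stand-alone, the audit reports frames 2, 3 and 4: the VID 30 frame, the untagged frame and the VID 0 frame. Applied to frames taken off the shared cable (for example from a capture on the parent interface of the VLANs), the same check tells you whether anything untagged or outside the 1,10,20 set is actually crossing the trunk, which is the concrete form of the bleed-over question.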
