> WAN can connect to anything in the LAN directly (would have to be
> allowed by firewall rules). Am I right?

Presuming your switch's method of isolating ports is properly implemented, yes. On many [admittedly older] switching fabrics, there was a vulnerability whereby an attacker could overflow the CAM table, usually forcing the switch to turn itself into an expensive hub, rebroadcasting *all* packets to *all* ports.

> To make it a little more complex, let's say I would like to have some
> hosts not protected by pfsense.

In this case, I'd extend your "internet VLAN" to the ports those hosts are on, assuming you have the public IP space to assign them.

> If this is all right? Then when are VLAN numbers important? When you
> want to have 1 interface in multiple VLANs?

Overly complicated: Yes-ish.

Vernacular 'VLAN' typically refers to 802.1q VLANs, which are implemented as an extension to the 802.3 ethernet frame. What you probably have currently implemented are 'native' VLANs, which means that, without further instruction, ethernet frames are segregated to that virtual network (or switch).

Where the [12-bit] numbers become significant is when you want to do 'trunking', or have more than one of those networks on a given physical port. In that case, the host sets an additional 2 bytes on each frame, 12 bits of which designate the numeric VLAN, or tag. If untagged, the frame is presumed to be destined for the native VLAN of the port, and if tagged, most switch hardware will compare the number of the tag to the allowed tags for that port, then forward it accordingly.

*SO* what all this means is that you could conceivably implement your pfSense box with a single physical interface/switchport by configuring it to tag internet traffic with one VLAN and private-network traffic with another, or tag one and native the other. You could then add another tag for DMZ traffic, another for...

Clear as mud?
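The tag handling and port-filtering logic described above, as an added example that is not part of the original thread: a small Python model of a switch that parses the 802.1Q tag (the 4-byte TPID 0x8100 plus TCI field, 12 bits of which are the VID), assigns untagged frames to the port's native VLAN, accepts tagged frames only when the tag is on the port's allowed list, and caps how many source MACs a single port may learn, which is the usual port-security mitigation for the CAM-table flooding mentioned in the reply. Port names, MAC addresses and VLAN numbers are constructed for the demo; the single `pfsense` port carries VLAN 10 native and VLAN 20 tagged, as the reply suggests.

```python
# Toy model of 802.1Q ingress handling. All ports, MACs and VLAN ids are constructed.
import struct
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Set, Tuple

TPID_8021Q = 0x8100  # EtherType value announcing that a VLAN tag follows


@dataclass
class Frame:
    dst: bytes
    src: bytes
    vid: Optional[int]   # None when the frame carries no 802.1Q tag
    ethertype: int
    payload: bytes


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes,
                vid: Optional[int] = None, pcp: int = 0) -> bytes:
    """Serialise an Ethernet frame, inserting a 4-byte 802.1Q tag when vid is given."""
    hdr = dst + src
    if vid is not None:
        tci = (pcp << 13) | (vid & 0x0FFF)   # 3-bit PCP, 1-bit DEI, 12-bit VID
        hdr += struct.pack("!HHH", TPID_8021Q, tci, ethertype)
    else:
        hdr += struct.pack("!H", ethertype)
    return hdr + payload


def parse_frame(raw: bytes) -> Frame:
    """Parse the header and pull the 12-bit VID out of the tag when present."""
    if len(raw) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src = raw[:6], raw[6:12]
    (ethertype,) = struct.unpack("!H", raw[12:14])
    vid, offset = None, 14
    if ethertype == TPID_8021Q:
        if len(raw) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", raw[14:18])
        vid, offset = tci & 0x0FFF, 18
    return Frame(dst, src, vid, ethertype, raw[offset:])


@dataclass
class Port:
    name: str
    native_vid: int                                # VLAN assigned to untagged frames
    allowed_tagged: FrozenSet[int] = frozenset()   # tags accepted on this (trunk) port
    max_macs: int = 8                              # port-security cap on learned MACs


class Switch:
    """Assigns ingress frames to a VLAN and keeps a per-port-bounded CAM table."""

    def __init__(self, ports):
        self.ports: Dict[str, Port] = {p.name: p for p in ports}
        self.cam: Dict[Tuple[int, bytes], str] = {}          # (vid, mac) -> port name
        self.learned: Dict[str, Set[bytes]] = {p.name: set() for p in ports}

    def classify(self, port_name: str, frame: Frame) -> Optional[int]:
        port = self.ports[port_name]
        if frame.vid is None or frame.vid == 0:   # untagged or priority-tagged
            return port.native_vid
        if frame.vid in port.allowed_tagged:
            return frame.vid
        return None                                # tag not allowed on this port

    def ingress(self, port_name: str, raw: bytes) -> Tuple[str, Optional[int], str]:
        """Return (action, vid, detail); action is 'drop', 'flood' or 'forward'."""
        frame = parse_frame(raw)
        vid = self.classify(port_name, frame)
        if vid is None:
            return ("drop", None, "vlan %d not allowed on %s" % (frame.vid, port_name))
        learned = self.learned[port_name]
        if frame.src not in learned:
            if len(learned) >= self.ports[port_name].max_macs:
                # Refusing new MACs bounds how much of the CAM one port can fill,
                # so a flood of forged sources cannot push the switch into hub mode.
                return ("drop", vid, "mac limit reached on %s" % port_name)
            learned.add(frame.src)
        self.cam[(vid, frame.src)] = port_name
        out = self.cam.get((vid, frame.dst))
        if out is None:
            return ("flood", vid, "unknown destination, flood within vlan %d" % vid)
        return ("forward", vid, out)


def demo():
    """Constructed scenario: one pfSense cable carrying VLAN 10 native and VLAN 20 tagged."""
    sw = Switch([
        Port("pfsense", native_vid=10, allowed_tagged=frozenset({20})),
        Port("host-a", native_vid=10),
        Port("modem", native_vid=20),
    ])
    pf, a, m = (bytes.fromhex("020000000001"), bytes.fromhex("020000000002"),
                bytes.fromhex("020000000003"))
    return [
        sw.ingress("host-a", build_frame(pf, a, 0x0800, b"lan")),           # untagged -> 10
        sw.ingress("pfsense", build_frame(m, pf, 0x0800, b"wan", vid=20)),  # tagged 20 -> 20
        sw.ingress("pfsense", build_frame(a, pf, 0x0800, b"lan")),          # untagged, known dst
        sw.ingress("pfsense", build_frame(a, pf, 0x0800, b"x", vid=30)),    # tag 30 not allowed
    ]


if __name__ == "__main__":
    for r in demo():
        print(r)
```

The `max_macs` cap models what switch vendors call port security or MAC limiting; the interesting defensive signal in practice is the `drop` it produces, which is worth alerting on, since a legitimate access port rarely sources more than a handful of MAC addresses.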
