Brian,

I'm going to set vnetid 100 to tag VLAN and connect physical em0 to L3
switch "uplink" port (port 10 in my case) with "Tagged" mark.

# /etc/hostname.vlan100
description 'Untrusted'
inet 192.168.155.1 255.255.255.240 192.168.155.15 lladdr 32:f6:02:c4:1A:88 vlandev em0 vnetid 100

Ports 1-3 on L3 switch will be used for IoT connection and marked as
"Untagged".

Do you think it will be right?

Denis

On 2/5/2020 10:19 PM, Brian Brombacher wrote:
> The OP’s hostname.vlan* files never specify a vnetid.  I get an error trying 
> to configure and bring up the second vlan interface the same way without 
> vnetid specified.  Regardless of my error, the ifconfig(8) man page says 
> without vnetid specified, vlan tag 0 will be used.  You need to specify two 
> different vlan tags.
> 
> All of that aside: VLANs don’t give you any more security.  If the client 
> host is on the same physical network as your two VLANs, the only thing 
> stopping them from jumping between VLANs would be physical devices (switches, 
> etc.) configured to prevent that.  From what I gathered, you don’t have this 
> level of control.  Therefore, you gain nothing by segmenting the networks 
> with VLANs.
> 
> -Brian
> 
>> On Feb 5, 2020, at 11:58 AM, Christian Weisgerber <na...@mips.inka.de> wrote:
>>
>> On 2020-02-05, Janne Johansson <icepic...@gmail.com> wrote:
>>
>>>> # /etc/hostname.vlan101
>>>> description 'WLAN attached untrusted hosts'
>>>> inet 192.168.156.0/24 255.255.255.0 vlandev run0
>>> VLANs and wifi sounds like a non-starter.
>>
>> Yep, if you're building your access point with OpenBSD.
>>
>> More generally, though, any AP in the business segment has support
>> for multiple SSIDs that can be assigned to different VLANs on the
>> Ethernet side.
>>
>> -- 
>> Christian "naddy" Weisgerber                          na...@mips.inka.de
> 

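As an added example (not code from this thread or from OpenBSD), a small sh script that applies Brian's two points to a directory of hostname.vlan* files: flag a file with no vnetid, since ifconfig(8) then falls back to vlan tag 0, and flag two files that end up on the same tag. The sample files it writes are constructed here for offline use.

```sh
#!/bin/sh
# Added example, not from the thread: lint OpenBSD hostname.vlan* files
# for a missing vnetid (tag 0 would be used) and for duplicate tags.

# Print the value following "vnetid" in one hostname.if file, or "0"
# when the keyword is absent, mirroring the ifconfig(8) default.
vlan_tag_of() {
    tag=$(awk '{ for (i = 1; i < NF; i++) if ($i == "vnetid") print $(i + 1) }' "$1")
    if [ -n "$tag" ]; then echo "$tag"; else echo 0; fi
}

# Return 0 when every file names an explicit, unique vnetid; 1 otherwise.
check_vlan_configs() {
    rc=0
    seen=" "
    for f in "$1"/hostname.vlan*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        tag=$(vlan_tag_of "$f")
        if [ "$tag" = 0 ]; then
            echo "WARN $name: no vnetid, vlan tag 0 would be used" >&2
            rc=1
        fi
        # Tags already seen are kept as " 100 101 " so a whole-word match works.
        case "$seen" in
            *" $tag "*) echo "ERR $name: vlan tag $tag already used" >&2; rc=1 ;;
        esac
        seen="$seen$tag "
    done
    return $rc
}

# Constructed sample set: two correct files and one that omits vnetid.
make_sample_dir() {
    d=$(mktemp -d)
    printf "description 'Untrusted'\ninet 192.168.155.1 255.255.255.240 192.168.155.15 vlandev em0 vnetid 100\n" > "$d/hostname.vlan100"
    printf "description 'Guest'\ninet 192.168.156.1/24 vlandev em0 vnetid 101\n" > "$d/hostname.vlan101"
    printf "description 'Broken'\ninet 192.168.157.1/24 vlandev em0\n" > "$d/hostname.vlan102"
    echo "$d"
}

d=$(make_sample_dir)
check_vlan_configs "$d" || echo "vlan config problems found in $d"
```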