Michel Servaes wrote:
One management port (when things start to go wrong, I could just hook
up a laptop or something)
One uplink port (to be seen as a trunk, with the default VLAN1 for the
settopbox - and VLAN1001 for normal LAN)
One port for the cable modem (on one end, the other end would be
hooked up to the settopbox)
One port for the LAN side of the PFSENSE (I gather that I change the
VLAN here to something else, and that all other ports are tagged for
that VLAN port?)

Bear with me, this might become a long explanation. :-)

I think you are making this overly complicated. VLANs are really easy to config once you get the hang of it. That said, there are a few different ways to set up VLANs, depending on the make and series of the managed switch you are using.

There's also a terminology problem here with the definition of the word trunk I think. The trunking you are referring to is actually 'bonding', which is combining several (more than 2) Ethernet ports into one big virtual Ethernet port, for the purpose of failover or greater bandwidth (or both).

You don't really _need_ that kind of trunk in your case. VLANs and trunks are two completely different things, but to make things confusing, the setting you need to set on VLAN ports to 'tag' packets with the VLAN ID (we'll get to that later) is called 'trunk' on Cisco switches. (The other trunking is called bonding on Cisco switches.) You _could_ use it, but for the sake of simplicity I would first test it without bonding and see whether you get that running. Afterwards, the setup with bonding is similar, since the bonding interface acts as a big virtual interface anyway.

For my own network, I usually use VLAN 1 (the default VLAN) for my LAN since most switches have their management IP address in VLAN 1 by default. This way you can manage your switches from your LAN, and this means you don't lose a switch port just for managing the switch. On your home LAN, where you usually trust your clients, the security risk is negligible.

Another side note: From your explanation, I'm guessing you have Telenet and the Telenet Digicorder settop box. The 10.x.x.x address for the settop box you are referring to is assigned by the ISP based on MAC address. They have the list of MAC addresses for the settop boxes since they sell them themselves. They feed this list into their DHCP servers to assign non-public IP addresses and different gateways to the settop boxes. Any non-settopbox MAC address is considered an internet device and is assigned a real public IP address. This is the way they keep both kinds of devices apart. This also means you cannot use a 1:1 mapping on your pfsense to assign a 'public' 10.x.x.x IP to your settop box without messing with fake MAC addresses and such.

What I would do in your case:
(And I have a more or less similar setup running great at home with 7 VLANs)

Switch 1 is at your cable modem. Switch 2 is under your television.
If not set already, give both switches an IP address in your LAN range, and attach them to VLAN 1 (normally the default).

Set up 2 VLANs on both switches.
   VLAN 1 = LAN
   VLAN 2 = WAN

Connect both switches to each other using port 1 on both switches.
Connect the cable modem to port 2 on switch 1
Connect pfsense to port 3 on switch 1
Connect settop box to port 2 on switch 2
All other switch ports on both switches are LAN ports and can be used for any LAN device.

Set port 1 on both switches to 'trunk' mode, sometimes also called 'tagged' mode. Set port 2 on switch 1 to 'untagged' mode IN VLAN 2 (!!!) (switchport 'mode access' on Cisco switches)
Set port 3 on switch 1 to 'trunk' mode
Set port 2 on switch 2 to 'untagged' mode IN VLAN 2
Set all other ports to 'untagged' mode IN VLAN 1


There are 2 port settings you need to know when using VLANs. The first is 'trunk' or 'tagged' mode, the second is 'untagged' mode. 'Tagged' mode is for switch ports attached to devices that also know how to speak 'VLAN' (other switches, firewalls, ...). 'Untagged' mode is for switch ports attached to devices that don't know what VLANs are and only need access to 1 VLAN.

The 'tagging process' means the switch will set a header in each packet with the ID of the VLAN, so that the device attached to the other end of the cable can then separate all packets again into the correct VLAN. In this mode, the switches will send all packets for all VLANs to the device attached to this port. This means that you should not connect devices to this port that do not have the same VLAN configuration, since they will get packets sent to them they will not understand.

When setting the 'untagged' ports, these ports will be assigned to ONE specific VLAN. The VLAN ID will not be written in the headers of the packets, and only packets for that specific VLAN will be sent to the attached device. That device will only be connected to that VLAN.

Important step: setup the VLAN 1 and 2 on your pfsense, assigning your LAN and WAN interface to the correct vlan interface. Maybe add another interface (not vlan) with another subnet for management purposes in case you mess up your VLAN config and can't reach pfsense anymore.

If you think setting up VLANs on your pfsense is too complicated, let me know, I can explain it in another email or on IRC if you want. Or you could just run 2 cables from your pfsense to switch 1 to avoid having to set up VLANs on pfsense. In that case, instead of setting port 3 on switch 1 to 'trunk' you would then just set it to 'untagged' mode IN VLAN 2, and connect that to the WAN port of your pfsense. Connect a second cable from the LAN port of pfsense to port 4 on switch 1, setting it to 'untagged' mode IN VLAN 1.

Using this setup, your settop box and your pfsense will be virtually directly connected to your cable modem, using VLAN 2 (WAN).
All the other ports are LAN ports using VLAN 1.


Disclaimer1: I'm leaving out several other VLAN settings and modes you don't need in this case, for simplicity's sake.

Disclaimer2: Some people might argue that this setup is unsafe since someone might be able to hack into your switch since your VLAN 2 is transporting packets from your ISP. On the other hand, as long as you make sure your switches don't have a management IP in VLAN 2, there is no way they can reach the switch management console. The only way this would be 'hackable' is if there were an exploitable bug in your switch firmware, which, although not unthinkable, is considered very unlikely (by me at least). I guess it all depends on what you are trying to secure. This might not be a good idea if you are running a top secret government network, but my home network is just not all that important to hackers. :-)


Let us know how it works.

Regards,

Hans
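
The port modes and the two-switch layout Hans describes, as an added example that is not part of his mail or of any switch vendor's code: a small model of 'tagged' (trunk) and 'untagged' (access) ports working on real 802.1Q frame bytes, used to trace where a frame from the settop box, from a LAN device and from pfsense ends up, plus the check behind Disclaimer2 (the management IP must not live in the WAN VLAN). Port numbers and VLAN IDs follow the mail; the MAC addresses and frames are constructed here. One simplification is an assumption of mine: a trunk port drops untagged frames, i.e. no native VLAN is modelled.

```python
"""Model of the two-switch VLAN layout from the mail (added example, not the
original post's or a vendor's code).  Trunk ('tagged') ports carry every VLAN
with an 802.1Q header; 'untagged' (access) ports belong to exactly one VLAN.
Assumption: a trunk drops untagged frames (no native VLAN is modelled)."""
import struct
from dataclasses import dataclass

DOT1Q = 0x8100  # EtherType that announces an 802.1Q VLAN tag


@dataclass
class Port:
    mode: str      # "trunk" (tagged) or "access" (untagged)
    vlan: int = 0  # access ports only: the single VLAN the port belongs to


def build_frame(dst, src, ethertype, payload, vlan=None):
    """Build an Ethernet frame; with vlan set, insert an 802.1Q tag (PCP/DEI = 0)."""
    hdr = dst + src
    if vlan is not None:
        hdr += struct.pack("!HH", DOT1Q, vlan & 0x0FFF)
    return hdr + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return (vlan_id or None, ethertype, payload) for a raw frame."""
    (etype,) = struct.unpack("!H", frame[12:14])
    if etype == DOT1Q:
        (tci,) = struct.unpack("!H", frame[14:16])
        (etype,) = struct.unpack("!H", frame[16:18])
        return tci & 0x0FFF, etype, frame[18:]
    return None, etype, frame[14:]


def ingress_vlan(port, frame):
    """VLAN a frame arriving on this port is placed in; None means it is dropped."""
    tag, _, _ = parse_frame(frame)
    if port.mode == "access":
        # an untagged port accepts only untagged frames and puts them in its VLAN
        return port.vlan if tag is None else None
    return tag  # trunk: the tag decides; untagged frames are dropped (assumption)


def egress(port, vlan, frame):
    """Frame as it leaves this port for the given VLAN, or None if the port is not in it."""
    _, etype, payload = parse_frame(frame)
    dst, src = frame[:6], frame[6:12]
    if port.mode == "access":
        # untagged port: only its own VLAN is delivered, and the tag is stripped
        return build_frame(dst, src, etype, payload) if vlan == port.vlan else None
    return build_frame(dst, src, etype, payload, vlan=vlan)  # trunk: always tagged


def forward(switch, in_port, frame):
    """Flood a frame entering in_port; return {port: frame} for every port that carries it on."""
    vlan = ingress_vlan(switch[in_port], frame)
    if vlan is None:
        return {}
    out = {}
    for number, port in switch.items():
        if number != in_port:
            sent = egress(port, vlan, frame)
            if sent is not None:
                out[number] = sent
    return out


def trace(path, frame):
    """Follow a frame through [(switch, in_port, out_port), ...]; None if it is blocked."""
    for switch, in_port, out_port in path:
        frame = forward(switch, in_port, frame).get(out_port)
        if frame is None:
            return None
    return frame


# The layout from the mail: switch 1 at the cable modem, switch 2 under the TV.
SWITCH1 = {1: Port("trunk"),      # to switch 2
           2: Port("access", 2),  # cable modem, untagged in VLAN 2 (WAN)
           3: Port("trunk"),      # pfsense, VLANs 1 and 2 tagged
           4: Port("access", 1),  # a LAN device
           5: Port("access", 1)}  # a LAN device
SWITCH2 = {1: Port("trunk"),      # to switch 1
           2: Port("access", 2),  # settop box, untagged in VLAN 2
           3: Port("access", 1)}  # a LAN device
MGMT_VLAN = {"switch1": 1, "switch2": 1}  # management IPs in VLAN 1, as in the mail


def management_reachable_from_wan(mgmt_vlan, wan_vlan=2):
    """The check behind Disclaimer2: the management IP must not sit in the WAN VLAN."""
    return mgmt_vlan == wan_vlan


if __name__ == "__main__":
    settop, modem = b"\x02\x00\x00\x00\x00\x01", b"\x02\x00\x00\x00\x00\x02"  # constructed MACs
    untagged = build_frame(modem, settop, 0x0800, b"ip")
    tagged2 = build_frame(modem, settop, 0x0800, b"ip", vlan=2)
    # settop box -> switch 2 port 2 -> trunk -> switch 1 port 1 -> cable modem on port 2
    print("settop -> modem:", trace([(SWITCH2, 2, 1), (SWITCH1, 1, 2)], untagged) is not None)
    print("LAN device -> modem:", trace([(SWITCH1, 5, 2)], untagged) is not None)
    print("pfsense VLAN 2 -> modem:", trace([(SWITCH1, 3, 2)], tagged2) is not None)
    for name, vlan in MGMT_VLAN.items():
        print(name, "management exposed to WAN:", management_reachable_from_wan(vlan))
```

Running it shows the property the mail relies on: the settop box and pfsense reach the cable modem through VLAN 2 while a LAN port in VLAN 1 never does, and the tag is added on the trunk between the switches and stripped again on the untagged modem port. Changing a switch's entry in MGMT_VLAN to 2 is exactly the misconfiguration Disclaimer2 warns about, and the check flags it.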