> Bear with me, this might become a long explanation. :-)
>
> I think you are making this overly complicated. VLANs are really easy to
> config once you get the hang of it. That said, there are a few different
> ways to set up VLANs, depending on the make and series of the managed switch
> you are using.
>
> There's also a terminology problem here with the definition of the word
> trunk I think.
> The trunking you are referring to is actually 'bonding', which is combining
> several (more than 2) ethernet ports into one big virtual ethernet port, for
> the purpose of failover or greater bandwidth (or both).
>
> You don't really _need_ that kind of trunk in your case. VLANs and trunks
> are two completely different things, but to make things confusing the
> setting you need to set on VLAN ports to 'tag' packets with the VLAN ID
> (We'll get to that later) is called 'trunk' on cisco switches. (the other
> trunking is called bonding on cisco switches)
> You _could_ use it, but for the sake of simplicity I would first test it
> without bonding and see whether you get that running. Afterwards, the setup
> with bonding is similar, since the bonding interface acts as a big virtual
> interface anyway.
>
> For my own network, I usually use VLAN 1 (the default vlan) for my LAN since
> most switches have their management IP address in VLAN 1 by default. This
> way you can manage your switches from your LAN, and this means you don't
> lose a switch port just for managing the switch. On your home LAN, where
> you usually trust your clients, the security risk is negligible.
>
> Another side note: From your explanation, I'm guessing you have telenet and
> the telenet digicorder settop box. The 10.x.x.x address for the settop box
> you are referring to is assigned by the ISP based on MAC address. They have
> the list of MAC addresses for the settop boxes since they sell them
> themselves. They feed this list into their DHCP servers to assign non-public
> IP addresses and different gateways to the settop boxes. Any non-settopbox
> MAC address is considered as an internet device and is assigned a real
> public IP address. This is the way they keep both kinds of devices apart.
> This also means you cannot use a 1:1 mapping on your pfsense to assign a
> 'public' 10.x.x.x IP to your settop box without messing with fake MAC
> addresses and such.
>
> What I would do in your case:
> (And I have a more or less similar setup running great at home with 7 VLANs)
>
> Switch 1 is at your cable modem. Switch 2 is under your television.
> If not set already, give both switches an IP address in your LAN range, and
> attach them to VLAN 1 (normally the default)
>
> Set up 2 VLANs on both switches.
>   VLAN 1 = LAN
>   VLAN 2 = WAN
>
> Connect both switches to each other using port 1 on both switches.
> Connect the cable modem to port 2 on switch 1
> Connect pfsense to port 3 on switch 1
> Connect settop box to port 2 on switch 2
> All other switch ports on both switches are LAN ports and can be used for
> any LAN device.
>
> Set port 1 on both switches to 'trunk' mode, sometimes also called 'tagged'
> mode.
> Set port 2 on switch 1 to 'untagged' mode IN VLAN 2 (!!!) (switchport 'mode
> access' on cisco switches)
> Set port 3 on switch 1 to 'trunk' mode
> Set port 2 on switch 2 to 'untagged' mode IN VLAN 2
> Set all other ports to 'untagged' mode IN VLAN 1
>
>
> There are 2 port settings you need to know when using VLANs. The first being
> 'trunk' or 'tagged' mode, the second being 'untagged' mode.
> 'tagged' mode is for switchports attached to devices that also know how to
> speak 'VLAN' (other switches, firewalls, ...)
> 'untagged' mode is for switchports attached to devices that don't know what
> VLANs are and only need access to 1 VLAN.
>
> The 'tagging process' means the switch will set a header in each packet with
> the ID of the VLAN, so that the device attached to the other end of the
> cable can then separate all packets again into the correct VLAN. In this
> mode, the switches will send all packets for all VLANs to the device
> attached to this port. This means that you should not connect devices to
> this port that do not have the same VLAN configuration, since they will get
> packets sent to them they will not understand.
>
> When setting the 'untagged' ports, these ports will be assigned to ONE
> specific VLAN. The VLAN ID will not be written in the headers of the
> packets, and only packets for that specific VLAN will be sent to the
> attached device. That device will only be connected to that VLAN.
>
> Important step: set up VLANs 1 and 2 on your pfsense, assigning your LAN
> and WAN interface to the correct vlan interface. Maybe add another interface
> (not vlan) with another subnet for management purposes in case you mess up
> your VLAN config and can't reach pfsense anymore.
>
> If you think setting up VLANs on your pfsense is too complicated, let me
> know, I can explain it in another email or on IRC if you want.
> Or you could just run 2 cables from your pfsense to switch 1 to avoid having
> to set up VLANs on pfsense.
> In that case, instead of setting port 3 on switch 1 to 'trunk' you would
> then just set it to 'untagged' mode IN VLAN 2, and connect that to the WAN
> port of your pfsense.
> Connect a second cable from the LAN port of pfsense to port 4 on switch 1,
> setting it to 'untagged' mode IN VLAN 1.
>
> Using this setup, your settop box and your pfsense will be virtually
> directly connected to your cable modem, using VLAN 2 (WAN).
> All the other ports are LAN ports using VLAN 1.
>
>
> Disclaimer 1: I'm leaving out several other VLAN settings and modes you don't
> need in this case, for simplicity's sake.
>
> Disclaimer 2: Some people might argue that this setup is unsafe since someone
> might be able to hack into your switch since your VLAN2 is transporting
> packets from your ISP. On the other hand, as long as you make sure your
> switches don't have a management IP in the VLAN 2, there is no way they can
> reach the switch management console. The only way this would be 'hackable'
> is if there would be an exploitable bug in your switch firmware, which,
> although not unthinkable, is considered very unlikely (by me at least). I
> guess it all depends on what you are trying to secure. This might not be a
> good idea if you are running a top secret government network, but my home
> network is just not all that important to hackers. :-)
>
>
> Let us know how it works.


Hans,


Thank you for your very extensive explanation.
Following this guide made me understand how this works beyond one
switch - I was able to work VLANs out on a single switch before - but
to extend it to another switch baffled me at first hand...
It truly works out just as you explained, to every point of the story.

I did use the setup to use 2 cables from the Alix board - just not to
complicate things more...
And yes, it's telenet that I am connected to...

Again, many thanks!
