Pfsense with Wireless NIC as access point - Also traffic isolation

Okay but I'm not quite sure if I totally understand that. So my single NIC out from my pfSense carries 4 tag IDs. Then using my managed switch I assign each of those IDs to an individual port on the managed switch. I then can use those IPs and VLANs on those ports?

Dumb switches can't carry VLAN tagging data.

@SrBushWookie I think you've got the high level understanding of it now. The tagging data also transmits the DHCP data so your workstation you assign a tag to will get a DHCP address.

But if I pull a dumb switch out of my managed VLAN port I will get the DHCP for that port?

No. If you have multiple switches they all have to be managed to transmit tagging data to each other.

So for each of my client machines I will have to use a managed port directly to them?

Correct. Depending on the number of endpoints and the distance between them, you would only need one managed switch. All the endpoints need is a port on the switch that's properly configured to their associated VLAN.

Okay then @Yockanookany @sanfordvdev @LasseKongo @MichaelLindman @NetBandit Thank you heaps for your comments and for helping me understand VLANs - Now I have one last question. WTF switch should I buy haha

How many ports do you need and how much do you want to spend?

Well if I'm correct I just need one for each of my subnets, 8-16 ports. 32 if it's not much more expensive, and I am happy to use second-hand stuff. $400-$500 AUD, so like 382.24 USD <3 haha

Well you only -need- 1 for all of your subnets... again depending on distance and the number of endpoints needing to be connected.

Edit:

HP makes pretty decent switches. They have lifetime warranties on them too, so buy one and forget about it. Make sure you buy it from a reputable vendor though:

Netgear, allegedly, makes decent switches as well:

Absolute legend :) cheers for the lesson guys :)

Yes, if you have a managed switch with VLANs and a port that is assigned VLAN 1 (for example) then you can connect a dumb switch to that port and everything on that switch will be on VLAN 1. You just can't carry VLAN data over a dumb switch, so you can't connect it to a trunk port and expect it to work.

Basically, the device connected to a VLAN port only needs to be tagged if that port carries multiple VLANs (so the device knows which VLAN it's supposed to be on). If the port is configured for a single VLAN then the device doesn't need to know anything about VLANs to work.


Right, so for my workshop then I would only really need one VLAN into a dumb switch to provide the isolation I am looking for?

Yeah that's correct, so long as you didn't want anything in there connected to a different VLAN.

I was never successful at getting any type of connection from a VLAN connection into a dumb switch. The DHCP wouldn't transmit since all the DHCP subnets were based off VLAN tags and the endpoints didn't get the VLAN tag since the dumb switch wouldn't transmit it.

You should go pick up some Wireless N Linksys routers and use them as APs. It will work better.

You shouldn't need to tag anything. You connect the dumb switch to a port which is assigned to whatever VLAN, not tagged in that VLAN, and then DHCP traffic, like any other broadcast traffic will have no problem getting to the dumb switch. Tagging is only needed when you connect a device to a port which carries multiple VLANs and you want to have virtual interfaces on that device for each VLAN.
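The two explanations above (a dumb switch hung off an access/untagged port works; hung off a trunk port it does not, and DHCP per VLAN is the first thing that breaks) come down to where the 802.1Q tag is inserted and stripped. The following is an added illustration written for this page, not code from the thread or from pfSense or any switch vendor. It builds and parses real 802.1Q frame bytes, models a managed switch with trunk and access ports, a tag-unaware dumb switch that floods frames unchanged, and a plain host that only processes untagged frames (a simplification of how an OS with no VLAN sub-interface behaves). Port numbers, VLAN IDs, MAC addresses and the DHCPOFFER stand-in payload are constructed.

```python
"""Model of 802.1Q tagging across a managed switch, a dumb switch and plain hosts.

Added illustration for the forum thread above, not from the thread itself.
Port layout, VLAN IDs, MACs and the payload are constructed.
"""
import struct

ETH_P_IP = 0x0800      # EtherType for IPv4
ETH_P_8021Q = 0x8100   # TPID that announces an 802.1Q tag
BROADCAST = b"\xff" * 6


def build_frame(dst, src, ethertype, payload, vlan=None):
    """Ethernet II frame; an 802.1Q tag (TPID + TCI) is inserted after the MACs when vlan is given."""
    hdr = dst + src
    if vlan is not None:
        hdr += struct.pack("!HH", ETH_P_8021Q, vlan & 0x0FFF)  # PCP/DEI bits left at 0
    return hdr + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return (dst, src, vlan_or_None, ethertype, payload) from raw frame bytes."""
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vlan, off = None, 14
    if ethertype == ETH_P_8021Q:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan, off = tci & 0x0FFF, 18  # VID is the low 12 bits of the TCI
    return dst, src, vlan, ethertype, frame[off:]


def retag(frame, vlan):
    """Rebuild the frame with the given VID, or untagged when vlan is None."""
    dst, src, _, ethertype, payload = parse_frame(frame)
    return build_frame(dst, src, ethertype, payload, vlan)


class ManagedSwitch:
    """ports: {port: ("trunk", {allowed VIDs}) or ("access", vid)}. Floods only; a broadcast needs no MAC table."""

    def __init__(self, ports):
        self.ports = ports

    def forward(self, in_port, frame):
        mode, cfg = self.ports[in_port]
        vlan = parse_frame(frame)[2]
        if mode == "access":
            if vlan is not None:
                return []            # assumption: tagged frames arriving on an access port are dropped
            vlan = cfg               # untagged ingress is placed in the port's VLAN
        elif vlan is None or vlan not in cfg:
            return []                # no native VLAN configured here, or VID not allowed on the trunk
        out = []
        for port, (m, c) in self.ports.items():
            if port == in_port:
                continue
            if m == "access" and c == vlan:
                out.append((port, retag(frame, None)))   # tag stripped on egress
            elif m == "trunk" and vlan in c:
                out.append((port, retag(frame, vlan)))   # tag kept on egress
        return out


class DumbSwitch:
    """Unmanaged switch: floods whatever it receives, byte for byte, to every other port."""

    def __init__(self, n_ports):
        self.n_ports = n_ports

    def forward(self, in_port, frame):
        return [(p, frame) for p in range(1, self.n_ports + 1) if p != in_port]


def host_accepts(frame):
    """A host with no VLAN sub-interface only processes untagged frames (simplified model)."""
    return parse_frame(frame)[2] is None


def simulate(offer_vlan):
    """pfSense on trunk port 1 broadcasts a DHCPOFFER tagged offer_vlan; report which hosts can use it."""
    sw = ManagedSwitch({
        1: ("trunk", {1, 10, 20, 30}),   # the single pfSense NIC carrying four tagged VLANs
        2: ("access", 10),               # workshop: untagged VLAN 10 feeding a dumb switch
        3: ("access", 20),               # a workstation cabled straight to a VLAN 20 port
        4: ("trunk", {10, 20}),          # the mistake: a dumb switch hung off a trunk port
    })
    offer = build_frame(BROADCAST, bytes.fromhex("0242ac110002"), ETH_P_IP, b"DHCPOFFER", offer_vlan)
    received = {"workshop_pc": False, "vlan20_pc": False, "trunk_dumb_pc": False}
    for port, egress in sw.forward(1, offer):
        if port == 2:
            for _, f in DumbSwitch(5).forward(1, egress):   # dumb switch uplink is its port 1
                received["workshop_pc"] |= host_accepts(f)
        elif port == 3:
            received["vlan20_pc"] = host_accepts(egress)
        elif port == 4:
            for _, f in DumbSwitch(5).forward(1, egress):
                received["trunk_dumb_pc"] |= host_accepts(f)
    return received


if __name__ == "__main__":
    for vid in (10, 20, 99):
        print(vid, simulate(vid))
```

Running it shows the VLAN 10 offer reaching the workshop PC behind the dumb switch on the access port but not the PC behind the dumb switch on the trunk port, which is exactly the "DHCP wouldn't transmit" symptom described earlier; a VID pfSense was never configured for goes nowhere. Real unmanaged switches and NIC drivers vary in how they treat tagged frames (many pass them through unchanged, some drop the slightly longer frames), so treat the host and dumb-switch behaviour here as the thread's argument made concrete rather than a hardware spec.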

That pretty much defeats all purposes of the VLAN infrastructure. You're just subnetting at that point.

Which is what the OP is trying to do, and he really doesn't need VLANs to do it if he has enough interfaces on the router and is happy to have two switches. If he just wants one switch then he can use VLANs to get what he wants, I'm just saying that if you plug a dumb switch in to a port which is assigned to a particular VLAN then everything connected to that switch will be on the network carried by that VLAN.

Right, because the VLAN data doesn't really exist anywhere but the router/firewall at that point logically.

Yeah if OP is fine as is then that's fine. I took it as he was taking this opportunity to de-clutter/complicate his network as well. Or maybe that was just me pushing an agenda.