1 LAN + 2 VLANs from one NIC configuration

I have just moved from OPNsense and am liking IPFire, and will make a donation since this project gives importance to security. It is fine at my home, but I want to deploy it at my workplace labour camp with 150 users. The present setup is an OPNsense router on a box, UniFi switches and access points. There are 3 networks, LAN, VLAN 10 and VLAN 20, to segregate staff and labourers' WiFi, and all coming from one NIC of the OPNsense router.

Now after reading some blogs I think :thinking: it is not so straightforward, and not possible from the web GUI in IPFire, to have 2 VLANs from 1 NIC. My router has 4 NICs. Can someone guide me step by step, since Linux is not my area but I'll learn? I don't want to rewire the old setup and pull new cables now; only one LAN cable runs through all the 4 switches and access points.

Honestly I think this option is useful IMO.

Indeed, it is possible.


It seems possible… on condition that the computer has at least two physical NICs, for RED and GREEN, for setup.


That link is to end up with a NIC with a native connection and one VLAN.

What @himurae is asking for is one NIC with a native connection plus 2 VLAN connections, so that there end up three separate LANs on one NIC.

That can’t be done by IPFire currently with the WUI.

It will be something that IPFire 3.x will be able to do, but that is still under development.


My bad. I answered before reading the post carefully. Thank you for setting the record straight.

You are right.

Adolf, thanks again for the clarification. I spent 3 days straight, 8 hours each, going through all the possibilities of this firewall.

Also I noticed ad blocking is a pain in the ass. In OPNsense under Unbound you could use a predetermined or custom list, but here it's not easy; it doesn't work for me yet. Will keep trying.

@himurae, like it or not, the current path for this project is undoubtedly towards the best security achievable with a firewall distro.
However, not all the features can be "steered" by the user base to what competing products and projects are providing. Still today, IPFire AFAIK cannot manage redundant/multiple WAN/RED connections via network cards, only as dial-up for a small set of options and setups. IMVHO, today, it is feature-lacking, as for ad filtering.
However, you can still add a product in your network like a Pi-hole setup and use this as an ad-block feature for the clients. It only requires designing both installations to work as a team.


Using a "lying" DNS server like Pi-hole to help preserve privacy conflicts with the use of DNSSEC. To me this is an issue of trade-offs between security (DNSSEC) vs privacy features (Pi-hole). The topic is a bit nuanced.

By the way, there is a script that recreates Pi-hole behaviour in Unbound.


Currently the securing of the DNS channel of communication is still… to be defined.
DoH, DoT and DNSSEC are concurrent options, with different nuances and features among all options, all defined in specific RFCs.

For some, DNSSEC is the only option, even among people developing this project. The market is still waiting to decide the winning solution.

I agree; however the phrasing could give the impression that they're competing protocols, which would not be an entirely accurate interpretation of your sentence, since each addresses distinct challenges.

Encrypted DNS (DoH or DoT) enhances privacy and security by preventing eavesdropping on and tampering with DNS data, by encrypting it and sending it over HTTPS or TLS. DNSSEC counters the problem of DNS cache poisoning by allowing DNS records to be digitally signed. The main challenge it confronts is ensuring the authenticity and integrity of DNS data.


Are you confident that when a standard is massively adopted, another one for different goals will also be used?

I am not even confident that IPv6 will be the prevailing standard during my lifetime. I see your point though, I was just a bit pedantic. That's all.

Again, I don't agree.
You expressed an opinion, maybe personally biased, but an expression of thought. IMO, having someone who doesn't agree with you is important for having a deeper analysis of personal opinions, beliefs, experiences.

IPv6 is deployed and working every day. AWS is charging more for IPv4 addresses than IPv6 addresses. It's working every day, even if in LANs and devices it is not that widespread; current OSes support it and can work with it.

I meant exactly what I said and I agree with the quote above.

I was just nitpicking that these 3 protocols solve two different problems and therefore are not exactly overlapping.

You asked if I had any confidence that, assuming one of the three would be chosen by the market, another one could be selected as well. My answer was that I am not confident of anything, and to make a point I mentioned a protocol that should be the "chosen one" by the market, and clearly it is not even close to reaching that goal (I never implied that it was not used at all or not useful) after 20 and more years since it was released.

The point is, I am not even confident that the market will choose any of them. Network effects are difficult to displace. The status quo is always the predominant force. For a new standard to become the dominant force you need a very strong reason for adoption. Or a very long time.

At least a 10-fold improvement is what is needed to displace an incumbent with a new standard. Do any of DoT/DoH/DNSSEC improve 10x on the status quo? Maybe, but I am not so sure. This does not mean that we cannot use them, like you do with IPv6. It means that the market will not "massively" choose any of them any time soon. This is my belief.

EDIT: If we ask a different question: which one of the three will be more prevalent? My money goes to DNSSEC, only because the war on cryptography will only intensify in the coming years. Servers that encrypt DNS traffic will probably be relegated to the margin of the Internet. DNSSEC should not upset the authoritarian tendency of our governments (all of them) as much as something that interferes with mass surveillance, like encrypted traffic.


I am happy to see knowledgeable people here so passionate about networking discussions, which help others as well.


I have no idea, but I already tried to simply configure 3 VLANs on one interface; that would be only one VLAN more, which would have to be set up on the switch. With two VLANs it works: I have green and orange as VLANs on one network card.

Please elaborate

This was my question, to use one network card with two zones and VLANs.
I already had red and green configured as VLANs because my modem is located somewhere else from the IPFire. Now the consideration was to run green as native and orange as VLAN, but because I already had green configured as a VLAN, it didn't work because of the tags. When I then made the green zone also a VLAN, it worked. What's wrong with putting the blue network on eth0 and specifying a third VLAN? As long as the ports on the switches cleanly set the tags and remove them again, this should run cleanly.