Use one NIC and VLANs

Hi there,
Is it possible to set up IPFire on one NIC and assign Red and Green VLANs? I have a L3 switch connected to the IPFire appliance.

Thanks!

Hi @aidenmitchell

Welcome to the IPFire community.

Each NIC can only have one VLAN tag applied in the Zone Configuration WUI page, so you cannot have a red VLAN tag and a green VLAN tag on the same NIC.

3 Likes

I have a similar need: running IPFire on an old NUC with one NIC.

It would be great to allow segregation of traffic with VLAN tagging rather than adding USB adapters.

Is this a feature request yet, or can I submit one? Do the devs have any concerns with implementing such a capability?

Thanks! B

Hi,

welcome to the IPFire community. :slight_smile:

Only speaking for myself, not for the entire bunch of core developers: Yes.

For security reasons, you want at least to have the RED zone and internal ones (GREEN/BLUE/ORANGE) on different network interfaces, so a faulty VLAN configuration or vulnerable VLAN equipment cannot allow attackers to bypass your firewall completely.

For internal networks with different security levels (such as GREEN and ORANGE), I personally see VLANs as an ugly, but necessary compromise. (Did I mention I like to do as much in physics as I can? :wink: ) But in the worst-case scenario, there is at least no way for an attacker to establish internet connections without having to go through IPFire. A single NIC with multiple VLANs on it would allow that.

Sorry to disappoint, and best regards,
Peter Müller

4 Likes
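The risk Peter describes (RED and an internal zone riding the same physical NIC as VLAN sub-interfaces, so a VLAN misconfiguration or hopping attack lands an attacker inside without crossing the firewall) can be audited on any Linux host from `ip -d link show` output. The script below is an added example, not IPFire's own tooling: it parses constructed `ip -d link` lines, maps each VLAN sub-interface to its parent NIC, and flags zones that share a parent. The zone-to-interface mapping (`ZONES`) is an assumed illustration, not read from any IPFire configuration file.

```python
import re
from collections import defaultdict

# Constructed sample of `ip -d link show` output (not captured from a real box).
# eth0 carries two 802.1Q sub-interfaces; eth1 is a plain NIC.
IP_LINK_OUTPUT = """\
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff promiscuity 0 minmtu 68 maxmtu 9000
3: eth0.10@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
    link/ether 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff promiscuity 0 minmtu 0 maxmtu 65535
    vlan protocol 802.1Q id 10 <REORDER_HDR>
4: eth0.20@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
    link/ether 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff promiscuity 0 minmtu 0 maxmtu 65535
    vlan protocol 802.1Q id 20 <REORDER_HDR>
5: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether 00:11:22:33:44:66 brd ff:ff:ff:ff:ff:ff promiscuity 0 minmtu 68 maxmtu 9000
"""

# Assumed zone assignment for the example (hypothetical, not from IPFire's config).
ZONES = {"RED": "eth0.10", "GREEN": "eth0.20", "ORANGE": "eth1"}

# Matches the header line of each interface, e.g. "3: eth0.10@eth0: <...>".
HEADER_RE = re.compile(r"^\d+:\s+(?P<name>[^:@\s]+)(?:@(?P<parent>[^:\s]+))?:")
VLAN_RE = re.compile(r"^\s+vlan protocol (?P<proto>\S+) id (?P<id>\d+)")


def parse_links(text):
    """Return {ifname: {"parent": str|None, "vlan_id": int|None}} from `ip -d link` text."""
    links, current = {}, None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = m.group("name")
            links[current] = {"parent": m.group("parent"), "vlan_id": None}
            continue
        m = VLAN_RE.match(line)
        if m and current:
            links[current]["vlan_id"] = int(m.group("id"))
    return links


def physical_nic(links, ifname):
    """Walk @parent links until reaching an interface with no parent (the real NIC)."""
    seen = set()
    while ifname in links and links[ifname]["parent"] and ifname not in seen:
        seen.add(ifname)
        ifname = links[ifname]["parent"]
    return ifname


def audit_zones(links, zones):
    """Group zones by physical NIC and report any NIC carrying more than one zone.

    Each finding is (nic, sorted zone names, severity). Sharing that includes RED
    is 'high': a VLAN fault on that NIC exposes an internal zone to the outside
    without traversing the firewall. Internal-only sharing is 'medium'.
    """
    by_nic = defaultdict(list)
    for zone, ifname in zones.items():
        by_nic[physical_nic(links, ifname)].append(zone)
    findings = []
    for nic, zone_list in sorted(by_nic.items()):
        if len(zone_list) > 1:
            severity = "high" if "RED" in zone_list else "medium"
            findings.append((nic, sorted(zone_list), severity))
    return findings


if __name__ == "__main__":
    for nic, zone_list, severity in audit_zones(parse_links(IP_LINK_OUTPUT), ZONES):
        print(f"[{severity}] {nic} carries zones {', '.join(zone_list)}")
```

Run on a real host by replacing `IP_LINK_OUTPUT` with `subprocess.check_output(["ip", "-d", "link", "show"], text=True)` and filling `ZONES` with the actual interface names; a clean two-NIC layout, as recommended above, yields no findings.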

Thanks Peter, that makes perfect sense,

I personally knew of VLAN hopping as an attack vector, but many users of IPFire probably would not, and using physical adapters to avoid opening up the possibility is a fair stance for the project to take.

While I agree it shouldn’t be in the GUI, would it be achievable by editing the /etc/network/interfaces config? A manual method might be okay for admins who understand the risk of a single-interface-with-vlan-tags architecture.

I noticed that there are VLAN options in the GUI for each Zone interface, but they didn't do tagging like I expected. I'll need to do more RTFM on this :smiley:

Thanks, Brett

My opinion.
VLANs are a good means to structure areas.
An IPFire device has mainly two basic areas: WAN ('the internet') and LAN (the local devices). These are connected by the firewall and routing functions of IPFire. These areas should both have their own HW connections. VLAN puts several logical networks onto one physical network, leaving the discrimination of the networks to external devices (managed switches, clients, routers, ...). This can't be achieved for 'admins who understand the risk ...'.
So a manual VLAN method cannot replace a two-NIC hardware solution.

A post was split to a new topic: Router-on-a-stick approach make various assumptions