My ipfire box has four nics, two of which are in use.
I am getting a managed switch, and I want to split my current LAN into two vlans.
I understand this means I need to use two of the 16 switch ports for the two router NICs, one for each zone.
The switch supports Access ports, which are filtered to a specific VLAN and are untagged.
It has trunk ports, which seem to pass though vlan tags although it is optionally possible to filter which vlan tags are allowed through.
It has a General port, which can act as a Trunk or an Access port, as far as I can work out. I don;t really get that, so I am ignoring it.
Anyway, does ipfire require tagged packets to arrive at the NIC? If a packet with the wrong tag arrives, I guess it is dropped. If a packet with no tag arrives, does it assume it belongs to the zone assigned to the NIC? My guess is that it expects tagged packets because it would seem to defeat the security benefits of vlans otherwise. I therefore think I should make the two ports connected to the router as Trunk ports, filtered specifically to the correct vlan.
I couldn’t find an answer to this on the Wiki. It probably seems obvious to most people.
You can use the defaul switch vlan for one half of the ports and the other half give a new vlan tag.It will act as 2 switches. You would not need a trunk port.
The ports would need to be setup for untagged use. This could be used as a blue and green switch.
You could set them for tagged access , then you would need to tag them at ipfire.
Not everything can be configured for vlan tags…
I have a wireless access point that I can setup with two VLANs, and I’d like to do that for work and home wifi, so I need two DHCP pools, but I guess the two DHCP pools and some specific forwarding between the two subnets is based on the zone rather than vlan tag. But then, why does ipfire have vlans if it doesn’t need them? Is it for the case where you have multiple unmanaged switches and no other way of doing VLANs?
In this case you would want a vlan trunk to your AP.
The weird thing about vlans in a switch is that, all ports belong to a vlan.
The default one or your specific one
You can define them any way you want or need.
So you would need some ports on default.
Some on vlan4 or whatever.
And you will need a trunk port for your AP.
It will direct them to the proper vlan.
Default maybe vlan1.
So you will have vlan1 and vlan 4
You will define if ports must have tagged traffic or not.
So it is possible to have
6 ports vlan1
2 ports vlan trunk ( vlan1 and vlan4)
4 ports vlan4
AP on trunk for default untagged = vlan1
And vlan4
Untagged traffic is treated as default ( vlan1)
You can limit the ports to only tagged or all traffic is treated as tagged for that vlan
If your Ipfire has 4 nics, you can use all of them on the one managed switch, but Ipfire must not configured in VLAN because red/green/blue/orange are 4 different networks, so you have to us 4 different switches to handle them.
On the managed switch you can separate in 4 VLAN if you connect there APs make a VLAN 05 and all ports with AP you make PID 05 the port to ipfire nic must be untagged and set as blue network. Ipfire must not know that blue is VLAN05 on switch, but your management of cable and switches must configured correct that all VLAN 05 are in the blue network of ipfire, as example your second AP is near your cable moden and your router is next to the managed switch in a different room, but you have only one port to connect the switches. You muss tagged both VLAN on this one port but the ports connected to AP or Modem must not be tagged. The connection ports (VLAN tagged) between the switches should always PID 01 (the green standard network to have control) . The configuration of PID ports is about the VLAN.
As an simple rule when a port is tagged or not. If the device to communicate must handle VLAN then tag the port, if not untag the port.
Ok remembering that I am a complete beginner, my conclusion is:
I wnt to split my LAN into two VLANs, “work” and "home.
I have one managed switch, and one of my four NICs is RED and connected to the ISP.
I already have a Green zone, now I also have a BLUE zone. The DHCP config is straight-forward, I can just copy and paste the Green settings.
This is what I think I should do:
I will configure my managed switch to have two VLANs, even of one of those is the “default” vlan. I will connect cables and map these ports as “access ports”, which means each of these ports will be for one specific VLAN in every case. An “access port” in TPLink terms forwards packets with the vlan tag maintained, as long as it is the matching VLAN tag for that port.
Exceptions:
2) except for the port used for the wireless access point, which will be a trunk port to allow the WAP to be visible on both virtual LANs. I will use the “work” VLAN as the management VLAN, so the IP address of the WAP will be on the work VLAN.
and except in the case of the two ports used to connect to the two IPFire NICs. These two ports accept inbound traffic matching their specific VLAN, but have an egress rule which drops the VLAN tag, so that ipfire never sees VLAN tags. The switch manual says that traffic inbound from IPFire, untagged, will be tagged appropriately before it is forwarded.
If I may make a note, the default VLAN “work” should then be the VLAN01 and no other, for the reason if times a switch hangs so that it must be reset or you include another switch you can see the switch directly and include. If the default is on another VLAN you have to preconfigure the switch before.
The real use case for vlans are trunking multiple zones on one interface.
Say I wanted a set of blue, orange, and green network to be sent to a work shop 1200 feet from the network in the house and a fiber run was installed and a 10 or 20Gb base-x fiber card was plugged into the ipfire machine to run this short haul, and configure my networks to send across to a switch to land the networks back on individual ports. VLAN is just a way of patching nets onto one media run (cat5, fiber, etc). Which is the only reason why a router would have VLANS in the first place.
There are some fiber ISPs that are sloppy with their network infrastructure and the customer has to use a VLAN on red to establish the endpoint for their connection, but that is a different story.
