vlans, switches & pfsense


sapper6fd

Ok, so this is going to be a rather comical / trivial post for some of the seasoned vets out there, but I'm about to dive into networking on a scale that's a bit foreign to me, vlans.

I've upgraded my home lab from a single PE2950 which handles everything in ESXi, except for my FreeNAS box, to include the following servers:

R710 (ESXi box)
R610 (Web server)
R510 (FreeNAS Box - not yet purchased but needed to replace an ageing server)
R210 II (pfSense box - not yet set up)
Powerconnect 6248 (about to order off eBay).

So with this setup, all servers will be connected to the regular network, with the exception of the Web server. I would like to separate it from the rest of the network for security reasons.

So my question is, am I able to set up a VLAN in pfSense, and pass it through the Powerconnect 6248 to the web server, or will I need to configure the 6248 to do this as well?

I want to make sure this is something I can do before pulling the trigger on this switch. Right now my switches consist of a smorgasbord of Netgear GS108's linked together. It's time I start doing things more properly.
 

pricklypunter

I'm no pfSense guru to be sure, but here goes. There are a couple of ways to skin that cat, but the simplest, I think anyway, is to configure port-based VLANs on the switch and trunk your traffic to your pfSense ports. I might miss a few things here, and I'm oversimplifying, it's been a while, but it goes something like this:

Create your VLANs on your switch, assign your ports as you desire.
Create your trunk and assign your trunk port, or ports if you are bundling links using a port aggregation protocol (LACP).
Create your trunk link on the pfSense box to match your switch settings and create sub-interfaces on it for each of your VLANs; the addresses you assign to each become the gateways for your clients.
Assuming that you are using DHCP, you'll also need to tell your switch to perform DHCP relay and point it to your DHCP server.

Another way to achieve the same end might be to just create your VLANs on the switch, assign your ports etc. and then route your traffic using a default gateway/port to your pfSense box instead. Obviously your switch needs to support doing this whichever way you choose :)
 

fractal

If you want the web server on its own network with the equipment you listed then the switch needs to be involved.

One easy option might be to put a NIC in the PCIe slot in the R210 II and connect it directly to the web server. You might use an existing GS108 on that network segment if you plan on adding more "DMZ" class devices.

Otherwise I think you will need to set up multiple vlans on the trunk from the pfSense box to your switch and configure the port to your web server on that vlan.
 

sapper6fd

Thanks guys for the input.

I thought of using a separate NIC in the R210 II and dedicating one of the ports to the web server - but it never crossed my mind to use the GS108 for that. I do know the GS108 is capable of handling VLANs so that's a great point.
 

sapper6fd

If that's your network I would also install another NIC and spin it into another network on that interface, just be careful with firewall rules between the two networks.

If you do decide on a 6248, remember they are not quiet. (great switch IMO)
I am open to other gigabit switches, especially if they are quieter.
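
The caution above about firewall rules between the two networks, as an added example that is not part of any post in this thread: pfSense applies interface rules top to bottom and stops at the first match, so a broad pass rule placed above the block rule silently reopens the LAN to the web server VLAN. The subnets, host addresses and rule sets below are constructed assumptions.

```python
import ipaddress

# Constructed addressing (assumption): LAN 192.168.1.0/24, web-server VLAN 192.168.20.0/24.
LAN = ipaddress.ip_network("192.168.1.0/24")
DMZ = ipaddress.ip_network("192.168.20.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")

# Rules on the DMZ interface, top to bottom: (action, source, destination, dst port or None).
# The first matching rule decides; traffic that matches no rule is dropped.
GOOD_RULES = [
    ("pass",  DMZ, ipaddress.ip_network("192.168.20.1/32"), 53),  # DNS on the gateway
    ("block", DMZ, LAN, None),                                    # no DMZ -> LAN
    ("pass",  DMZ, ANY, None),                                    # internet access
]
# Same rules with the broad pass placed first: the block is never reached.
BAD_RULES = [GOOD_RULES[2], GOOD_RULES[0], GOOD_RULES[1]]

def evaluate(rules, src, dst, port):
    """Return the action of the first rule matching the packet, else 'block'."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, rsrc, rdst, rport in rules:
        if s in rsrc and d in rdst and rport in (None, port):
            return action
    return "block"  # default deny

def lan_leaks(rules, ports=(22, 80, 443, 445)):
    """List (dst, port) pairs on the LAN that a DMZ host is allowed to reach."""
    src = str(DMZ.network_address + 10)  # sample web server address
    samples = [str(LAN.network_address + 1), str(LAN.network_address + 50)]
    return [(dst, p) for dst in samples for p in ports
            if evaluate(rules, src, dst, p) == "pass"]

if __name__ == "__main__":
    for name, rules in (("good", GOOD_RULES), ("bad", BAD_RULES)):
        print(name, "LAN leaks:", lan_leaks(rules))
        print(name, "internet 443:", evaluate(rules, "192.168.20.10", "1.1.1.1", 443))
```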