#1 Newbie (Join Date: Jun 2020; Posts: 3)

4-port NIC VLAN Setup

    Hi all.

I've got my Untangle VM with its own 4-port NIC. One will obviously be for External, connecting to my fiber modem, and I want to separate my network into 3 sections with VLANs: trusted internal, IoT, and Guest.

In my Interface setup, do I set it up with the interfaces being addressed, and VLAN interfaces bridged to those physical ports, with one port per VLAN back to my switch, and the switch ports tagged with the appropriate VLAN?

Or can I just disable ETH2&3 and have the VLANs bridged to the one internal port and addressed themselves?

    Thanks in advance.

#2 sky-knight (Untangle Ninja; Join Date: Apr 2008; Location: Phoenix, AZ; Posts: 24,660)

    Welcome to the forums...

    And, I'm not sure exactly what you're after so instead I'll try to explain how Untangle does VLANs.

    The physical interfaces themselves handle untagged traffic, if you want those ports to handle untagged stuff, that's where you'll want them either static, or bridged to something that is static.

    The virtual interfaces for VLANs handle tagged packets. So if you're wanting to dedicate interfaces to tagged traffic, you'd disable the physical NIC, but make a tagged interface attached to it and the tagged interface on Untangle is statically configured.

    Make sense?
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

#3 Untangle Ninja (Join Date: Jan 2011; Posts: 1,268)

    Yes, you can do it either way, though I'm not entirely sure what you mean when you say "bridged"; I don't know how bridging would come into play here.

Letting Untangle handle the VLANs directly will be more flexible than having the switch tag and untag everything onto separate ports, and connecting the same device to the same switch with 3 cables seems a little silly unless you're doing LACP, which Untangle doesn't do anyway. Plus that way you have 2 physical ports left for some future use.

#4 Newbie (Join Date: Jun 2020; Posts: 3)

    Thanks for the replies!

So what I'm trying to achieve is network segmentation for various IoT devices and guests away from the trusted core network. This is obviously not groundbreaking; I'm just confused about the way Untangle is allowing me to set it up.

    I can't post links yet but maybe the attachment will work.

By "bridged", I mean that the VLAN interface GUI element lets me choose "Addressed", "Bridged" or "Disabled" just like the physical interfaces, so I didn't know if I needed to set the IP assignment through the physical port and bridge the VLAN interface?

    Obviously one cable from Internal to switch and all tagged traffic cuts down on cable clutter, I just didn't know if there were any benefits.

[Attachment: wNmGDUp.png]

#5 Untangler (Join Date: Apr 2020; Location: United Kingdom; Posts: 58)

    Hi and welcome.

    Rob sums it up pretty succinctly. Other things I'd add to help you make your choice:

In my setup, I have one cable from my switch to Untangle that carries all VLANs. Depending on your flavour of switch that might be called a tagged interface, a trunk, etc. On Untangle, the untagged VLAN (1 in my case) is the physical interface and the others are tagged VLAN interfaces with the physical port they come in on as the parent.

[Attachment: Screenshot 2020-06-24 at 21.31.33.png]

That works fine for me and you might choose to do it that way too. Although, if you have the spare ports on your switch, you might prefer to connect each VLAN to Untangle directly on the other interfaces and give yourself the added bandwidth on each link and a bit of resilience too. To be honest, in my home setup I'm not even close to saturating a 1Gig uplink, so it's not really a concern for me, but it could be for you. If my trunk goes down, everything loses connectivity, so splitting the VLANs out over separate links means that's less likely.

    As with a lot of networking, many ways to achieve the same result. Depends what makes the most sense in your setup.
    Last edited by Armshouse; 06-24-2020 at 01:48 PM.

#6 sky-knight (Untangle Ninja; Join Date: Apr 2008; Location: Phoenix, AZ; Posts: 24,660)

    Tagged interfaces are just more interfaces. So they can be bridged, or static, or disabled.

It is valid and perfectly reasonable in the correct circumstances to bridge a tagged interface to a physical one. That's how you'd get untagged packets and tagged packets into the same VLAN. And... because the world is strange, you can even have the physical interface you're bridging to be different than the one the tagged interface uses as a parent. You can even bridge a physical interface to the tagged one! Again, it's just another interface...

    So put your IP addresses where you can keep track of them for your own sanity. I tend to use real NICs for that, but there are times when a vNIC makes sense too.

    So if you want to go bonkers, you can easily melt your brain.

    For this specific application however, I'm wondering why you'd use tagged interfaces at all. As mentioned you can reduce the number of cables connecting to the local switch, but you're also cutting available internal bandwidth doing so. Why would you do this? You tell us! It's your network! That's why I'm focusing on what's possible, which is pretty much anything.

    Oh, and point of clarity...

VLANs carve up layer 2.
IP networks carve up layer 3.

    Understanding what those two statements mean is critical.
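The interface model described in posts #2 and #6 (untagged frames belong to the physical port, tagged frames belong to the VLAN interface whose parent is that port and whose VID matches, and a disabled parent does not stop its tagged children) and Armshouse's trunk layout in #5 can be made concrete with a small 802.1Q demultiplexer. This is an added illustration, not Untangle's own code: the interface names eth0 to eth3, the VLAN IDs 20 and 30, the "addressed/bridged/disabled" modes as plain strings and the MAC addresses are all assumptions constructed for the example. It also covers two edge cases the thread does not spell out: a frame tagged with a VID that has no interface is dropped, and a priority-tagged frame (VID 0) is treated as untagged, as 802.1Q requires.

```python
"""Model of how a host splits 802.1Q traffic onto physical (untagged) and
VLAN (tagged) interfaces.  Added example; interface names, VIDs and MACs
below are constructed for illustration and are not from the thread."""
import struct
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple

TPID_8021Q = 0x8100             # EtherType that announces an 802.1Q tag follows
DROP = ("drop", "no interface")


@dataclass
class Frame:
    dst: bytes
    src: bytes
    vid: Optional[int]          # None when untagged or priority-tagged (VID 0)
    pcp: int                    # 802.1p priority bits; 0 for an untagged frame
    ethertype: int
    payload: bytes


def parse_frame(raw: bytes) -> Frame:
    """Parse an Ethernet II frame and strip one 802.1Q tag if present."""
    if len(raw) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = raw[:6], raw[6:12]
    (etype,) = struct.unpack("!H", raw[12:14])
    vid, pcp, off = None, 0, 14
    if etype == TPID_8021Q:
        if len(raw) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, etype = struct.unpack("!HH", raw[14:18])
        pcp, vid, off = tci >> 13, tci & 0x0FFF, 18
        if vid == 0:
            # VID 0 is "priority-tagged": it carries a PCP but belongs to the
            # untagged (native) VLAN, so the parent port itself must take it.
            vid = None
    return Frame(dst, src, vid, pcp, etype, raw[off:])


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes,
                vid: Optional[int] = None, pcp: int = 0) -> bytes:
    """Build a constructed test frame, optionally wrapped in an 802.1Q tag."""
    if vid is None:
        return dst + src + struct.pack("!H", ethertype) + payload
    tci = (pcp << 13) | (vid & 0x0FFF)
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload


@dataclass(frozen=True)
class Iface:
    name: str
    mode: str                      # "addressed", "bridged" or "disabled"
    parent: Optional[str] = None   # physical parent of a VLAN interface
    vid: Optional[int] = None      # tag a VLAN interface listens for


class Host:
    """Untagged -> the physical port; tagged -> the VLAN interface whose
    parent is that port and whose VID matches; anything else is dropped."""

    def __init__(self, ifaces: Iterable[Iface]) -> None:
        ifaces = list(ifaces)
        physical = {i.name for i in ifaces if i.vid is None}
        self.phys: Dict[str, Iface] = {}
        self.vlan: Dict[Tuple[str, int], Iface] = {}
        for i in ifaces:
            if i.vid is None:
                self.phys[i.name] = i
            elif i.parent in physical:
                self.vlan[(i.parent, i.vid)] = i
            else:
                raise ValueError(f"{i.name}: parent {i.parent!r} is not a physical port")

    def classify(self, port: str, raw: bytes) -> Tuple[str, str]:
        """Return (interface name, mode) that receives the frame, or DROP."""
        f = parse_frame(raw)
        if f.vid is None:
            iface = self.phys.get(port)
        else:
            # Lookup is by (parent, vid) only: a disabled parent port does
            # not prevent its tagged children from receiving traffic.
            iface = self.vlan.get((port, f.vid))
        if iface is None or iface.mode == "disabled":
            return DROP
        return (iface.name, iface.mode)


# Assumed layout: untagged External, an Internal trunk whose untagged side is
# the trusted LAN, IoT and Guest as tagged children of it, two spare ports off.
HOST = Host([
    Iface("eth0", "addressed"),                             # External
    Iface("eth1", "addressed"),                             # Internal, untagged
    Iface("eth1.20", "addressed", parent="eth1", vid=20),   # IoT
    Iface("eth1.30", "addressed", parent="eth1", vid=30),   # Guest
    Iface("eth2", "disabled"),
    Iface("eth3", "disabled"),
])

# Constructed, locally administered MAC addresses for the sample frames.
MAC_A = bytes.fromhex("02aabbccdd01")
MAC_B = bytes.fromhex("02aabbccdd02")
IPV4 = 0x0800


def classify_samples() -> Dict[str, Tuple[str, str]]:
    """Run a handful of constructed frames through HOST and collect results."""
    cases = {
        "untagged on eth1":    ("eth1", build_frame(MAC_B, MAC_A, IPV4, b"x")),
        "vid 20 on eth1":      ("eth1", build_frame(MAC_B, MAC_A, IPV4, b"x", vid=20)),
        "vid 30 on eth1":      ("eth1", build_frame(MAC_B, MAC_A, IPV4, b"x", vid=30)),
        "vid 40 on eth1":      ("eth1", build_frame(MAC_B, MAC_A, IPV4, b"x", vid=40)),
        "vid 0 (prio) on eth1": ("eth1", build_frame(MAC_B, MAC_A, IPV4, b"x", vid=0, pcp=5)),
        "vid 20 on eth0":      ("eth0", build_frame(MAC_B, MAC_A, IPV4, b"x", vid=20)),
        "untagged on eth2":    ("eth2", build_frame(MAC_B, MAC_A, IPV4, b"x")),
    }
    return {label: HOST.classify(port, raw) for label, (port, raw) in cases.items()}


if __name__ == "__main__":
    for label, result in classify_samples().items():
        print(f"{label:22} -> {result}")
```

Swapping the `eth1` entry to `"disabled"` and keeping the two children is the "dedicate the port to tagged traffic" layout from post #2: untagged frames on that port are then dropped while VID 20 and 30 still land on their own interfaces, and the lookup key makes it obvious why a tag arriving on the wrong physical port (VID 20 on eth0 above) goes nowhere.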

#7 Jim.Alles (Untangle Ninja; Join Date: Jul 2008; Location: Central PA; Posts: 2,177)

    How are you handling Wi-Fi?

    And a word to the wise, I recommend not assigning VLAN #1 on Untangle, consider it to be reserved for your switch and other infrastructure.

#8 Jim.Alles (Untangle Ninja; Join Date: Jul 2008; Location: Central PA; Posts: 2,177)

So depending on physical layout (and other factors), some ideas for a possible architecture: one port/cable to the switch, one port/cable to the Wi-Fi AP, and the last to something specific, or a spare, or maybe tethered to a wireless device for WAN backup when needed.

#9 Newbie (Join Date: Jun 2020; Posts: 3)

    You guys are so welcoming and helpful!

So Wi-Fi is going to be handled with UniFi APs, so the VLANs are easy to set up. Local switching is through some HP 1920-24Gs, nothing fancy but enough for me to do what I need to. Internet is going to be 350/30, possibly moving up to 500/30, so not enough to warrant 3 links' worth of throughput in Untangle.
There may also be some Powerline involved, which from what I've read is capable of passing the 802.1Q tags, but I'm gonna try not to over-complicate things. This would probably only be to add another AP anyway.

    With regards to the management side, would the preference be creating different policy racks based on each source interface VLAN?

#10 sky-knight (Untangle Ninja; Join Date: Apr 2008; Location: Phoenix, AZ; Posts: 24,660)

Only if you want different security policies for each; again, that's up to what you need Untangle to do.
