Gold/Gold Plus Questions: Untagged traffic
I am thinking of buying a FWG Plus mostly for segmenting my network into VLANs. I have several questions regarding VLAN and FW.
- In FW, if I add a VLAN, the original LAN is still there. But in other implementations, everything is VLAN and there is no concept of LAN. Is the LAN the same as "default VLAN" or "native VLAN"?
- I have read that all FWG ports are trunk ports. What happens if a tagged port receives an untagged frame? Does it drop it? Or does it consider it's coming from "LAN"?
- Conversely, what happens if I send a frame to LAN? Is it forwarded to all the trunk ports (i.e., all ports are implicitly members of LAN)? Or only to the ports that are explicit members of LAN?
- Is there any way to set PVID for the ports?
- What is the VLAN number of "LAN"?
Thanks.
-
The LAN ports send and receive untagged traffic. Each LAN port is a separate network in Firewalla. I don't believe you can combine LAN and VLAN ports into the same network.
All VLAN ports in Firewalla are trunk ports.
For example, you could connect an unmanaged switch to a LAN port to make that switch into a separate Firewalla network.
-
Thanks for the response. With all due respect, I do not believe this answers my questions.
As far as I know, in a typical VLAN setup, there is no concept of “LAN.” Furthermore, the untagged traffic is handled in several ways:
1. An access port, aka untagged port, usually has a PVID setting. Tagged traffic going out of the access ports will have the tag removed. Conversely, untagged traffic going into the access port will have a tag specified by PVID added.
2. Trunk ports, aka tagged ports, usually carry tagged traffic. For untagged incoming traffic, it will add a tag of the native VLAN (that can be configured per switch per port). On the other hand, the outgoing tagged traffic that matches the native VLAN will have the tag removed.
3. A port sometimes can be both tagged and untagged. In this case, untagged incoming traffic will be tagged with PVID. Along with port membership, it simulates "native VLAN."
Each LAN port is a separate network in Firewalla. I don't believe you can combine LAN and VLAN ports into the same network.
I do not have an FW to verify it, but I think the above is probably not true. Think about the example in the official documentation with the Purple. Because the Purple has only a single port, it is obvious that this port has to deal with traffic from multiple VLANs, including the default "LAN."
I am suspecting every port is a member of LAN, which is probably both the default VLAN and native VLAN (but maybe it is not VLAN 1 as some posts were alluding to). So I want to understand exactly what happens to untagged traffic and FWG. There are actually 8 combinations:
- Incoming vs outgoing traffic
- Tagged vs untagged traffic
- Tagged vs untagged port
-
I'm running a Firewalla Gold SE and I just added a couple of VLANs to segment my guest and IoT networks.
I don't have a managed switch, but I do have VLAN tagging for my WiFi networks. My main LAN is the default LAN network and everything that isn't tagged goes onto it. I have then created 2 VLAN networks that map to my WiFi networks where the packets get tagged at the different APs.
In the FW configuration, all three ports (except for the WAN) are marked to be assigned to all three networks. In that configuration, anything that gets onto the LAN or my primary WiFi is untagged and that is my main network. Anything that is connected to my Guest or IoT WiFi will be tagged with the proper VLAN, the FW will see the tag, assign the proper DHCP address and segment the network.
https://help.firewalla.com/hc/en-us/articles/4408644783123-Network-Segmentation has great documentation on how to segment your network.
-
I wrote up my setup here. So far it is working perfectly.
To answer my own question above: I believe FWG VLAN traffic is tagged and LAN traffic is untagged. For example, if a port is a member of VLAN 10 and VLAN 20 but not a member of LAN, then the traffic is tagged with tag 10 and 20. If it is also a member of LAN, then there is also untagged traffic on the port in addition to tagged traffic.
There is no way to set PVID on FWG ports. So, if you want to convert untagged traffic to tagged traffic, you will need a managed switch. For example, I have found that Omada OC200 only speaks untagged traffic but I would like my management traffic between the APs to be on a management VLAN. The solution is to plug it into an access port with PVID equal to the management VLAN ID.
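As an added example (not from this thread or from Firewalla), here is a small Python model of the ingress/egress rules listed in the second post, applied to the port memberships described in the last one: a port carries VLAN 10 and 20 tagged, and carries "LAN" only if it is an untagged member. The LAN label, port names and sample frames are assumptions; what the Gold actually does with an untagged frame on a VLAN-only port is the question the thread leaves open, and the model drops it as a plain 802.1Q tagged-only port would.

```python
import struct

TPID_8021Q = 0x8100  # EtherType that announces an 802.1Q tag
LAN = "LAN"          # label for the untagged network; its VLAN number is not given in the thread

def parse_frame(frame: bytes):
    """Split an Ethernet frame into (vid or None, dst, src, ethertype+payload)."""
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype == TPID_8021Q:
        (tci,) = struct.unpack("!H", frame[14:16])
        return tci & 0x0FFF, dst, src, frame[16:]   # VID is the low 12 bits of the TCI
    return None, dst, src, frame[12:]

class Port:
    def __init__(self, name, tagged=(), untagged=None):
        self.name = name
        self.tagged = set(tagged)   # networks carried with a tag (trunk / "tagged port")
        self.untagged = untagged    # network carried untagged: PVID / native VLAN / Firewalla "LAN"

    def ingress(self, frame):
        """Classify an incoming frame into a network; None means the port drops it."""
        vid, dst, src, rest = parse_frame(frame)
        if vid is None:   # untagged frame: goes to the PVID/native network, or nowhere
            return None if self.untagged is None else (self.untagged, dst, src, rest)
        return (vid, dst, src, rest) if vid in self.tagged else None

    def egress(self, network, dst, src, rest):
        """Emit the frame per this port's membership; None means not forwarded here."""
        if network == self.untagged:                          # tag removed on the way out
            return dst + src + rest
        if network in self.tagged:                            # tag added/kept
            return dst + src + struct.pack("!HH", TPID_8021Q, network) + rest
        return None

def forward(frame, in_port, out_ports):
    """Run one frame through ingress on in_port and egress on every other port."""
    classified = in_port.ingress(frame)
    if classified is None:
        return {}
    network, dst, src, rest = classified
    out = {p.name: p.egress(network, dst, src, rest) for p in out_ports if p is not in_port}
    return {name: f for name, f in out.items() if f is not None}

# Constructed sample frames (addresses and payload are made up)
DST, SRC = bytes.fromhex("ffffffffffff"), bytes.fromhex("020000000001")
UNTAGGED = DST + SRC + b"\x08\x00" + b"payload"
TAGGED10 = DST + SRC + struct.pack("!HH", TPID_8021Q, 10) + b"\x08\x00" + b"payload"
```

Checking which ports a frame reaches, and whether it leaves tagged or untagged, is a quick way to confirm that a segmentation plan really keeps untagged traffic off the VLAN-only ports.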