Gold/Gold Plus Questions: Untagged traffic

Comments

6 comments

  • David Rothenberger

    The LAN ports send and receive untagged traffic. Each LAN port is a separate network in Firewalla. I don't believe you can combine LAN and VLAN ports into the same network.

    All VLAN ports in Firewalla are trunk ports.

    For example, you could connect an unmanaged switch to a LAN port to make that switch into a separate Firewalla network.

  • GZ

    Thanks for the response. With all due respect, I do not believe this answers my questions.

    As far as I know, in a typical VLAN setup, there is no concept of "LAN." Furthermore, the untagged traffic is handled in several ways:

    1. An access port, aka untagged port, usually has a PVID setting. Tagged traffic going out of the access ports will have the tag removed. Conversely, untagged traffic going into the access port will have a tag specified by PVID added.

    2. Trunk ports, aka tagged ports, usually carry tagged traffic. For untagged incoming traffic, it will add a tag of the native VLAN (that can be configured per switch per port). On the other hand, the outgoing tagged traffic that matches the native VLAN will have the tag removed.

    3. A port sometimes can be both tagged and untagged. In this case, untagged incoming traffic will be tagged with PVID. Along with port membership, it simulates "native VLAN."

    Each LAN port is a separate network in Firewalla. I don't believe you can combine LAN and VLAN ports into the same network.

    I do not have an FW to verify it, but I think the above is probably not true. Think about the example in the official documentation with the Purple. Because the Purple has only a single port, it is obvious that this port has to deal with traffic from multiple VLANs, including the default "LAN."

    I suspect every port is a member of LAN, which is probably both the default VLAN and native VLAN (but maybe it is not VLAN 1 as some posts were alluding to). So I want to understand exactly what happens to untagged traffic and FWG. There are actually 8 combinations:

    1. Incoming vs outgoing traffic
    2. Tagged vs untagged traffic
    3. Tagged vs untagged port

  • Gilles Khouzam

    I'm running a Firewalla Gold SE and I just added a couple of VLANs to segment my guest and IoT networks.

    I don't have a managed switch, but I do have VLAN tagging for my WiFi networks. My main LAN is the default LAN network, and everything that isn't tagged goes onto it. I have then created 2 VLAN networks that map to my WiFi networks where the packets get tagged at the different APs.

    In the FW configuration, all three ports (except for the WAN) are marked to be assigned to all three networks. In that configuration, anything that gets onto the LAN or my primary WiFi is untagged, and that is my main network. Anything that is connected to my Guest or IoT WiFi will be tagged with the proper VLAN; the FW will see the tag, assign the proper DHCP address and segment the network.

    https://help.firewalla.com/hc/en-us/articles/4408644783123-Network-Segmentation has great documentation on how to segment your network.

  • GZ

    Thank you. This is very helpful. I got it to work.

  • DB

    GZ,

    Great explanation on VLAN operation but...

    Could you explain what you found out and how you are using it?

    I'd like to use your input for setup of my own network. (I had the same questions).

    Thanks GZ.

  • GZ

    I wrote up my setup here. So far it is working perfectly.

    To answer my own question above: I believe FWG VLAN traffic is tagged and LAN traffic is untagged. For example, if a port is a member of VLAN 10 and VLAN 20 but not a member of LAN, then the traffic is tagged with tag 10 and 20. If it is also a member of LAN, then there is also untagged traffic on the port in addition to tagged traffic.

    There is no way to set PVID on FWG ports. So, if you want to convert untagged traffic to tagged traffic, you will need a managed switch. For example, I have found that the Omada OC200 only speaks untagged traffic, but I would like my management traffic between the APs to be on a management VLAN. The solution is to plug it into an access port with PVID equal to the management VLAN ID.

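As an added example (not from this thread, Firewalla, or any switch vendor), a small Python model of the 802.1Q rules GZ lists earlier (access port with PVID, trunk with native VLAN, hybrid port) and of the LAN-untagged / VLAN-tagged port membership described in the last comment. The frames and MAC addresses are constructed, and using VID 1 to stand in for "LAN" is an assumption, not Firewalla's documented behaviour.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value announcing that an 802.1Q tag follows

def make_frame(dst: bytes, src: bytes, ethertype: int = 0x0800, payload: bytes = b"\x00" * 4) -> bytes:
    """Build a minimal untagged Ethernet frame (constructed test data, no FCS)."""
    return dst + src + struct.pack("!H", ethertype) + payload

def vlan_id(frame: bytes):
    """VID carried in the frame's 802.1Q tag, or None if the frame is untagged."""
    if struct.unpack("!H", frame[12:14])[0] == TPID_8021Q:
        return struct.unpack("!H", frame[14:16])[0] & 0x0FFF
    return None

def add_tag(frame: bytes, vid: int) -> bytes:
    """Insert an 802.1Q tag (PCP 0, DEI 0) between the source MAC and the EtherType."""
    return frame[:12] + struct.pack("!HH", TPID_8021Q, vid & 0x0FFF) + frame[12:]

def strip_tag(frame: bytes) -> bytes:
    """Remove the 4-byte 802.1Q tag from a tagged frame."""
    return frame[:12] + frame[16:]

# A port is {"pvid": VLAN used for untagged traffic, "tagged": VLANs carried with a tag}.
# Access port: "tagged" empty.  Trunk: "pvid" is the native VLAN.  Hybrid: both populated.
def ingress(port: dict, frame: bytes):
    """Classify a frame arriving on `port`; returns (vid, tagged_frame) or None if dropped."""
    vid = vlan_id(frame)
    if vid is None:
        return port["pvid"], add_tag(frame, port["pvid"])  # untagged -> PVID / native VLAN
    if vid in port["tagged"]:
        return vid, frame  # tagged frame for a member VLAN passes unchanged
    return None  # tag for a VLAN this port is not a member of: dropped in this model

def egress(port: dict, vid: int, frame: bytes):
    """Send an internally tagged frame out of `port`; returns the wire frame or None."""
    if vid == port["pvid"]:
        return strip_tag(frame)  # PVID / native VLAN leaves the port untagged
    if vid in port["tagged"]:
        return frame  # other member VLANs leave the port tagged
    return None  # port is not a member of this VLAN

if __name__ == "__main__":
    # Firewalla-style port as GZ describes it: LAN (assumed VID 1) untagged, VLANs 10/20 tagged.
    FRAME = make_frame(b"\xff" * 6, b"\x02\x00\x00\x00\x00\x01")  # constructed MACs
    LAN_FW = {"pvid": 1, "tagged": {10, 20}}
    vid, inner = ingress(LAN_FW, FRAME)
    print(vid, vlan_id(egress(LAN_FW, 10, add_tag(FRAME, 10))))  # prints: 1 10
```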
