Configuring the Switch Ports

The default configuration of the Netgate 1100 has each port configured as a discrete interface (WAN, LAN, OPT), but under the hood the interfaces operate as a switch and the default configuration isolates them by using a separate VLAN for each port.

This optional guide changes the configuration such that the LAN and OPT Ethernet ports are on the same VLAN, effectively creating a small two-port LAN switch.

Note

When connecting to the GUI, do NOT connect to any port being configured during this procedure or the device will lose connectivity to the GUI.

  1. Open the pfSense® Plus software GUI and log in.

  2. From the menu, navigate to Interfaces > Switches.

    ../_images/menu-interfaces-switches-expanded.png

  3. Go to the Ports tab.

    ../_images/interfaces-switch-ports.png

  4. Click on the Port VID for OPT. Change the default value from 4092 to 4091. In the lower right-hand corner click Save.

    ../_images/interfaces-switch-ports-edit-opt-pvid.png

    At this point the Ports tab under Interfaces > Switches should look like the following:

    ../_images/interfaces-switches-ports-after-changing-opt-PVID-to-4091.png

  5. Click on the VLANs tab.

    ../_images/interfaces-switch-vlans-tab.png

  6. Click on the fa-pencil button for VLAN group 3.

    ../_images/interfaces-switch-vlans-group-3-edit-button.png

    Warning

    VLAN group 0 must remain in place and VLAN groups 1-3 must include 0t as a member, to function properly.

  7. Click Delete for Member 1, then click Save.

    ../_images/interfaces-switch-vlans-groups-delete-member-1.png

  8. Click on the fa-pencil button on VLAN group 2.

    ../_images/interfaces-switch-vlan-group-2-edit-button.png

  9. Click on the Add member button. Enter Member 1, uncheck tagged and then click Save.

    ../_images/interfaces-swtich-vlan-group-3-add-member-1.png

  10. Confirm the configuration matches the screenshots below:

    ../_images/interfaces-switch-vlans-after.png
    ../_images/interfaces-switch-ports-after.png

  11. Navigate to Interfaces > LAN, unset the Switch Port option, then click Save and Apply Changes.

    Note

    Setting the drop-down menu to “Select the switch port…” ensures the port status is not tied to a physical port. Otherwise, if LAN is unplugged, then devices plugged into the OPT port could not access services bound to the LAN interface, such as DHCP or DNS.

    ../_images/1100-lan-swport-unselected.png

Note

Unlike software bridging, traffic between ports 1 and 2 will never leave the switch chip so it will perform at switching speed. The firewall cannot filter traffic between the two ports as pfSense® Plus software will never see it, as with any other (external) switch.

With both the LAN and OPT switch ports using the same VLAN on the switch (4091), the firewall will receive traffic from either port on its mvneta0.4091 interface, which is assigned as LAN by default. The assigned OPT interface in the firewall settings is redundant at this point and can be removed, along with the definition for VLAN 4092 on mvneta0.