Solved Question about bridges and vlans

wolffnx · Wednesday at 2:50 PM

The question is very simple and sounds nebwie..
Its posible to make vlans under one network interface?
If I assing an diferent ip range to diferents devices on my network,for example:

Cameras > 192.168.3.0/24
Computers > 192.168.4.0/24

Will be possible to process it trough PF as a VLANS?

I know,the ideal setup will be have a managed switch and make the vlans there,but I am poor

Thanks guys

SirDice · Wednesday at 4:40 PM

wolffnx said:
Its posible to make vlans under one network interface?

That's the whole point of a vlan(4). For example, I have one em1 "physical" ethernet interface with one single ethernet cable to my switch. Then run multiple VLANs over it, em1.10 is on VLAN 10, em1.20 is on VLAN 20, etc.

wolffnx said:
,the ideal setup will be have a managed switch and make the vlans there

You need a switch that's VLAN aware, the typical run-of-the-mill cheap, unmanaged, switch usually isn't. That said, an 8 port managed switch won't break the bank nowadays. They're a bit more expensive than the unmanaged ones, that's for sure, but it's not THAT much more expensive.

IEEE 802.1Q - Wikipedia

en.wikipedia.org

wolffnx said:
Will be possible to process it trough PF as a VLANS?

It's an ethernet interface, like every other.

Code:

pass in on em1.10 from any to any

Not much different from:

Code:

pass in on em1 from any to any

kent_dorfman766 · Wednesday at 5:47 PM

Yeah, what SirDice said...

wolffnx · Wednesday at 6:18 PM

SirDice said:
That's the whole point of a vlan(4). For example, I have one em1 "physical" ethernet interface with one single ethernet cable to my switch. Then run multiple VLANs over it, em1.10 is on VLAN 10, em1.20 is on VLAN 20, etc.

You need a switch that's VLAN aware, the typical run-of-the-mill cheap, unmanaged, switch usually isn't. That said, an 8 port managed switch won't break the bank nowadays. They're a bit more expensive than the unmanaged ones, that's for sure, but it's not THAT much more expensive.

IEEE 802.1Q - Wikipedia

en.wikipedia.org

It's an ethernet interface, like every other.

Code:

pass in on em1.10 from any to any

Not much different from:

Code:

pass in on em1 from any to any

you answer is more than clear,
I need "marked" packets comming from a managed switch(tagged or port based vlan), but I need a managed switch
then I can manage in PF and(before) create the bridges , for now that is the perfect solution,but for now even I cant buy a 6/8 managed switch,so move on
Thanks!

kent_dorfman766 · Wednesday at 8:55 PM

Since a computer can act as a switch you could configure one as a layer 3 vlan capable switch, but it only has value as an intellectual exercise...ie grossly inefficient compared to dedicated switches.

wolffnx · Wednesday at 11:30 PM

kent_dorfman766 said:
Since a computer can act as a switch you could configure one as a layer 3 vlan capable switch, but it only has value as an intellectual exercise...ie grossly inefficient compared to dedicated switches.

I have a more simple idea,but the network aliases never works good in this cases:

one machine, 2 network adapter(em1 LAN)
(em0 WAN)

-em1 has the 192.168.1.1 address , with 2 aliases
10.1.1.1
20.1.1.1

-I have the 3 kind of devices on my lan :
ip cameras > 192.168.1.0 (dont need internet) > gateway 192.168.1.1
computers > 10.1.1.0 > gateway 10.1.1.1
smart tv > 20.1.1.1 > gateway 20.1.1.1

in teory, I can make a firewall with PF? , and bind9 to local DNS..but that is another subject
like I say before, in the past I make good firewalls with PF but never like this
I think that is not possible,but ask to gurus

kent_dorfman766 · 2026-05-14T04:38:27+0100

FWIW, I know you're just giving examples, but make sure to restrict your internal use to the private IP ranges. 20.x.x.x.x is a public route-able class A, and thus is discouraged from ad-hoc assignments. Just break down 10.x.x.x. into anything and everything in your internal network with netmask /16 or /24 instead.

Also, I'd refrain from aliasing a single nic to addresses on different networks (unless you implement vlans). That is possible and maintains a strong relationship between vlan and subnet.

em0.17 -> 10.17.x.x
em0.22 -> 10.22.x.x

wolffnx · 2026-05-14T10:14:16+0100

kent_dorfman766 said:
FWIW, I know you're just giving examples, but make sure to restrict your internal use to the private IP ranges. 20.x.x.x.x is a public route-able class A, and thus is discouraged from ad-hoc assignments. Just break down 10.x.x.x. into anything and everything in your internal network with netmask /16 or /24 instead.

Also, I'd refrain from aliasing a single nic to addresses on different networks (unless you implement vlans). That is possible and maintains a strong relationship between vlan and subnet.

em0.17 -> 10.17.x.x
em0.22 -> 10.22.x.x

thanks for the ip range advise, and yes..this time I will leave the idea behind
Also aliases allways give problems with PF

Solved Question about bridges and vlans

Administrator