Patrick, the problem is that you can assign an IP-address to a certain function, but that does not make them vlans.
This may represent a misunderstanding of VLANs and the virtual networking stack of modern UNIX hosts on your part.
There has been a bad habit of some in the networking world to ascribe to VLANs some sort of magic qualities for security and separation. VLANs are nothing more than segregated broadcast domains within switchgear, such that the networks are manageable separately. If you have two basic ethernet switches, and hook them up to two separate ethernet ports on your server, you have two real-LAN's. If you number these "1" and "2", and combine them on the same switch, you now have VLAN's. The power of VLAN comes from the ability to then transport these off the switch silicon, still tagged, to other devices, whether switches or servers, bringing multiple networks to a device over a single trunk cable. VLAN's are really nothing more than a virtualized network abstraction.
Exactly that is the problem, as you understand I am trying to work around that. Which is nearly impossible !
No, it *is* impossible, at least to do it correctly, because modern networking designs have made choices that do not allow this to be safely implemented.
Be aware I know a lot about security, but I am not a unix expert,
I hope you can take it if I say I find these statements to be orthogonal.
even worse I expect "it" to behave as it should behave from the today point of view, which is ..... not always realistic.
But at least you're realistic about being unrealistic. Just looking for the upside here.
And I know server mother boards do have a managment interface, which to a certain extend, solve the need for a management vlan on gui level.
Well, sorta. You are basically talking about a secondary host that lives on the server, and which can therefore be independent from the networking of the primary host. This isn't the same thing as a management VLAN.
But I am using ordinairy computers not having that functionality
Also note that I did manage to create an IPFW rule set which does provide vlan / subnet separation,
I can make a pretty well-informed guess that you didn't actually succeed in doing this. Correctly, at least.
It is possible to do this, and I have done it, and in fact designed an automatic firewalling system for ISP systems that did this general thing back in the 1990's.
First off, let's discard the term "VLAN" which is just trashy confusing noise. Let's instead start with two basic networks on two separate switches, attached to em0 and em1 on a FreeBSD host.
Further, let's define network 1 to be 192.168.1.10/24 and network 2 to be 172.16.1.10/24 on the FreeBSD host, with .1 for last octet of the gateway, and we will assume for discussion that these get routed.
The FreeBSD host will have a directly connected route for both 192.168.1.0/24 and 172.16.1.0/24 out the respective em0/em1 interfaces.
The first common misconception is that a host at 192.168.1.100 that sends a packet to 172.16.1.10 will see its traffic transit em1. Indeed, 192.168.1.100, not knowing any better, will send that to the default gateway at 192.168.1.1, which then routes it over to 172.16.1.1, which then transmits it on network 2 to 172.16.1.10. So ingress does indeed occur on em1. However, the FreeBSD host, now trying to send an answer to 192.168.1.100, sees 192.168.1.0/24 as a connected route, and sends the egress traffic out em0. This comes as quite a shock to many neophytes, who naively assume that the IP address for an interface somehow forces all traffic to go in/out via that interface.
You can work around this by manually forcing traffic to the gateway, such as
ipfw add X fwd 192.168.1.1 ip from 192.168.1.10 to any out
ipfw add X+1 fwd 172.16.1.1 ip from 172.16.1.10 to any out
and that will seem to work, but it will have the undesired consequence of also forwarding all OTHER traffic bound for 172.16.1.0/24 to the gateway, forcing the gateway to hairpin. So a slightly more correct construct could be
ipfw add X pass ip from 192.168.1.10 to 192.168.1.0/24 out via em0
ipfw add X+1 fwd 192.168.1.1 ip from 192.168.1.10 to any out
ipfw add X+2 pass ip from 172.16.1.10 to 172.16.1.0/24 out via em1
ipfw add X+3 fwd 172.16.1.1 ip from 172.16.1.10 to any out
which allows the firewall to directly reach connected hosts on em0/em1. I leave as an exercise for the reader the reason for inclusion/exclusion of the via clause.
Ingress traffic is a different problem. In general, we expect routing to handle direction of traffic to a host, but when you have an attacher who has gained purchase on a directly connected network, this is no longer the case. For example, if I am on 192.168.1.100, and I do
# route add 172.16.1.10 192.168.1.10
# ping 172.16.1.10
I am likely to get a response, even if the upstream gateways strictly forbid such traffic. Writing proper ingress rules is complicated. You can try the trite version of
ipfw add X pass ip from 192.168.1.0/24 to 192.168.1.10 in via em0
ipfw add X+1 deny ip from any to 192.168.1.10 in via em0
ipfw add X+2 pass ip from 172.16.1.0/24 to 172.16.1.10 in via em1
ipfw add X+3 deny ip from any to 172.16.1.10 in via em1
but this breaks IP connectivity coming in from off-net. You can try exclusionary rules for directly attached networks,
ipfw add X deny ip from any to 192.168.1.10 in via em1
ipfw add X+1 deny ip from any to 172.16.1.10 in via em0
which is adequate to eliminate the spoofing ping example above, but is insufficient for other types of attacks. It also gets more complicated as the number of interfaces increases.
And of course all of this fails in the face of the more complicated topics of multicast and all that, because lots of traffic to and from the NAS isn't based on the NAS interface IP's. What I've discussed above is very basic and hardly comprehensive.
And then these things can fail again due to changes in the interface definitions. You swap out a network card, forgetting that you've got "em0" littered throughout your firewall, and all of a sudden, defenses vanish. You can work around that by abstracting out interface assignment detection in your firewall script. This is not trivial, I speak from experience.
And then these things can fail AGAIN, because FreeNAS is not designed to have a firewall. If the firewall fails to run for any reason, you end up with your pants around your feet, and you don't even know it. This can be very subtle. Our network monitoring here actually detects some failures of this sort, because we have a remotely detectable "network semaphore" that indicates a firewall is running, but if you haven't built such infrastructure, then I'd say you are in very hazardous waters relying on something to do something it wasn't designed for.
That's why the proper solution for this is to run FreeNAS in the manner in which it was designed, and then make sure you're controlling access upstream with a proper firewall device. This generally simplifies things to a great degree.
however more to test and some issues to solve. Among them this unexpected "lockout" behavior ....