====== PFSense - VLAN (Virtual LAN) - Set up a VLAN ======

===== Create the VLAN =====

Navigate to **Interfaces -> Assignments**. Select the **VLANs** tab.

  * Click the **Add** button.
  * Parent Interface: **em1**. Typically this is the LAN port.
  * VLAN Tag: **20**. Use any unique number from 2 to 4094. Here 20 is used as an example.
  * VLAN Priority: **0**. Keep the default.
  * Description: **VLAN 20**. Any description will do.
  * Click **Save**.

**NOTE**:
  * **VLAN Tag**: The 802.1Q VLAN ID is a 12-bit field, so the raw range is 0 to 4095, but 0 and 4095 are reserved and cannot be assigned to a VLAN. Here we use 20 as an example.
    * VLAN 0 is used when a device needs to send priority-tagged frames but does not belong to (or does not know) a particular VLAN; the tag then carries only the priority bits.
    * VLAN 1 is the default native VLAN on most switches and carries untagged traffic, so it is effectively the LAN.
    * As we want an actual, separate VLAN, use an ID from 2 to 4094.
  * **VLAN Priority**: The 802.1p priority code point, with a value range from 0 to 7. See https://en.wikipedia.org/wiki/IEEE_P802.1p.

----

===== Setup an Interface for the VLAN =====

Navigate to **Interfaces -> Assignments**. Against **Available network ports**, click the drop-down arrow and choose **VLAN 20 on em1**.

  * Click **Add**.
  * Click **Save**.

Click the interface link for **OPT1**.

In **General Configuration**:
  * Enable: **Checked**.
  * Description: **VLAN20**. Give the VLAN a nicer name.
  * IPv4 Configuration Type: **Static IPv4**.
  * IPv6 Configuration Type: **None**.

In **Static IPv4 Configuration**:
  * IPv4 Address: **192.168.20.1**.
  * Click the drop-down for the subnet mask and select **24**.
  * Click **Save**.
  * Click **Apply Changes** at the top.

**NOTE:** The VLAN interface is now created.
  * It has a VLAN ID of 20.
  * It has an IP address of 192.168.20.1/24, which becomes the default gateway for clients on the VLAN.
  * Notice that the IP address and the VLAN ID both contain a **20**.
    * This is simply a convention for convenience; it makes it easier to remember which IP range belongs to which VLAN.
    * A VLAN ID of 20 does NOT require the IP to contain a 20. The subnet can be any private range, as long as it does not overlap with the LAN or any other interface.
----

===== DHCP Server for VLAN 20 =====

Navigate to **Services -> DHCP Server**.
  * Select the VLAN name along the top. For this example select **VLAN20**, or whatever name you gave the VLAN.

In **General Options**:
  * Enable: **Checked**.
  * Range: **192.168.20.100** to **192.168.20.199**.
  * Click **Save**.

**NOTE:** The range is limited to those 100 addresses. Change this as needed, keeping it inside 192.168.20.0/24 and clear of the interface address 192.168.20.1.

----

===== Firewall Rules =====

A newly assigned interface in pfSense has no rules, so everything arriving on it is dropped by the default deny. To allow the VLAN to get out to the Internet a pass rule is needed. Additional restrictions can be set against clients of the VLAN with further rules placed above that pass rule.

----

===== Allowing VLAN 20 Clients Internet Access =====

Navigate to **Firewall -> Rules**:
  * Select the VLAN name along the top. For this example select **VLAN20**, or whatever name you gave the VLAN.
  * Click an **Add** button.
  * Action: **Pass**.
  * Interface: **VLAN20**. Or whatever name you gave the VLAN.
  * Protocol: **Any**
  * Source:
    * Invert Match: **Not Checked**.
    * Source: **Any**
  * Description: **Allow OPT1VLAN20 to any**
  * Click **Save**.
  * Click **Apply Changes** at the top.

**NOTE:** At this point, clients on VLAN 20 that are issued IP addresses on the 192.168.20.0/24 subnet should be able to get out to the Internet.

**NOTE:** Source **VLAN20 net** is a tighter choice than **Any** for this rule. It then only matches traffic from addresses that legitimately belong on that interface, instead of anything a client chooses to put in the source field.

**NOTE:** When you create a firewall rule it may not seem to take effect immediately. The reason is that pfSense is a stateful firewall:
  * Say a device on the VLAN20 network is constantly accessing something on the LAN.
  * You have not yet activated a rule blocking VLAN20 from the LAN, so the first packet of that connection matched a pass rule and created an entry in the state table.
  * Creating the block rule now does not affect that device: packets that match an existing state are passed without being evaluated against the rules again.
  * The only way to make the rule apply immediately is to:
    * **Create the rule** (and apply it).
    * **Click** on **Diagnostics -> States -> Reset States**.
    * When you do this every open state is dropped, not just the ones for VLAN 20, so there will be a brief hiccup in Internet access for everyone behind the firewall. It is usually very quick.
Just be aware of that before you go off and **Reset States**.

----

===== Denying VLAN 20 Clients Access to the pfSense Web GUI =====

==== Add an Alias for the pfSense GUI ====

Navigate to **Firewall -> Aliases**.
  * **Click** on the green **Add** button.
  * Name: **pfSenseGUI**
  * Description: **Disable Access to pfSense GUI**
  * Type: **Host(s)**
  * IP or FQDN: **Enter the IP of the actual pfSense**. Example, 192.168.1.1.
  * Click **Save**, then **Apply Changes**.

**NOTE:** The web GUI listens on every interface address, so VLAN 20 clients can also reach it at their own gateway, 192.168.20.1. Add that address to the alias as well; otherwise the block rule below only covers the LAN address and the GUI stays reachable from the VLAN.

----

==== Firewall Rules ====

Navigate to **Firewall -> Rules**.
  * Select **Floating**.
  * **Click** on a green **Add** button.
  * Action: **Block**.
  * Quick: **Checked**. With Quick set the floating rule is applied as soon as it matches, instead of being overridden by a later pass rule on the interface tab.
  * Interface: **Select the VLAN(s) to be denied access**.
  * Direction: **in**.
  * Address Family: **IPv4**.
  * Protocol: **TCP/UDP**. The GUI itself only uses TCP, so **TCP** alone is sufficient.
  * Source:
    * Invert Match: **Not Checked**.
    * Source: **any**
  * Destination:
    * Invert Match: **Not Checked**.
    * Destination: **Single host or alias**
    * Destination Address: **pfSenseGUI**.
  * Destination Port Range:
    * From: **HTTPS (443)**. If pfSense is set to HTTP this needs to be HTTP (80).
    * To: **HTTPS (443)**. If pfSense is set to HTTP this needs to be HTTP (80).
  * Description: **VLAN 20 - no access to pfSense GUI**
  * Click **Save**.
  * Click **Apply Changes** at the top.

**NOTE:** Navigate to **System -> Advanced -> Admin Access** to see whether the pfSense GUI runs on HTTP or HTTPS, and on which port. To ensure that access is denied on both HTTP and HTTPS, set up a similar rule for each port (or a single rule using a port alias that covers both). If SSH is enabled on the same page, a matching rule for its port is worth adding for the same reason.

----

===== Block Access to LAN when on VLAN 20 =====

Navigate to **Firewall -> Rules**.
  * Click on **VLAN20**.
  * Click the **Add** button with the up arrow. This places the rule at the top of the list, which matters: rules on an interface are evaluated top-down and the first match wins, so the block must sit above the **Allow OPT1VLAN20 to any** pass rule or it will never be reached.
  * Action: **Block**.
  * Interface: **VLAN20**.
  * Protocol: **Any**.
  * Source:
    * Source: **VLAN20 net**.
  * Destination: **LAN net**.
  * Description: **VLAN 20 - cannot access LAN**.
  * Click **Save**.
  * Click **Apply Changes** at the top.

**IMPORTANT NOTE:** Trying to restrict a client on a VLAN from accessing a device on the LAN will not work if used with an **unmanaged switch**.
  * An unmanaged switch has no VLAN awareness: every port is untagged, so a client plugged into it lands on the untagged (LAN) network rather than on VLAN 20, and the VLAN20 rules are never evaluated for its traffic.
  * Restricting such a client from accessing a device on the LAN therefore has nothing to do with pfSense at that point.
  * A managed switch is needed: the port towards pfSense carries VLAN 20 tagged (a trunk), and the client ports are untagged access ports in VLAN 20.

This limitation does not necessarily apply to wireless access points that have VLAN capabilities (such as Ubiquiti access points), as they tag each SSID's traffic themselves and so act like a managed switch built into the access point.
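The three firewall behaviours this page relies on (first-match rule order, state persistence until Reset States, and the pfSenseGUI alias only covering the LAN address) can be reproduced with a small stateful rule evaluator. The following is an added example written for this page, not code from pfSense or from the original author. Addresses, alias names and rule descriptions are the ones used above; the evaluator is a simplification (single direction, no NAT, no floating/quick ordering), and the alias name pfSenseGUI_all is a hypothetical name for the corrected alias.

```python
"""Added example, not from the pfSense page: a minimal first-match, stateful
rule evaluator that reproduces three behaviours described in the how-to.
  1. Rules are evaluated top-down and the first match wins, so the
     "VLAN 20 - cannot access LAN" block must sit above "Allow ... to any".
  2. A packet matching an existing state is passed without re-evaluating
     the rules, so a new block rule only bites after Reset States.
  3. A pfSenseGUI alias holding only 192.168.1.1 does not stop VLAN 20
     clients reaching the GUI on the VLAN interface address 192.168.20.1.
Simplification: single direction, no NAT, no floating/quick ordering.
The alias pfSenseGUI_all is a hypothetical name used here for the fix.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

ALIASES = {
    "VLAN20 net": ["192.168.20.0/24"],
    "LAN net": ["192.168.1.0/24"],
    "pfSenseGUI": ["192.168.1.1/32"],                          # as set up on the page
    "pfSenseGUI_all": ["192.168.1.1/32", "192.168.20.1/32"],   # hypothetical fix
}


@dataclass(frozen=True)
class Rule:
    action: str                  # "pass" or "block"
    src: str = "any"             # "any", an alias name, or a CIDR
    dst: str = "any"
    dport: Optional[int] = None  # None matches every destination port
    description: str = ""


def _matches(spec: str, addr: str) -> bool:
    """True if addr is covered by spec ("any", an alias name or a CIDR)."""
    if spec == "any":
        return True
    return any(ip_address(addr) in ip_network(n) for n in ALIASES.get(spec, [spec]))


@dataclass
class Firewall:
    rules: list
    states: set = field(default_factory=set)   # (src, dst, dport) of passed flows

    def first_match(self, src: str, dst: str, dport: int) -> Rule:
        for r in self.rules:
            if _matches(r.src, src) and _matches(r.dst, dst) and r.dport in (None, dport):
                return r
        return Rule("block", description="implicit default deny")

    def packet(self, src: str, dst: str, dport: int) -> str:
        key = (src, dst, dport)
        if key in self.states:            # state table is consulted before the rules
            return "pass (existing state)"
        rule = self.first_match(src, dst, dport)
        if rule.action == "pass":
            self.states.add(key)          # a pass creates state for the flow
        return rule.action

    def reset_states(self) -> None:       # Diagnostics -> States -> Reset States
        self.states.clear()


def valid_vlan_id(tag: int) -> bool:
    """802.1Q VID is 12 bits: 0 and 4095 are reserved, 1 is the usual native VLAN."""
    return 2 <= tag <= 4094


def demo_rule_order():
    """Same two rules, different order: only the block-first list isolates the LAN."""
    block_lan = Rule("block", "VLAN20 net", "LAN net", description="VLAN 20 - cannot access LAN")
    pass_any = Rule("pass", "any", "any", description="Allow OPT1VLAN20 to any")
    wrong = Firewall([pass_any, block_lan])    # block rule is never reached
    right = Firewall([block_lan, pass_any])    # what the up-arrow Add button produces
    client, lan_host = "192.168.20.100", "192.168.1.50"
    return wrong.packet(client, lan_host, 445), right.packet(client, lan_host, 445)


def demo_state_persistence():
    """A flow opened before the block rule keeps passing until states are reset."""
    fw = Firewall([Rule("pass", "any", "any")])
    client, lan_host = "192.168.20.100", "192.168.1.50"
    first = fw.packet(client, lan_host, 445)                  # creates a state
    fw.rules.insert(0, Rule("block", "VLAN20 net", "LAN net"))
    still_open = fw.packet(client, lan_host, 445)             # state wins over the new rule
    fw.reset_states()
    after_reset = fw.packet(client, lan_host, 445)            # now the block applies
    return first, still_open, after_reset


def demo_gui_alias_gap():
    """Blocking only the LAN address leaves the GUI reachable on 192.168.20.1."""
    client = "192.168.20.100"
    fw = Firewall([Rule("block", "any", "pfSenseGUI", 443), Rule("pass")])
    lan_addr = fw.packet(client, "192.168.1.1", 443)
    vlan_addr = fw.packet(client, "192.168.20.1", 443)        # slips past the alias
    fixed = Firewall([Rule("block", "any", "pfSenseGUI_all", 443), Rule("pass")])
    return lan_addr, vlan_addr, fixed.packet(client, "192.168.20.1", 443)


if __name__ == "__main__":
    print("rule order    :", demo_rule_order())         # ('pass', 'block')
    print("state persists:", demo_state_persistence())  # ('pass', 'pass (existing state)', 'block')
    print("alias gap     :", demo_gui_alias_gap())      # ('block', 'pass', 'block')
```

Run it as a script to see the three results. The state demo is the one to keep in mind when a new block rule "does not work": the real pf state table behaves the same way, and only Reset States (or the flow timing out) makes the rule apply to an already open connection.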