PFSense - VLAN (Virtual LAN) - Set up a VLAN

Create the VLAN

Navigate to Interfaces → Assignments.

Select VLANs.

NOTE:

  • VLAN Tag: A unique number between 0 and 4096 for the VLAN. Here we use 20 as an example.
    • VLAN 0 is used when a device needs to send priority-tagged frames but does not know in which particular VLAN it resides.
    • VLAN 1 is the default native VLAN for the LAN and is used for untagged traffic. As we want an actual VLAN, we need to use an ID from 2 to 4096.
  • VLAN Priority: Has a value range from 0 to 7. See https://en.wikipedia.org/wiki/IEEE_P802.1p.

Set up an Interface for the VLAN

Navigate to Interfaces → Assignments.

Next to Available network ports, click the drop-down arrow and choose VLAN 20 on em1.

Click the interface link for OPT1.

In General Configuration:

In Static IPv4 Configuration:

NOTE: The VLAN interface is now created.

  • It has a VLAN ID of 20.
  • It has an IP address of 192.168.20.1.
    • Notice that the IP Address and VLAN ID both have a 20.
    • This is simply used for convenience, and makes it easier to remember which IP range is associated with which VLAN.
    • However, just because the VLAN ID is 20 does NOT mean that the IP also has to have a 20 in it. The IP can be any internal IP.

DHCP Server for VLAN 20

Navigate to Services → DHCP Server.

In General Options:

NOTE: The Range is limited to those 100 addresses.

Change this as needed.


Firewall Rules

To allow the VLAN to get out to the Internet a firewall rule is needed.

Additional restrictions can be placed on clients of the VLAN with further firewall rules.


Allowing VLAN 20 Clients Internet Access

Navigate to Firewall → Rules.

NOTE: At this point, clients on VLAN 20 that are issued IP addresses on the 192.168.20.0 subnet should be able to get out to the Internet.

NOTE: When you create a firewall rule, it may not seem as if it goes into effect immediately.

The reason:

  • Let’s say a device is on the VLAN20 network and it is constantly accessing something on the LAN.
  • You haven’t activated a firewall rule yet to block VLAN20 from the LAN.
  • Even if you create that rule it won’t affect the device that’s constantly hitting something on the LAN due to something called a “Firewall State” or “Network State”.
  • The only way to make the rule go into effect immediately is to:
    • Create the rule (this applies to any rule).
    • Click Diagnostics → States → Reset States.
    • When you do this, every open state is torn down, so there will be a brief hiccup in Internet access. It is usually very quick, but be aware of it before you reset states.

Denying VLAN 20 Clients to the pfSense Web GUI

Add an Alias for the pfSense GUI

Navigate to Firewall → Aliases.


Firewall Rules

Navigate to Firewall → Rules.

NOTE: Navigate to System → Advanced to see whether the pfSense GUI is set to run on HTTP or HTTPS.

To ensure that access is denied for both HTTP and HTTPS, set up one such firewall rule for each protocol.


Block Access to LAN when on VLAN 20

Navigate to Firewall → Rules

IMPORTANT NOTE: Trying to restrict a client on a VLAN from accessing a device on the LAN will not work if used with an unmanaged switch.

  • An unmanaged switch just does not have the capability built into it to handle VLAN traffic.
  • Trying to restrict a client on a VLAN from accessing a device on the LAN has nothing to do with pfSense at that point.
  • A managed switch is needed for this.

This limitation does not necessarily apply to Wireless Access Points that have VLAN capabilities (such as Ubiquiti Wireless Access Points), as they have managed switches built into them.
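As an added illustration (not part of the original write-up, and not pfSense's own code), the Python below models how the rules from the three firewall sections above are evaluated on the VLAN20 tab: first match wins, so the GUI and LAN block rules must sit above the pass-any rule, and an open state is honoured before any rule is consulted, which is why the Reset States step is needed. The LAN subnet, the contents of the GUI alias and the client addresses are assumed values.

```python
import ipaddress
from dataclasses import dataclass

# Constructed example: VLAN 20 is 192.168.20.0/24 as on the page; LAN and GUI addresses are assumed.
LAN = ipaddress.ip_network("192.168.1.0/24")
GUI_ALIAS = [ipaddress.ip_network(a) for a in ("192.168.1.1/32", "192.168.20.1/32")]

@dataclass
class Rule:
    action: str                        # "pass" or "block"
    dst: list                          # destination networks; [] means any
    dports: frozenset = frozenset()    # empty means any port
    def matches(self, dst_ip, dport):
        return ((not self.dst or any(dst_ip in n for n in self.dst))
                and (not self.dports or dport in self.dports))

class Vlan20Tab:
    """First-match rules ('quick' is the pfSense default); open states win over rules."""
    def __init__(self, rules):
        self.rules, self.states = list(rules), set()
    def check(self, src, dst, dport):
        flow = (src, dst, dport)
        if flow in self.states:        # open state: rules are not re-evaluated
            return "pass"
        dst_ip = ipaddress.ip_address(dst)
        for r in self.rules:
            if r.matches(dst_ip, dport):
                if r.action == "pass":
                    self.states.add(flow)
                return r.action
        return "block"                 # pfSense default deny
    def reset_states(self):            # Diagnostics -> States -> Reset States
        self.states.clear()

BLOCK_GUI = Rule("block", GUI_ALIAS, frozenset({80, 443}))   # HTTP and HTTPS
BLOCK_LAN = Rule("block", [LAN])
PASS_ANY = Rule("pass", [])                                  # VLAN20 net to any
# Correct order: the specific block rules sit above the catch-all pass rule.
GOOD = Vlan20Tab([BLOCK_GUI, BLOCK_LAN, PASS_ANY])
# Wrong order: the pass-any rule matches first and the block rules never fire.
BAD = Vlan20Tab([PASS_ANY, BLOCK_GUI, BLOCK_LAN])

def stale_state_demo(client="192.168.20.50", lan_host="192.168.1.10"):
    """Why a freshly added block rule seems not to apply until states are reset."""
    tab = Vlan20Tab([PASS_ANY])
    before = tab.check(client, lan_host, 445)   # state is created here
    tab.rules.insert(0, BLOCK_LAN)              # rule added while state is open
    with_state = tab.check(client, lan_host, 445)
    tab.reset_states()
    return before, with_state, tab.check(client, lan_host, 445)
```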