How To Configure VLANs in pfSense
Thanks to the IEEE 802.1Q standard, network architects are able to segment traffic on their network into logical groups called Virtual Local Area Networks or VLANs. Traffic governed by these parameters are assigned a “tag” which specifies what VLAN individual data packets belong to. Paired with an 802.1Q-capable switch, VLAN traffic will act as if it is communicating with a unique interface on the edge router or firewall. As with all virtual technology, VLANs cut down on costs by reducing the amount of physical equipment scattered throughout a network. It also carries with it easier administration and enhanced security. By logically separating devices on a network, we can deny access across virtual borders. This article will discuss this process in depth using a pfSense security appliance.
Once logged into the admin console, we will navigate to Interfaces > Assignments > VLANs and hit Add. You will want to repeat this process for however many VLANs you wish to create.
Select LAN as your Parent Interface. Depending on how complex your environment is your needs may vary here, but the takeaway is that the parent interface will be the physical interface that the VLANs are sharing.
Specify a VLAN Tag for your VLAN. Although you can enter a value between 1-4094, consider picking something that makes sense to your environment. If this VLAN will be the 192.168.20.1/24 subnet, consider calling this VLAN 20.
Leave VLAN Priority at its default value unless you have a specific reason to mess with QoS. If you do have a specific reason, ensure you understand the implications of 802.1P.
Enter a friendly Description for the VLAN. Perhaps this is your Guest or IoT network
Now we want to add the VLANs as virtual interfaces back under Interfaces > Assignments. You will see “Available network ports:”. Select your new VLANs from that dropdown and hit Add.
Select these new interfaces to the left:
Enable the interface
Give it the same Description you gave the respective VLAN
Change IPv4 Configuration to Static.
Specify the subnet size under Static IPv4 Configuration
Once your VLAN interfaces are configured, go to Services > DHCP Server and create a DHCP range for each new VLAN.
Next we will want to create firewall rules for this new interface. We want to allow devices in this network to get out to the internet, but disable its ability to communicate with other networks. From Firewall > Rules, select your new interface. Keep in mind that pfSense will by default block any traffic not explicitly allowed. Our rule prioritization is also going to be important here. The action of the first rule to match a packet will be the one that is executed. Click Add. We are going to create a number of rules:
For the Action select Pass
For Interface select the same interface that we are currently applying this rule to
For Address Family select IPv4
For Protocol select Any
For Source select the VLAN net that correlates to this interface
For Destination select Any
Give the rule Description a friendly name. This rule is allowing any device behind this interface to reach any destination, granting it access to the internet.
Rule Two – Hit the upwards-pointing Add button. This rule will take priority over our previous one.
Set Action to Block
Set Source to Any
Set Destination to LAN net, and any other network you want to block traffic originating from this interface to, such as other segments of your network
Change the other settings to match that of our previous rule
Once these settings have been saved, we can now log into our switch or wireless controller to complete the creation of these VLANs. As you are creating new wireless networks or assigning ports to specific VLANs, remember that the VLAN tag is the most important piece of information that needs to be configured. If you have an 8-port switch with ports 1-4 configured for VLAN 10 and ports 4-8 configured for VLAN 20, devices in each respective VLAN will not be able to talk to those on the other side. Poor attention to detail here opens up the possibility for traffic intended for one network to travel across the other.