pfSense – Virtual LAN setup (VLANs)

This is a very lengthy step-by-step tutorial for setting up VLANs on pfSense.  There are quite a few tutorials out there on pfSense VLAN setups, but several of them make assumptions about default settings.  In this tutorial we try not to make those assumptions: we go through each setting and what it should be.

The process will take a while, but go through each step carefully.  Don’t get in a rush because you’ll probably overlook something.   Remember, patience is a virtue.

A few things to keep in mind:

  • pfSense version 2.4.3-RELEASE-p1 is the version these instructions are based on.  This does not mean you have to have this version.  The instructions are simply based on this version.
  • VLAN 20 will be used. You can substitute a different VLAN but for the purposes of this tutorial VLAN 20 is used.
  • VLAN 20 will be assigned to the LAN port along with the normal (untagged) LAN traffic.
  • DNS Resolver is enabled for ALL interfaces (Services–>DNS Resolver). If it’s not enabled, clients on VLAN 20 will not be able to resolve names and get out to the Internet.
  • This tutorial does NOT include setting up a managed or smart networking switch. It only walks you through how to set up VLANs on pfSense for use with a managed/smart switch.  At the end of this tutorial I will tell you how to test whether it’s working with an unmanaged switch.
  • One more thing, BE PATIENT!

Steps to setup VLAN

  1. Login to pfSense
  2. Click on Interfaces–>Assignments
  3. Click on VLANs (link on the upper menu)
  4. Click on the Green Add button
  5. Fill out this information below on the VLAN Configuration
    1. Parent Interface: em1 (typically this is the LAN port)
    2. VLAN Tag: 20
    3. VLAN Priority: 0
    4. Description: VLAN 20
    5. Click on the blue Save button
  6. Click on Interfaces–>Assignments
    1. For “Available network ports”: Click the drop down arrow and Choose VLAN 20 on em1
    2. Click on the green Add
    3. Click on the blue Save
  7. Click on the interface link for OPT1
  8. Fill out this information below:
    1. General Configuration
      1. Enable Interface: checked
      2. Description: OPT1VLAN20
      3. IPv4 Configuration Type: Static IPv4
    2. Static IPv4 Configuration
      1. IPv4 Address: 192.168.20.1
      2. Click the dropdown for the Subnet Mask and select 24.
    3. Click on the blue Save
    4. Click on the green Apply Changes button at the top.

Great!  You’ve got a VLAN.  It’s on VLAN 20 and its interface IP is set to 192.168.20.1.  Keep in mind, just because it’s VLAN 20 doesn’t mean the subnet has to contain the “20” in its IP of 192.168.20.1.  We just find it easier to keep the numbers the same, as it makes identifying particular settings and connected clients easier later.

Now in order for this VLAN interface to start issuing IP addresses we need to configure a DHCP Server for it. Read on.

DHCP Server for VLAN 20

  1. Login to pfSense (you’re probably still in pfSense but just in case you’re not you gotta log back in)
  2. Click on Services–>DHCP Server
  3. Click on Opt1VLAN20 (link on the upper menu)
    • Enable: Checked
    • Range: 192.168.20.100 to 192.168.20.150 (We’re simply going to issue 50 leases for this VLAN.  You can widen this range if you need more DHCP IP addresses)
    • Click on the blue Save

Perfect!  We’ve now got the VLAN 20 interface issuing IP addresses. However, we have to create some firewall rules to get out to the Internet.  We may want to create some other rules as well restricting what exactly a client on VLAN 20 can get to.

Firewall Rules

There are a few rules we need to set up for VLAN 20.  Most importantly, if you want VLAN 20 to get out to the Internet we have to create a rule for that.  Perhaps you want to restrict clients on VLAN 20 from accessing devices on the LAN.  We need a rule for that.  What about NOT allowing clients on VLAN 20 to even get to the pfSense web interface?  Well, we need a rule for that too.  So below are some rules you may need to configure depending on what you want VLAN 20 to have access to.

One hugely important thing about Firewall Rules.  When you create a rule, it may not seem as if it goes into effect immediately. The reason:

  • Let’s say a device is on the VLAN20 network and it is constantly accessing something on the LAN.
  • You haven’t activated a firewall rule yet to block VLAN20 from the LAN.
  • Even if you create that rule it won’t affect the device that’s constantly hitting something on the LAN due to something called a “Firewall State” or “Network State”.
  • The only way to make the rule go into effect immediately is to:
    • Create the rule (or any rule for example)
    • Click on Diagnostic–>States–>Reset States
    • When you do this any and all open states that exist will be broken.  So there will be a brief hiccup in Internet access.  However, it is usually very quick.  Just be aware of that before you go off and Reset States.

Allowing VLAN 20 Clients Internet Access

  1. Login to pfSense (once again, you’re probably still in pfSense but just in case you’re not you know the drill)
  2. Click on Firewall–>Rules
  3. Click on Opt1VLAN20 (link on the upper menu)
  4. Click on the green Add button
  5. Fill out this information below:
    1. Edit Firewall Rule
      1. Action: Pass
      2. Interface: OPT1VLAN20
      3. Protocol: Any
    2. Source
      1. Source: Any
    3. Extra Options
      1. Description: Allow OPT1VLAN20 to any rule
    4. Click on the blue Save
    5. Click on Apply Changes.

At this point, clients on VLAN 20 that are issued IP addresses on the 192.168.20.0 subnet should be able to get out to the Internet.

Denying VLAN 20 Clients to the pfSense Web GUI

Often times when setting up VLANs you are doing this for a reason.  You are restricting VLAN clients from accessing certain things on your network.  Typically, we use VLANs for our Wireless Guest Clients.  It’s fine for them to have Internet.  However, you probably don’t want them even seeing the pfSense web GUI… why should they?  So let’s block them from getting to the pfSense Web GUI when on VLAN 20.

Keep in mind: these instructions are written assuming the pfSense web GUI is running on HTTP (System–>Advanced, where HTTP is set).  If it is set to HTTPS instead, the port number in these instructions needs to change; I’ve noted where.  It’s a good idea to check this before you start.

  1. Click on Firewall–>Aliases
  2. Click on the green Add
  3. Fill out this information below:
    1. Properties
      1. Name: pfSenseGUIAccess
      2. Description: Disable Access to pfSense GUI
      3. Type: Host(s)
    2. Host(s)
      1. IP or FQDN: this will be the LAN IP of pfSense. (ex, 192.168.10.1)
      2. IP or FQDN: 192.168.20.1 (this is the IP of the VLAN 20 interface we set earlier).  Note: to add this second entry you will need to click on the green Add Host button.
    3. Click on the blue Save
    4. Click on the green Apply Changes button at the top.
  4. Click on Firewall–>Rules
  5. Click on Floating (link on the upper menu)
  6. Click on the green Add
  7. Fill out this information below:
    1. Edit Firewall Rule
      1. Action: Block
      2. Quick: Checked
      3. Interface: Click on OPT1VLAN20 to select it
      4. Protocol: TCP/UDP
      5. Direction: in
    2. Source
      • Source: any
    3. Destination
      1. Destination:
        Single host or alias
        pfSenseGUIAccess (you have to type that in)
      2. Destination Port Range:
        From: HTTP (80) (keep in mind, if pfSense is set to HTTPS this needs to be HTTPS (443))
        To: HTTP (80) (keep in mind, if pfSense is set to HTTPS this needs to be HTTPS (443))
    4. Extra Options
      1. Description: VLAN 20 – no access to pfSense GUI
    5. Click on the blue Save
    6. Click on the green Apply Changes button at the top.

Block Access to LAN when on VLAN 20

IMPORTANT NOTE:  If you use an unmanaged switch this will not work: restricting a client on VLAN 20 from reaching a device on the LAN has nothing to do with pfSense at that point.  The unmanaged switch is “before” pfSense.  It is entirely up to the switch, and since it is unmanaged you have no way of preventing one device from getting to another, due to how unmanaged switches work (the traffic never passes through pfSense).  You need a managed switch for this.

When we setup Wireless Access Points that have VLAN capabilities they have managed switches built into them.  We often use Ubiquiti Wireless Access Points.

  1. Click on Firewall–>Rules
  2. Click on Opt1VLAN20 (link on the upper menu)
  3. Click on the green Add button with the up arrow (add to the top of the list).  This needs to be the first rule in the list so it is evaluated before the “Allow OPT1VLAN20 to any” rule.
  4. Fill out this information below:
    1. Edit Firewall Rule
      1. Action: Block
      2. Interface: OPT1VLAN20
      3. Protocol: Any
    2. Source
      1. Source: OPT1VLAN20 net
    3. Destination
      1. Destination: LAN net
    4. Extra Options
      1. Description: VLAN 20 – cannot access LAN
    5. Click on the blue Save button.
    6. Click on the green Apply Changes button at the top.
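To see why the LAN block has to sit above the pass-any rule, and why an existing “firewall state” lets a flow keep going until you Reset States, here is a small simulation of the rules built in this tutorial. It is an added example, not pfSense code, and it assumes pfSense’s first-match (“quick”) rule evaluation, floating rules evaluated first, a LAN subnet of 192.168.10.0/24, and the web GUI on HTTP port 80.

```python
import ipaddress

# Added, simplified model of the rules this tutorial builds (not pfSense code).
# Assumptions: interface rules are "quick" (first match wins), floating rules
# with Quick checked are evaluated first, and the LAN subnet is 192.168.10.0/24
# (the page only shows 192.168.10.1 as an example pfSense LAN address).
VLAN20_NET = ipaddress.ip_network("192.168.20.0/24")
LAN_NET = ipaddress.ip_network("192.168.10.0/24")
GUI_ALIAS = {ipaddress.ip_address("192.168.10.1"), ipaddress.ip_address("192.168.20.1")}
GUI_PORT = 80  # use 443 if System->Advanced has the web GUI on HTTPS

def pkt(src, dst, proto="tcp", dport=443):
    """Constructed packet from a VLAN 20 client; just the fields the rules need."""
    return {"src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst),
            "proto": proto, "dport": dport}

# Floating rule "VLAN 20 - no access to pfSense GUI": TCP/UDP to the alias on port 80
FLOATING = [("block", lambda p: p["proto"] in ("tcp", "udp")
             and p["dst"] in GUI_ALIAS and p["dport"] == GUI_PORT)]
# OPT1VLAN20 tab in the order the tutorial wants: block LAN first, then pass any
OPT1VLAN20 = [("block", lambda p: p["src"] in VLAN20_NET and p["dst"] in LAN_NET),
              ("pass", lambda p: True)]
WRONG_ORDER = OPT1VLAN20[::-1]  # pass-any placed above the LAN block

STATES = set()  # flows that already matched a pass rule (the "firewall state")

def evaluate(packet, iface_rules=OPT1VLAN20):
    """Return the action of the first matching rule; pfSense denies by default."""
    for action, match in FLOATING + iface_rules:
        if match(packet):
            return action
    return "block"

def filter_packet(packet, iface_rules=OPT1VLAN20):
    """Stateful filtering: an established state bypasses the rules until reset."""
    key = (packet["src"], packet["dst"], packet["proto"], packet["dport"])
    if key in STATES:
        return "pass (existing state)"
    action = evaluate(packet, iface_rules)
    if action == "pass":
        STATES.add(key)
    return action

def reset_states():
    """Diagnostics -> States -> Reset States: every open state is dropped."""
    STATES.clear()
```

Run `filter_packet` on a LAN-bound flow before the block rule exists, then again with the block rule in place, and it still passes until `reset_states()` is called.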


Mayfield IT Consulting