This file covers the steps taken to create a new VLAN using pfSense. I will be working from the pfSense book beginning at page 271 to step through the process. The URLs below supplement the book.

Some resources:
https://www.crusec.com/single-post/2019/04/09/How-To-Configure-VLANs-in-pfSense
https://mitky.com/pfsense-virtual-lan-setup-vlans/
https://techexpert.tips/pfsense/pfsense-vlan-configuration/
http://xaxowareti.com.br/?p=23
pfSense Book (pdf) Page 271
https://www.highlnk.com/2014/06/configuring-vlans-on-pfsense/

Also:
https://www.practicalnetworking.net/stand-alone/vlans/
https://www.mustbegeek.com/understanding-vlans-in-switching-world/
https://help.ubnt.com/hc/en-us/articles/222183968-Intro-to-Networking-Introduction-to-Virtual-LANs-VLANs-and-Tagging
https://docs.netgate.com/pfsense/en/latest/book/vlan/switch-vlan-configuration.html
https://www.inteltech.com/blog/how-do-vlans-work/
https://www.megajason.com/2016/03/03/how-to-set-up-vlans-when-you-dont-understand-vlans/

--------

Critical! Make detailed notes as you go so that you have a record of every change you made and in what order! Use this to build video documentation.

--------

Background

We have a pfSense device and several managed switches comprising our network. Note that only managed switches (switches that support 802.1Q tagging) support VLANs. We currently have one VLAN that consists of our WiFi APs and their guests, used with a captive portal to isolate that public traffic from our production traffic.

This new VLAN is intended to support our Worship Team systems, specifically those using Dante. The goal is to isolate the Dante traffic while allowing those hosts access to the Internet and the production/office (default) VLAN.

VLANs are created by assigning switch ports to a preconfigured VLAN identifier. This image illustrates a simple VLAN similar to the new VLAN being created.

[image: 160319-net-vlans.png]

--------

On pfSense, configure a LAN port with a unique subnet and assign it a VLAN.
The uplink port on the switch side connecting to our pfSense router will be set to carry the VLAN traffic tagged using the 802.1Q protocol (in our case the default LAN stays untagged on that port, because the pfSense LAN interface is the untagged parent of the VLAN interface). Our pfSense box will have an IP address in each VLAN (192.168.1.1, 10.1.1.1, etc.) which will function as the default gateway for clients assigned to those VLANs. Because every VLAN's gateway is pfSense, traffic between VLANs passes through pfSense, so the isolation between VLANs is enforced by the firewall rules on each VLAN interface rather than by the switch.

--------

Go to VLAN Management->Create VLAN and click 'add'. Then enter the new VLAN ID and name. The ID is the numeric 802.1Q tag (1-4094) and must be the same on the switch and in pfSense; the name is only a label, so either of these works:
ID: 30 Name: Dante
or
ID: 30 Name: VLAN30

--------

Before assigning membership of a particular port to one of our new VLANs, we must first configure that port to be either an "Access" port or a "Trunk" port. Access ports are ports that are members of only one VLAN. This type of port is normally used for attaching end devices which are generally unaware of a VLAN membership, either because their NIC is incapable of tagging Ethernet frames with a VLAN ID, or they are not configured to do so. Trunk ports, on the other hand, can carry traffic for multiple VLANs, and are normally used to connect switches to other switches or to routers.

Consequently, we'll configure ports 1 and 2 as Access ports, and assign each membership in one of the two newly created VLANs. Furthermore, we'll also assume that port 25 is currently being used to connect the switch to the pfSense LAN interface, and configure it as a Trunk port, assigning it membership in both of the newly created VLANs.

VLAN Management->Interface Settings, select port 1 and then select "Edit". Change the Interface VLAN Mode from Trunk to Access, then select "Apply".

Next, navigate to VLAN Management->Port VLAN Membership, select port 1 and then select "Join VLAN". Since Access ports can be added as untagged to only a single VLAN, we'll need to first remove the default VLAN the switch automatically assigns to each port (usually VLAN 1). Highlight VLAN 1 by left-clicking on it, then select the arrow icon to remove it from the interface.
Now highlight VLAN 10 by left-clicking on it, then select the arrow icon to add it to the interface, ensuring that "Untagged" is selected from among the options under "Tagging". Repeat for port 2 with VLAN 20.

Now let's configure port 25, the port that is connected to the LAN NIC in pfSense. This port will be configured as a Trunk port and joined to both VLAN 10 and 20 so that, in addition to passing the untagged Ethernet frames from devices attached to the other ports on the switch to pfSense, it will also pass Ethernet frames tagged with VLAN IDs 10 and 20 (from ports 1 and 2). Ensure that port 25 is configured as a Trunk port, then navigate to VLAN Management->Port VLAN Membership, select port 25 and then select "Join VLAN". Highlight VLAN 10 by left-clicking on it, then select the arrow icon to add it to the interface, ensuring that "Tagged" is selected from among the options under "Tagging". Do the same for VLAN 20. Do not remove the default VLAN 1 from this port as was done on the access ports: it must stay untagged here, because the pfSense LAN interface is the untagged parent interface of the VLAN interfaces (igb2 for igb2.30 in our case), and removing it cuts the office LAN off from pfSense.

That's it for configuring the switch. If your switch supports both a running configuration and a startup configuration, make sure to save the changes you've made to the startup configuration so that they are not lost should the switch reboot for any reason.

Continue with 'Configuring pfSense' in file:///home/ben/CCCC/Tech/VLANs/How%20To%20Create%20And%20Configure%20VLANs%20In%20pfSense%20%E2%80%93%20XaxoWareTI.html

--------

What I actually did.

. Went to Interfaces / VLANs and added a VLAN.
. Defined the VLAN (see screenshot).
. Went to Interfaces / Interface Assignments and clicked on 'Available network ports' and selected the VLAN I had just defined. It was then displayed as OPT2.
. "The VLAN-based OPT interfaces behave as any other OPT interfaces do, which means they must be enabled, configured, have firewall rules added, and services like the DHCP Server will need to be configured if needed. See Interface Configuration Basics for more information on configuring optional interfaces." Page 272 bottom. Clicking on 'Interface Configuration Basics' takes you to page 70.
(7.2.2) Not much here...
. I went to Status / Interfaces and scrolled down to 'OPT2 Interface (opt2, igb2.30)' and noticed it was 'Status: disabled'. So I went to 'Interfaces / OPT2 (igb2.30)'.
. There I checked the 'Enable' checkbox.
. 'IPv4 Configuration Type'. Per https://techexpert.tips/pfsense/pfsense-vlan-configuration/ I set this to 'Static IPV4'.
. Also on https://techexpert.tips/pfsense/pfsense-vlan-configuration/: "On the Static IPv4 Configuration area, perform the following configuration: IPv4 Address - Configure the VLAN interface IP address and netmask." I selected:
IPv4 Address 10.32.20.1
Subnet mask IPv4 255.255.255.0
This was then displayed: "The OPT2 configuration has been changed. The changes must be applied to take effect. Don't forget to adjust the DHCP Server range if needed after applying. Click on the Save button. Click on the Apply changes button."
. Per the last step above, I clicked "Apply changes" and it took several seconds to process before returning me to the 'Interfaces / OPT2 (igb2.30)' screen with the message 'The changes have been applied successfully.'
. I went back to 'Status / Interfaces' and scrolled down to 'OPT2 Interface (opt2, igb2.30)' and found the changes had taken effect:
Status up
MAC Address 40:62:31:00:55:48
IPv4 Address 10.32.20.1
Subnet mask IPv4 255.255.255.0
IPv6 Link Local fe80::4262:31ff:fe00:5548%igb2.30
MTU 1500
Media 1000baseT
In/out packets 0/5 (0 B/416 B)
In/out packets (pass) 0/5 (0 B/416 B)
In/out packets (block) 0/0 (0 B/0 B)
In/out errors 0/0
Collisions 0
. I then decided to set the firewall rules. Ref. https://www.crusec.com/single-post/2019/04/09/How-To-Configure-VLANs-in-pfSense
. "Next we will want to create firewall rules for this new interface. We want to allow devices in this network to get out to the internet, but disable its ability to communicate with other networks."
(https://www.crusec.com/single-post/2019/04/09/How-To-Configure-VLANs-in-pfSense)
I will perform this configuration, but will likely want to alter it later so that the hosts on this VLAN can access the office network.
. I went to 'Firewall / Rules / OPT2' and found no rules had been set. Expected. There I clicked on the first 'Add' button, which adds a rule to the top of the list.
. On the 'Firewall / Rules / Edit' screen most of the fields were already set. I did change the following:
'Protocol' to 'Any'
'Source / Source' to 'OPT2 net'
'Description' to 'Grant access to the Internet'
. I clicked 'Save' and was returned to the previous page with a message that: "The firewall rule configuration has been changed. The changes must be applied for them to take effect."
. I then set a second rule. Hit the upwards-pointing Add button. This rule will take priority over our previous one. I did change the following:
'Action' to 'Block'
'Source / Source' to 'Any'
. Clicked 'Save' and was returned to the previous page with the message: "The firewall rule configuration has been changed. The changes must be applied for them to take effect."
. I clicked "Apply Changes". I was then given the following message: "The changes have been applied successfully. The firewall rules are now reloading in the background. Monitor the filter reload progress."
. I clicked on 'Monitor' and reviewed the log text to verify there were no apparent problems.
. The next instruction on https://www.crusec.com/single-post/2019/04/09/How-To-Configure-VLANs-in-pfSense is the following: "Once these settings have been saved, we can now log into our switch or wireless controller to complete the creation of these VLANs. As you are creating new wireless networks or assigning ports to specific VLANs, remember that the VLAN tag is the most important piece of information that needs to be configured.
If you have an 8-port switch with ports 1-4 configured for VLAN 10 and ports 4-8 configured for VLAN 20, devices in each respective VLAN will not be able to talk to those on the other side. Poor attention to detail here opens up the possibility for traffic intended for one network to travel across the other."

--------

At this point I stopped before proceeding to the next steps. Wed 27 May 2020 02:17:05 PM EDT
. I need to go to '16.4 Switch VLAN Configuration' page 273 for guidelines on configuring our switches.

--------
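The following is an added illustration, not code from pfSense, the switch vendor or these notes. It models the whole path the switch section and the firewall-rule steps above describe: a frame from a Dante host on an access port is classified into VLAN 30 by the switch, leaves the uplink trunk (port 25) carrying an 802.1Q tag, lands on pfSense's igb2.30 (OPT2) interface because of that tag, and is then judged by the OPT2 rules in first-match order. The port plan, addresses and rule sets are constructed from the values in these notes (VLAN 30, 10.32.20.0/24 on igb2.30, 192.168.1.0/24 on the untagged LAN parent igb2, uplink on port 25); the assumption that the block rule's destination was left at the default "any" is marked in the code, as is the modelled switch behaviour of dropping tagged frames received on an access port, which varies between switch models.

```python
"""End-to-end model of the Dante VLAN path: switch port membership, 802.1Q tagging
on the uplink, the pfSense interface selected by the tag, and first-match rules.
Added illustration only; constructed values taken from the notes above."""
import struct
from dataclasses import dataclass, field
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Set

TPID_8021Q = 0x8100  # EtherType that announces a VLAN tag


@dataclass
class Port:
    untagged: Optional[int]                      # PVID: VLAN assumed for frames that carry no tag
    tagged: Set[int] = field(default_factory=set)


# Constructed switch plan: port 1 = Dante access port (VLAN 30), port 2 = office access port
# (default VLAN 1), port 25 = uplink to the pfSense LAN NIC: VLAN 1 untagged, VLAN 30 tagged.
PLAN: Dict[int, Port] = {1: Port(30), 2: Port(1), 25: Port(1, {30})}

# pfSense side: the VLAN ID on igb2 decides which interface, and so which rule tab, sees the packet.
PFSENSE_IFACES = {None: ("LAN", ip_network("192.168.1.0/24")),
                  30: ("OPT2", ip_network("10.32.20.0/24"))}


def build_frame(payload: bytes, vid: Optional[int] = None) -> bytes:
    """Ethernet II frame with constructed MACs; the 4-byte 802.1Q tag sits after the MACs."""
    hdr = b"\x02" * 6 + b"\x04" * 6
    tag = struct.pack("!HH", TPID_8021Q, vid & 0x0FFF) if vid is not None else b""
    return hdr + tag + struct.pack("!H", 0x0800) + payload


def tag_of(frame: bytes) -> Optional[int]:
    """VLAN ID from the tag (low 12 bits of the TCI), or None for an untagged frame."""
    if struct.unpack_from("!H", frame, 12)[0] != TPID_8021Q:
        return None
    return struct.unpack_from("!H", frame, 14)[0] & 0x0FFF


def retag(frame: bytes, vid: Optional[int]) -> bytes:
    """Strip any existing tag and insert a tag for vid (None = send untagged)."""
    body = frame[16:] if tag_of(frame) is not None else frame[12:]
    tag = struct.pack("!HH", TPID_8021Q, vid) if vid is not None else b""
    return frame[:12] + tag + body


def switch(ports: Dict[int, Port], in_port: int, frame: bytes, out_port: int) -> Optional[bytes]:
    """Frame as it leaves out_port, or None when the switch drops it (modelled 802.1Q behaviour)."""
    src, dst = ports[in_port], ports[out_port]
    vid = tag_of(frame)
    if vid is None:
        vid = src.untagged                  # untagged frame: classified into the port's PVID
    elif vid not in src.tagged:
        return None                         # host-tagged frame on an access port: dropped (assumed)
    if vid == dst.untagged:
        return retag(frame, None)           # member as untagged: leaves without a tag
    return retag(frame, vid) if vid in dst.tagged else None   # tagged member or not a member at all


@dataclass
class Rule:
    action: str                             # "pass" or "block"
    source: Optional[IPv4Network]           # None means "any"
    destination: Optional[IPv4Network]      # None means "any"
    description: str = ""


def evaluate(rules: List[Rule], src: str, dst: str) -> str:
    """pfSense interface rules are first-match, top to bottom; unmatched traffic hits the default deny."""
    s, d = ip_address(src), ip_address(dst)
    for r in rules:
        if (r.source is None or s in r.source) and (r.destination is None or d in r.destination):
            return r.action
    return "block"


OPT2_NET, LAN_NET = PFSENSE_IFACES[30][1], PFSENSE_IFACES[None][1]
LAN_DEFAULT = [Rule("pass", LAN_NET, None, "Default allow LAN to any rule")]
# The two OPT2 rules as the notes describe them: block rule on top, its destination assumed to be
# the default "any", so it matches first and the pass rule beneath it is never reached.
RULESETS_AS_ENTERED = {"LAN": LAN_DEFAULT,
                       "OPT2": [Rule("block", None, None, "Block"),
                                Rule("pass", OPT2_NET, None, "Grant access to the Internet")]}
# Rules matching the stated goal (Internet yes, office LAN no); drop the block rule later to open the LAN.
RULESETS_INTENDED = {"LAN": LAN_DEFAULT,
                     "OPT2": [Rule("block", OPT2_NET, LAN_NET, "Keep Dante hosts off the office LAN"),
                              Rule("pass", OPT2_NET, None, "Grant access to the Internet")]}


def path(ports: Dict[int, Port], in_port: int, rulesets: Dict[str, List[Rule]], src_ip: str, dst_ip: str) -> str:
    """Verdict for a packet from a host on in_port: dropped by the switch, or '<iface>: pass|block'."""
    frame = switch(ports, in_port, build_frame(b"dante"), 25)
    if frame is None:
        return "dropped by switch"
    iface, _net = PFSENSE_IFACES[tag_of(frame)]
    return f"{iface}: {evaluate(rulesets[iface], src_ip, dst_ip)}"


if __name__ == "__main__":
    for label, rulesets in (("as entered", RULESETS_AS_ENTERED), ("intended", RULESETS_INTENDED)):
        print(f"{label:11} Internet -> {path(PLAN, 1, rulesets, '10.32.20.50', '203.0.113.10')}"
              f" | office LAN -> {path(PLAN, 1, rulesets, '10.32.20.50', '192.168.1.20')}")
```

Two things the model makes visible that the GUI does not: with the block rule's destination at "any" and the rule on top, nothing from OPT2 ever reaches the pass rule, so the Dante hosts get no Internet either; and because the pass rule's source is "OPT2 net" rather than "any", a host on the Dante port that forges a 192.168.1.x source address still matches no rule and falls to the default deny. The switch half also shows why access ports drop host-supplied tags: a Dante host tagging its own frames with VLAN 1 cannot hop into the office VLAN.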