configuring vlans on pfsense · pdf fileour pfsense router we will configure our lan port with...

8/1/2016 Configuring VLANs on pfSense – HIGHLNK

https://www.highlnk.com/2014/06/configuringvlansonpfsense/ 1/21

Technology and Networking

search this site...

HomeNetworkingOperating Systems »StorageVirtualizationAboutContact

Configuring VLANs on pfSensePosted by Glenn on Jun 29, 2014 in Networking | 55 comments

Intro:

In this article I will go over how to configure routing between multiple VLANs by using our pfSense router and a switch that supports 802.1Q. Onour pfSense router we will configure our LAN port with multiple sub interfaces and assign each one to a certain VLAN. The uplink port on theswitch side connecting to our pfSense router will be set to tag all the traffic using the 802.1Q protocol. This configuration is known as a router on astick and the diagram below gives you an idea of the configuration that we will accomplish. In the diagram, we have five VLANs and a differentsubnet assigned to each. Our pfSense box will have an IP address in each VLAN(192.168.1.1, 10.1.1.1, etc…) which will function as the defaultgateway for clients assigned to those VLANs.

The switch configuration will vary from manufacturer to manufacturer which means that what applies to my switch might not necessarily apply toyours. I will cover Cisco, Dell, and Avaya switch configuration commands for configuring trunks, VLANs, and access ports since I am familiar withall three.

https://www.highlnk.com/

https://www.highlnk.com/

https://www.highlnk.com/category/networking/

https://www.highlnk.com/category/operating-systems/

https://www.highlnk.com/category/storage/

https://www.highlnk.com/category/virtualization/

https://www.highlnk.com/about/

https://www.highlnk.com/contact/

https://www.highlnk.com/author/glenn/

https://www.highlnk.com/category/networking/

https://www.flickr.com/photos/highlnk/14352098480



pfSense Configuration:

Before we start, we are going to configure our WAN interface firewall rules to allow us to connect to our pfSense web GUI from the WAN. We aredoing this because while configuring our LAN port to trunk multiple VLANs we will lose connection to pfSense should we be accessing it via theLAN. For this reason, it is better if we connect a laptop directly to the WAN port while we are configuring the router’s LAN port so that we do notlock ourselves out. By default, pfSense will block connections destined to port 443 so we must allow it by creating a firewall rule. You can create afirewall rule by heading over to firewall–>rules–>WAN.

In here you want to add a new rule at the bottom. See below for the settings for this new rule.

You must also modify the WAN interface and give it a static IP address since it is most likely configured to grab one via DHCP. If it is notconfigured for DHCP then you should be fine, otherwise modify it by going over to interfaces–>WAN.





You should now be able to plug your laptop or desktop directly to the WAN interface on your pfSense router and access it via the web by going overto https://IPADDRESS where IPADDRESS is the IPv4 address you chose above. Note: You should assign your laptop or desktop a static IP addressin the same subnet as the WAN IP Address. If you chose 192.168.8.1/24 as your WAN IP address then 192.168.8.2 through 192.168.8.254 are allvalid IP addresses that you can assign the network adapter on your laptop or desktop.

Once you have gained access to your pfSense box by plugging into the WAN port then the next step is to head over to Interfaces–>VLANs. Youshould have two Interfaces currently configured which should be your LAN and WAN interfaces respectively and each one should be mapped to aphysical port on your pfSense box.

In the VLANs tab you want to add a new VLAN and assign it to the interface that your managed switch will be plugging into. Each VLAN that youcreate must get a TAG between 1 and 4094 which will match the VLAN number that you configured on your switch that plugs into this port. Belowis an example of a VLAN creation.


https://ipaddress/





Note: If for some reason the parent interface is not listing all your network adapters then that means that your network adapters do not support802.1Q tagging and therefore they cannot tag traffic.

Hit save when done and add other VLANs should you need to create more.

We must now head back to the interface assignments tab and start adding interfaces for each VLAN that we created.

When you are done, you want to click on your interfaces which should have a name starting with OPT# and enable them.

After enabling the VLANs, you should have more settings available. Below is one of my VLANs that I have configured with a static IPv4 address.The IP address that I assigned to this VLAN will be the default gateway for my clients that will be assigned to this VLAN.






Note: You should restart your pfSense box once you are done configuring all your settings for each VLAN. I noticed that my settings did not takeeffect until I restarted my box.

Now that all my VLANs are setup and each one has been assigned an IP address then the next thing that I did was configured DHCP for each one ofthose VLANs. DHCP will allow my clients to get an IP address automatically when they connect to any of those VLANs. Configuring DHCP issimple and once you enable the DHCP server on each VLAN interface then all you have to do is assign a range of IP addresses that your clients willreceive on this VLAN.

Note: There are a lot more DHCP options that you can set should you decide to use them but I will not cover them here.

Now that we have the VLAN interfaces created, DHCP configured in each VLAN, then the next thing that we have to do is to enable DNS in eachVLAN interface. Most people will configured their pfSense box to forward all DNS request to either their ISP, Google Public DNS, or another thirdparty DNS server. This means that for DNS forwarding to work properly then you must enable it on the interfaces that your clients will beconnecting to. In our case our clients will be connecting to the VLANs that we created and they will most likely be behind private IP addresses withtheir DNS servers being set to their VLAN default gateway IP address.





The last thing that we will do is modify our firewall rule for each VLAN interface and create an allow rule similar to the one below. The reason forcreating this firewall rule is so that NAT can work since it is most likely the case that our clients will be behind private IP addresses and will needtheir traffic to be NATed in order to reach the internet.





The specific settings for the firewall rule above is shown below.

Now that our pfSense box is configured with VLANs then the next step is to configure our switch that will be connecting to the pfSense box.

Switch Configuration:

Below are some commands that you use to configure a trunk port on switches for different vendors that I am familiar with. Assume that your switchis named SW1 and that interface 1/1 is used to connect to your pfSense box. We will start with the VLAN configuration followed by the trunkconfiguration and then the access port configuration.

Cisco Configuration:

VLAN Configuration

SW1(config)#vlan #

This will create a layer 2 VLAN

SW1(config‐vlan)#name NAMEHERE

Assign a name

SW1(config‐vlan)#exit

Exit VLAN configuration mode

Trunk Configuration

SW1(config)#interface gig 1/1

SW1(config‐if)#Switchport trunk encapsulation dot1q

Switches the encapsulation to 802.1Q

SW1(config‐if)#Switchport mode trunk

changes the port to a trunk port

SW1(config‐if)#Switchport trunk allowed vlan {add|all|except|remove}

configures which VLANs can be allowed on a trunk. By default, all the VLANs are allowed.

Access Port Configuration

SW1(config)#interface Fastethernet #/#

SW1(config‐if)#switchport mode access




Make it an access port

SW1(config‐if)#switchport access VLAN#

Assign the VLAN that it belongs to.

Dell Configuration:

On Dell PowerConnect switches the configuration is very similar to Cisco switches.

VLAN Configuration

SW1(config)#Vlan database

Enter VLAN configuration mode

SW1(config‐vlan)#Vlan #

Create VLAN

SW1(config‐vlan)#exit

Exit VLAN configuration mode

Trunk Configuration

SW1(config)#Interface ethernet 1/1

SW1(config‐if)#Switchport mode trunk

Switches the encapsulation to 802.1Q

SW1(config‐if)#Switchport trunk allowed vlan add

configures which VLANs can be allowed on a trunk.


SW1(config)#interface ethernet #/#

SW1(config‐if)#switchport mode access

Make it an access port

SW1(config‐if)#switchport access VLAN#

Assign the VLAN that it belongs to.

Avaya Configuration:

On an Avaya switch the configuration differs from the Dell and Cisco configuration.

VLAN Configuration

SW1(config)#vlan create VLAN# name NAMEHERE type port

Create the VLAN, give it a name, and make it be a port based VLAN.

Trunk Configuration

SW1(config)#vlan ports 1/1 tagging tagAll

Configure our port to tag all traffic

SW1(config)#vlan members add VLAN# 1/1

Configure which VLANs you will be tagging on this interface


SW1(config)#vlan members add VLAN# PORT#/#

Assign VLANs to ports

SW1(config)#vlan ports #/# pvid VLAN#

Assign the Port VLAN ID to the port

Note: A port can be a member of multiple VLANs but can only have one PVID(Port VLAN ID) associated with it which tells us what VLAN youtransmit on. Most people make this a 1 to 1 relationship so that the VLAN assigned to the port matches the PVID.

This will conclude another pfSense article. As I experiment more with the platform and decide to use other features then I will keep documenting the



configuration for reference here. As always, thank you for taking your time to read this blog post and I hope that it was helpful. Any feedback andcomments are greatly appreciated.

Share this:

Email Print Twitter More

55 Responses to “Configuring VLANs on pfSense”

1. Donavan says:October 3, 2014 at 10:09 AM

very helpful thanks

reply

Glenn says:October 5, 2014 at 10:24 PM

Glad it helped.

reply

2. K. Callis says:December 3, 2014 at 12:27 AM

I am banging my head against the wall. Prior to me reading up on your VLAN tutorial, I had set up all of the interfaces and even did theVLANS. I also had set up my CIsco Catalyst 2950 with VLANS. I just didn’t understand how to make the two talk correctly!

I was very surprised and excited to run into your tutorial, and also it was great because I had already did most of this tasks. As soon as Ichanged things over to the VLANs on pfsense, I was no long able to ping or reach the GUI. Of course as soon as I change the interface back tothe regular interface, everything is phone.

Like you, I have a lot of different devices running, wifi, cameras, pbx, etc. I need to get this working and soon. Any pointer to help metroubleshoot and get this working would be greatly appreciative.

reply

Glenn says:December 3, 2014 at 1:15 AM

How many interfaces does you pfsense box have? Do you have 1 for LAN and 1 for WAN?

It looks like you created the VLANs in the VLAN tab. You then went over to the interface assignments tab and added an interface forevery VLAN and tied that VLAN to the interface on your pfSense box that connects to your switch? After adding the interfaces for eachVLAN did you enable them?

To make things simple I would start with one VLAN on your pfSense box and create that VLAN on your switch as well. Connect alaptop on an access port in your switch that is assigned to that VLAN and make sure that you are tagging the VLAN on the trunk port inthe switch that connects to your pfsense box. Prior to enabling the VLAN in pfSense I would give your laptop a static IP address in thenetwork which that VLAN will be serving in pfsense e.g. if you assign the VLAN interface a 10.10.10.1/24 address then make yourlaptop 10.10.10.2. Once you enable the VLAN in pfSense and if your connection drops try doing a reboot of the box(power button) as Inoticed that the same thing happened to me and I had to physically reboot my box and then it came online with the settings takingeffect. I am not sure why changing the interface from being untag to tagged required a reboot to take effect. I was locked out like youtoo and I couldn’t do a graceful restart from the management console. Once the initial VLAN was working, creating the other ones andconfiguring them was a breeze and did not require a restart.

Like this:

Loading...

Related

pfSense: Installation and Configuration Part 1 Configuring OpenVPN on pfSense OSPF Configuration Overview Part 4June 27, 2013In "Networking"

December 29, 2013In "Networking"

November 24, 2013In "Networking"

https://www.highlnk.com/2014/06/configuring-vlans-on-pfsense/?share=email&nb=1

https://www.highlnk.com/2014/06/configuring-vlans-on-pfsense/?share=twitter&nb=1

https://www.highlnk.com/2014/06/configuring-vlans-on-pfsense/?replytocom=86#respond

http://www.highlnk.com/




https://www.highlnk.com/2013/06/pfsense-installation-and-configuration-part-1/

https://www.highlnk.com/2013/12/configuring-openvpn-on-pfsense/

https://www.highlnk.com/2013/11/ospf-configuration-overview-part-4/



reply

K. Callis says:December 3, 2014 at 2:42 PM

You are correct in the process of my setup. I first assigned interfaces (I have a total of 6) to WAN, LAN, WIFI, Office and gavethen address. I then went to the Interfaces|VLANs and and create a VLAN for LAN (re1), Office (re2) and WiFI (re3).

So after reading your posting, I immediately switch the Interface Assignments to the respective VLAN. Needless to say, thatwhen I plug my laptop into one of the access ports for the LAN on the Cisco, I am no longer able to ping to another devices onthe LAN. Only when I change the Interface Assignment back to my standard setting am I able to ping or access devices on theLAN.

I am quite sure what you mean about tagging. I have set up the default setting that I know about setting up VLANs on the Cisco,and it is in line with the info that you listed in your tutorial. Everythings should be working correctly, since the access ports areassigned to the appropriate VLANs, but I am getting nothing.

reply

Glenn says:December 4, 2014 at 2:29 PM

I forgot to add but the VLANs in pfsense will not talk to each other by default unless you create specific firewall rules ineach VLAN interface that allows them to talk to each other. Make sure that you check these settings.

reply

K. Callis says:December 3, 2014 at 4:13 AM

I just noticed that you are creating the VLANs on a single interface. I am running pfsense on a Watchguard X700 which has 6interfaces. So I have re0re5, which is each configured with an IP address and DHCP. My Cisco is setup with the same same commandsthat you have listed before.

reply


Ok, so you have multiple interfaces in your pfsense box. You can take one of the six interfaces in your pfSense box and startassigning multiple VLANs to it. Connect your desktop/laptop to another interface in your pfsense box that is not your WAN sothat you don’t lose connectivity during this process. This interface that you are assigning VLANs to has to connect to your ciscoswitch and you have to enable tagging on the cisco side as I have above(trunk configuration). Don’t forget to enable the VLANafter you assign them over to the interface in your pfsense box and setup the ip address, dhcp, and firewall rules for it.

Make sure that on the cisco side that the interface that connects to your pfsense box is in an up/up state.

Regards,

Glenn

reply

K. Callis says:December 6, 2014 at 2:54 AM

It took me awhile to get it, but basically, instead of using the additional the additional interfaces and trying to create VLAN, youare suggesting that we multiplex several VLANS through on interface. Is that correct?

reply


Yes, push multiple VLANs through the trunk interface. Since you have multiple interfaces in your pfSense box and yourCisco switch most likely with the right IOS version provides support for a link aggregation group(LAG) via LACP then Iwould take a few ports and create a bundle. pfSense does support link aggregation groups via LACP, see:https://doc.pfsense.org/index.php/LAGG_Interfaces










https://doc.pfsense.org/index.php/LAGG_Interfaces



reply

3. leonroy says:December 11, 2014 at 7:30 PM

Superb write up, sorted me out so that within 15 minutes I had a working VLAN setup in pfSense.

I’m looking at separating our vmkernel traffic into four separate VLANs. I understand what Vmotion is, but in your image above what isVMOTIONMGMT?

reply


Leonroy,

VMOTIONMGMT is the VLAN that I used for my ESXi host vMotion and Management traffic. I use the same VLAN for both in myhome lab. If you are using ESXi in production then you should separate your iSCSI, vMotion, Management, VSAN, and FaultTolerance into separate networks.

reply

leonroy says:December 14, 2014 at 5:27 PM

Thanks will do. Semi production. It’s just a home lab for now.

Had fun separating voice, cctv, management and vSphere (thanks your article helped on that front!) in the home office this week.

Whilst I love pfSense the value ofthose £2k L3 gigabit switches does make itself clearer now when it comes to routing VLANs.

Is there any upside to pfSense over a full featured L3 Cisco switch if all I want to is VLAN, provide a gateway address and routethe subnet?

reply


I use pfSense for my home lab and it is routing all my VLANs. My pfSense box connects to a multilayer switch and I havetrunk between them both. All my devices connect to the switch and I have separate VLANs like you do for management,video, etc…

I could have used the existing switch for the L3 capabilities that pfSense provides but there are certains things that pfSensedoes that you wouldn’t get from a L3 switch. I used the firewall functionality, Snort for the IPS, OpenVPN for remoting,ntop for traffic analysis, plus there are other things that you can do such as a squid proxy, captive portal, etc..Overall I thinkthat pfSense gives you a lot of value for a free solution. You certainly can do the above with many different solutions but ifyou are not doing any complex routing OSPF, BGP, ISIS, etc… then pfSense will do a good job for a home network.

reply

4. tjaus says:December 31, 2014 at 7:19 AM

It’s New Years Eve and I decided to reconfigure my pfsense and switch to incorporate 802.1Q. In a nutshell I have successfully trunked aninterface talking to my switch in a remote building and bringing my internet feed into my pfsense box using a DHCP vlan (there’s noauthentication its delivered as ethernet).

I have a pfsense box with 4 nics, 1 used for trunking to my switch in a remote building and the other nics directly to small switches for eachnetwork (home and guests) locally.

What I would like to do is have the home and guest networks not only locally available via the physical interface on my pfsense box, buttrunked back to the other building with the existing trunk (hence the reason of converting the link to a trunk)

I can’t work out how to do this, certainly I can create a vlan and trunk it across the link as well and it works fine, but how to merge is with thephysical interface on pfsense box without the use of different subnets and routes?

Brilliant write up, it took me a while to work out how to set the untagged 802.1Q PVID ports on my old Netgear, but once I had that sorted,


http://www.leonroy.com/




http://www.leonroy.com/




http://gravatar.com/tjaus



all was well.

reply


So you have a pfSense box with 4 interfaces. One interface(let’s call this em1) is connected to a switch in a different building and it hasbeen configured as an 802.1Q trunk. The other two interfaces on the pfSense box are for your home(em2) and guest(em3) network andthe last interface is for your internet(em4) connection?

Do the two interfaces(em2 and em3) connecting to your home and guest network uplink to switches that support tagging? If they dothen you can create two VLANs for Home(e.g VLAN 20) and Guest(e.g VLAN 30) and tag VLAN 20 on em2 and VLAN 30 on em3.Don’t forget to create the 802.1Q trunk on the other side of each interface and tagged the VLANs as well on those switches. You canthen configure a separate network for home (e.g 192.168.20.0/24) and similarly do the same for Guest (192.168.30.0/24). Once youhave that then you can enable DHCP, DNS, etc… on each VLAN and it should work fine.

You can then easily Tag VLAN 20 and VLAN 30 on em1 and this will allow you to access both Home and Guest network on the otherswitch in the separate building as long as you create the VLANs and tag them on the uplink for that switch. On the client facing(access)ports on the separate building switch you would untag VLAN 20 if you want computers connecting to this port to be part of the Homenetwork and untag VLAN 30 on another port etc… if you want computers connecting to that port to be in the Guest VLAN.

If you don’t have switches that support tagging connected to em2 and em3 then you can still create VLANs 20 and VLANs 30 onpfsense. What you would then do is untag VLAN 20 on em2 and untag VLAN 30 on em3. em2 and em3 will then be able to receivetraffic destined for VLAN 20 and VLAN 30 respectively. When traffic is received on em2 and em3 then they will put it into the properVLANs based on the VLAN that you untagged for each interface. You would then Tag VLAN 20 and 30 on em1 and configure theVLANs and tag them on the uplink on the switch connected to em1. For access ports connected to the switch on em1 you would untagVLAN 20 and VLAN 30. The problem with this second setup is that I am not sure if you can configure an interface and “untag” aVLAN for it using pfSense. I will have to look through the configuration to verify since I have not done it in this platform.

reply


I just went through the pfSense definitive guide and found no reference there on how to untag a VLAN on an interface in apfSense box. This means that the option of not having a switch that supports 802.1Q tagging on em2 and em3 will not work.

reply

tjaus says:December 31, 2014 at 5:04 PM

Thanks for your replies (whilst I slept 2015 in)

My setup yesterday was such:

em0 – Direct connection to internet (Gateway) in another building.em1 – Home LANem2 – Guest LANem3 – Unused

The Ethernet link that plugged directly into em0 comes via a single link from another building directly from the providersterminating unit, the link is mine, I installed it to bring it to this building.

The em1 and em2 ports are directly connected to stupid non 802.1q switches for very local distribution in the house.

I do have 1 switch that’s capable of 802.1q that was unused.

What I was trying to achieve based on this awesome post was the following:

I would love to be able to use the Home and Guest LAN in the remote building.

To do this I configured the appropriate VLANS 666 (Internet), 10 (Home) 11 (Guest). I then trunked them all over the linkto the switch I configured and Voilà, it works.

The link that was single purpose now has the raw internet traversing the trunk on VLAN 666, it also has VLAN 10 and 11being taken back to the remote building and presented on the appropriate ports on the switch.

So the guide was excellent, I was able to repurpose the link and convert it to a trunk without dramas, that part I have undercontrol no worries.

The only problem is that that VLAN 10 and VLAN 11 are not the same Home and Guest subnets presented on em1 andem2.









I tried a few things and read a bit and I think you’ve confirmed in your second post that dropping an untagged port on thephysical pfsense interface wont work. Dang!

At this stage I see the solution would be to buy another small (and capable) switch and place it in the middle, that is trunkto the switch from pfsense, then trunk from that switch to the other switch in the remote building and then drop out theappropriate ports on either switch.

I will soon be converting the pfsense physical box to a virtual machine within ESXi, so i might have a look at using virtualswitching to present an untagged port on the physical interface. I think it might be possible that way too.

Thanks for your input, much appreciated…

reply


“At this stage I see the solution would be to buy another small (and capable) switch and place it in the middle, that istrunk to the switch from pfsense, then trunk from that switch to the other switch in the remote building and then dropout the appropriate ports on either switch.”

This option would work fine. You can also plug the new switch into em1 or em2 or both(if your switch supportsLAG) and create a trunk to the new switch and tag VLAN 10 and 11. You can then untag on your access ports either10 or 11 depending what VLAN you want your clients to be in and plug them in directly to the switch. You can evenplug in your dumb switches to the access port and connect your clients to the dumb switches. This might cause somecongestion depending on how much traffic the uplink will see.

tjaus says:January 8, 2015 at 6:03 PM

Well since this post thanks to your messages Glenn this is what I’ve done over my Christmas break.

I built up a new VMWare ESXi server to run pfsense as a virtual machine, not as a standalone box on old hardware. Ialso acquired 2 capable switches off ebay (Netgear GS724T’s). I created the VLAN’s I wanted 5 (Home Lan(Trusted), 10/11 (Guest/Workshop), 666 (Internet) and then also created a 2x1Gb 802.1ad (LACP) link from theswitch to the ESXi box (using standard vswitches) to pfsense to get 2Gb of bandwidth.

I was able to get this all working without too much hassle, I can now place any network I like on either switchwithout any problems. I was confused about PVID on trunk ports initially but everything seems to be working aok soI’m happy.

I would have loved to use Cisco switching to learn more, but the Netgear’s are very capable and we’re relativelycheap especially off ebay (40% of retail price, the current model) and enabled me thanks to your blog Glen to finallysetup my network the way I want.

Next step would be to play more with distributed vswitches and trunking from ESX itself rather than pass throughdirectly to pfsense, but heck its working well now

Thanks again.

Glenn says:January 9, 2015 at 12:29 AM

Nice! Distributed switches are great when you have multiple hosts in your ESXi cluster as it makes the managementeasier. You will also need the premium license to enable them and you would also have to get vCenter setup.

The netgear switches are pretty good. I have a POE gigabit switch of theirs at my home that is solid. The Cisco stuffis pretty expensive even when it is used if you are looking for anything that is gigabit with a decent amount of ports.If you want to play with Cisco routing/switching devices then I recommend looking at GNS3.

I buy Nortel switching gear(now own by Avaya) for my home lab as you can get decent prices for high performanceequipment. You can find good deals on ebay every now and again for devices that Avaya is still supporting withsoftware and firmware upgrades.

5. Dugbartey says:February 15, 2015 at 4:44 PM

I have been trying to implement the same solution as you described in my network but facing some challenges with the IP assignment onpfsense. I have two internet connections coming into my office and i want to create two vlans on the wan interface on pfsense, which i







perfectly did. from the two internet connection into two different vlans each for an ISP on a cisco switch which is trunked into pfsense.

Now the issue am facing is this, i don’t want to assign an IP from the ISP to the physical WAN port but to the Vlans created under the wanhowever pfsense i wouldn’t allow that. am able to assign the point to point IP(/30) to the vlans interfaces created under the wan interface.

Am doing all this because I want to use the load balance and failover feature of pfsense with the two internet connection i have.

Do i assign one of the public IP from my ISP to the wan physical port?

Am asking all this because I know for instance if u do router on a stick with a cisco router, the IP are actually assigned to virtual interfaces andnot the physical interface.

What do you think i can do in this situation with pfsense?

reply

Glenn says:February 15, 2015 at 7:10 PM

I want to make sure that I understand what you are trying to accomplish in order to help you out. You have two internet connectionscoming into your office. Each internet connection terminates to a separate interface on a CISCO router. Each of these interfaces is on aseparate VLAN and from the CISCO router you created a trunk to your pfSense box?

I am not sure how many interfaces your pfSense box has but if you have multiple interfaces(3 or more) then what I would personally dois to connect your two internet connections to the pfSense box and the remaining interface in your pfSense box should connect to yourhome switch for your internal devices.

With regards to your two internet connections and the IP addresses. Are the IPs in two separate /30 subnets? For example do you havean IP for one of your connections in one subnet 10.10.7.1/30 and another IP in another subnet 10.10.8.1/30? What I am trying to findout is if you have two separate gateways rather than just one for both of your internet connections? A /30 gives you two usableaddresses in the subnet but sometimes you can get more if you enable the use of the zero subnet and the broadcast address.

reply

6. Pepe says:March 2, 2015 at 1:59 PM

Hi, I have a question regarding pfSense VLAN configuration.When I create VLANs and assign then to a LAN interface, the LAN port becomes a Trunk 802.1Q port, right? in the Trunk port each VLANis tagged according to the ID configured, how can I configure an untagged VLAN?

reply

tjaus says:March 2, 2015 at 4:31 PM

I think you are at the same stage I was in Dec, that is you want to use a NIC on your pfsense box and untag it. Alas, it can’t be done..You need to trunk from pfsense to a switch, then break out the untagged VLAN’s from there. It works great when you do this, trust me:).

As per Glenn on December 31, 2014 at 3:36 PM:just went through the pfSense definitive guide and found no reference there on how to untag a VLAN on an interface in a pfSense box.This means that the option of not having a switch that supports 802.1Q tagging on em2 and em3 will not work.

reply

Glenn says:March 3, 2015 at 2:12 AM

Pepe,

As tjaus replied below, I do not know of a way to modify the native VLAN on a trunk interface configured in pfSense. Furthermore, ifyou are trying to configure an untagged interface in pfSense(access port) then you would have to trunk it to a switch and break it outfrom there.

reply

7. Nathan Wiering says:April 3, 2015 at 11:26 PM





http://terryjwood.wordpress.com/






Excellent Guide. thank you very much, this is greatly appreciated.

reply

8. Kleber says:June 14, 2015 at 9:25 PM

I would like more details on trunk between pfsense with more dynamic VLANs dhcp macbased server and active layer 3 switch with clientsconnected

reply

Glenn says:June 17, 2015 at 12:12 AM

Kleber,

Thanks for the feedback. I will take this into consideration when I write my next article on pfSense. I have been thinking of doing aconfiguration writeup on deploying in VMware ESXi.

reply

9. Ismail Khan says:September 3, 2015 at 2:49 PM

HiHope you will be fine. i have implemented the same solution as you described in this article but i am facing an issue. i have created the Vlan10, 172, 192 and 193 on the pfsense box as well as on my Cisco 3560 L3 switch. DHCP , DNS and internet are working but i cannot pingfrom Vlan 10 host to Vlan 192 or 172 or 193 host. i can ping Vlan 10 gateway from other Vlan like 192 or 193 or 172 this is just becausethese are the interface ip of the vlans but cannot ping host ip from vlan10 to other vlans. In simple words intervlan communication is notworking please help.

Thanks waiting for your reply.

reply

Glenn says:September 4, 2015 at 2:19 AM

Have you created firewall rules under each VLAN interface to allow for communication between VLANs? Can you make sure that it isnot the client side firewall that could be blocking the pings by putting them both in the same VLAN and testing to make sure that theycan talk there before moving them over to separate VLANs?

reply

Ismail Khan says:September 4, 2015 at 12:38 PM

Glenn thanks for reply Today i make changes in Pfsense box. First i changed the LAN ip to none and second i disabled the dhcp on LAN.Then i pinged the PC from VLAN 10 to VLAN 192 but no luck.But surprisingly when i disabled the firewall of both PC’s it started ping reply from both sides:)What was the issue ? Was it physical LAN ip or the Windows Firewall ?

Thanks

reply

Glenn says:September 4, 2015 at 2:54 PM

I think it was windows firewall since it blocks ping by default. Glad you got it solved.

reply

10. blb says:













September 28, 2015 at 12:28 PM

plz how to configure pfsense limit bandwidth per vlan

reply

Sujith Kawashkar says:October 14, 2015 at 5:25 AM

You can install BandwidthD package on pfsense. once installed you can get the tool under services and then configure as per yourrequirement.

reply

11. Sujith Kawashkar says:October 14, 2015 at 5:30 AM

Can I configure the same method using an L3 switch (Cisco catalyst 3750). At present the vlans are configured in the L3 switch and it is thedhcp source. I want to configure Vlans in pfsense and assign them to the interfaces in the switch. Also I want to configure DHCP in for everyVlans. The main objective is to obtain and store the DHCP logs from pfsense.

reply

Glenn says:October 15, 2015 at 9:46 AM

Yes, I have done this before. You just need to configure a trunk port on the Cisco switch that connects to pfSense. On pfSense you haveto tag the VLANs on the interface that leads to your cisco switch.

Regards,

Glenn

reply

12. Pavan Ayyagari says:October 14, 2015 at 3:16 PM

Can I configure the same method using an L3 switch (Cisco catalyst 3750). At present the vlans are configured in the L3 switch and ip routinghas been enabled for inter VLAN ROUTING.I want to configure Vlans in pfsense and assign them to the interfaces in the switch.

reply

Glenn says:October 15, 2015 at 9:48 AM

Yes, I have done this before. You just need to configure a trunk port on the Cisco switch that connects to pfSense. On pfSense you haveto tag the VLANs on the interface that leads to your cisco switch. The access ports on the cisco switch that leads to your client need tohave the VLANs untagged. On pfSense you can setup DHCP for each VLAN. In essence your Cisco L3 router will be performing onlyL2 switching functionality while pfSense will take care of the rest.

Regards,

Glenn

reply

Pavan Ayyagari says:October 15, 2015 at 2:58 PM

Thanks for your advise Glenn. Much appreciate it. I will tried this last night but no luck yet. Below is my setup:I have a cisco catalyst 3750 in which i have created about 6 VLANS, created interfaces for each of them and ip routing has beenenabled. I can ping all VLAN interfaces from the switch thats all good. I am running pfsense as a virtual machine and has twonics to it. One is going to the WAN ( Internet) and one to the LAN with the port group for that vswitch has all VLAN tagged. Icannot attach the picture for more information.So do you advise creating the same VLANS on the pfsense box too and with the same interfaces as the cisco switch? What willbe the default route on the cisco switch? Should that be pointing to the pfsense box? Do i need to add any static route on thepfsense box too pointing to the switch. been struggling for a while on this and any help on this will be greatly appreciated.


https://plus.google.com/115703697377255870489


https://plus.google.com/115703697377255870489









Hope to hear from you soon.

Thanks,Pavan

reply


Since you are running pfSense as a virtual machine with two physical NICs on the server the configuration is a little bitdifferent. One of the physical interfaces on the server must connect to a port on your cisco switch. This port must beconfigured as a trunk port on the switch:

Trunk Configuration:SW1(config)#interface gig #/#

SW1(configif)#Switchport trunk encapsulation dot1qSwitches the encapsulation to 802.1Q

SW1(configif)#Switchport mode trunkchanges the port to a trunk port

SW1(configif)#Switchport trunk allowed vlan {add|all|except|remove}configures which VLANs can be allowed on a trunk. By default, all the VLANs are allowed.

Additionally you can create your VLANs as well:

SW1(config)#vlan #This will create a layer 2 VLAN

SW1(configvlan)#name NAMEHEREAssign a name

SW1(configvlan)#exit

You shouldn’t need to do anything else on the switch besides configure the access ports:

SW1(config)#interface Fastethernet #/#

SW1(configif)#switchport mode accessMake it an access port

SW1(configif)#switchport access VLAN#Assign the VLAN that it belongs to.

Going back to the VMware side of things the next steps will differ if you are using standard virtual switch or distributedvirtual switch. The portgroup that is mapped to the physical NIC on the server which connects to the trunk port on theswitch must be configured for Virtual Guest Tagging. The pfSense virtual ethernet adapter(Known as LAN in pfSense) thatbelongs to this port group is tagging frames and they must be preserved between the VM networking stack and the externalswitch when frames are passed to/from virtual switches. Assuming that you are using Standard Virtual Switch see belowfor how to set this:

To set a standard vSwitch portgroup to trunk mode:

Edit host networking via the Virtual infrastructure Client.

Navigate to Host > Configuration > Networking > vSwitch > Properties.Click Ports > Portgroup > Edit.Click the General tab.Set the VLAN ID to 4095.A VLAN ID of 4095 represents all trunked VLANs.Click OK.

See:

http://kb.vmware.com/selfservice/search.do?cmd=displayKC&docType=kc&docTypeID=DT_KB_1_1&externalId=1004252

for more information.

Your cisco switch will not be doing any routing as this will all happen at the pfSense level. The VLANs on the cisco sidemust match the VLANs on the pfSense side of things or else it won’t work. There is no need for a default route as the ciscoswitch is just a layer 2 device that does not need to do any routing. There is no need for static routes on the pfsense boxeither.

reply



http://kb.vmware.com/selfservice/search.do?cmd=displayKC&docType=kc&docTypeID=DT_KB_1_1&externalId=1004252





Thanks you very much Glenn. Kind of newbie when it comes to networking but trying to get there. Will give this ago in next few days and will let you know the result.

Have a good weekend!

Cheers,Pavan


Hello Glenn,Hope you are well mate. Tried it over the weekend and it worked. Firewall was blocking the ICMP and managed toconfigure the ANY rule and i am back to business. I would like to thank you for all your help.

Cheers,Pavan


Hello Glenn,

Thanks for your help setting up pfsense and VLANS everything working great. I need to introduce one more host andconfigure a cluster for vMotion etc and want to check if i need to setup another pfsense VM on the new host as wellsame as the first host or one firewall should do?Please advise.

Many thanks,Pavan


Pavan,

You should be fine with having one pfSense firewall for the entire cluster. Assuming that the secondary host that youare adding has the same number of interfaces as the first host then you should be good. Make sure that the portgroupthat is mapped to the physical NIC on the first server which connects to the trunk port on the switch that isconfigured for Virtual Guest Tagging also exist on the secondary host. You will need the same port group on thesecondary host and it must be named exactly the same for vMotion to work properly. The port group should have thesame configuration as the existing port group and also on the switch side must be configured as a trunk port.

Regards,

Glenn

13. Pavan Ayyagari says:October 28, 2015 at 6:54 PM

Hello Glenn,

I have introduced second host as per your instructions and it worked. Thank you very much for that. I was looking at Sophos UTM and lookslike it has more features than pfsense and easy to use as well. Do you agree on that? If i want to replace pfsense with Sophos can I follow thesame instructions you have provided for pfsense creating vlans on the layer 2 switch as well as on the sophos UTM and connect them as atrunk ports. Can you please advise how to create VLANS on sophos if possible. Thank you very much for your help till date mate. muchappreciate it!!!

Cheers,Pavan

reply





Terry says:October 29, 2015 at 4:47 AM

Hello Pavan,

I wanted to take the time to reply to this email as I also followed the information here long ago and also moved to a Sophos UTM frompfsense. I’ve gotta say, its the way to go and works very very well. I did find that I had trouble trunking to the UTM and setting one forthe vlans as my DHCP capable wan port. It should have worked but just didn’t. Maybe this has been fixed in later releases. To resolvethis I just broke out the WAN connection at the switch and brought it to my ESX box on a dedicated port and all was well. Trunkingand firewalling all other vlans over a trunk to UTM were no problem at all.

Regards,

Terry

reply

Terry says:October 29, 2015 at 4:53 AM

To continue, my setup https://drive.google.com/file/d/0B5FsI0NIr8KlaTZZZUVxYnNZNHc/view?usp=sharing which was birthed frommy original posts here nearly a year ago with pfsense (which I still have as a backup VM too). A lot of the magic is obviously done inthe UTM VM on my ESX box, but it gives an idea.

reply


Thanks Terry. I did try Sophos last night and it did not work and no too much information over the web as well. Is there anyway ican get configuration screenshots or steps for setting up VLANS inside sophos and allowing internet for those VLANS? I wouldlike to set it up inside ESXI 5.5. My email is [email protected] if you can help here please.Much appreciated.Thanks,Pavan

reply


Pavan,

I don’t have experience setting up the sophos appliance so I can’t help you out :(.

reply

14. Volker says:November 19, 2015 at 12:35 PM

Hello Glenn,

thank you very much for your wonderful configuration report. As I am using a Cisco SG30028 switch in layer 3 mode I would prefer to dothe inter VLAN routing on the switch. I have read that pfsense is able to manage this scenario and that you should create another VLAN forinternet connection taht ist routed by pfsense. Unfortunately I have actually no idea how to do this so far. It would be great if you could helpme with the issue.

Best regards,

Volker

reply

Glenn says:November 23, 2015 at 1:48 AM

If you have the switch configured for inter VLAN routing and connect pfSense to it then the only way for you to actually make this


https://drive.google.com/file/d/0B5FsI0NIr8KlaTZZZUVxYnNZNHc/view?usp=sharing


mailto:[email protected]








work is to install the RIP or OSPF routing packages on the pfSense box. If this is a small home/office scenario going with RIP makessense since it simple to configure. You would use the same routing protocol on the switch side and create a neighbor relationship. Onyour switch side you can create a static default route to send everything on to the pfSense box in order to keep things simple.

Regards,

Glenn

reply

15. veig says:November 25, 2015 at 12:16 PM

Works with Netgear switches.

Big thanks and very useful guide.Long life to the author Regards,Veig.

reply

16. NetSys Pro says:December 6, 2015 at 6:39 AM

Hello,

Just 1 question: I haven’t read all the comments, so apologies if this has been addressed, but after you’ve configured the VLANs, do youdisable the default LAN interface on pfSense?

Thank you.

reply


Sure, if you are not using it then there shouldn’t be any issues.

reply

Leave a Reply

Enter your comment here...

Search

Search

Recent Posts

Disk Benchmark Part 1 April 30, 2015ZFS iSCSI LUN MPIO Setup Windows Server January 31, 2015vSphere Upgrade Process October 31, 2014ZFS FTPD Configuration August 31, 2014Configuring VLANs on pfSense June 29, 2014

Recent Comments

Build Your Own VPN. Browse Securely from Anywhere Vpn Tunnel on Configuring OpenVPN on pfSenseGlenn on Configuring OpenVPN on pfSensemadhusudankh on Configuring OpenVPN on pfSenseNovuz on Configuring OpenVPN on pfSenseGlenn on Configuring OpenVPN on pfSense






https://www.highlnk.com/2015/04/disk-benchmark-part-1/

https://www.highlnk.com/2015/01/zfs-iscsi-lun-mpio-setup-windows-server/

https://www.highlnk.com/2014/10/vsphere-upgrade-process/

https://www.highlnk.com/2014/08/zfs-ftpd-configuration/

https://www.highlnk.com/2014/06/configuring-vlans-on-pfsense/

http://vpntunnel.gq/build-your-own-vpn-browse-securely-from-anywhere/

https://www.highlnk.com/2013/12/configuring-openvpn-on-pfsense/comment-page-2/#comment-381



http://gravatar.com/madhusudankh







Archives

April 2015 (1)January 2015 (1)October 2014 (1)August 2014 (1)June 2014 (1)April 2014 (1)February 2014 (1)December 2013 (2)November 2013 (2)October 2013 (3)September 2013 (2)August 2013 (1)July 2013 (1)June 2013 (1)May 2013 (2)February 2013 (1)January 2013 (2)

Meta

Log inEntries RSSComments RSSWordPress.org

License

Creative Commons LicenseHighlnk Blog by Glenn is licensed under a Creative Commons AttributionShareAlike 3.0 Unported License.

Powered by WordPress | Designed by Elegant Themes

https://www.highlnk.com/2015/04/

















https://www.highlnk.com/wp-login.php

https://www.highlnk.com/feed/

https://www.highlnk.com/comments/feed/

https://wordpress.org/

http://creativecommons.org/licenses/by-sa/3.0/deed.en_US


http://creativecommons.org/licenses/by-sa/3.0/deed.en_US

http://www.wordpress.com/

http://www.elegantthemes.com/

configuring vlans on pfsense · pdf fileour pfsense router we will configure our lan port with...

Documents