Netgate Discussion Forum
    PfSense VLAN setup

    Scheduled Pinned Locked Moved Routing and Multi WAN
    4 Posts 3 Posters 5.3k Views
    stevewm

      At my workplace we are bound by "PCI Compliance" rules as set forth by the credit card industry…

      To make ourselves compliant, our wireless network needs to be segmented off from our main network.

      Could someone take a look at this setup and see if you see any problems:

      Wireless AP with 3 SSIDs, each SSID has its own VLAN (2, 3, and 4). AP is plugged into a dumb switch (which will pass VLAN tags) along with a few other PCs that will be sending untagged traffic. The AP will be sending only tagged traffic.

      Dumb switch is connected to a Netgear L3 switch. This port on the Netgear is configured as a member of VLANs 2,3,4 and a default PVID/VLAN of 1 for the untagged traffic.  PVID 1 is the default LAN which all other ports are on.

      PFSense box will have a 3rd NIC, with 3 virtual interfaces configured, one for each VLAN (the physical interface itself is NOT assigned so it will ignore untagged traffic).

      PFSense box is connected to the Netgear L3 switch, port is configured as a member of 2, 3, and 4. Default PVID/VLAN is 50, which is unused. This is so untagged traffic, should it arrive here, will go nowhere.

      My understanding is that only tagged traffic from the AP will be able to reach the PFSense box, and vice versa, while the untagged PCs connected to the dumb switch will continue to operate on the default network (PVID 1) as usual. Untagged traffic should never arrive at the port going to the PFSense box, and ditto in the other direction.

      I've attached a quick Dia diagram below:

      Diagram1.png
      kc8apf

        Everything you have said is true.  The only problem with that configuration is the use of a dumb switch to pass both tagged and untagged traffic.  This allows those PCs to be part of any of those networks and potentially bridge across them.  Replacing the dumb switch with a managed switch will ensure that a rogue PC can't violate your policies.  You'd set the port VID for the PCs to 1, the port VID for the AP to 50 and make it a member of VLANs 2, 3, and 4.  The upstream port should be a member of 1, 2, 3, and 4.

        jimp (Rebel Alliance Developer, Netgate)

          It does look sane except for the inclusion of the unmanaged switch. That's just asking for trouble in this day and age; people can set a VLAN tag on their network card directly in that case and hop onto whichever VLAN they want.

          You can get a cheap 8-port managed switch, even gigabit, that supports VLANs, for about $100 or so. It's not worth the risk of including an unmanaged switch.

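          The two replies above both turn on the same 802.1Q detail: a port classifies an untagged frame into its PVID and accepts a tagged frame only if it is a tagged member of that VLAN, and an unmanaged switch applies no such rule at all. The following added example (not code from the original thread or from Netgate) models that rule and floods a frame through the topology from the first post, once with the dumb switch and once with the managed replacement kc8apf describes. Switch names ("netgear", "access"), port names and the PVID 0 used for unmanaged ports are assumptions chosen to mirror the diagram.

```python
"""Model 802.1Q port rules (PVID + tagged membership) and flood a frame
through a small topology to see which VLAN reaches the pfSense port.
Added example; switch/port names are assumptions, not from the thread."""
from dataclasses import dataclass, field


class _AllVlans:
    """Membership set of an unmanaged (dumb) port: any tag passes unchanged."""
    def __contains__(self, vid):
        return True


ALL = _AllVlans()
DROP = object()  # sentinel: the port does not forward this frame


@dataclass(frozen=True)
class Port:
    switch: str
    name: str
    pvid: int                      # VLAN assigned to untagged ingress frames
    tagged: object = frozenset()   # VLANs accepted / sent with an 802.1Q tag

    @property
    def key(self):
        return (self.switch, self.name)


@dataclass
class Network:
    ports: dict = field(default_factory=dict)   # port key -> Port
    links: dict = field(default_factory=dict)   # port key -> peer port key

    def add(self, port):
        self.ports[port.key] = port
        return port

    def link(self, a, b):
        self.links[a.key], self.links[b.key] = b.key, a.key

    @staticmethod
    def ingress_vid(port, tag):
        """Classify an arriving frame; None means the port drops it."""
        if tag is None:
            return port.pvid
        return tag if tag in port.tagged else None

    @staticmethod
    def egress_tag(port, vid):
        """Wire tag when leaving `port`: None = untagged (native), DROP = not sent."""
        if vid == port.pvid:
            return None
        return vid if vid in port.tagged else DROP

    def deliveries(self, src, tag):
        """Flood a frame entering at `src` with wire tag `tag` (None = untagged).
        Returns {(port_key, wire_tag)} for each edge port that hands it to a device."""
        delivered, seen, work = set(), set(), [(src.key, tag)]
        while work:
            pkey, wire_tag = work.pop()
            if (pkey, wire_tag) in seen:
                continue
            seen.add((pkey, wire_tag))
            port = self.ports[pkey]
            vid = self.ingress_vid(port, wire_tag)
            if vid is None:
                continue
            for out in self.ports.values():
                if out.switch != port.switch or out is port:
                    continue
                out_tag = self.egress_tag(out, vid)
                if out_tag is DROP:
                    continue
                peer = self.links.get(out.key)
                if peer is None:
                    delivered.add((out.key, out_tag))   # edge port: device receives
                else:
                    work.append((peer, out_tag))        # cable to another switch
        return delivered


def build(access_switch_managed):
    """Thread topology. False = dumb switch from the first post between AP/PCs and
    the Netgear; True = the managed replacement (PC port PVID 1, AP port PVID 50
    tagged 2/3/4, uplink carrying 1 untagged and 2/3/4 tagged)."""
    net, trunk = Network(), frozenset({2, 3, 4})
    net.add(Port("netgear", "lan-pc", pvid=1))
    to_access = net.add(Port("netgear", "to-access", pvid=1, tagged=trunk))
    net.add(Port("netgear", "to-pfsense", pvid=50, tagged=trunk))  # PVID 50 unused on purpose
    if access_switch_managed:
        uplink = net.add(Port("access", "uplink", pvid=1, tagged=trunk))
        net.add(Port("access", "ap", pvid=50, tagged=trunk))
        net.add(Port("access", "pc", pvid=1))
    else:  # unmanaged: no PVID, every tag accepted and re-emitted as-is
        uplink = net.add(Port("access", "uplink", pvid=0, tagged=ALL))
        net.add(Port("access", "ap", pvid=0, tagged=ALL))
        net.add(Port("access", "pc", pvid=0, tagged=ALL))
    net.link(uplink, to_access)
    return net


def reaches_pfsense(net, src_key, tag, vid):
    """True if a frame sent with `tag` by the device on `src_key` arrives at the
    pfSense port carrying VLAN `vid` (None = untagged, i.e. the unassigned parent NIC)."""
    return (("netgear", "to-pfsense"), vid) in net.deliveries(net.ports[src_key], tag)


if __name__ == "__main__":
    for managed in (False, True):
        net = build(managed)
        print("managed" if managed else "dumb", "access switch:",
              "AP tag 3 ->", reaches_pfsense(net, ("access", "ap"), 3, 3),
              "| PC untagged ->", reaches_pfsense(net, ("access", "pc"), None, None),
              "| rogue PC tag 2 ->", reaches_pfsense(net, ("access", "pc"), 2, 2))
```

          With the dumb switch the model confirms the first post's reasoning for well-behaved hosts (untagged PC traffic never reaches the pfSense port) and also the hole both replies point out: a PC that tags its own frames with VID 2 is delivered to pfSense's VLAN 2 interface, because the dumb switch never checks membership and the Netgear trunk port accepts 2, 3 and 4 from it. With the managed replacement the same frame is dropped at the PC's port, which is a member of VLAN 1 only.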
            stevewm

            Ah! Hadn't even thought of that! I'll grab an 8-port managed Netgear then :)

            I passed the setup by our "PCI auditor" and he approved it, and didn't catch the unmanaged switch either, useless auditor…

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.