Netgate Discussion Forum

    VLAN clarification please

    • detox

      Hello All!

      OK, I've been reading on how to use VLANs with pfSense and need clarification for my puny brain housing group to assimilate the docs.
      What I am reading (I think) is that pfSense does not govern or set up VLANs. A managed switch does that, and pfSense just accepts what the managed switch has configured?
      Or am I reading this wrong?
      I have several small departments in one office that need to share the internet (1 connection, DSL) and I need to keep all of them separate, but allow the printer to be shared across all 3 departments.
      So, I'd have VLAN 100 for dept 1; VLAN 200 for dept 2; and VLAN 300 for dept 3. VLAN 1 (main trunk) would be where the printer is.

      Does that sound right? Once all of this is working correctly, I can configure my pfSense box (1 LAN, 1 WAN) to accept the VLANs from my managed switch?

      Thanks so much for any help on this

      • Derelict LAYER 8 Netgate

        You create VLANs in Interfaces > (assign). If you assign a pfSense interface to VLAN XXX on eth0 it will be tagged with that VLAN on eth0.

        You need to understand tagged vs. untagged ethernet ports to be able to successfully administer this.

        If you want VLANs 100, 200, and 300 on pfSense you can:

        Put separate ethernet interfaces into untagged switch ports on VLANs 100,200,300.

        Create pfSense VLAN interfaces on 100,200,300 on one interface and patch that to a tagged switch port.

        Any combination of the above.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        • Qinn

          Yes, you create the VLANs in pfSense and use a (smart) managed switch to channel them. For example, you could create a VLAN only for your printer, give it its own port on your managed switch, and set the firewall rules in pfSense so that it can be accessed by the other VLANs.

          Hardware: Intel(R) Celeron(R) J4125 CPU @ 2.00GHz 102 GB mSATA SSD (ZFS)
          Firmware: Latest-stable-pfSense CE (amd64)
          Packages: pfBlockerNG devel-beta (beta tester) - Avahi - Notes - Ntopng - PIMD/udpbroadcastrelay - Service Watchdog - System Patches

          • johnpoz LAYER 8 Global Moderator

            It's not so much that either pfSense or the switch creates the VLAN; they both need the VLAN info to be able to work together. If the VLAN is untagged, pfSense has no clue that it's in a VLAN; it's just traffic it sees. You control what untagged VLAN that pfSense interface sees in the switch.

            If you're sending tagged VLANs to a pfSense interface, then yes, pfSense needs to know what IDs are which.

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.11 | Lab VMs 2.7.2, 24.11
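
The tagged vs. untagged distinction discussed in this thread, as an added example that is not part of any post and is not pfSense or switch code: it builds constructed Ethernet frames, reads the 802.1Q tag, and applies a simplified port model using the thread's VLAN IDs 100, 200 and 300. The `classify` function, its port modes and the MAC addresses are assumptions made for illustration.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q tag

# Constructed sample addresses (not from the thread)
DST = bytes.fromhex("ffffffffffff")
SRC = bytes.fromhex("020000000001")

def build_frame(ethertype, payload, vlan_id=None, pcp=0):
    """Build a constructed Ethernet frame; add an 802.1Q tag if vlan_id is set."""
    header = DST + SRC
    if vlan_id is not None:
        if not 1 <= vlan_id <= 4094:
            raise ValueError("VLAN ID must be 1..4094")
        tci = (pcp << 13) | vlan_id  # PCP (3 bits) | DEI (1 bit, 0) | VID (12 bits)
        header += struct.pack("!HH", TPID_8021Q, tci)
    return header + struct.pack("!H", ethertype) + payload

def parse_vlan(frame):
    """Return (vlan_id or None, payload EtherType) for one frame."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != TPID_8021Q:
        return None, ethertype       # untagged: the frame carries no VLAN info
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, inner = struct.unpack_from("!HH", frame, 14)
    return tci & 0x0FFF, inner       # low 12 bits of the TCI are the VLAN ID

def classify(frame, port_mode, access_vlan=None, allowed=()):
    """Simplified model (assumption): which VLAN a receiving port puts a frame in.

    Returns the VLAN ID, or None when this model does not accept the frame.
    """
    vid, _ = parse_vlan(frame)
    if port_mode == "untagged":
        # Membership comes from the port's configuration, not from the frame.
        return access_vlan if vid is None else None
    if port_mode == "tagged":
        # The receiver must already know the ID, or it has nowhere to deliver it.
        return vid if vid in allowed else None
    raise ValueError("port_mode must be 'tagged' or 'untagged'")

if __name__ == "__main__":
    dept_vlans = {100, 200, 300}
    plain = build_frame(0x0800, b"constructed payload")
    tagged = build_frame(0x0800, b"constructed payload", vlan_id=200)
    print(parse_vlan(plain), classify(plain, "untagged", access_vlan=100))
    print(parse_vlan(tagged), classify(tagged, "tagged", allowed=dept_vlans))
```
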

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.