• Hello,

    Currently I have 2 physical NIC cards, one for WAN (from ISP) and the other one for LAN (to your D-Link switches).

    Considering I need to create 2 VLANs for our corporate network, do I need to add an extra NIC card to cater for the guest VLAN option?


    My end goal is to have two VLANs (corporate and guest). I had created a sub-interface under the LAN em1 interface on the pfSense and configured VLAN 10 (corporate) and 20 (guest) on the VLAN as well.

    I had done the same on the D-Link switches. The issue was that for ports tagged to VLAN 20, once I plug in a cable there, the device doesn't pick an IP address as defined in the guest interface, as configured on the DHCP server on the guest VLAN…

  • Provided your switch supports VLANs you create two VLAN tags bound to the one interface and then assign these to two 'virtual' NICs. I've done this myself for my two internal LANs and it works fine. You can find this under Interfaces -> assign. Create the VLANs under the VLANs tab and assign them a created interface under the Interface assignments tab.

  • If your switch does not support multiple VLANs on one interface, you may have to set it to trunk mode and follow the suggestion of muswellhillbilly.

  • I have created VLAN 20 as the guest interface, and under assign I have assigned it under guest 20 on em1; em1 is the LAN interface.

    I have created VLAN 20 on the switches as well. The switches are D-Link DES models. On the VLAN 20 guest interface I have enabled DHCP for clients connected to that VLAN.

    The cable that goes from pfSense to the switch connects to port 24 on the D-Link switch. I have made port 24 a trunk port (under VLAN trunk settings in the D-Link switches).

    The issue is this: if I tag port 21 on VLAN 20 on the switch and connect a laptop to that port, it doesn't pick the DHCP range specified on the pfSense; instead it picks the normal office IP addresses.

    What could I be missing?

  • Sounds like a switch misconfiguration. If you're running multiple VLANs on your em1 interface on the PFS, you need to be sure that port 24 on your switch is tagged with whatever VLAN IDs you need the guest and office LANs to use. To start with, make sure your PFS can ping an IP on the VLAN20 network. My guess is it probably can't, otherwise your client would be able to pick up a DHCP address correctly.

  • Thanks for your reply.

    Seems it worked in a way. For port 24, I tagged it with VLAN 10 & 20. I connected a machine via LAN to port 21 and I untagged it (port 21) on VLAN 20.

    It got the IP from the pfSense  ;D .

    Now I can access the internet on that machine, but I don't need it to access anything else. As it is now, I can ping other clients which are in our corporate network, so I need to restrict access to the other VLAN, where the printers, servers and everything else is…. I will appreciate help on this.

    2nd thing is, I have like 5 switches. For the ports where the switches connect to each other, do I tag them as well with all the VLANs I have? I.e. switch 1 port 9 connects to switch 2 port 23... for these two ports in different switches, do I tag them with all the VLANs in place (guest and office)?


  • Restricting access from one VLAN to another is something you do on your own particular switch. The firewall simply needs the VLAN(s) set that you want the other parts of the network to reach.

    Answer to second question: Yes, your connections from switch to switch do need to have all VLANs tagged on those connecting interfaces.

  • Thanks.

    How can I restrict access from one VLAN to the other? I need it such that clients connected to the guest VLAN cannot even ping the corporate network.
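
Added example, not part of any post in this thread: a small Python check of the tagging rules discussed above (the uplink port 24 and every switch-to-switch port must carry all VLAN tags, and access ports such as port 21 are untagged in their VLAN). The port tables are constructed; the switch names `sw1`/`sw2` and the access port `("sw2", 5)` are assumptions.

```python
from collections import deque

# Constructed port tables: "untagged" is the access VLAN, "tagged" the trunked VLANs.
# Switch names sw1/sw2 and port ("sw2", 5) are assumptions for illustration.
PORTS = {
    ("sw1", 24): {"untagged": None, "tagged": {10, 20}},  # uplink to pfSense em1
    ("sw1", 21): {"untagged": 20, "tagged": set()},       # guest access port
    ("sw1", 9): {"untagged": None, "tagged": {10, 20}},   # link to sw2
    ("sw2", 23): {"untagged": None, "tagged": {10}},      # link to sw1, VLAN 20 missing
    ("sw2", 5): {"untagged": 20, "tagged": set()},        # guest access port on sw2
}
LINKS = [(("sw1", 9), ("sw2", 23))]
UPLINK = ("sw1", 24)


def missing_tags(ports, links, vlans):
    """List (port, vlan) pairs where a switch-to-switch port lacks a required tag."""
    return [(end, v) for link in links for end in link
            for v in sorted(vlans) if v not in ports[end]["tagged"]]


def reaches_firewall(ports, links, uplink, access_port):
    """True if the access port's VLAN is carried tagged along some path to the uplink."""
    vlan = ports[access_port]["untagged"]
    if vlan is None or vlan not in ports[uplink]["tagged"]:
        return False
    seen, queue = {access_port[0]}, deque([access_port[0]])
    while queue:
        switch = queue.popleft()
        if switch == uplink[0]:
            return True
        for a, b in links:
            # A tagged frame crosses a link only if both ends carry the tag.
            if vlan in ports[a]["tagged"] and vlan in ports[b]["tagged"]:
                for near, far in ((a, b), (b, a)):
                    if near[0] == switch and far[0] not in seen:
                        seen.add(far[0])
                        queue.append(far[0])
    return False


if __name__ == "__main__":
    print("missing tags:", missing_tags(PORTS, LINKS, {10, 20}))
    for port in [("sw1", 21), ("sw2", 5)]:
        print(port, "reaches pfSense:", reaches_firewall(PORTS, LINKS, UPLINK, port))
```

With the constructed tables, the guest port on the second switch never reaches the guest interface on pfSense because one end of the inter-switch link is not tagged for VLAN 20.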
