Multiple VLANS across physical Interfaces

  • I am trying to set up a pfSense box that has 4 physical Interfaces (em0 - em3). The first Interface (em0) goes to the Internet. The second (em1) and third (em2) Interfaces go to separate managed switches. Each of these switches has various VLANs configured, but for the ease of describing my problem let's limit it to 3 VLANs (VLAN2, VLAN3 and VLAN4). We are using the pfSense firewall for all DHCP services.

    NOTE: We will also be adding a third switch on the fourth (em3) interface that will only need access to the other 2 switches via VLAN3.

    What I need to do is have all three VLANs traverse to the Internet and have VLAN3 traverse between switches via the firewall. I also would like PC1 and PC2 to be able to pull from the same DHCP server.

    I was able to create the VLANs for VLAN2 and VLAN4 and route these to the Internet. I am having issues correctly setting up VLAN3 between the 2 different interfaces while still using the same DHCP service and Firewall RULES. It seems that I have to handle these under separate Interfaces.

                 -----              -----
                | PC1 |            | PC2 |
                 -----              -----
                   |                  |
              -----------        -----------
             | Switch #1 |      | Switch #2 |
              -----------        -----------
             VLan   \                /  VLan
             2 & 3   \              /    3 & 4
                      \ em0    em1 /
                      | pfSense FW |
                       ------------
                         | Modem |

    Any thoughts would be helpful.

  • You can have each VLAN on one physical interface/trunk only in pfSense.
    Put a managed core-switch in front of your pfSense and distribute the VLANs on dedicated trunks to each access-switch.

  • LAYER 8 Global Moderator

    Yeah, that is not how you would do that.

    Use a switch to distribute the VLANs to access switches. The connection to pfSense can be a trunk with all the VLANs on it, or from the distribution switch you can have uplinks for every VLAN to physical, or mix and match depending on what your inter-VLAN traffic will be - you wouldn't want inter-VLAN traffic having to hairpin, etc.
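    The rule both replies rely on is that pfSense binds each 802.1Q VLAN interface to exactly one parent (physical) interface, so a VLAN that arrives on two parents becomes two separate layer-3 segments, each with its own subnet, DHCP scope and rule set. The following Python check is an added illustration, not code from the thread or from the pfSense project: it takes a list of (parent interface, VLAN IDs carried on that port) pairs, works out which pfSense VLAN interfaces would have to exist, and flags any VLAN ID competing for more than one parent. The interface names em1/em2 and the VLAN sets are taken from the question; the function names and the two constructed layouts (direct attachment versus a distribution switch trunking everything to one port) are assumptions made for the example.

```python
"""Check a pfSense VLAN layout against the one-parent-per-VLAN rule.

Added example (not from the thread). Each (parent, vlan) pair is a separate
pfSense interface; a VLAN that needs two parents cannot share one DHCP
scope or one firewall rule set, which is the problem described above.
"""
from collections import defaultdict


def plan_vlan_interfaces(links):
    """links: list of (parent_interface, set_of_vlan_ids_on_that_port).

    Returns (interfaces, conflicts):
      interfaces - sorted list of (parent, vlan) pfSense VLAN interfaces
                   that the layout would require
      conflicts  - {vlan_id: [parents]} for every VLAN ID that would need
                   more than one parent, i.e. cannot be one interface
    """
    parents_by_vlan = defaultdict(set)
    for parent, vlans in links:
        for vid in vlans:
            if not 1 <= vid <= 4094:          # valid 802.1Q tag range
                raise ValueError(f"invalid 802.1Q VLAN id {vid}")
            parents_by_vlan[vid].add(parent)
    interfaces = sorted((p, v) for v, ps in parents_by_vlan.items() for p in ps)
    conflicts = {v: sorted(ps) for v, ps in parents_by_vlan.items() if len(ps) > 1}
    return interfaces, conflicts


def dhcp_scopes_needed(links):
    """Every (parent, vlan) interface is its own L3 segment and needs its
    own DHCP scope, so a VLAN split over two parents costs two scopes."""
    interfaces, _ = plan_vlan_interfaces(links)
    return len(interfaces)


# Constructed layout from the question: switch #1 on em1 carries VLANs 2
# and 3, switch #2 on em2 carries VLANs 3 and 4, so VLAN 3 hits two parents.
DIRECT_ATTACH = [("em1", {2, 3}), ("em2", {3, 4})]

# Constructed layout from the replies: a distribution switch trunks all
# VLANs to pfSense on em1 and fans them out to the access switches itself,
# so VLAN 3 traffic between the switches never has to hairpin through
# the firewall and each VLAN is one interface with one DHCP scope.
CORE_SWITCH = [("em1", {2, 3, 4})]

if __name__ == "__main__":
    for name, links in (("direct attach", DIRECT_ATTACH), ("core switch", CORE_SWITCH)):
        ifs, conflicts = plan_vlan_interfaces(links)
        print(f"{name}: interfaces={ifs} conflicts={conflicts} "
              f"dhcp_scopes={dhcp_scopes_needed(links)}")
```

    Running it prints a conflict on VLAN 3 for the direct-attach layout (four interfaces, four DHCP scopes) and no conflict for the core-switch layout (three interfaces, three scopes). The third switch mentioned in the question, which only needs VLAN 3, adds nothing on the pfSense side in the core-switch design: it hangs off the distribution switch on a VLAN 3 port.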

