pfSense VLAN configuration with Netgear GS724Tv3 and Asus RT-AC3200 on Tomato
For some time, I've been running the three devices in the title quite happily in my home network.
pfSense handles all of the routing duties. It has a dual NIC, and one port is connected to the LAN and the other creates a PPPoE connection to my ISP.
The pfSense router also creates 3 x OpenVPN connections to PIA (London, Netherlands and US access points). Client routing to the VPN interfaces is based on firewall rules and determined by client IP address. I use static DHCP mappings and then aliases which I use to determine if a client's traffic should go via VPN interface or straight to the WAN via my ISP.
The RT-AC3200 is simply used as a wireless access point, and does no routing duties at all.
The GS724T is pretty much in its default configuration, as I've never needed to change anything to get the functionality I need.
I've now decided that I'd like to add the following functionality to my network:
Have virtual SSIDs on the RT-AC3200 (WIFI-NOVPN, WIFI-VPN and GUEST). As the names suggest, clients connected to these SSIDs should be routed via the ISP WAN interface, one of the VPN interfaces, or simply have guest access and not be able to see any of the rest of my network.
In order to achieve this, I figured that VLANs were the way to go. I was thinking of having the following:
VLAN 10 - GUEST network - 192.168.10.x
VLAN 20 - WIFI-NOVPN - 192.168.20.x
VLAN 30 - WIFI-VPN - 192.168.30.x
pfSense would act as DHCP server for each of these subnets.
For the guest network, clients connecting to this SSID should have no access to the rest of my network.
For the NOVPN and VPN SSIDs, access to other subnets should be allowed (all other machines are on 192.168.0.x).
pfSense is on 192.168.0.1, RT-AC3200 is 192.168.0.254, GS724T is 192.168.0.253.
Right now, I've only tried configuring the guest network, as I thought to keep it as simple as possible initially.
I followed the instructions here:
https://learntomato.com/setup-guest-network-guest-wifi-tomato-vlan/ in order to configure the GUEST WiFi VLAN on the RT-AC3200.
The only differences are that I did not enable the DHCP server on the RT-AC3200, as this load will be carried by pfSense, and I set the AC3200 to 192.168.10.2 on the new LAN segment (pfSense will be 192.168.10.1).
Next, I followed the instructions here:
for creating my VLANs on pfSense.
I followed these instructions exactly.
At this point, I believe that pfSense is configured to have VLAN 10 on 192.168.10.x subnet, has the IP address 192.168.10.1, has DHCP server enabled and has a firewall rule to send all traffic on VLAN 10 out of the ISP WAN interface.
The point where I'm stuck is configuring the Netgear switch. The pfSense router is connected to port 24 on the switch and the RT-AC3200 to port 23.
Port 23 needs to continue passing untagged traffic from my 192.168.0.x subnet, should pass tagged VLAN 10 traffic to port 24, but not pass it to any other ports.
I believe port 24 needs to behave in a similar fashion.
I'd really appreciate some advice on how to configure the Netgear, as everything I've tried hasn't worked.
I've currently configured it as follows:
This configuration still allows untagged traffic to pass successfully, but it is not allowing any traffic on VLAN10 to pass to pfSense from the RT-AC3200.
I'd really appreciate some advice on how to configure things to get the functionality I'm looking for.
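
The port behaviour the post asks for on ports 23 and 24, modelled with generic 802.1Q membership and PVID rules. This is an added example, not part of the original post and not Netgear configuration syntax; it assumes the untagged 192.168.0.x LAN is VLAN 1, and the names `Port`, `build_switch` and `forward` are hypothetical.

```python
from dataclasses import dataclass, field

LAN_VLAN = 1      # assumption: the untagged 192.168.0.x LAN is VLAN 1
GUEST_VLAN = 10   # from the post


@dataclass
class Port:
    pvid: int                                   # VLAN given to untagged ingress frames
    tagged: set = field(default_factory=set)    # VLANs carried with an 802.1Q tag
    untagged: set = field(default_factory=set)  # VLANs carried without a tag


def build_switch():
    """24 ports, all untagged LAN members; ports 23 and 24 also tagged for guest."""
    ports = {n: Port(pvid=LAN_VLAN, untagged={LAN_VLAN}) for n in range(1, 25)}
    for trunk in (23, 24):          # 23 = RT-AC3200, 24 = pfSense (from the post)
        ports[trunk].tagged.add(GUEST_VLAN)
    return ports


def forward(ports, ingress, tag=None):
    """Return {egress_port: 'tagged' | 'untagged'} for a flooded frame."""
    src = ports[ingress]
    vlan = src.pvid if tag is None else tag
    # Ingress filtering: drop frames for a VLAN the ingress port is not in.
    if vlan not in src.tagged | src.untagged:
        return {}
    out = {}
    for n, p in ports.items():
        if n == ingress:
            continue
        if vlan in p.tagged:
            out[n] = "tagged"
        elif vlan in p.untagged:
            out[n] = "untagged"
    return out


if __name__ == "__main__":
    sw = build_switch()
    print("guest frame from AP ->", forward(sw, 23, tag=GUEST_VLAN))
    print("LAN frame from AP   ->", len(forward(sw, 23)), "ports")
    print("guest tag on port 5 ->", forward(sw, 5, tag=GUEST_VLAN))
```

In this model, removing VLAN 10 from port 24's tagged set makes `forward(sw, 23, tag=GUEST_VLAN)` return an empty result while untagged LAN traffic still floods normally.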