Templating for VLANs / DHCP / rules etc



  • Hi guys

    My topic is both a "how do you do it" and maybe a feature or package idea :
    For some hotels we work for we wanna do a system where each room has a VLAN. They'd all have the same rules but of course different IP ranges

    Currently - as far as I know - you can do that on a one by one basis or maybe by managing to create a configuration generator for Pfsense that would create the appropriate VLANs / DHCP / DNS / Firewall rules . What I would love is to have a templating system which can keep some parts of the configuration unique for each VLAN and maintain some other global settings that would apply to each room's VLAN

    Would you approach this differently ? or think it would be useful to have templating in Pfsense?

    Thanks :)  8)

    Gonzague



  • What are the reasons for wanting to VLAN things out? That solution doesn't scale well and carries a lot of overhead. VLANs are not for isolation or security, they are for segregation. And much like public toilets, segregation can be jumped.

    Is there some reason why you don't want all of your rooms on the same VLAN (or at most break down by building, or by floor) and just use the firewall rules to block attempts to communicate within the network (except the gateway of course)? That'll give you better isolation than an VLAN would.


  • LAYER 8 Global Moderator

    "VLANs are not for isolation or security"
    "just use the firewall rules to block attempts to communicate within the network"

    Huh??  Vlans are very much so for isolation and security ;)  When your route the vlans through a firewall like pfsense, or via a L3 switch with ACL's applied..

    How exactly is the firewall (pfsense) going to stop devices in the same network/vlan from talking amongst themselves?

    While I agree with your does not scale well statement, and breaking vlans down to buildings or floors makes more sense for scaling..  The rest doesn't make much sense.

    So how many rooms are you talking?  Isolation of each room to their own vlan in say a hotel with 100's as stated doesn't scale well.  Little B&B with handful of rooms ok.. Normally in hotels your guests access would be via wifi.. How are you going to deploy a different vlan to each room via wifi?  Or is there only wired in these rooms?  Is each room going to have their own AP?  This does not scale well either and can be an issue for interference.

    So your example of hotel rooms doesn't seem to make a lot of sense for a template of rules, etc.  And dhcp seems to be out in left field.. What rules are you wanting to do for dhcp on each vlan?  Pfsense out of the box when you enable dhcp on an interface/vlan will create the hidden rules needed to allow for it to be the dhcp server.

    So I take it you are more meaning the template of the actual dhcp settings?

    So all of the settings in pfsense are stored in XML..  Lets say you needed to setup a 100 vlans.. I would prob just manipulate the xml and then restore it.. This could be done for firewall rules, dhcp settings, etc. etc.

    Other option for firewall rules would be to just use the floating tab to apply the rules to the interfaces you want and right them in such a way to do what your looking to do..

    To be honest.. Normally in a network with 100's of vlans pfsense wouldn't be leveraged as dhcp or firewalling between.. In such a large network pfsense roll to me is better suited as the edge router.. Sure I guess you could use it as your core router, etc.  But hardware doesn't scale well for a network with 100's of vlans.. The routing of such a network is normally done with a core L3 switch that can have 100's of switch interfaces to connect all these vlans together..  Vs hundreds of vlans all on the same limited number of interfaces you have in typical router/firewall that pfsense would be used for.

    Maybe at some point in the future pfsense will be better suited to run on network core or distribution layer hardware.  So while on small or medium sized network it can work both as edge, core and or distribution and even access layer.. What hardware are you planning on running pfsense on that would scale to 100's of vlans?

    In a hotel that you wanted to have 100's of vlans pfsense for sure could be the edge device to the internet or other hotel locations/networks/etc  But doesn't seem to make a lot of sense to use it as your core/distribution layer router.. Use a L3 with ACLs for your intervlan traffic.  With lots of vlans and wanting to run dhcp - this would be better suited with different dhcp running that allows for multiple scopes, etc.  Easy to manage that way. Pfsense would then be connected to your downstream L3 switches via transit network(s) depending on how many different L3 you had in this large network with 100s of rooms and vlans.



  • VLANs are not for isolation or security, they are for segregation. And much like public toilets, segregation can be jumped.

    VLANs can't be jumped if there's no tagged traffic in the wire you're connected to which is the case if you do VLAN setup with a VLAN capable switch properly and use a trunk port with tagged only traffic and all of the client ports as untagged.


  • LAYER 8 Global Moderator

    @kpa not sure I would say "can't" be jumped ;)  There are plenty of attacks on vlans, etc..  But fully agree that normally this is not the case, and when done correctly is very secure.  And yes the switch(es) your using and the config on them play a vital role in how hard or easy it might be to "jump" vlans..



  • That's why I said "when there is no tagged traffic", if there's no VLANs you can access directly there is no attack surface.


  • LAYER 8 Global Moderator

    Ah agree if there is no tagged traffic anywhere and your using fully different physical hardware for your different vlans then sure it would be impossible to jump.  But normally there would be tagged traffic on the uplinks between switches and or switch and AP or router, when you have to carry multiple vlans over the same wire.

    We are in agreement just debating over semantics I guess ;)


  • Banned

    @johnpoz:

    …hundreds of vlans all on the same limited number of interfaces you have in typical router/firewall that pfsense would be used for...

    Just asking out of curiosity.
    Given that the average pfSense box has between 2-5 physical interfaces, would adding more NICs make it scale up to 100's of VLANs for this application?

    Even celerons usually support 6 PCIe v2.x+ lanes, there are riser cards with four PCIe v2.x+ outputs. So if you needed to you could cram 16 physical gigabit interfaces onto a board.

    Would doing this improve the scaling performance for an application like what the OP is attempting?


  • LAYER 8 Global Moderator

    Your still only talking a handful of ports.. Even with your 6x4 your only talking 24 ports..  While sure you could do say 100 vlans that way or lets say even 200..  Why would not just use a layer 3 switch of you have hundreds of vlans to contend with..


  • Banned

    No reason that I can think of, I was just curious about a ballpark range of how physical NICs scale to VLANs. Thank you!



  • @gonzague:

    For some hotels we work for we wanna do a system where each room has a VLAN. They'd all have the same rules but of course different IP ranges

    Give some more infos on the setup.
    How many ports do you run to each room, is there a WLAN as well? How many buildings/floors/rooms are you talking about?

    Depending on the size there are different approaches to design such a network infrastructure.
    (We have not yet started talking bandwidth at all…)



  • @johnpoz:

    "VLANs are not for isolation or security"
    "just use the firewall rules to block attempts to communicate within the network"

    Huh??  Vlans are very much so for isolation and security ;)  When your route the vlans through a firewall like pfsense, or via a L3 switch with ACL's applied..

    How exactly is the firewall (pfsense) going to stop devices in the same network/vlan from talking amongst themselves?

    Hah :) Wow, that'll learn me for drive-by commenting. No idea what I was thinking in regards to those two statements! Disregard..!

    But the inability to scale well for this scenario still applies.


Log in to reply