Basic VLAN config?

  • I haven't used VLANs so far. I understand some of the key points (VLANS are not to reach end-user devices!), but my knowledge is very limited and the very little I know is hazy at best.

    I'd like to split traffic between three VLANs on my LAN, effectively creating a more privileged "management network", a less privileged "user network", and a completely untrusted "WiFi network". I'd like to use VLANs for this, and better control what src+dest can communicate what type of traffic with what other endpoint (to an extent).  The entire LAN is VLAN-capable, although some devices don't have a specific VLAN setup GUI and would need some CLI-fu.

    My eventual aim, once I have a clue how to do it, is to move from this design:

    • LAN =, completely flat, typical home network, all LAN devices equally trusted, all network traffic security/access down to individual devices once within the LAN, effectively "pass everything " rules on all LAN switches.

    to this design:

    • All traffic by default on VLAN (A) (assigned unless otherwise specified

    • Only very few devices are able to access shell/admin login on network devices.  Admin login at all servers and switches is blocked on anything except VLAN (B) (assigned  Packets matching some rules will be tagged with this VLAN by the switch to allow them onto the management VLAN. A typical rule will be "if src=X and dst=Y and dstport=Z then tag as VLAN (B) and pass … {other rules here} ... if we get here and src or dst is a privileged machine and pkt isn't tagged VLAN (B) then drop/reject". Of course this is a layer, in addition to any other security when the connection is allowed.

    • All traffic to/from wireless AP clients tagged as VLAN (C) (assigned either by the AP or by the switch as they pass through it (based on dest IP)

    • Switch handles a degree of network traffic control. As well as rules on ordinary traffic (easy enough), also rules for VLAN tagging such as "traffic on VLAN (C) blocked unless dest is non-local (WAN/Internet)" or "Only port 80 can be accessed on a given server from VLAN (A), to access other ports such as SSH the request needs to be on VLAN (B)" This is the crux and I'm not sure how to get there.

    • The LAN networking can be used to segregate these different privilege streams. (I understand that VLANs can easily be misconfigured and then will not do segregation properly, but my understanding is that when properly configured, that's its basic function).

    I don't know what switch I'll use, but if I assume the switch is basically just another pfSense installation, then knowing what to configure on it will be enough familiarity to get it working initially, and find the equivalent config later for any other switch when I need it.  It's definitely the kind of direction I'd like to go in my setup. The ordinary rules are easy (I've included them for realism) - it's the VLAN setup/config that I'd like to ask for a beginner's outline of what steps I need to do.

    With luck this question will meet a really kind, helpful, and knowledgeable forum member, and I'll get a clue what I need to know, and step-by-step what to configure, so that I can move in this direction :)  I know it's very open but I can work out much of the detail, if I understand the principles and basics, and a simple working example how I'd configure the basics on my pfSense install. Then I can experiment and figure out the rest.

  • LAYER 8 Global Moderator

    Having a hard time finding actual questions in here… What exactly are you asking??

    Yes segmenting your network is good security practice.  Yes firewall between your segments also good..

    It is very easy to do.. Pfsense, a vlan capable switch along with vlan capable AP and clickity clickity..

    Do you currently have vlan capable switch(es) and AP?  Are you asking what you should get?

    "Switch handles a degree of network traffic control."

    I think your confused here.. Yes depending on the switch you could setup ACLs to control traffic... This not normally where it would be done - especially if you have pfsense to work with.  Pfsense will handle all traffic control between our segments.  Your switch is just going to isolate the different segments for you via vlans..

    Do you have a specific question you would like answered?  I am not really seeing it.. Lets start with basics... What hardware do you have to work with?  What hardware are you looking to get that supports vlans?  If you have the hardware then sure we can go over how to setup the vlans..

  • I'll take a shot at what I think you are asking, this is from a non-technical perspective:

    The way I think of a "Truck/Parent"-VLAN relationship is as follows:
    The Trunk/Parent(or LAN in my case) has VLANs running in it…much like a "household cable" has a "+", "-" and a "ground" wire seperated, yet inside 1 wire. Instead of all 3 wires running a "+"...each wire gets a seperate role. That is my crappy basic description!

    In terms of setting it up on pfSense:

    1. As John mentioned, make sure you have the correct hardware, specifically an AP and a managed switch that can both handle VLANs. I have gotten away with just a pfSense and a Unifi AP(no switch but a switch is recommended)
    2. Go to "Interfaces -> Assignment -> VLANs -> "Add button", pick the parent(aka Trunk) interface(likely your LAN or Opt1 i.e. the "household cable"), give your VLANs Tags...say VLAN 10, VLAN 20, VLAN 30, etc...put descriptions for each VLAN.
    3. Go to "Interfaces -> Assignment -> Interface should now see "Add" buttons for each VLAN created. Add each VLAN...
    4. Go to "Interfaces -> you should see each new interface in drop-down...configure each VLAN...
    5. Go to "Services -> DHCP Server"...enable each VLAN...assuming you want each VLAN to be configured similarly to LAN
    6. Treat each VLAN like a seperate interface i.e. add rules, fixed leases, possible aliases, etc...

    In terms of configuring your switch that gets model specific and a little more indepth(I called thier tech support and they helped me configure) Unifi AP was really simple in terms of setting up seperate SSIDs for each VLAN. Those VLAN numbers/Tags in step 2) are entered into your switch and AP so they can direct the data appropriately.

    I hope this helps...

  • I understand the need for security, but your description of your new design is unnecessarily complicated.  You're not going to need switch ACL's and/or NAC on a home setup… it's just not necessary.

    At a high level, what you're asking is rather straightforward.... You would create vlans on your PFsense LAN interface and trunk that LAN interface to a managed switch.  You would then create the same vlans on your managed switch and assign specific vlans to different ports.  Inter-vlan traffic will traverse PFsense and can be controlled via firewall rules.

    The setup is straightforward, but far from child's play.  You should have a decent grasp on networking so you know what you're getting yourself into or you'll be pulling your hair out for weeks trying to get this setup working.  The particulars for configuring the switch will vary depending on what switch vendor you go with.

  • Thank you John, V3lcr0, and marvosa, for the incredibly helpful replies above.

    I've taken time to read carefully and try and learn from and understand all the points made, which is why this reply has taken some time.  I now realise that my question was, as you said, poorly worded and a bit too clueless. I didn't actually know the right question to ask. I think I have a much more specific focus and a bit more of a clue now. Thank you for the effort in helping me.

    I've posted my more focused question in a new thread under "wireless" so this one can drop to the end and not accidentally confuse anyone who finds my OP unhelpful. :)  It should be more "to the point".

Log in to reply