Netgate Discussion Forum
    VLAN Configuration Question

    L2/Switching/VLANs
    11 Posts 4 Posters 1.2k Views
    • J
      jst68
      last edited by

      I am in the process of replacing the firewall for our family home. pfSense has been highly recommended by friends and so I am trying to get a test installation going, but I am stuck on some hardware related issues documented in another forum post.

      While I am working on overcoming those, I am hoping to get some answers for some configuration requirements.

      Our current network consists of three different subnets that are also different VLANs. They basically follow this format:

      Subnet A - 10.10.A.0 / 24 - VLAN A - For wired PCs / Macs, gaming consoles and wireless devices (phones/tablets)
      Subnet B - 10.10.B.0 / 24 - VLAN B - For wired VOIP phones
      Subnet C - 10.10.C.0 / 24 - VLAN C - For Smart Home devices (e.g. Google Home)

      Configuration:
      Subnet B has the highest priority to make sure that phone calls don't get interrupted. Subnet B has no access to any other subnet.
      Subnet C allows limited access from Subnet A to control smart devices (e.g. lamps) on Subnet C.
      Subnet A is a general purpose network allowing various family members to safely access the internet.

      Can we replicate this setup in pfSense? How complicated is the setup?

      Thank you for your input!

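The inter-VLAN policy described in the post above, as an added example that is not part of this thread and not pfSense's own code: a small Python model of per-interface, first-match rule evaluation (the way pfSense applies its default "quick" interface rules), with the three VLANs from the post. The addresses (10.10.10/20/30.0/24), the firewall's own address on VLAN B, the choice of TCP 443 as the "limited" control port from A to C, and the RFC1918 alias are all assumptions for illustration; in pfSense the same policy is built in the GUI as interface rules against an RFC1918 alias. The `policy_violations` check probes every VLAN pair and shows why rule order matters: moving the "pass to any" rule above the block on VLAN B quietly lets the VoIP VLAN into VLAN A.

```python
# Added example (not from the forum thread or pfSense): a model of pfSense-style
# per-interface, first-match firewall rules for the three-VLAN policy in the post.
# Addresses, the firewall's VLAN B address and the "limited" A->C port are assumptions.
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed addressing for the VLANs the post calls A, B and C.
VLAN_A = ip_network("10.10.10.0/24")   # wired PCs, consoles, phones/tablets
VLAN_B = ip_network("10.10.20.0/24")   # VoIP phones: reaches no other subnet
VLAN_C = ip_network("10.10.30.0/24")   # smart-home devices
FW_B = ip_network("10.10.20.1/32")     # assumed firewall address on VLAN B (DNS for phones)
ANY = ip_network("0.0.0.0/0")
# Stand-in for an "RFC1918" alias as one would create in pfSense.
RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]


@dataclass
class Rule:
    action: str                       # "pass" or "block"
    src: IPv4Network
    dst: List[IPv4Network]            # destination networks (an alias)
    proto: Optional[str] = None       # None = any protocol
    dport: Optional[int] = None       # None = any destination port
    desc: str = ""

    def matches(self, src, dst, proto, dport) -> bool:
        if src not in self.src or not any(dst in n for n in self.dst):
            return False
        if self.proto is not None and self.proto != proto:
            return False
        return self.dport is None or self.dport == dport


# Rules are attached to the interface where traffic enters, as in pfSense.
RULESETS = {
    "VLAN_B": [
        Rule("pass", VLAN_B, [FW_B], "udp", 53, "phones may resolve DNS at the firewall"),
        Rule("block", VLAN_B, RFC1918, desc="VoIP VLAN reaches no other internal subnet"),
        Rule("pass", VLAN_B, [ANY], desc="everything else, i.e. the Internet"),
    ],
    "VLAN_A": [
        Rule("pass", VLAN_A, [VLAN_C], "tcp", 443, "limited control of smart devices (assumed port)"),
        Rule("block", VLAN_A, RFC1918, desc="no other internal access from the general LAN"),
        Rule("pass", VLAN_A, [ANY], desc="Internet"),
    ],
    "VLAN_C": [
        Rule("block", VLAN_C, RFC1918, desc="smart devices never initiate toward other VLANs"),
        Rule("pass", VLAN_C, [ANY], desc="Internet"),
    ],
}

# The same VLAN B rules with "pass to any" moved to the top: a common mistake.
MISORDERED = dict(RULESETS)
MISORDERED["VLAN_B"] = [RULESETS["VLAN_B"][2], RULESETS["VLAN_B"][1], RULESETS["VLAN_B"][0]]


def evaluate(interface, src, dst, proto, dport, rulesets=RULESETS) -> Tuple[str, str]:
    """First matching rule wins (pfSense rules are 'quick' by default);
    no match falls through to the implicit default deny."""
    s, d = ip_address(src), ip_address(dst)
    for rule in rulesets[interface]:
        if rule.matches(s, d, proto, dport):
            return rule.action, rule.desc
    return "block", "implicit default deny"


def policy_violations(rulesets=RULESETS):
    """Probe every VLAN pair with a few flows; return those the rules pass
    although the stated policy forbids them (empty list = rule order is right)."""
    vlans = {"VLAN_A": VLAN_A, "VLAN_B": VLAN_B, "VLAN_C": VLAN_C}
    probes = [("tcp", 443), ("tcp", 22), ("udp", 53)]
    violations = []
    for iface, src_net in vlans.items():
        for dst_name, dst_net in vlans.items():
            if dst_name == iface:
                continue
            for proto, port in probes:
                # Only A -> C on the assumed control port is allowed between VLANs.
                allowed = (iface, dst_name, proto, port) == ("VLAN_A", "VLAN_C", "tcp", 443)
                action, _ = evaluate(iface, str(src_net[10]), str(dst_net[20]), proto, port, rulesets)
                if action == "pass" and not allowed:
                    violations.append((iface, dst_name, proto, port))
    return violations


if __name__ == "__main__":
    for flow in [("VLAN_B", "10.10.20.5", "10.10.10.7", "tcp", 80),
                 ("VLAN_A", "10.10.10.7", "10.10.30.9", "tcp", 443),
                 ("VLAN_A", "10.10.10.7", "203.0.113.10", "tcp", 443)]:
        print(flow, "->", evaluate(*flow))
    print("correct order violations:", policy_violations())
    print("misordered violations:", policy_violations(MISORDERED))
```

The "block RFC1918, then pass any" pair is the usual pfSense idiom for "Internet only": without the block, a "pass to any" rule on VLAN B would also reach A and C, because "any" includes the other VLANs' subnets. Whatever services the firewall itself provides to a VLAN (DNS, NTP) need their own pass rule above that block.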
      • DaddyGoD
        DaddyGo @jst68
        last edited by

        @jst68

        Hi,

        Yes, pfSense can handle this task without any other difficulties.
        "How complicated is the setup?" - it wants some professional knowledge, but nothing is impossible with learning...

        please keep in mind, an NGFW is not something you can leave alone; it requires continuous, almost daily administration!

        here in the forum you can get answers to anything that causes problems during installation and subsequent management

        PS:

        I would further segment the network: a "D" VLAN for WLAN devices (phones / tablets) only

        and

        "E" VLAN for gaming consoles (because the UPnP & NAT-PMP)

        Cats bury it so they can't see it!
        (You know what I mean if you have a cat)

        • NogBadTheBadN
          NogBadTheBad @DaddyGo
          last edited by NogBadTheBad

          I'd have wifi on the same subnet as the ethernet devices.

          Class your VLANs by use; I have the following:

          LAN <- This is just used for switch management

          USER <- My Macs, iphone, ipad, work laptops, etc ...

          GUEST <- Where I let my guests connect

          IOT <- My IOT devices

          DMZ <- Where I place my publicly accessible stuff

          The last 3 VLANs can only access the internet.

          Does your wifi support vlans?

          Andy

          1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

          • J
            jst68 @DaddyGo
            last edited by

            @DaddyGo Thank you for your feedback!

            I like your suggestion to put our phones/tablets and gaming consoles on separate VLANs. Also love that NGFW supports UPnP which might simplify things for our gaming consoles.

            I also love playing around with new devices and software. So, no worries about learning new things on my end. This is probably how we ended up having quite an elaborate network for a home environment. ;)

            I have also gained experience with various platforms (Netscreen, Sophos SG/XG, Meraki and others) over the years. However, I am somewhat concerned about your statement that I would have to do daily administration work using NGFW. I mean I understand that it will take some time to get the configuration into place, but why would I have to do daily administration once everything is up and running? Could you please elaborate on that? TIA!

            @NogBadTheBad Thank you for your feedback!
            Your setup also raises some interesting ideas and, yes, we also have a GUEST network, but I forgot to list it since it is handled by the wireless access point.

            Yes, our current wireless solution (aging Meraki) supports VLANs. How do you like the UniFi AP-AC-Pro? It is one of the devices I have looked at, but I was hoping to find a device supporting Wi-Fi 6.

            One new question for both of you: Our current solution allows me to assign multiple VLANs per interface/subnet. Is this possible with NGFW? I have seen the VLAN configuration screen and I am confused by the need to assign one interface to one VLAN without giving the option to assign it to all interfaces.

            • NogBadTheBadN
              NogBadTheBad @jst68
              last edited by NogBadTheBad

              @jst68 said in VLAN Configuration Question:

              One new question for both of you: Our current solution allows me to assign multiple VLANs per interface/subnet. Is this possible with NGFW? I have seen the VLAN configuration screen and I am confused by the need to assign one interface to one VLAN without giving the option to assign it to all interfaces.

              VLAN 10 on one pfSense interface is different to VLAN 10 on another interface; you'd need to set up a LAG, i.e. bond 2 x 1Gb interfaces together.

              Create them here:

              [Screenshot 2020-06-25 at 07.22.00.png]

              Add them to the interfaces here:

              [Screenshot 2020-06-25 at 07.22.27.png]

              The Ubiquiti stuff seems to be the flavour of the month due to cost, and it handles VLANs.

              Andy

              1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

              • DaddyGoD
                DaddyGo @jst68
                last edited by

                @jst68 said in VLAN Configuration Question:

                @DaddyGo Thank you for your feedback!

                Hello,

                As @NogBadTheBad suggests, the more parts you divide your network into, the more secure it is.
                (WiFi devices, game consoles, phones are almost mandatory candidates for this)
                there is currently a small problem with pfSense UPnP, but it is in the process of being fixed and only affects multiple consoles on the same network

                https://forum.netgate.com/topic/154153/test-request-upnp-fix-for-multiple-consoles-playing-the-same-game-static-port-outbound-nat

                VLAN question on same interface:

                although at this point I would note that for many VLANs, it is not enough to create a LAG

                VLANs consume the bandwidth of the interface (1Gig) or of the interfaces in a LAG (2Gig)

                if you can, choose a solution where you can integrate a +++quad NIC into the hardware

                or
                for example, I use hardware that has 4 ports on the motherboard (Intel I350 !!!!) plus four ports on an add-on card (Intel I350 also !!!)
                that already gives eight physical interfaces, which is easily enough for a very secure SOHO environment

                (thus fewer VLANs need to be placed on one physical interface)

                in my opinion, by no means place more than 2-3 VLANs on one physical interface
                (unless 10Gig is the speed of that physical interface)

                @jst68 "Could you please elaborate on that? TIA!"

                pfSense begins with long learning and after that comes satisfaction and joy....
                it will help a lot if you have experience with devices from reputable companies (Cisco Meraki, Sophos, etc.), but pfSense is great because it's not as rigid as Cisco ASA and not so expensive

                by daily administration I mean that in an NGFW environment, you will receive alerts and blockages on a daily basis, which need to be investigated

                it is not a switch that we configure and then leave to work

                for example:

                you want to visit a website, but the system will not allow it
                it has worked so far, but let's say pfBlockerNG, or Snort, or Suricata, or Squid, etc., now blocks it

                ERGO:
                so you need to look at why these applications consider the site in question dangerous

                it can usually be said that after 4-6 months all its lists, rules and operating conditions will be fine-tuned

                the second thing: since it is a community-supported open-source system, it responds much faster to any changes and vulnerability fixes, so it is very important that you always follow the updates

                many people don't think so and postpone the update for months, but it's nonsense, the updates are not made in vain and put into the system

                finally, an important suggestion to get rid of a lot of headaches....
                do not use NICs with Realtek or other unnamed ethernet controllers

                the soul of NGFW is the NIC

                the following Intel ethernet controllers are a particularly good choice for pfSense:
                I340, I350, I210, I211

                Cats bury it so they can't see it!
                (You know what I mean if you have a cat)

                • J
                  jst68
                  last edited by

                  @NogBadTheBad and @DaddyGo
                  Thank you again for your feedback!

                  The VLAN information is very helpful for me. I also have finally been able to set up a small test box. More testing might result in more questions... 😉

                  • DaddyGoD
                    DaddyGo @jst68
                    last edited by

                    @jst68

                    this would have been my next suggestion - test environment first - before releasing pfSense to your family, hahahahaa
                    even with this you can avoid a lot of unspoken slander 😁

                    come back to us if you have any questions 🖐

                    Cats bury it so they can't see it!
                    (You know what I mean if you have a cat)

                    • JeGrJ
                      JeGr LAYER 8 Moderator
                      last edited by

                      Also a test or lab VLAN like @NogBadTheBad lists is a very good idea to test things out before running it on other VLANs that could drop your wife's/family's acceptance level 😁

                      Don't forget to upvote 👍 those who kindly offered their time and brainpower to help you!

                      If you're interested, I'm available to discuss details of German-speaking paid support (for companies) if needed.

                      • J
                        jst68
                        last edited by

                        @DaddyGo @JeGr
                        Haha! You both have a great understanding of the testing requirements in family environments!! 😂

                        • DaddyGoD
                          DaddyGo @jst68
                          last edited by

                          @jst68

                          because I think we're over it....hahaha
                          that's why you have to work (on pfSense config) when everyone is asleep 😉

                          Cats bury it so they can't see it!
                          (You know what I mean if you have a cat)

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.