Create VLAN with Several IoT Static IPs
-
I have read the basic setup for VLANs, but I need to place several static IPs (already assigned) to 6 IoT devices into a VLAN, and I also need to manage those devices from my desktop and home mobile, which are assigned static IPs. I need this to manage these 6 IoT devices.
Netgate 2100 plus a few layer 2 switches
I assume this could be done by firewall rules, but I'm not sure how?
-
@oznet I'm not completely sure I understood what you want to achieve:
At the moment, do you only have one LAN where you have statically assigned IPs to the IoT devices, your desktop and home mobile?
And now you want to move the IoT devices into their own VLAN, while still managing these IoT devices from your desktop and home mobile, which both will stay on the LAN?
-
It is a little confusing to me also.
It is not hard to have different networks and allow one side to connect to the other while blocking the reverse.
Define the new network and assign it to a port, then test and make sure you get an address. After that add some rules to allow the access you want. The new network will have no rules and outgoing traffic will be blocked, but the default any:any rule on the LAN will allow access to the devices on the new network.
-
@patient0 Yes, I only have one LAN right now; it is a flat network, and I want to move these IoT devices, which all have static IPs, into their own VLAN.
I also need to have access to these IoT devices from a desktop and mobile which will stay on the LAN.
-
@oznet When you move them they will change addresses, otherwise it is not a different network.
Do it one step at a time, create the new VLAN and plug in a computer and make sure it works like you want, then move the devices.
You always want a working place to return to if you make a mistake. On more than one occasion I had to reload and restore a config due to a mistake. Back up often.
-
@oznet I assume there are a ton of guides for that scenario and the question comes up frequently.
Generally it's a good idea to keep the IoT devices on their own LAN. A tricky part in your case is maybe the VLAN config of the Netgate 2100. The 2100 has a built-in switch and the VLAN creation.
First read through the link below and see what mode you want to use on the 2100; probably 802.1Q VLAN Mode is what usually gets used.
https://docs.netgate.com/pfsense/en/latest/solutions/netgate-2100/switch-overview.html#switch-overview
If you configured the VLAN, start by connecting a full client to the VLAN where you have easy access and debug possibilities.
And in regards to VLANs: with the default LAN allow-all rule you can access everything, including future VLANs. In pfSense you restrict access from the source (to the destination), not by blocking at the destination.
If LAN should be able to access the IoT VLAN, leave the default rule.
When you create another interface it will have no rules created and thus by default everything from the interface (to the LAN or internet or other VLANs) is blocked. You will have to create a rule, to start with similar to the LAN-allow-all rule but instead of LAN net as source the VLAN net as source.
Generally: the first matching rule is executed and no rules after the matching one will be evaluated (with the exception of floating rules).
If for example you want to block the IoT VLAN clients from reaching the LAN, you define rules on the VLAN interface. For example, in pseudo code:
    block source 'IoT VLAN' destination LAN
    allow source 'IoT VLAN' all
All traffic to LAN will match the first rule and be blocked; all other traffic will not match the first one but will match the second and be allowed (including another VLAN, so it's really only a simple example).
Another thing to be aware of is that most local LAN service discovery is not going to be easy to implement; multicast stops at the network segment level. Some can do it (keyword: multicast proxy), others not (I'm in the not group, not enough patience for it).
E.g. if you have a SONOS device on the IoT VLAN and you want to control it from the LAN, or print discovery. Make sure that the services you want to use in the IoT VLAN work across networks or there are workarounds.
-
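The two replies above describe the same mechanism: an interface with no rules drops everything, the LAN's default allow-all rule reaches the IoT VLAN, and on the IoT interface the first matching rule wins. The following is an added illustration, not code from the thread or from pfSense itself: a small first-match evaluator over constructed subnets (192.168.1.0/24 for the LAN as the poster described it; the IoT VLAN 192.168.42.0/24 and a second VLAN 192.168.50.0/24 are hypothetical). It shows the pseudo-code rule pair from the post, the pitfall that the "allow all" rule still reaches the other VLAN, a stricter variant that closes it, and what happens when the two rules are written in the wrong order.

```python
import ipaddress

# Constructed subnets for the example (hypothetical; only the LAN /24 comes from the thread).
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
IOT_NET = ipaddress.ip_network("192.168.42.0/24")     # hypothetical IoT VLAN
OTHER_VLAN = ipaddress.ip_network("192.168.50.0/24")  # hypothetical second VLAN
ANY = ipaddress.ip_network("0.0.0.0/0")


def rule(action, src, dst):
    """One firewall rule: action is 'pass' or 'block', src/dst are networks."""
    return {"action": action, "src": src, "dst": dst}


def first_match(rules, src_ip, dst_ip):
    """Walk the rule list top-down; the first rule whose src and dst both
    contain the packet decides. Returns (action, rule_index). If nothing
    matches, the interface's implicit default is to block, as the post says
    for a freshly created interface with no rules at all."""
    s = ipaddress.ip_address(src_ip)
    d = ipaddress.ip_address(dst_ip)
    for i, r in enumerate(rules):
        if s in r["src"] and d in r["dst"]:
            return r["action"], i
    return "block", None


# The LAN keeps its default allow-all rule, so LAN clients reach the IoT VLAN.
# Replies flow back through the state table, not through IoT-interface rules,
# which is why one side can initiate while the reverse is blocked.
LAN_RULES = [rule("pass", LAN_NET, ANY)]

# The rule pair exactly as written in the post's pseudo code.
SIMPLE_IOT_RULES = [
    rule("block", IOT_NET, LAN_NET),
    rule("pass", IOT_NET, ANY),
]

# Same two rules in the wrong order: the pass rule matches first, so the
# block rule is never evaluated and the LAN is reachable after all.
MISORDERED_IOT_RULES = [
    rule("pass", IOT_NET, ANY),
    rule("block", IOT_NET, LAN_NET),
]

# Stricter variant: block each internal network explicitly before the
# catch-all pass, so the IoT VLAN can only reach the internet.
STRICT_IOT_RULES = [
    rule("block", IOT_NET, LAN_NET),
    rule("block", IOT_NET, OTHER_VLAN),
    rule("pass", IOT_NET, ANY),
]


def evaluate(rules, flows):
    """Map each (src, dst) pair to the action the rule set takes on it."""
    return {(src, dst): first_match(rules, src, dst)[0] for src, dst in flows}


if __name__ == "__main__":
    flows = [
        ("192.168.42.10", "192.168.1.20"),   # IoT -> LAN
        ("192.168.42.10", "192.168.50.5"),   # IoT -> other VLAN
        ("192.168.42.10", "203.0.113.10"),   # IoT -> internet (TEST-NET address)
    ]
    for name, rules in [("simple", SIMPLE_IOT_RULES),
                        ("misordered", MISORDERED_IOT_RULES),
                        ("strict", STRICT_IOT_RULES)]:
        print(name, evaluate(rules, flows))
    print("lan->iot", first_match(LAN_RULES, "192.168.1.20", "192.168.42.10"))
```

The "simple" set reproduces the post: traffic to the LAN is blocked, everything else passes, including the other VLAN. The "strict" set shows the usual fix of listing each internal network as a block before the final pass. Checking rule order this way on paper is cheap; checking it on the box is done by plugging a test client into the new VLAN, as both replies recommend.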
@AndyRH so if I understand you correctly, these static IPs will have to be removed from the IoT devices and new ones set up in the new VLAN network. I currently have 192.168.1.1, 192.168.1.2... etc. with 255.255.255.0, so I would need to readdress them with something like 192.168.2.1 etc.?
-
To maybe make life simpler in the future, avoid common subnets like 192.168.0.0, 1.0, 2.0. These are used by many things such as ISP routers.
I went with .42.0, because it is the meaning of life, the universe and everything.