Creating VLAN on primary LAN subnet
-
Objective: I am trying to create VLANs for each of my subnets (none exist currently). I seem to have successfully set them for all my subnets except for my primary LAN network. I seem to know just enough to be dangerous here :)
Process to create a VLAN for the other subnets: (1) create the VLAN, (2) assign the VLAN to an interface (I assign the new VLAN to my primary "LAN" interface), (3) set up the DHCP server, (4) set firewall rules.
Problem: The process seems like it must be slightly different for my existing LAN than for the other subnets, but I am not figuring it out. I cannot seem to set my VLAN for my primary LAN subnet without completely destroying my entire network, requiring restoration of the router and/or switch from backup. I'm not sure if I am doing things in the wrong order or if there is something I have to do slightly differently, given that I am trying to set it on the primary LAN.
To start, I have my UniFi switch set to allow all VLAN traffic to the ports I am using during configuration; I have tried configuration of the router from both the primary LAN/VLAN and a secondary VLAN, with the same results. It is in STEP #2 above where things go bad: the entire network seems to go down, and ultimately recovery usually requires restoring the router and/or switch from backup.
I cannot assign a new VLAN to my existing LAN like I did for the other subnets (going to Interfaces -> Assignment, i.e., just select the VLAN and "add") because my primary LAN already exists, and I don't think I can delete it because the other VLANs are configured from it?!
Equipment: Netgate 5100, UniFi Pro 48 port PoE managed switch
Question: Any thoughts on what I may need to do differently to assign a new VLAN to my primary LAN, compared to what I do for new subnets? Do I need to rebuild everything from the ground up starting with my LAN? There is some fundamental config concept here I am just missing, I think. I was just hoping I could "assign a VLAN" and be done with it :)
Thank you in advance for your thoughts!
-
@NadaBytes so your goal is to eliminate VLAN 1 ("native" VLAN) from your network entirely? What is the purpose here? Security by obscurity? It's pretty rare to see this. I also think that for Unifi equipment (switch) to properly communicate with its control plane, it requires the ability to "talk" to the mothership (selfhosted or cloud) via VLAN 1 (could be wrong here)
Would it instead be "secure enough" to set the native VLAN ports on your switch to whatever you want your default VLAN to be, and then shut off DNS, DHCP etc on the pfSense "LAN", and block all access to it with firewall rules? This might be easier than what you're trying to do, and you could configure exceptions if needed (eg for the switch itself to be able to pass traffic on VLAN1)
In any case, I'm guessing that the issue might be, until you assign the VLAN to an interface, you can't configure firewall rules on it to allow traffic to pfSense from hosts attached to said VLAN, and also won't be able to allow DNS, or provide DHCP on it etc. A bit of a chicken and egg problem.
A few ways come to mind that might work around this:
- temporarily allow management traffic on the WAN interface, and then use another device, connected via a mobile hotspot, to reconfigure your LAN to use the VLAN
- or, as it seems you've been able to configure other VLANs successfully, use a host on one of those to complete your LAN reconfiguration
- if you have a console cable, use that to configure the VLAN, since it should prompt you to enable DHCP etc. during the wizard, and worst case you can disable the firewall temporarily using pfctl -d if you get locked out
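The lockout the original poster keeps hitting (assign the VLAN, lose the box, restore from backup) is the classic problem that "commit confirmed" solves on other platforms: apply the change, and automatically roll it back unless an admin confirms from a host that can still reach the firewall. pfSense has no built-in step of that kind, so here is an added example, not code from either poster or from Netgate, of a small POSIX shell wrapper that does it. The config path /cf/conf/config.xml and the reload hook /etc/rc.reload_all are assumptions about a pfSense install and are overridable through CFG and RELOAD; the change itself is whatever command you pass in (for instance copying in a prepared config.xml in which the LAN interface points at a VLAN sub-interface).

```shell
#!/bin/sh
# Apply a firewall config change, then auto-revert unless confirmed in time.
# Added example; not part of the forum thread or of pfSense itself.
# Assumed pfSense paths (override by setting the variables before calling):
CFG="${CFG:-/cf/conf/config.xml}"        # assumption: pfSense config file
RELOAD="${RELOAD:-/etc/rc.reload_all}"   # assumption: pfSense reload hook
STATE="${STATE:-/tmp/guarded_apply}"     # backup, marker and result files

# guarded_apply TIMEOUT_SECONDS "shell command that edits $CFG"
# Backs up CFG, runs the change, reloads, and arms a background watchdog.
# If guarded_confirm is not called within TIMEOUT_SECONDS, the backup is
# restored and the reload is run again, undoing a bad VLAN assignment.
guarded_apply() {
    timeout="$1"; change="$2"
    mkdir -p "$STATE" || return 1
    rm -f "$STATE/confirmed" "$STATE/result"
    cp "$CFG" "$STATE/config.bak" || return 1
    # Run the change in a child shell so it cannot touch this wrapper's state.
    sh -c "$change" || { echo "change failed; config untouched" >&2; return 1; }
    sh -c "$RELOAD"
    ( sleep "$timeout"
      if [ -f "$STATE/confirmed" ]; then
          echo kept > "$STATE/result"
      else
          cp "$STATE/config.bak" "$CFG"
          sh -c "$RELOAD"
          echo reverted > "$STATE/result"
      fi ) &
    echo $! > "$STATE/watchdog.pid"
    return 0
}

# Call from a host that can still reach the box after the change.
guarded_confirm() {
    touch "$STATE/confirmed"
}

# Block until the watchdog has decided, then print "kept" or "reverted".
guarded_result() {
    while [ ! -f "$STATE/result" ]; do sleep 1; done
    cat "$STATE/result"
}

# Example session on the firewall's console (root), with a prepared config
# in which the LAN interface has been moved onto a VLAN sub-interface:
#   guarded_apply 120 "cp /root/lan-on-vlan.xml /cf/conf/config.xml"
# then, from a host on the new VLAN, within 120 seconds:
#   guarded_confirm
# and, if curious:
#   guarded_result
```

Two caveats from the thread worth keeping in mind alongside this: the watchdog only helps if the reload path you pass actually re-applies the restored config, and pfctl -d disables pf entirely, which means every packet passes unfiltered until you run pfctl -e again, so treat it as a console-only recovery step, not something to leave in place.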
-
@luckman212 bingo! Thank you for so succinctly saying what I was fumbling around trying to say!
Yes, primarily security. Google "VLAN1" and there are tons of articles and whatnot advising turning it off for security reasons (primarily for large enterprise). Secondarily (especially at this point), it is a little academic: I am kind of frustrated at myself for not figuring this out, so I would like to accomplish it for my personal satisfaction (though I am busy like everyone else and don't want to be doing purely stupid things).
I will look into the UniFi thing; their controller software is unusual, but it does seem to allow configuring a default VLAN by simply clicking on the default network in the controller software and entering the VLAN ID. However, during a hard reset it goes back to VLAN1, of course, which could be an issue if that becomes necessary.
I think your "Secure Enough" strategy sounds more sensible given my limited experience (I did try to configure from another subnet but got locked out, and it required a reset of the router). I think I will try this first. Thank you for the out-of-da-box thinking!