PfSense VLAN setup
-
At my workplace we are bound by "PCI Compliance" rules as set forth by the credit card industry…
To make ourselves compliant, our wireless network needs to be segmented off from our main network.
Could someone take a look at this setup and see if you see any problems:
Wireless AP with 3 SSIDs, each SSID has its own VLAN (2, 3, and 4). AP is plugged into a dumb switch (which will pass VLAN tags) along with a few other PCs that will be sending untagged traffic. The AP will be sending only tagged traffic.
Dumb switch is connected to a Netgear L3 switch. This port on the Netgear is configured as a member of VLANs 2,3,4 and a default PVID/VLAN of 1 for the untagged traffic. PVID 1 is the default LAN which all other ports are on.
PFSense box will have a 3rd NIC, with 3 virtual interfaces configured, one for each VLAN (the physical interface itself is NOT assigned so it will ignore untagged traffic).
PFSense box is connected to the Netgear L3 switch, port is configured as a member of 2, 3, and 4. Default PVID/VLAN is 50, which is unused. This is so that untagged traffic, should it arrive here, will go nowhere.
My understanding is that only tagged traffic from the AP will be able to reach the PFSense box, and vice versa, while the untagged PCs connected to the dumb switch will continue to operate on the default network (PVID 1) as usual. Untagged traffic should never arrive at the port going to the PFSense box, and ditto in the other direction.
I've attached a quick Dia diagram below:
-
Everything you have said is true. The only problem with that configuration is the use of a dumb switch to pass both tagged and untagged traffic. This allows those PCs to be part of any of those networks and potentially bridge across them. Replacing the dumb switch with a managed switch will ensure that a rogue PC can't violate your policies. You'd set the port VID for the PCs to 1, the port VID for the AP to 50 and make it a member of VLANs 2, 3, and 4. The upstream port should be a member of 1, 2, 3, and 4.
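Added example, not code from the thread: a small Python model of 802.1Q port handling that walks a frame from a device to the pfSense VLAN interfaces in both layouts (dumb access switch vs. the managed one proposed above), using the thread's VLAN numbers (2, 3, 4 for the SSIDs, PVID 1 for the LAN, PVID 50 as the dead VLAN). Port names are my own labels.

```python
# Added example (not from the thread): check which frames can reach the pfSense
# VLAN sub-interfaces under the two access-switch layouts discussed above.
from dataclasses import dataclass

DROP = "dropped"           # sentinel: frame discarded by a switch
PFSENSE_VLANS = {2, 3, 4}  # VLAN sub-interfaces on the third pfSense NIC


@dataclass(frozen=True)
class Port:
    pvid: int                        # VLAN given to untagged ingress frames
    tagged: frozenset = frozenset()  # VLANs this port carries with a tag


def managed_hop(ingress: Port, egress: Port, tag):
    """Forward one frame through a managed switch.
    `tag` is None for an untagged frame, else the VLAN id in its 802.1Q header.
    Returns the tag as the frame leaves `egress`, or DROP."""
    if tag is None:
        vlan = ingress.pvid          # untagged: classified into the port PVID
    elif tag in ingress.tagged:
        vlan = tag
    else:
        return DROP                  # tag for a VLAN the ingress port is not in
    if vlan == egress.pvid:
        return None                  # leaves untagged on the egress PVID
    if vlan in egress.tagged:
        return vlan                  # leaves tagged
    return DROP                      # egress port is not a member of that VLAN


def reaches_pfsense(hops, tag):
    """Walk a frame over (ingress, egress) managed-switch hops. An unmanaged
    switch forwards every frame unchanged, so it is simply absent from `hops`.
    pfSense's physical NIC is unassigned, so only tagged 2/3/4 frames count."""
    for ingress, egress in hops:
        tag = managed_hop(ingress, egress, tag)
        if tag is DROP:
            return False
    return tag in PFSENSE_VLANS


# Netgear L3 switch ports, as described in the question.
NETGEAR_DOWNLINK = Port(pvid=1, tagged=frozenset({2, 3, 4}))
NETGEAR_TO_PFSENSE = Port(pvid=50, tagged=frozenset({2, 3, 4}))
# Managed access switch ports, as proposed in the answer above.
PC_PORT = Port(pvid=1)
AP_PORT = Port(pvid=50, tagged=frozenset({2, 3, 4}))
ACCESS_UPLINK = Port(pvid=1, tagged=frozenset({2, 3, 4}))

UNMANAGED_LAYOUT = [(NETGEAR_DOWNLINK, NETGEAR_TO_PFSENSE)]  # dumb switch is transparent


def managed_layout(device_port):
    """Device -> managed access switch -> Netgear -> pfSense."""
    return [(device_port, ACCESS_UPLINK), (NETGEAR_DOWNLINK, NETGEAR_TO_PFSENSE)]
```

With the dumb switch, a frame tagged 2 reaches pfSense whether it came from the AP or from a PC, which is exactly the gap the reply points out; with the managed switch the PC port has no tagged membership, so the same frame is dropped at ingress while the AP's traffic still gets through.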
-
It does look sane except for the inclusion of the unmanaged switch. That's just asking for trouble in this day and age, people can set a VLAN tag on their network card directly in that case and hop onto whichever VLAN they want.
You can get a cheap 8-port managed switch, even gigabit, that supports VLANs, for about $100 or so. It's not worth the risk of including an unmanaged switch.
-
Ah! Hadn't even thought of that! I'll grab an 8-port managed Netgear then :)
I passed the setup by our "PCI auditor" and he approved it, and didn't catch the unmanaged switch either. Useless auditor...