VLAN - Need configuration guidance and recommendation

  • pfSense
    Netgear GS108Tv2 smart switch - 8 Port
    AP - VLAN aware

    pfSense has dual gigabit ports. One port is dedicated to WAN (directly connected from Modem) and the other is for 4 VLANs (connected to Netgear switch)

    VLAN 1 - LAN [10.0.1.x -] (All PCs, Macs, Printers, NAS..etc)
    VLAN 2 - VoIP [10.0.2.x -] (All VoIP ATA's, WiFi Cell Phone connections)
    VLAN 3 - Video [10.0.3.x -] (TVs, BluRay Players)
    VLAN 4 - InternetTV [10.0.4.x -] (Couple of SetTop boxes that need only internet connection)

    Netgear GS108Tv2
    Port 1 (T) - pfSense (connecting 4 VLANs through this port)
    Port 2 (T) - AP (VLAN aware) - Connects wireless clients to the right VLAN based on their SSIDs
    Port 3 thru 7 (U) - PCs, Macs, NAS (Port based VLAN 1 members as stated above)
    Port 8 (U) - VoIP ATA (Port based VLAN 2 member as stated above)

    I do not need any communications between VLANs as each VLAN member only needs to communicate to the internet (WAN) or with members in the same VLAN. So a PC in VLAN1 cannot see or even ping members of other VLANs except for VLAN1 members. Same goes for other VLANs.

    Default "LAN" rule is created by pfSense after install as below.

    Proto Source Port Destination Port Gateway

    • LAN net * *                 *     *

    I removed the default LAN rule and added rules for LAN VoIP, Video and InternetTV as follows. Took advantage of Alias to define all VLAN networks (10.0.x.0) as (LAN- L, VoIP- Vo, Video- Vi, InternetTV- I)
    Proto Source           Port Destination Port Gateway

    • LAN net              *         !VoViI              * *
    • VoIP net              *         !LViI             * *
    • Video net         *         !LVoI                * *
    • InternetTV net *         !LVoVi              * *

    The updated rules have helped me isolate all the 4 VLANs and none of the VLANs can talk to each other.

    Now my question is that the pfSense dashboard only shows traffic coming in or going out of WAN to the specific VLANs. There is extremely heavy network traffic within each VLAN, especially VLAN 1 - LAN as it consists of PCs and NAS doing data transfers all day long. How can I monitor intra-VLAN traffic?

  • I got my answer from another post…

    "VLAN to VLAN traffic is handled entirely within the smart/managed switch and doesn't get to the router"

