Hello again all,
Still playing/learning vLans!
I've set the vLans in my switch (ZyXEL1528) to be untagged to a port (say port 2 for vLan2) and tagged to the port that has pfSense on it (port 25). I've also created a VoIP vLan (64) which is tagged to ports 25 and 26 (26 is the port that the VoIP network will be connected to).
In pfSense, I've created/added all these vLans. Then in interfaces, I edit the OPT created for it. Then I click to enable it, set it as static and give it a static address (I'm using 10.1.0.1/24, 10.2.0.1/24, 10.3.0.1/24 etc.). I'm then not adding a gateway - is that right?
No, they will not need a gateway. That is set on the OPT interface in case you want to use them for WAN.
pod….. (the genius),
So the gateway is all automatic.
Thanks to your idea of backup, edit and restore to save time, I have another question or two!
Firstly, how do I prevent all the vLans (other than 1) from being able to access the pfSense controls?
And secondly, how do I also allow remote access to edit the pfSense settings?
pfSense automatically listens for connections to the settings page from all interfaces, but only opens the firewall by default on the LAN interface (you can disable the "anti-lockout" rule in settings, but be careful). If you wanted to access the settings page from the WAN, for example, just add a rule to the WAN to allow access from anywhere to the WAN IP address, protocol HTTPS (port 443) TCP, and you will be able to access it remotely. The same is true of any other interface: add a similar rule for access to the interface IP, from any or specific IPs as desired. Or, add explicit block rules if you want to, or if you've opened it up with other rules. I also tend to change the listening port to something other than 443 so I don't interfere with port-forwarding of HTTPS and am on a non-standard port (less likely to be the target of random scans from the Internet or guesses internally).
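To make the rule logic in the answer above concrete, here is a small added example (my own model, not pfSense code and not from anyone in this thread). It models pfSense's per-interface, first-match rule evaluation with an implicit block when nothing matches, and a "self" destination standing in for pfSense's "This Firewall (self)" alias. The addresses, the 10.64.0.1 address for the VoIP VLAN, the WAN address 203.0.113.10 and the admin host 198.51.100.7 are all constructed for the example. It shows both halves of the question: the per-VLAN block rules that keep VLAN 2, VLAN 3 and VoIP hosts away from the webGUI on any of the firewall's addresses (not just their own gateway IP), and a WAN rule that opens the GUI to one admin address only.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed addresses: one per interface plus the WAN. "self" in a rule means
# any of these, the way pfSense's "This Firewall (self)" alias does.
SELF_ADDRESSES = {
    ip_address(a) for a in ("10.1.0.1", "10.2.0.1", "10.3.0.1", "10.64.0.1", "203.0.113.10")
}
GUI_PORT = 443  # webGUI port; the answer above suggests moving it off 443


@dataclass(frozen=True)
class Rule:
    iface: str              # rules are evaluated on the packet's inbound interface
    action: str             # "pass" or "block"
    src: str                # source network, or "any"
    dst: str                # destination network, "any", or "self"
    dport: Optional[int] = None  # TCP destination port, None = any port


@dataclass(frozen=True)
class Packet:
    iface: str
    src: str
    dst: str
    dport: int


def _matches(rule: Rule, pkt: Packet) -> bool:
    if rule.iface != pkt.iface:
        return False
    if rule.src != "any" and ip_address(pkt.src) not in ip_network(rule.src):
        return False
    if rule.dst == "self":
        if ip_address(pkt.dst) not in SELF_ADDRESSES:
            return False
    elif rule.dst != "any" and ip_address(pkt.dst) not in ip_network(rule.dst):
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return True


def evaluate(rules: list, pkt: Packet) -> str:
    """First matching rule on the inbound interface wins; no match means block."""
    for rule in rules:
        if _matches(rule, pkt):
            return rule.action
    return "block"


# Constructed rule set following the thread's advice. Each non-management VLAN
# gets an explicit block to the GUI port on every firewall address *before* its
# general allow rule. Only the GUI port is blocked so DNS/DHCP to the firewall
# keep working on those VLANs.
RULES = [
    Rule("lan",   "pass",  "10.1.0.0/24",     "self", GUI_PORT),   # stands in for anti-lockout
    Rule("lan",   "pass",  "10.1.0.0/24",     "any"),
    Rule("vlan2", "block", "any",             "self", GUI_PORT),
    Rule("vlan2", "pass",  "10.2.0.0/24",     "any"),
    Rule("vlan3", "block", "any",             "self", GUI_PORT),
    Rule("vlan3", "pass",  "10.3.0.0/24",     "any"),
    Rule("voip",  "block", "any",             "self", GUI_PORT),
    Rule("voip",  "pass",  "10.64.0.0/24",    "any"),
    Rule("wan",   "pass",  "198.51.100.7/32", "203.0.113.10/32", GUI_PORT),  # one admin host
]


def gui_decisions() -> dict:
    """Run a few constructed probes through the rule set and return the verdicts."""
    probes = {
        "lan_to_gui":       Packet("lan",   "10.1.0.50",    "10.1.0.1",     GUI_PORT),
        "vlan2_to_gui":     Packet("vlan2", "10.2.0.50",    "10.2.0.1",     GUI_PORT),
        "vlan2_to_lan_gui": Packet("vlan2", "10.2.0.50",    "10.1.0.1",     GUI_PORT),  # other interface IP of the same box
        "vlan2_web":        Packet("vlan2", "10.2.0.50",    "192.0.2.80",   443),       # ordinary outbound HTTPS
        "wan_admin":        Packet("wan",   "198.51.100.7", "203.0.113.10", GUI_PORT),
        "wan_other":        Packet("wan",   "198.51.100.8", "203.0.113.10", GUI_PORT),
    }
    return {name: evaluate(RULES, pkt) for name, pkt in probes.items()}


if __name__ == "__main__":
    for name, verdict in gui_decisions().items():
        print(f"{name:18s} -> {verdict}")
```

The probe named `vlan2_to_lan_gui` is the one worth noticing: a host on VLAN 2 can route to 10.1.0.1 just as easily as to 10.2.0.1, so a block rule aimed only at the VLAN's own interface address would still leave the GUI reachable via the LAN address. Blocking the destination "self" (all firewall addresses) on each VLAN's rules closes that gap, while the general allow rule beneath it keeps normal traffic flowing.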