Pfsense 2.0 VLAN beginners issues



  • Hi everyone,

    I am new to the world of Pfsense, and have been tasked with setting up a network for some high volume HD video and internet usage.  I currently have SUPERMICRO SYS-5015A-EHF-D525 1U Intel Atom D525 Dual Gigabit with a Netgear JGS524E Prosafe 24 Port Gigabit Switch.  I am looking to create 3 VLANs:
    1. VIDEO  - 192.168.10.100-200
    2. NAS and other network devices - 192.168.20.100-200
    3. INTERNAL INTERNET - 192.168.30.100-200
    4. GUEST INTERNET - 192.168.40.100-200 with login page.

    Pfsense is hooked to Port 1.  NAS and other devices port 2-9.  Video is expected to run without internet on ports 10-20.  A guest internet will be provided on Port 24 to a wifi router.  Internal internet is expected to run on ports 21-23.

    WAN is expected to pass through port em0 on pfsense device, and LAN is on em1 to the router.  I've tried almost all the tutorials I can find, but still have no luck.  I'm not even sure how the 802.1Q should be set on my switch.  Any input or tutorials would be extremely appreciated!

    Thanks everyone!



  • Setting up VLANs has a few limitations: VLAN 1 should not be tagged, and 4096 should not be used.
    Your list had 4 LANs but you talked about three; which is the case?



  • @tludikar:

    Hi everyone,

    I am new to the world of Pfsense, and have been tasked with setting up a network for some high volume HD video and internet usage.  I currently have SUPERMICRO SYS-5015A-EHF-D525 1U Intel Atom D525 Dual Gigabit with a Netgear JGS524E Prosafe 24 Port Gigabit Switch.  I am looking to create 3 VLANs:
    1. VIDEO   - 192.168.10.100-200
    2. NAS and other network devices - 192.168.20.100-200
    3. INTERNAL INTERNET - 192.168.30.100-200
    4. GUEST INTERNET - 192.168.40.100-200 with login page.

    Pfsense is hooked to Port 1.  NAS and other devices port 2-9.  Video is expected to run without internet on ports 10-20.  A guest internet will be provided on Port 24 to a wifi router.  Internal internet is expected to run on ports 21-23.

    WAN is expected to pass through port em0 on pfsense device, and LAN is on em1 to the router.  I've tried almost all the tutorials I can find, but still have no luck.  I'm not even sure how the 802.1Q should be set on my switch.  Any input or tutorials would be extremely appreciated!

    Thanks everyone!

    You need 4 VLANs on em1.
    For simplicity, I'll just use the 3rd octet of the individual subnets.

    That is, you must create on em1:

    VLAN 10 (192.168.10.0/24 subnet for Videos)
    VLAN 20 (192.168.20.0/24 subnet for NAS)
    VLAN 30 (192.168.30.0/24 subnet for LAN; this is the default LAN used for pfSense)
    VLAN 40 (192.168.40.0/24 subnet for Wifi)

    When asked to assign the interfaces, select em0 for WAN and VLAN30 on em1 for LAN.  Set VLAN 10 on em1 as OPT1, VLAN 20 on em1 as OPT2 and VLAN 40 on em1 as OPT3.

    Go to assign Interface addresses and set as follows:
    LAN - 192.168.30.0 subnet mask of 24 (255.255.255.0)
    OPT1 - 192.168.10.0 subnet mask of 24 (255.255.255.0)
    OPT2 - 192.168.20.0 subnet mask of 24 (255.255.255.0)
    OPT3 - 192.168.40.0 subnet mask of 24 (255.255.255.0)

    em0 port from pfSense will be connected directly to your modem.

    Configure the switch as such:

    VLAN 1 (Usually the management interface ID):  Ports 1-23 as 'U'  <– This allows you to access the Switch WebGUI from ports 1 to 23 on the switch but not the Guest Wifi port.
    VLAN 10:  Port 1 marked as 'T'; Ports 10 to 20 Mark as 'U'.
    VLAN 20:  Port 1 marked as 'T'; Ports 2 to 9 Mark as 'U'.
    VLAN 30:  Port 1 marked as 'T'; Ports 21 to 23 Mark as 'U'.
    VLAN 40:  Port 1 marked as 'T'; Port 24 Mark as 'U'.

    And

    Port 1 Default PVID 30;
    Ports 2 to 9 default PVID 20;
    Ports 10 to 20 Default PVID 10;
    Ports 21-23 Default PVID 30;
    Port 24 Default PVID 40;

    If there is a restriction on VLAN access to the management interface, you must allow VLAN 30 to access the management interface first or you'll lose access to the switch management interface.

    Once that is done, you should be able to access the WebGUI from any machines connected to Ports 21-23 on the switch.

    The firewall and NAT rules are up to you to set.  I'm not sure what kind of restrictions you need, or which subnets need to talk to which others and vice versa.

    For a basic configuration, you can set under Firewall rules (Description in brackets):
    LAN tab:
    Add a rule to Block any protocol and source to destination subnet 192.168.40.0/24 (Block LAN to Guest traffic rule)
    Move this rule above "Default allow LAN to any rule".

    OPT1 tab:
    Allow any protocol and source to destination subnet 192.168.20.0/24 (Allow Videos to NAS traffic rule)
    Allow any protocol and source to destination subnet 192.168.30.0/24 (Allow Videos to LAN traffic rule)
    Block any protocol and source to destination subnet 192.168.40.0/24 (Block Videos to Guest traffic rule)

    OPT2 tab:
    Allow any protocol and source to destination subnet 192.168.10.0/24 (Allow NAS to Video traffic rule)
    Allow any protocol and source to destination subnet 192.168.30.0/24 (Allow NAS to LAN traffic rule)
    Block any protocol and source to destination subnet 192.168.40.0/24 (Block NAS to Guest traffic rule)

    OPT3 tab:
    Block any protocol and source to destination subnet 192.168.10.0/24 (Block Guest to Video traffic rule)
    Block any protocol and source to destination subnet 192.168.20.0/24 (Block Guest to NAS traffic rule)
    Block any protocol and source to destination subnet 192.168.30.0/24 (Block Guest to LAN traffic rule)
    Allow Any Protocol, Source and Destination (Allow Guest to access internet rule)

    On the Main Firewall: Rules page, click apply to commit the changes.

    Go to Firewall->NAT rules:
    Switch to Advanced Outbound NAT.
    Click on the plus sign beside the "Auto created rule for LAN to WAN" Rule.
    On the redirected page:
    Under Source Network, change to:  192.168.20.0/24
    Change Description to:  "Rule for NAS to WAN"
    Click Save / Apply.

    Again,
    Click on the plus sign beside the "Auto created rule for LAN to WAN" Rule.
    On the redirected page:
    Under Source Network, change to:  192.168.40.0/24
    Change Description to:  "Rule for Guest to WAN"
    Click Save / Apply.

    Finally, click Apply on the Firewall:NAT page.

    For captive portal on guest subnet, you need to consult the other members.  I don't use Captive portal on pfSense so I can't help you here.
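An added example, not part of the thread or of pfSense itself: a small Python model of the per-interface rule set given in the answer above, evaluated the way pfSense does it (rules on the tab of the interface where a new connection enters, top to bottom, first match wins, unmatched traffic dropped by the implicit default deny, replies allowed by state). It shows why the "Block LAN to Guest" rule has to sit above "Default allow LAN to any", why the Video VLAN ends up with no internet even though nothing explicitly blocks it, and one thing the rules as written do not cover: the Guest "allow any" rule also reaches pfSense's own address on the Guest interface. The internet host (203.0.113.10, a documentation address) and pfSense's Guest-side address 192.168.40.1 are assumptions for the sample flows; the thread gives neither.

```python
import ipaddress
from dataclasses import dataclass

IPv4Net = ipaddress.IPv4Network

# Subnets from the thread; the 3rd octet is the VLAN ID.
INTERFACES = {
    "LAN":  ipaddress.ip_network("192.168.30.0/24"),   # VLAN 30
    "OPT1": ipaddress.ip_network("192.168.10.0/24"),   # VLAN 10, Video
    "OPT2": ipaddress.ip_network("192.168.20.0/24"),   # VLAN 20, NAS
    "OPT3": ipaddress.ip_network("192.168.40.0/24"),   # VLAN 40, Guest
}
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    action: str        # "pass" or "block"
    dst: IPv4Net       # destination network; every rule in the answer uses source "any"
    desc: str


# Rules exactly as listed in the answer, one tab per interface. pfSense evaluates
# the tab of the interface a packet ENTERS on, top to bottom, first match wins;
# anything unmatched hits the implicit default deny. Return traffic is stateful.
RULES = {
    "LAN": [
        Rule("block", INTERFACES["OPT3"], "Block LAN to Guest traffic rule"),
        Rule("pass",  ANY,                "Default allow LAN to any rule"),
    ],
    "OPT1": [
        Rule("pass",  INTERFACES["OPT2"], "Allow Videos to NAS traffic rule"),
        Rule("pass",  INTERFACES["LAN"],  "Allow Videos to LAN traffic rule"),
        Rule("block", INTERFACES["OPT3"], "Block Videos to Guest traffic rule"),
    ],
    "OPT2": [
        Rule("pass",  INTERFACES["OPT1"], "Allow NAS to Video traffic rule"),
        Rule("pass",  INTERFACES["LAN"],  "Allow NAS to LAN traffic rule"),
        Rule("block", INTERFACES["OPT3"], "Block NAS to Guest traffic rule"),
    ],
    "OPT3": [
        Rule("block", INTERFACES["OPT1"], "Block Guest to Video traffic rule"),
        Rule("block", INTERFACES["OPT2"], "Block Guest to NAS traffic rule"),
        Rule("block", INTERFACES["LAN"],  "Block Guest to LAN traffic rule"),
        Rule("pass",  ANY,                "Allow Guest to access internet rule"),
    ],
}


def ingress_interface(src):
    """Name of the pfSense interface a packet from `src` enters on."""
    ip = ipaddress.ip_address(src)
    for name, net in INTERFACES.items():
        if ip in net:
            return name
    raise ValueError(f"{src} is not on any internal subnet")


def evaluate(src, dst, rules=RULES):
    """Return (action, description of the matching rule) for a new connection src -> dst."""
    iface = ingress_interface(src)
    d = ipaddress.ip_address(dst)
    for rule in rules[iface]:
        if d in rule.dst:
            return rule.action, rule.desc
    return "block", "implicit default deny"


def misordered_lan_rules():
    """The LAN tab with the block rule left BELOW the default allow, i.e. the state the
    answer tells you to fix by moving the block rule up. 0.0.0.0/0 matches first."""
    return {**RULES, "LAN": list(reversed(RULES["LAN"]))}


# Constructed sample flows (assumed addresses, not from the thread).
FLOWS = [
    ("192.168.30.10", "203.0.113.10"),   # LAN   -> internet
    ("192.168.30.10", "192.168.40.10"),  # LAN   -> Guest
    ("192.168.10.10", "192.168.20.10"),  # Video -> NAS
    ("192.168.10.10", "203.0.113.10"),   # Video -> internet: no allow rule, default deny
    ("192.168.40.10", "192.168.20.10"),  # Guest -> NAS
    ("192.168.40.10", "203.0.113.10"),   # Guest -> internet
    ("192.168.40.10", "192.168.40.1"),   # Guest -> pfSense's own Guest address (assumed .1)
]

if __name__ == "__main__":
    for src, dst in FLOWS:
        action, desc = evaluate(src, dst)
        print(f"{src:>14} -> {dst:<14} {action:5} ({desc})")
    print("misordered LAN -> Guest:", evaluate("192.168.30.10", "192.168.40.10", misordered_lan_rules()))
```

The last sample flow is the caveat: the Guest block rules only cover the other three subnets, so the final "allow any" still lets a guest host reach pfSense's address on the Guest interface (DHCP and DNS need that, the WebGUI does not). Whether that matters depends on what runs there; a captive portal or a rule restricting traffic to the firewall itself is where that would be handled.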



  • dreamslacker: You gave a full answer right away..



  • @Metu69salemi:

    dreamslacker: You gave a full answer right away..

    Not quite.  He has to go figure out the DHCP and specific rules assignment.  ;)

    Getting the basic functions up is one thing; if he's required to perform more specific firewalling then he's utterly screwed if he doesn't learn, and learn real fast.



  • Dreamslacker… Amazing!  Thank you very much!

    I got it up and running with no problems, and figured out where I went wrong originally.  But for some reason, I am able to get internet on all VLANs except VLAN3 (LAN).

    Anyway, thanks very much!  It's greatly appreciated, and the instructions were spot on!



  • @tludikar:

    Dreamslacker… Amazing!  Thank you very much!

    I got it up and running with no problems, and figured out where I went wrong originally.  But for some reason, I am able to get internet on all VLANs except VLAN3 (LAN).

    Anyway, thanks very much!  It's greatly appreciated, and the instructions were spot on!

    Check that your VLAN numbering scheme on both pfSense and the switch match up.  I was using VLAN30 in my example but you're referring to VLAN3.  So you must verify that both pfSense and switch use the same VLANs.

    Oh and VLAN1 should not be used.

    Check if you had accidentally edited the Default rule for LAN rather than duplicating it.
    Check the following rules to ensure you did not edit the LAN allow rules by accident:

    Firewall:Rules -> LAN -> "Default allow LAN to any rule"
    Firewall:NAT -> "Auto created rule for LAN to WAN"

