VLAN use on the LAN port of pfSense

  • Hello,

    I am very new to VLANs – but I think I have a good understanding of them.

    Here's the scenario: We provide internet service to our tenants in a high-rise building. Every tenant gets an ethernet port in their office, and their ethernet port is connected to a switch which connects to the LAN port of the pfSense box. It's a NAT'ed system, so the pfSense DHCP server assigns them an address in the pool.

    Here's my question: What I want to do is replace all the switches with VLAN capable switches and make a VLAN for each suite so that there is no traffic visible from suite to suite. Then I want to configure pfSense so that the trunk coming from the switches connects to the LAN port of pfSense in a way that no traffic is passed between the VLANs (so that no traffic is seen between the suites).

    I think I know how to set this up but I would like to hear from someone who can offer me advice on how to set this up so that I can compare before trying this in a production environment.

    I am concerned that even if the VLANs are set up properly in the switches (so that traffic isn't passed between VLANs), when traffic gets to the LAN port of pfSense, traffic will start getting passed between VLANs. How do I make sure to prevent this?

    As a side note: what if the LAN network interface doesn't support VLANs? The pfSense manual says it can still work, but the ethernet data frame size would drop by 4 bytes and could cause problems. What kind of problems would those be, or is this really insignificant?

    Thank you!


  • You will create a VLAN in pfSense for each suite. The VLAN IDs must match those that you set up in the switch. Enable each VLAN interface in pfSense and give it a static IP on its own subnet, for example 192.168.x.1/24, where x is the suite # (and could also be the VLAN # for simplicity, but generally don't use VLAN 1).

    By default, the LAN interface has a pass rule that allows LAN hosts to reach every attached network. Either don't use the LAN interface for one of your suites, or change the default rule.

    By default, other (non-LAN) interfaces will deny all traffic, so the hosts in your building won't have internet access. Usually the easiest way to rectify this is to create a firewall alias that includes all local subnets (i.e., 192.168.y.0/20 if you have 16 suites). Now make an interface group that includes all of these interfaces. Then go to the firewall rules page for this group and make a single rule to pass all traffic from this group's subnets to all destinations that are not local.
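    The plan in the answer above, modelled as an added example (not code from the original poster or from pfSense): one VLAN per suite, one /24 per VLAN with pfSense at .1, a single alias covering every suite subnet, and one pass rule that lets the interface group reach anything that is not in that alias. The suite count, the VLAN IDs 16..31, the parent NIC name `igb1` and the interface/alias names are all assumptions. Two practical points the code makes visible: the 16 suite subnets only merge into a single /20 alias entry when they sit in an aligned block (192.168.16.0 through 192.168.31.0 do; 192.168.1.0 through 192.168.16.0 need five entries), and a rule that passes only to non-local destinations also blocks a suite from reaching its own pfSense address, so if pfSense is meant to serve DNS to the tenants an extra allowance is needed.

```python
import ipaddress

# Constructed sample values: 16 suites on VLAN IDs 16..31.  VLAN 1 is avoided,
# and the third octet equals the VLAN ID, so every suite subnet falls inside
# the aligned block 192.168.16.0/20.
SUITES = list(range(16, 32))


def suite_subnet(vlan_id):
    """The /24 for one suite; pfSense takes .1, following the answer's convention."""
    return ipaddress.ip_network(f"192.168.{vlan_id}.0/24")


def vlan_interfaces(parent="igb1", suites=SUITES):
    """(interface name, VLAN ID, pfSense address) per suite.  The parent NIC
    name is an assumption; the <parent>.<vid> naming mirrors pfSense's."""
    return [(f"{parent}.{v}", v, str(suite_subnet(v)[1])) for v in suites]


def local_alias(suites=SUITES):
    """Entries for the 'all local subnets' alias, merged as far as alignment
    allows.  Aligned /24s 16..31 collapse to the single entry 192.168.16.0/20;
    the unaligned range 1..16 would need several entries."""
    nets = (suite_subnet(v) for v in suites)
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def is_local(addr, suites=SUITES):
    """True if addr is covered by the local-subnets alias."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(e) for e in local_alias(suites))


def permitted(src, dst, suites=SUITES, allow_own_gateway=False):
    """Evaluate the interface-group rule set for one src -> dst pair.

    Order matches pfSense: the single pass rule ('from group subnets to
    not-local') is tried first; anything it does not match falls through to
    the default deny on non-LAN interfaces.  allow_own_gateway adds an
    optional exception so a suite can still talk to its own pfSense address
    (e.g. for DNS); it never opens a path to another suite."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    src_net = next((suite_subnet(v) for v in suites if s in suite_subnet(v)), None)
    if src_net is None:
        return False          # not from any suite subnet: default deny
    if not is_local(d, suites):
        return True           # the single pass rule: internet-bound traffic
    if allow_own_gateway and d == src_net[1]:
        return True           # optional exception for the suite's own gateway
    return False              # suite-to-suite (or to another suite's gateway)


if __name__ == "__main__":
    for name, vid, gw in vlan_interfaces():
        print(f"{name:10} vlan {vid:2}  {gw}/24")
    print("alias LocalNets:", local_alias())
    print("alias if suites were 1..16:", local_alias(list(range(1, 17))))
    print("17.50 -> 8.8.8.8      :", permitted("192.168.17.50", "8.8.8.8"))
    print("17.50 -> 18.5         :", permitted("192.168.17.50", "192.168.18.5"))
    print("17.50 -> own gateway  :", permitted("192.168.17.50", "192.168.17.1"))
    print("17.50 -> own gw (DNS) :", permitted("192.168.17.50", "192.168.17.1",
                                                allow_own_gateway=True))
```

    Running it prints the interface plan, shows the alias collapsing to one /20 only for the aligned range, and walks through the four traffic cases a tenant will actually generate: out to the internet (passed), to a neighbouring suite (denied), and to the suite's own pfSense address (denied by the rule as stated, passed only with the explicit exception).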

  • OK, great! I am going to try this ASAP! Thank you!

  • By the way, if the LAN interface does not support VLANs, will it NOT be shown when I go into the INTERFACES > ASSIGN > VLANs > ADD screen? I guess my question is: if the interface is listed, then do I not need to worry about the reduced MTU, as it states on the INTERFACES > ASSIGN > VLANs page? It states on that page:

    "Not all drivers/NICs support 802.1Q VLAN tagging properly. On cards that do not explicitly support it, VLAN tagging will still work, but the reduced MTU may cause problems. See the pfSense handbook for information on supported cards."

  • I think NICs that don't support VLANs are fairly uncommon these days. I haven't seen one, but it is my understanding that if you had one it would still appear on the VLAN page and you could select it. Once configured, I expect it would default to an MTU of 1496, which is not likely to cause you big problems in my experience. I serve a lot of clients with a WAN (PPPoE) MTU of 1452 and never a complaint.