VLAN Setup of pfSense.



  • ??? Proof of concept - can this be done ???

    The customer's scenario:

    They have a pfS box with four interfaces (fxp0-3)
    fxp0=WAN (static)
    fxp1=LAN (192.168.1.0/24)
    fxp2=DMZ (10.1.1.0/24)
    fxp3=WLAN (192.168.2.0/24)

    Everything works well and very reliably, but I have two new networks (VLAN'd w/ Cisco switches) that need access to the internet and DMZ based servers through the pfS platform.  I cannot add another NIC (or dual NIC) to the pfS box as I am out of PCI slots and there is no other option, hardware-wise, for this platform.

    VLAN setup on customer network:

    VLAN100=management net
    VLAN101=LAN NET (192.168.1.0/24)
    VLAN201=KIOSK NET (192.168.100.0/24)
    VLAN301=LAB NET (192.168.200.0/24)

    As of today these VLANs/networks (201 & 301) are segmented/isolated and have their own DHCP servers and have dead-ended default gateway IPs of said DHCP server .. in other words they go nowhere when requesting addresses other than the attached IP space.  I do not have the option of changing the address space of these networks as they are managed by different business units and they are adamant that they will not re-IP their networks.  The LAN NET VLAN101 is the only one that has exposure to the internet and they use pfS for DHCP, DNS FWD & default gateway.

    So here is my thinking … I am thinking that I can present the pfS box with a Cisco trunk that will carry VLANs 101, 201 & 301 and feed it to the fxp1 interface of the pfS box.  I can prune and do all that I need to limit the exposure of all VLANs to the pfS box, no problem.  But the real question is how to provide default gateway addresses and DHCP service to these three dissimilarly IP'd networks when there is really only one physical NIC.  I can see in the interface section where to create the tagging and assign NICs to a tagged VLAN, but I am unclear as to assigning the IP of the dissimilar networks to one NIC; is this the "virtual IP address" section?  Assuming it is and I assign VIPs to the fxp1 interface like this (physical=192.168.1.1, VIP1=192.168.100.1, VIP2=192.168.200.1), then how could I provide DHCP and DNS service to all three networks from pfS?  The managers want to remove the DHCP servers from each of the two additional networks and rely on pfS for DHCP and resolution to the net and DMZ.  [ thereby putting all the management of these nets on me … oh whoopee :-( ]

    I may be reaching here and maybe this cannot be done with pfS.

    Suggestions VERY welcomed !!!



  • You set up VLANs like any other NIC
    http://pfsense.hotserv.dk/hmm.htm



  • I think you create VLANs only… but you must add this VLAN as a new interface (in Interfaces: Assign).
    Then you can set an IP for these interfaces, set rules and DHCP... etc.
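    The procedure the reply above describes (create the tag, assign it as its own interface, give it an address, then rules and DHCP per interface) as an added worked example; this is not code from the thread or from the pfSense project. It models the poster's plan of trunking VLANs 101, 201 and 301 into fxp1, checks the plan for the mistakes that would break it (overlapping subnets, duplicate tags), and emits the FreeBSD ifconfig(8) commands equivalent to what the GUI configures plus a per-interface rule sketch so KIOSK and LAB reach the DMZ and the internet but not each other or the LAN. The `vlanNNN` interface names, the DHCP scope offsets and the rule layout are assumptions, not pfSense output.

```python
"""Plan per-VLAN L3 interfaces on one trunked NIC, as pfSense does it.

Added example, not from the thread or the pfSense project.  Each 802.1Q tag
on fxp1 becomes its own interface with its own address, firewall rules and
DHCP scope; nothing is stacked as virtual IPs on the physical interface.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Vlan:
    tag: int        # 802.1Q VLAN ID carried on the trunk
    name: str       # pfSense interface description
    network: str    # subnet in CIDR notation


# Constructed from the thread: the VLANs the Cisco trunk to fxp1 will carry.
PARENT_NIC = "fxp1"
TRUNK_VLANS = [
    Vlan(101, "LAN", "192.168.1.0/24"),
    Vlan(201, "KIOSK", "192.168.100.0/24"),
    Vlan(301, "LAB", "192.168.200.0/24"),
]


def validate(vlans):
    """Reject plans pfSense would refuse or that would silently misroute.

    Checks: legal tag range, unique tags and names, and no overlapping
    subnets (two interfaces on overlapping subnets leave one unreachable).
    """
    tags, names, nets = set(), set(), []
    for v in vlans:
        if not 1 <= v.tag <= 4094:
            raise ValueError(f"VLAN tag {v.tag} outside 1-4094")
        if v.tag in tags:
            raise ValueError(f"duplicate VLAN tag {v.tag}")
        if v.name in names:
            raise ValueError(f"duplicate interface name {v.name}")
        net = ipaddress.ip_network(v.network, strict=True)
        for other in nets:
            if net.overlaps(other):
                raise ValueError(f"{net} overlaps {other}")
        tags.add(v.tag)
        names.add(v.name)
        nets.append(net)
    return True


def gateway_ip(network):
    """First usable host: the pfSense address and the DHCP default gateway."""
    return str(next(ipaddress.ip_network(network).hosts()))


def dhcp_range(network):
    """Assumed scope: the 10th usable host through the last usable host."""
    hosts = list(ipaddress.ip_network(network).hosts())
    return str(hosts[9]), str(hosts[-1])


def plan(parent, vlans):
    """One interface record per VLAN: what you would enter under Interfaces."""
    validate(vlans)
    out = []
    for v in vlans:
        net = ipaddress.ip_network(v.network)
        out.append({
            "ifname": f"vlan{v.tag}",      # assumed name; pfSense shows its own label
            "parent": parent, "tag": v.tag, "description": v.name,
            "address": gateway_ip(v.network), "prefix": net.prefixlen,
            "dhcp_range": dhcp_range(v.network),
        })
    return out


def freebsd_ifconfig(parent, vlans):
    """Equivalent FreeBSD ifconfig(8) commands for checking at the console.

    pfSense writes these itself from its config; shown only to make the
    'VLAN is a separate interface' point concrete.
    """
    cmds = []
    for p in plan(parent, vlans):
        cmds.append(f"ifconfig {p['ifname']} create vlan {p['tag']} vlandev {p['parent']}")
        cmds.append(f"ifconfig {p['ifname']} inet {p['address']}/{p['prefix']}")
    return cmds


def isolation_rules(vlans, dmz="10.1.1.0/24", trusted=("LAN",)):
    """Per-interface rule sketch for the added VLANs: DMZ and internet, but
    not the other local nets.  Rules are evaluated top-down, first match
    wins, so the blocks sit above the final pass-any."""
    rules = {}
    for v in vlans:
        if v.name in trusted:
            continue
        others = [o.network for o in vlans if o.name != v.name]
        rules[v.name] = (
            [{"action": "pass", "src": v.network, "dst": dmz}]
            + [{"action": "block", "src": v.network, "dst": n} for n in others]
            + [{"action": "pass", "src": v.network, "dst": "any"}]
        )
    return rules


if __name__ == "__main__":
    for line in freebsd_ifconfig(PARENT_NIC, TRUNK_VLANS):
        print(line)
    for name, rs in isolation_rules(TRUNK_VLANS).items():
        print(name, rs)
```

    The validation step is the part worth keeping: an overlapping or duplicated subnet on two interfaces is exactly the failure the poster was heading for by putting VIPs for three networks on one interface.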



  • @Perry:

    You set up VLANs like any other NIC
    http://pfsense.hotserv.dk/hmm.htm

    VERY, VERY helpful … thanks bunches!!  I have it up and running now with little difficulty thanks to this great presentation.

