Multiple VLANs within same subnet

  • I am looking to separate some layer 2 traffic and force requests through the firewall if they are not in the same VLAN. What I believe is needed is an interface in each VLAN. What I am unsure about is how to configure the interfaces to all share the same IP address. Also, will the firewall rules get applied to traffic coming from other VLANs?

    How do I configure all the VLAN interfaces to share the same IP address?

    Please see attached diagram of setup.

  • 1: Create your different VLANs.
    2: Assign them.
    3: Bridge them.

    Depending on your needs, assign the bridge itself as well. The IP of the pfsense in this subnet would reside on the bridge.

    Firewall rules to control traffic between the VLANs go to the tab of each assigned OPT interface for a VLAN.

  • Great! Assigning the IP to the actual bridge itself seems to be what I was missing. Currently all interfaces are configured without IPs and the gateway IP being assigned to the bridge.

    The issue now is that CARP IPs on the bridge don't appear to be working properly. On the CARP Status page the IP says INIT. After a reboot it has a green play symbol but does not say Master.

    Are there any issues with creating CARP IPs on a bridge?

  • I am still struggling to wrap my head around this configuration. Ultimately what I am looking to do is prevent hosts within the same subnet from seeing each other and have the firewall rules enforced as if the host was external from the other system. I understand how to accomplish this with ASAs but not with PFsense. We're also utilizing carp so the solutions must failover. I have seen many posts suggesting to stay away from carp and bridging.

    We currently have 2 pfsense boxes with 6 interfaces and we're looking to split our subnet in to about 10 separate security contexts.

    Any insight is greatly appreciated.

Log in to reply