Separating pfSense VLANs with Cisco switch



  • Hi all,
    I'm using a HP server with pfSense 2.1.5 and a Cisco Catalyst 3560 to run my apartment blocks internet connection. It's working fine, but I have trouble setting up the VLAN separation, so that each apartment/switchport has it's own VLAN.

    My switches config is here:
    http://pastebin.com/XDfj7hst

    This is my setup - the drawing might miss something, but you get it!

    Firewall rules:

    I'm testing with VLAN122 - which is switch port 22, with IP 192.168.122.20.
    I don't who if the VLAN's is acting correctly, or it could also be the firewall rules, which I'm a totally bad at!

    Could anyone point me in the correct direction or help me troubleshoot?

    Thanks,
    Nikolaj



  • The VLAN122 firewall rule is just allowing TCP traffic to the LAN network. That will let you access pfSense webGUI (for example) at 192.168.1.1
    Actually it seems like you want VLANnnn to have internet access, but NOT access to other private VLANs or devices on LANnet (like pfSense webGUI).
    You could setup an alias for all your private address space that you might use - InternalSubnets 192.168.0.0/16 - then:

    Allow UDP/TCP to VLAN122address port 53 (DNS) - so they can use pfSense for DNS.
    Allow ICMP to VLAN122address - just being nice here so when testing they can ping pfSense
    Block All protocols, source any, destination InternalSubnets - block access to anything else internal
    Allow all protocols, source VLAN122net, destination any - let them out to the public internet in general

    (note: if you are using pfSense DHCP server - which I expect you are - then pfSense automatically puts a pass rule in to allow DHCP requests etc on the interfaces with DHCP server enabled - no need to put your own rule for that)



  • This seems to be perfect!
    Thank you so much!