Netgate Discussion Forum
    Separating pfSense VLANs with Cisco switch

    General pfSense Questions
    3 Posts 2 Posters 2.1k Views

      Nikolaj
      last edited by

      Hi all,
      I'm using an HP server with pfSense 2.1.5 and a Cisco Catalyst 3560 to run my apartment block's internet connection. It's working fine, but I have trouble setting up the VLAN separation, so that each apartment/switchport has its own VLAN.

      My switch's config is here:
      http://pastebin.com/XDfj7hst

      This is my setup - the drawing might miss something, but you get it!

      Firewall rules:

      I'm testing with VLAN122 - which is switch port 22, with IP 192.168.122.20.
      I don't know if the VLANs are acting correctly, or it could also be the firewall rules, which I'm totally bad at!

      Could anyone point me in the correct direction or help me troubleshoot?

      Thanks,
      Nikolaj

        phil.davis
        last edited by

        The VLAN122 firewall rule is just allowing TCP traffic to the LAN network. That will let you access pfSense webGUI (for example) at 192.168.1.1
        Actually it seems like you want VLANnnn to have internet access, but NOT access to other private VLANs or devices on LANnet (like pfSense webGUI).
        You could set up an alias for all your private address space that you might use - InternalSubnets 192.168.0.0/16 - then:

        Allow UDP/TCP to VLAN122address port 53 (DNS) - so they can use pfSense for DNS.
        Allow ICMP to VLAN122address - just being nice here so when testing they can ping pfSense
        Block All protocols, source any, destination InternalSubnets - block access to anything else internal
        Allow all protocols, source VLAN122net, destination any - let them out to the public internet in general

        (note: if you are using pfSense DHCP server - which I expect you are - then pfSense automatically puts a pass rule in to allow DHCP requests etc on the interfaces with DHCP server enabled - no need to put your own rule for that)

        As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
        If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

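The rule set above only isolates the VLAN because pfSense evaluates interface rules top to bottom and the first match wins, with an implicit default deny at the end. The block-InternalSubnets rule therefore has to sit above the allow-anything rule, and the DNS/ICMP exceptions have to sit above the block. The following is an added example (not from the thread or from pfSense itself) that models that first-match evaluation in Python and checks the four rules against sample packets. The interface address 192.168.122.1/24 for VLAN122, the alias names, and the test packets are assumptions for the example; the thread itself only gives the client 192.168.122.20 and the webGUI at 192.168.1.1.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed addressing (not stated in the thread apart from the two hosts above).
VLAN122_ADDRESS = ipaddress.ip_network("192.168.122.1/32")   # pfSense's address on VLAN122
VLAN122_NET = ipaddress.ip_network("192.168.122.0/24")       # the VLAN122 subnet
INTERNAL_SUBNETS = ipaddress.ip_network("192.168.0.0/16")    # the InternalSubnets alias
LAN_NET = ipaddress.ip_network("192.168.1.0/24")             # LAN net, where 192.168.1.1 lives
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    action: str                 # "pass" or "block"
    protos: frozenset           # e.g. {"tcp", "udp"}, {"icmp"} or {"any"}
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None # None means any destination port
    note: str = ""


@dataclass(frozen=True)
class Packet:
    proto: str                  # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None


def matches(rule: Rule, pkt: Packet) -> bool:
    """True if the packet falls within every field the rule constrains."""
    if "any" not in rule.protos and pkt.proto not in rule.protos:
        return False
    if ipaddress.ip_address(pkt.src) not in rule.src:
        return False
    if ipaddress.ip_address(pkt.dst) not in rule.dst:
        return False
    if rule.dport is not None and pkt.dport != rule.dport:
        return False
    return True


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """First matching rule wins; nothing matching hits pfSense's implicit default deny."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule.note
    return "block", "implicit default deny"


# The reply's rule set, in the order it must appear on the VLAN122 interface tab.
VLAN122_RULES = [
    Rule("pass", frozenset({"tcp", "udp"}), ANY, VLAN122_ADDRESS, 53, "DNS to pfSense"),
    Rule("pass", frozenset({"icmp"}), ANY, VLAN122_ADDRESS, None, "ping pfSense"),
    Rule("block", frozenset({"any"}), ANY, INTERNAL_SUBNETS, None, "block InternalSubnets"),
    Rule("pass", frozenset({"any"}), VLAN122_NET, ANY, None, "out to the internet"),
]

# The original poster's single rule: TCP from VLAN122 to LAN net. It reaches the webGUI.
ORIGINAL_RULES = [
    Rule("pass", frozenset({"tcp"}), VLAN122_NET, LAN_NET, None, "TCP to LAN net"),
]

# Same four rules with the block and the allow-any swapped: the block never fires.
MISORDERED_RULES = VLAN122_RULES[:2] + [VLAN122_RULES[3], VLAN122_RULES[2]]

# Constructed sample packets from the tenant at 192.168.122.20.
SAMPLE_PACKETS = {
    "dns_to_pfsense": Packet("udp", "192.168.122.20", "192.168.122.1", 53),
    "ping_pfsense": Packet("icmp", "192.168.122.20", "192.168.122.1"),
    "webgui_on_lan": Packet("tcp", "192.168.122.20", "192.168.1.1", 443),
    "other_vlan_ssh": Packet("tcp", "192.168.122.20", "192.168.123.5", 22),
    "dns_via_lan_addr": Packet("udp", "192.168.122.20", "192.168.1.1", 53),
    "public_https": Packet("tcp", "192.168.122.20", "8.8.8.8", 443),
}


def isolation_failures(rules: List[Rule]) -> List[str]:
    """Names of sample packets to internal hosts (other than the VLAN122 exceptions) that pass."""
    failures = []
    for name, pkt in SAMPLE_PACKETS.items():
        dst = ipaddress.ip_address(pkt.dst)
        if dst in INTERNAL_SUBNETS and dst not in VLAN122_ADDRESS:
            if evaluate(rules, pkt)[0] == "pass":
                failures.append(name)
    return failures


if __name__ == "__main__":
    for label, rules in (("reply", VLAN122_RULES), ("original", ORIGINAL_RULES),
                         ("misordered", MISORDERED_RULES)):
        for name, pkt in SAMPLE_PACKETS.items():
            print(f"{label:10} {name:18} -> {evaluate(rules, pkt)}")
        print(f"{label:10} isolation failures: {isolation_failures(rules)}")
```

Running it shows the reply's order passing DNS and ping to 192.168.122.1 and public traffic, while the webGUI, another VLAN, and DNS against the LAN address all hit the block rule. Swapping the last two rules lets every internal destination through, which is the mistake to look for if the VLAN can still reach 192.168.1.1 after the change.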
          Nikolaj
          last edited by

          This seems to be perfect!
          Thank you so much!

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.