Vlan with pfsense

  • Hi everyone

    My network topology:
    vlan2----------               |
    vlan3----------cisco 3550----(vlan1-nic1)pfsense(nic2)-----internet
    On the Cisco switch: divided into vlan 2, 3, 4; ip route default-gateway nic1 (pfsense)
        From vlan 2, 3, 4 I can access and ping the pfsense server
    On pfsense:
        Rule -- LAN: permit IP range from vlan 1 to vlan 4 out to the internet
        NAT on outbound interface nic2 for vlan1, vlan2, vlan3, vlan4
        From the servers I can access the internet, but from vlan2, vlan3, vlan4 I cannot access the internet
    I don't know where I configured it wrong. Please help me.

    Thank you very much

  • Did you specify the other vlans 2-4 on the nic in pfsense?

  • Are you talking about port-based vlans or tagged vlans? Your drawing doesn't make too much sense to me because it looks like none of the vlans should be able to communicate with each other imo.

  • I thought that the vlan tag on pfsense is for trunking only. I have a Cisco 3550, which is a layer 3 switch. I don't think it needs trunking. That's right. Moreover, I can ping PCs belonging to different vlans, and ping nic1 (vlan1) of pfsense. So I thought there was no problem with routing.


  • I'm not sure if you really know what you want to set up here or how you have to set it up. I guess you want to have separation between the vlans (firewall them against each other). For this you have to create a vlan trunk to the pfSense. The switchport on the Cisco that links to the pfSense has to tag traffic (IEEE 802.1Q, not the Cisco vlan protocol) and has to have all the other vlans enabled (vlan1, vlan2, vlan3, vlan4). At the pfSense you have to create all the vlans as well and assign each vlan as an interface. The additional ports on the Cisco should be port-based (untagged or "native" like Cisco calls it iirc) vlan members of only the vlan they belong to (so either vlan1 or vlan2 or vlan3…). I have that exact setup at the office with 7 vlans. This way all the segments will be routed and firewalled by the pfSense.
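  An added example of the trunk setup described above, written for this thread and not the poster's own configuration: the interface numbers, the pfSense vlan1 address 192.168.1.1 and the switch management placement are assumptions. Inter-VLAN routing is left off on the 3550 so that every segment has to cross the pfSense rules.

```text
! Cisco 3550 side (IOS). Assumed: Fa0/24 is the uplink to pfSense nic1,
! Fa0/1-Fa0/3 are host ports for vlan2, vlan3, vlan4; vlan 1 stays native.
!
! Do not route between vlans on the switch; pfSense routes and firewalls.
no ip routing
! Assumed pfSense vlan1 address, used only for switch management.
ip default-gateway 192.168.1.1
!
vlan 2
 name vlan2
vlan 3
 name vlan3
vlan 4
 name vlan4
!
! Uplink to pfSense: IEEE 802.1Q trunk (not ISL), carrying vlan 1-4 only.
interface FastEthernet0/24
 description trunk to pfSense nic1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 1
 switchport trunk allowed vlan 1-4
 spanning-tree portfast trunk
!
! Port-based (untagged) members: each host port belongs to one vlan only.
interface FastEthernet0/1
 description host in vlan2
 switchport mode access
 switchport access vlan 2
 spanning-tree portfast
interface FastEthernet0/2
 description host in vlan3
 switchport mode access
 switchport access vlan 3
 spanning-tree portfast
interface FastEthernet0/3
 description host in vlan4
 switchport mode access
 switchport access vlan 4
 spanning-tree portfast
!
! pfSense side (web GUI): Interfaces > Assignments > VLANs, add tags 2, 3
! and 4 on the parent interface of nic1; assign each as an interface
! (OPT1..OPT3), enable it, give it that subnet's gateway address, then
! add the firewall rules and outbound NAT for each new interface.
```

  Checking the trunk afterwards with "show interfaces trunk" on the 3550 should list Fa0/24 with encapsulation 802.1q and vlans 1-4 allowed and active; if a vlan is missing there, pfSense will never see its tagged frames.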

