    Are VLANS needed in the firewall setup if handled on a managed switch?

    Category: Problems Installing or Upgrading pfSense Software
    10 Posts 7 Posters 1.6k Views
    • Artecs

      I have set up a pfSense firewall with a WAN interface and a LAN interface. The WAN interface is connected to a cable modem and the LAN interface is connected to a Dell PowerConnect that is managing 5 VLANs.

      100 (10.10.0.0)
      101 (10.10.1.0)
      102 (10.10.2.0)
      103 (10.10.3.0)
      200 (192.168.0.0)

      Just for thoroughness I have added all of the VLAN tags in the pfSense server but have not configured any as interfaces.

      I can traceroute from the LAN interface to addresses on all of the VLANs except 200; when I try to run the traceroute on it (192.168.0.1) the firewall shows the first hop as the cable modem gateway address, then all *** after that, eventually timing out.

      I have confirmed that the port on the switch is set up with access to the VLAN by plugging in a Windows PC and pinging the address successfully; however, the pfSense firewall cannot ping or traceroute.

      I have confirmed that "Block private networks" and "Block bogon networks" are not set on the LAN interface.

      I have created firewall rules for the LAN adapter to allow traffic from any source/port directed to any source/port.

      What am I missing here?
      Thanks
      -Luke

      • Supermule (Banned)

        You need the interfaces set up to handle their own IP range and use the designated GWs.

        • nicholas1520

          Assign the VLANs in pfSense and enable the interfaces with the respective addresses, then set up the DHCP server on each of those interfaces. You'll need to make sure the port that is connected to the router is configured as a trunk for each VLAN on the switch.

          • Supermule (Banned)

            You don't need the trunk. Just assign the same ports to different VLAN tags. Then the switch can handle it easily.

            • Derelict (LAYER 8, Netgate)

              If you are dealing with interface eth0:

              Interfaces > (assign)

              Traffic to/from a pfSense interface assigned to eth0 will be untagged to and from the switch

              Traffic to/from a pfSense interface assigned to VLAN X on eth0 will be tagged with VLAN X to and from the switch.

              Chattanooga, Tennessee, USA
              A comprehensive network diagram is worth 10,000 words and 15 conference calls.
              DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
              Do Not Chat For Help! NO_WAN_EGRESS(TM)

              • Artecs

                Thanks for the input! I need to clarify: I inherited the network and am not a network guy!!! The VLANs are already built on the switch and handled by a Windows server with DHCP scopes for all but 200 (the one that I'm having trouble with).

                Are the VLAN adapters required in pfSense to connect to the VLANs (for tagging?), or are they only required if you need DHCP or special routing in place?

                Again, thanks for all the input. I've read almost every doc page but haven't found a simple explanation (other than the router-on-a-stick document). Is there anything that you could point me to for a better understanding of the VLAN settings in pfSense (is this outlined in better detail in the pfSense Definitive Guide included with the Gold subscription?)

                Thanks again,
                -Luke

                • Derelict (LAYER 8, Netgate)

                  Inherited a network and you're not a network guy, huh.  Must not be very important to TPTB that their network actually work.

                  If you need layer 3 connectivity to pfSense on VLAN 200 then you need a pfSense interface assigned to VLAN 200 on eth0 with the proper layer 3 config (IP address, netmask, firewall rules, etc.).

                  If you just need connectivity from hosts on VLAN 200 to your AD DHCP on VLAN 200 then look in the layer 2 (switch) config.

                  • robi

                    The principle is that in pfSense you have a separate virtual network port for each VLAN. Just as if you had as many separate network cards in pfSense, each plugged directly with separate cables in those LANs. But with VLANs, you have them all in the same cable.

                    • Gerard64

                      See this screen pic.

                      [attached screenshot: Untitled-1.jpg]

                      • vbentley

                        @Derelict:

                        Inherited a network and you're not a network guy, huh.  Must not be very important to TPTB that their network actually work.

                        Artecs, don't worry. You don't need to be a network guy to setup pfSense but it helps if you are willing to learn what you do need to know.

                        VLANs are far easier to conceptualize if you understand why they exist.

                        To expand on robi's comments…

                        You have 5 LANs. In the old days, you would need 5 physical Ethernet interfaces in your firewall to service them.
                        VLANs enable you to collapse 5 physical networks into just 1 physical network so that only 1 physical interface is required to service them all. This cuts down on cabling and hardware and can make remote moves and changes much easier.

                        VLANs do this by tagging packets with the label that you assigned to them so that they can be identified and separated later.

                        If you have a physical cable plugged into a pfSense Ethernet interface that is running one or more tagged VLANs, the other end of the cable should be plugged into a tagged port on a VLAN switch. It is usual to make this port a member of each VLAN that it is servicing.

                        If you have a physical cable plugged into a pfSense Ethernet interface that is not declared as a VLAN, the other end of the cable should be plugged into an UNtagged port on a VLAN switch. This port only needs to be a member of the one LAN that it services. Alternatively you could just use a regular non-VLAN-capable switch or even a hub!

                        I hope this helps.

                        Trademark Attribution and Credit
                        pfSense® and pfSense Certified® are registered trademarks of Electric Sheep Fencing, LLC in the United States and other countries.

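The two rules the thread keeps coming back to are Derelict's (a frame for the interface assigned to eth0 itself crosses the cable untagged; a frame for an interface assigned to "VLAN X on eth0" crosses it carrying tag X) and vbentley's (the switch port facing the firewall must be an untagged member of the one native LAN and a tagged member of every other VLAN it carries). The model below is an added example written for this page, not pfSense or FreeBSD code: it builds and parses real 802.1Q frames (TPID 0x8100 followed by the PCP/DEI/VID tag control field) and runs the thread's scenario through a toy switch port and a toy pfSense parent NIC. Everything named in it is an assumption chosen to match the thread, not something the thread states: the parent NIC is called em0, the native LAN is PVID 1, the four assigned VLAN interfaces are OPT1 to OPT4, and the MAC addresses and payload bytes are constructed. The point it shows is the OP's symptom in miniature: a frame tagged 200 reaches em0 intact but, with no interface assigned to VLAN 200, there is nothing for it to belong to and it is discarded.

```python
"""Model of 802.1Q tagging between a managed-switch port and a pfSense NIC.

Added example for this thread, not pfSense code. em0, OPT1-OPT4, PVID 1,
the MAC addresses and the payload are assumptions constructed for the demo.
"""
import struct
from dataclasses import dataclass, field
from typing import Dict, List, Optional

TPID_8021Q = 0x8100      # EtherType value that announces an 802.1Q tag follows
ETHERTYPE_IPV4 = 0x0800


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes,
                vid: Optional[int] = None, pcp: int = 0) -> bytes:
    """Ethernet II frame. When vid is given, insert the 4-byte 802.1Q tag
    (TPID 0x8100 + TCI: 3-bit PCP, 1-bit DEI, 12-bit VID) after the MACs."""
    if len(dst) != 6 or len(src) != 6:
        raise ValueError("MAC addresses must be 6 bytes")
    frame = dst + src
    if vid is not None:
        if not 1 <= vid <= 4094:          # 0 and 4095 are reserved by 802.1Q
            raise ValueError("VID must be in 1..4094")
        tci = ((pcp & 0x7) << 13) | (vid & 0x0FFF)   # DEI bit left at 0
        frame += struct.pack("!HH", TPID_8021Q, tci)
    return frame + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes):
    """Return (vid or None, ethertype, payload); untagged if no 0x8100 TPID."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == TPID_8021Q:
        tci = struct.unpack("!H", frame[14:16])[0]
        inner = struct.unpack("!H", frame[16:18])[0]
        return tci & 0x0FFF, inner, frame[18:]
    return None, ethertype, frame[14:]


@dataclass
class SwitchPort:
    """Switch port facing the firewall. Traffic for the PVID (the single
    untagged member) leaves untagged; traffic for tagged member VLANs leaves
    tagged; traffic for any other VLAN is not forwarded out this port."""
    pvid: Optional[int] = None
    tagged: set = field(default_factory=set)

    def egress(self, vlan: int, dst: bytes, src: bytes,
               ethertype: int, payload: bytes) -> Optional[bytes]:
        if vlan == self.pvid:
            return build_frame(dst, src, ethertype, payload)
        if vlan in self.tagged:
            return build_frame(dst, src, ethertype, payload, vid=vlan)
        return None


@dataclass
class ParentInterface:
    """pfSense NIC such as em0. An untagged frame belongs to the interface
    assigned to the parent itself; a tagged frame belongs to the interface
    assigned to 'VLAN X on em0'. A tag with no assigned interface is dropped."""
    name: str
    untagged_ifname: Optional[str] = None
    vlan_ifnames: Dict[int, str] = field(default_factory=dict)
    dropped: List[Optional[int]] = field(default_factory=list)

    def receive(self, frame: bytes) -> Optional[str]:
        vid, _, _ = parse_frame(frame)
        target = self.untagged_ifname if vid is None else self.vlan_ifnames.get(vid)
        if target is None:
            self.dropped.append(vid)
        return target


def demo() -> dict:
    """Thread scenario (assumed names): the switch uplink carries VLANs
    100-103 and 200 tagged with PVID 1 untagged; pfSense has interfaces for
    the parent and for 100-103, but nothing assigned to VLAN 200."""
    port = SwitchPort(pvid=1, tagged={100, 101, 102, 103, 200})
    em0 = ParentInterface("em0", untagged_ifname="LAN",
                          vlan_ifnames={100: "OPT1", 101: "OPT2",
                                        102: "OPT3", 103: "OPT4"})
    dst = bytes.fromhex("001122334455")          # constructed MACs
    src = bytes.fromhex("66778899aabb")
    payload = b"\x45" + b"\x00" * 19             # constructed IPv4 header stub
    delivered = {}
    for vlan in (1, 100, 200, 300):              # 300: not a member of the port
        frame = port.egress(vlan, dst, src, ETHERTYPE_IPV4, payload)
        delivered[vlan] = None if frame is None else em0.receive(frame)
    return {"delivered": delivered, "dropped": em0.dropped}


if __name__ == "__main__":
    print(demo())
```

Running it yields LAN for the untagged frame, OPT1 for the frame tagged 100, and nothing for 200: the switch forwarded it correctly (the port is a tagged member), so the layer 2 side is fine, and the fix is the one Derelict gives, an interface assigned to VLAN 200 on the parent NIC with its own IP address and rules. VLAN 300 never leaves the switch port at all, which is the other failure to check when a VLAN is unreachable from the firewall.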
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.