Best Practice - VLANs, PFSense and ESXi

  • Hi all

    I am looking to add some VLANs to my home system.  I have pfSense running in ESXi.  Two physical NICs, one for WAN, one for LAN.  Managed switch for LAN.

    What is the optimal way to add 2 (or more) VLANs?

    Do I:

    a - create two more adapters in ESXi and have ESXi tag the packets. This presents a total of four adapters to PFSense (will it detect the new adapters easily?).


    b - Use VLANs in pfSense and have the packets tagged there instead.

    Option B means I need to create VLANs in the W2k8 server (as long as the Intel driver supports the creation of VLANs, which I believe initial testing shows it does).  Any other guest on the bare metal also needs to tag its packets or the switch will use the default VLAN ID.

    I'll keep reading, there is just so much to read through though.



  • LAYER 8 Global Moderator

    I let pfsense handle it..  I change the vswitch to 4095 in esxi, I then trunk that connection on the switch.. Pfsense has vnic with vlans on it connected to that vswitch

    How exactly are you going to let esxi tag them??

  • You can do it either way. Trunk your VLANs into pfsense, or create a port group on your virtual switch and have a separate vnic for each subnet.

    I don't understand your part about why the second option requires trunks into your w2k8 server (which I presume is a virtual).

    Thanks for the replies.  I'm still coming to grips with VLANs.

    The server also needs access to both VLANs, so if I create a new vSwitch in ESXi, the server and pfSense both get a new vNIC to work with (and tagging is done by the vSwitch).

    If I use VLANs in pfSense and tag there with the vSwitch passing the tagged packet, then the server also needs to have VLANs set up on it so it can work with both networks (without being routed through pfSense).  Ahh - I think I see now, the server can just be routed through pfSense without the need for a vNIC being added.


    How exactly are you going to let esxi tag them??

    By creating a new vSwitch on the nic and adding the VLAN ID instead of being none(0) - I assume that's how that works, but I am still learning.

    Once again - thank you guys

  • LAYER 8 Global Moderator

    How exactly do you get this new vswitch to your network??  When you have only 1 nic??  You can not connect multiple vswitches to the same nic..  You can create a port group..

    If it was me, since you only have the 1 physical nic, I would just do the vlans in pfsense..  If you're just going to create new vswitches with no nic to assign to pfsense for new networks, those would not have to be vlans.. Ie there does not have to be any tagging done there..

    Are you wanting/needing these vlans in the real physical network, or do you just want to create some new networks for vms that will go through pfsense to access your real world network?  If so then you have no real need of vlans or tags..  The only need for vlans is if you want to run multiple networks on your physical wire.

  • As far as pfsense goes, it is six of one, and a half-dozen of the other - you can trunk all your VLANs into your pfsense virtual and create sub interfaces, or you can create port-groups on the virtual switch, and use separate vnics (one for each VLAN) on the pfsense virtual. The only caveat is that an ESX virtual is limited to a handful of vnics (5 or 6), so if you think you'd ever grow beyond a couple of VLANs, trunk your VLANs into pfsense instead of using separate vnics.

    I'm not sure there is a way to trunk VLANs into Server 2008R2 and assign IP addresses to multiple VLANs. Even if there is, you probably don't want to do that. While you could have multiple vnics on the w2k8r2 (one for each VLAN/subnet), a multi-homed windows server creates some issues that, while not insurmountable, can still be a PITA to deal with.

    I think your best bet is to trunk your VLANs into pfsense. Put your w2k8r2 server on one VLAN or the other and let pfsense route between your internal VLANs.

    Why do you want multiple VLANs?

    OK, Port Group - I misreferenced the name and called it a vSwitch - my bad.

    IoT devices are going to be the bane of security and I am moving all IoT devices to a separate network.  The server needs access to that subnet as well as the general home network.  There is also a third control network for all HA equipment, PLCs and other network-interfaced devices that are not IoT and not for the home network.

    @GomezAddams - You can create vNICs in Windows IF the driver allows it.  Intel does it, but you need to load the "extras" to get the feature.  The physical NIC loses its IP address (TCP/IP is turned off) and the vNICs all get addressed and tag the data that goes through them.  The physical NIC on the system is now just a "conduit" for all the other vNICs - that's how I understand it and see it on my system.

  • OK, I have got it sort of working.

    Created three new VLANs.

    ESXi has been set to pass all IDs.

    New interfaces enabled in pfSense and DNS server enabled for each.

    Switch is a Netgear GS748Tv3.  Port 48 is a trunked port for all VLAN IDs (1,100,200,360), other ports set up as untagged as required.  Port 48 has its PVID set to 1.

    If I connect the server to port 48, I lose connection to it on the LAN connection.  If I connect the laptop to a port in VLAN 100, it gets an IP address from the DHCP server, same for VLAN 200.  So I know it's working with pfSense on the other VLANs, just not on the default LAN.

    It's almost like the LAN interface is untagged and the switch is not obeying its own rule that if an untagged packet comes in then it's treated with the default PVID for that port.

    In that case, packets from the LAN interface are untagged, but treated as VLAN 1 packets by the switch and thus part of VLAN 1, which is the default VLAN ID for the switch.

    Have I made a mistake here with this thinking or done something obviously wrong?

    Next is to learn how to route between the interfaces on pfsense - is there a how-to for that somewhere?

    Thanks for the help so far.


  • I don't really understand all of your last post, but I think perhaps you have a misunderstanding of what the default VLAN is. By definition, packets on the default VLAN do not get VLAN tags.

    I'd recommend setting your default VLAN to 1, and then not using it for anything. Assign other VLAN numbers to your VLANs.

    If switch port 48 is connected to the windows server, what port is connected to the ESX server?

    If you are actually going to use your default VLAN, in the ESX vSwitch portgroup, make sure to leave a VLAN tag field empty.

  • Thanks, and I don't quite understand your reply.

    Set the default VLAN to 1 and then not use it.  So at the moment the whole network, before I started with VLANs, was using the default of 1.  pfSense was set up with all the rules on the LAN interface.

    What I think you are suggesting is that I create a new VLAN, move all the ports on the switch to that VLAN (effectively not using VLAN 1), add that to pfSense and change all the firewall rules and DHCP server to match the new interface created on the new VLAN.

    The server is connected to port 48 because it is a guest in the ESXi system, hence using the same physical card as pfSense on the LAN - thus it will be untagged when it leaves the NIC.  This is where the switch is supposed to tag with the default ID (for that port) when an untagged packet arrives - so I am led to believe.
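An added example, not posted by anyone in this thread, that models the 802.1Q rules the last few posts argue about: untagged ingress frames take the port's PVID, and on egress each member VLAN is either stripped (untagged) or carried with a tag. The port numbers mirror the thread (48 as the ESXi trunk, PVID 1); the two membership tables are constructed assumptions, and the second one shows what the untagged LAN vNIC sees if VLAN 1 is made a tagged member of the trunk port instead of an untagged one.

```python
# Constructed model of 802.1Q port-based VLAN handling (PVID plus tagged /
# untagged membership). Assumed semantics, not Netgear firmware or pfSense code.
from dataclasses import dataclass, field

@dataclass
class Port:
    pvid: int                                    # VLAN given to untagged ingress frames
    tagged: set = field(default_factory=set)     # VLANs sent out with an 802.1Q tag
    untagged: set = field(default_factory=set)   # VLANs sent out with the tag stripped

def classify(port, frame):
    """Ingress: untagged frames take the PVID; tagged frames must match membership."""
    if frame.get("vid") is None:
        return {**frame, "vid": port.pvid}
    return frame if frame["vid"] in port.tagged | port.untagged else None

def forward(ports, in_port, frame):
    """Return {port: frame as transmitted} for each other member port of the frame's VLAN."""
    f = classify(ports[in_port], frame)
    out = {}
    for name, p in ports.items():
        if f is None or name == in_port:
            continue
        if f["vid"] in p.untagged:
            out[name] = {**f, "vid": None}   # access-style egress: strip the tag
        elif f["vid"] in p.tagged:
            out[name] = f                    # trunk-style egress: keep the tag
    return out

# Constructed port table mirroring the thread: 48 is the ESXi trunk (PVID 1,
# VLANs 100/200/360 tagged, VLAN 1 untagged); 5 is a plain LAN port; 10 is an
# access port in VLAN 100.
GOOD = {
    48: Port(pvid=1, tagged={100, 200, 360}, untagged={1}),
    5: Port(pvid=1, untagged={1}),
    10: Port(pvid=100, untagged={100}),
}
# Same switch, except VLAN 1 is a *tagged* member of port 48 (assumed misconfig).
BAD = {**GOOD, 48: Port(pvid=1, tagged={1, 100, 200, 360})}

def lan_reply_is_untagged(ports):
    """Does a VLAN 1 frame from port 5 reach port 48 untagged, as the untagged LAN vNIC expects?"""
    sent = forward(ports, 5, {"src": "laptop", "vid": None})
    return 48 in sent and sent[48]["vid"] is None

if __name__ == "__main__":
    print(forward(GOOD, 48, {"src": "pfsense-lan", "vid": None}))
    print(forward(GOOD, 48, {"src": "pfsense-vlan100", "vid": 100}))
    print(lan_reply_is_untagged(GOOD), lan_reply_is_untagged(BAD))
```

With the GOOD table the untagged LAN traffic from port 48 lands on VLAN 1 and comes back untagged; with the BAD table replies arrive at port 48 carrying tag 1, which an untagged LAN interface does not treat as its own traffic.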
