Intro:

In this article I will go over how to configure routing between multiple VLANs using our pfSense router and a switch that supports 802.1Q. On the pfSense router we will configure the LAN port with multiple 802.1Q sub-interfaces and assign each one to a specific VLAN. The uplink port on the switch side that connects to the pfSense router will be set to tag all of its traffic using 802.1Q. This configuration is known as a router on a stick and the diagram below gives you an idea of what we will accomplish. In the diagram we have five VLANs, each with its own subnet. Our pfSense box will have an IP address in each VLAN (192.168.1.1, 10.1.1.1, etc…) which functions as the default gateway for the clients assigned to that VLAN.

001

The switch configuration will vary from manufacturer to manufacturer which means that what applies to my switch might not necessarily apply to yours. I will cover Cisco, Dell, and Avaya switch configuration commands for configuring trunks, VLANs, and access ports since I am familiar with all three.

pfSense Configuration:

Before we start, we will add a firewall rule on the WAN interface so that we can reach the pfSense web GUI from the WAN side. While we convert the LAN port into an 802.1Q trunk we will lose our connection to pfSense if we are managing it over the LAN, so it is safer to connect a laptop directly to the WAN port while we work on the LAN port and not lock ourselves out. Out of the box the WAN interface has no pass rules, so the default deny drops every inbound connection, including connections to the web GUI on port 443 (or port 80 if you changed the GUI protocol); we must allow it with an explicit rule. Treat this rule as temporary: set its source to the management laptop’s address rather than "any", do the work with the WAN port unplugged from your ISP, and disable or delete the rule when you are finished. You can create the rule by heading over to Firewall–>Rules–>WAN.

002

In here you want to add a new rule at the bottom. See below for the settings for this new rule.

003

You must also give the WAN interface a static IP address, since it is most likely configured to obtain one via DHCP (if it already has a static address you can skip this). Change it under Interfaces–>WAN. While you are on that page, note the "Block private networks" option: it is enabled by default and its rule is evaluated before your own rules, so if the address you choose for the WAN and your laptop is an RFC1918 address (such as 192.168.8.x) you must untick it for the duration of this work, otherwise your laptop’s traffic is dropped before the pass rule you just created is ever reached. Re-enable it when you put the WAN back on your ISP.

004

You should now be able to plug your laptop or desktop directly to the WAN interface on your pfSense router and access it via the web by going over to https://IPADDRESS where IPADDRESS is the IPv4 address you chose above. Note: You should assign your laptop or desktop a static IP address in the same subnet as the WAN IP Address. If you chose 192.168.8.1/24 as your WAN IP address then 192.168.8.2 through 192.168.8.254 are all valid IP addresses that you can assign the network adapter on your laptop or desktop.

Once you have gained access to your pfSense box through the WAN port, the next step is to head over to Interfaces–>(assign) and open the VLANs tab. You should currently have two interfaces assigned, LAN and WAN, each mapped to a physical port on your pfSense box.

005

In the VLANs tab, add a new VLAN and set its parent interface to the port that your managed switch will plug into. Each VLAN you create gets a VLAN tag (ID) between 1 and 4094, and it must match the VLAN number configured on the switch port that connects to this interface; if the two sides disagree, the frames are either dropped by the trunk or end up in the wrong network. Avoid using VLAN 1 as a tagged VLAN on the trunk, since on most switches it is the untagged native VLAN by default and mixing the two gives confusing results. Below is an example of a VLAN creation.

006

Note: The parent interface drop-down only lists the network adapters that pfSense considers capable of 802.1Q tagging. If one of your adapters is missing from the list, it cannot be used as the trunk parent.

Hit save when done and add other VLANs should you need to create more.

007

We must now head back to the interface assignments tab and start adding interfaces for each VLAN that we created.

008

When you are done, click on each of your new interfaces (their names will start with OPT#) and enable them.

009

After enabling the VLANs, you should have more settings available. Below is one of my VLANs that I have configured with a static IPv4 address. The IP address that I assigned to this VLAN will be the default gateway for my clients that will be assigned to this VLAN.

010

Note: You should restart your pfSense box once you are done configuring all your settings for each VLAN. I noticed that my settings did not take effect until I restarted my box.

Now that all my VLANs are set up and each one has an IP address, the next thing I did was configure DHCP for each of those VLANs (Services–>DHCP Server, one tab per interface). DHCP lets clients get an IP address automatically when they connect to any of those VLANs. Configuring it is simple: enable the DHCP server on each VLAN interface and assign the range of IP addresses that clients on that VLAN will receive. The range must lie inside the subnet you gave the interface and must not include the interface address itself.

011

Note: There are a lot more DHCP options that you can set should you decide to use them but I will not cover them here.

Now that the VLAN interfaces are created and DHCP is configured on each of them, the next thing to do is make DNS available on each VLAN interface. Most people configure their pfSense box to forward all DNS requests to their ISP, Google Public DNS, or another third-party DNS server. For that forwarding to work for your clients, the DNS Forwarder (or DNS Resolver) must be listening on the interfaces your clients connect to. In our case the clients sit on the VLANs we just created, they will most likely have private IP addresses, and the DHCP server hands them the VLAN gateway address as their DNS server, so each VLAN interface must be selected in the forwarder’s interface list (or the list left at "All"). The firewall rules on each VLAN must also allow TCP and UDP port 53 to that interface address, otherwise resolution fails even though the service is listening.

012

The last thing we will do is add a firewall rule on each VLAN interface, similar to the one below. A newly enabled OPT interface has no rules at all, and pfSense’s default is to deny, so without a pass rule the clients in that VLAN cannot send any traffic through the router, not even to the internet. Outbound NAT itself needs no extra work, since automatic outbound NAT already covers the subnets of all internal interfaces; the pass rule is what lets the clients’ traffic reach it. Be aware that a rule that passes from the VLAN’s subnet to any destination also permits traffic into every other VLAN, because pfSense routes between the networks it is the gateway for. If the point of your VLANs is to keep networks apart (management, cameras, guests), add block rules for the other VLAN subnets above the pass rule, or restrict the pass rule’s destination, so that only the traffic you intend crosses between them.

013

The specific settings for the firewall rule above is shown below.

014
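The segmentation point above is easy to get wrong, so here is an added Python example (it is not part of the article and not pfSense code) that models how pfSense evaluates the rules of the interface a packet enters on: GUI rules carry "quick", so the first match wins, and no match falls through to the implicit default deny. It compares the usual "pass from the VLAN subnet to any" rule with a ruleset that blocks the other VLAN subnets first. The VLAN names, subnets and client addresses are constructed for the example and only loosely follow the 192.168.1.0/24 and 10.1.1.0/24 networks mentioned in the article.

```python
import ipaddress

# Constructed VLAN plan for this example (assumed, not read from the article's screenshots).
# Each VLAN has its own subnet and the pfSense VLAN interface is the .1 address in it.
VLAN_SUBNETS = {
    "MGMT": ipaddress.ip_network("192.168.1.0/24"),
    "SERVERS": ipaddress.ip_network("10.1.1.0/24"),
    "CAMERAS": ipaddress.ip_network("10.1.2.0/24"),
    "GUEST": ipaddress.ip_network("10.1.3.0/24"),
}
ANY = ipaddress.ip_network("0.0.0.0/0")


def rule(action, src, dst, label):
    """One interface rule: action is 'pass' or 'block', src/dst are ip_network objects."""
    return {"action": action, "src": src, "dst": dst, "label": label}


def decide(rules, src_ip, dst_ip):
    """Evaluate the rules of the interface the packet enters on.

    pfSense writes GUI rules with 'quick', so the first matching rule wins, and an
    interface with no matching rule falls through to the implicit default deny.
    Returns (action, label of the deciding rule).
    """
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for r in rules:
        if src in r["src"] and dst in r["dst"]:
            return r["action"], r["label"]
    return "block", "default deny"


def permissive_rules(vlan):
    """The single 'pass from this subnet to any' rule that gets clients online."""
    return [rule("pass", VLAN_SUBNETS[vlan], ANY, f"{vlan}: pass to any")]


def isolated_rules(vlan):
    """Same internet access, but the other VLANs are blocked before the pass-any rule.

    The gateway is passed explicitly so DNS (and the web GUI, if wanted) stays reachable
    even if someone later widens the block rules to all of RFC1918.
    """
    net = VLAN_SUBNETS[vlan]
    gateway = ipaddress.ip_network(f"{net.network_address + 1}/32")
    rules = [rule("pass", net, gateway, f"{vlan}: pass to own gateway")]
    for name, other in VLAN_SUBNETS.items():
        if name != vlan:
            rules.append(rule("block", net, other, f"{vlan}: block to {name}"))
    rules.append(rule("pass", net, ANY, f"{vlan}: pass to any"))
    return rules


def compare(vlan, src_ip, dst_ip):
    """Decision for the same flow under both rulesets, as (permissive, isolated)."""
    permissive = decide(permissive_rules(vlan), src_ip, dst_ip)[0]
    isolated = decide(isolated_rules(vlan), src_ip, dst_ip)[0]
    return permissive, isolated


if __name__ == "__main__":
    # Constructed flows from a guest client: to a camera in another VLAN, to the
    # internet, and to its own gateway for DNS.
    for dst in ("10.1.2.20", "8.8.8.8", "10.1.3.1"):
        print(f"GUEST 10.1.3.50 -> {dst}: permissive/isolated = {compare('GUEST', '10.1.3.50', dst)}")
```

The order of the block rules relative to the pass rule is the whole point: moved below the pass-any rule they would never be reached. The model only covers the ingress interface’s rules and ignores protocol and port, which is enough to show the inter-VLAN leak.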

Now that our pfSense box is configured with VLANs then the next step is to configure our switch that will be connecting to the pfSense box.

Switch Configuration:

Below are the commands you can use to configure VLANs, a trunk port, and access ports on switches from the vendors I am familiar with. Assume that your switch is named SW1 and that interface 1/1 is the port connected to your pfSense box. We will start with the VLAN configuration, followed by the trunk configuration and then the access port configuration.

Cisco Configuration:

VLAN Configuration

 SW1(config)#vlan #

This will create a layer 2 VLAN

 SW1(config-vlan)#name NAMEHERE

Assign a name

 SW1(config-vlan)#exit

Exit VLAN configuration mode

Trunk Configuration

 SW1(config)#interface gig 1/1

 SW1(config-if)#switchport trunk encapsulation dot1q

Sets the trunk encapsulation to 802.1Q. This command only exists on switches that also support Cisco’s ISL encapsulation (for example the 3560 and 3750); on switches that only do 802.1Q, such as the 2960, it is not accepted and should be skipped.

 SW1(config-if)#switchport mode trunk

Changes the port to a trunk port

 SW1(config-if)#switchport trunk allowed vlan {VLAN-LIST|add VLAN-LIST|remove VLAN-LIST|except VLAN-LIST|all}

Configures which VLANs are carried on the trunk; a VLAN list looks like 10,20,30. By default, all VLANs are allowed. Restrict the list to the VLANs that pfSense actually routes so that no other VLAN on the switch is carried to the router port.

Access Port Configuration

 SW1(config)#interface fastethernet #/#

 SW1(config-if)#switchport mode access

Make it an access port

 SW1(config-if)#switchport access vlan #

Assign the VLAN that it belongs to.

Dell Configuration:

On Dell PowerConnect switches the configuration is very similar to Cisco switches.

VLAN Configuration

 SW1(config)#vlan database

Enter VLAN configuration mode

 SW1(config-vlan)#vlan #

Create the VLAN

 SW1(config-vlan)#exit

Exit VLAN configuration mode

Trunk Configuration

 SW1(config)#interface ethernet 1/1

 SW1(config-if)#switchport mode trunk

Makes the port an 802.1Q trunk (802.1Q is the only trunk encapsulation on these switches, so there is no separate encapsulation command)

 SW1(config-if)#switchport trunk allowed vlan add VLAN-LIST

Adds the listed VLANs (for example 10,20,30) to the trunk. Only the VLANs that pfSense routes need to be on it.

Access Port Configuration

 SW1(config)#interface ethernet #/#

 SW1(config-if)#switchport mode access

Make it an access port

 SW1(config-if)#switchport access vlan #

Assign the VLAN that it belongs to.

Avaya Configuration:

On an Avaya switch the configuration differs from the Dell and Cisco configuration.

VLAN Configuration

 SW1(config)#vlan create VLAN# name NAMEHERE type port

Create the VLAN, give it a name, and make it be a port based VLAN.

Trunk Configuration

 SW1(config)#vlan ports 1/1 tagging tagAll

Configure our port to tag all traffic

 SW1(config)#vlan members add VLAN# 1/1

Configure which VLANs you will be tagging on this interface

Access Port Configuration

 SW1(config)#vlan members add VLAN# PORT#/#

Assign VLANs to ports

 SW1(config)#vlan ports #/# pvid VLAN#

Assign the Port VLAN ID to the port

Note: A port can be a member of multiple VLANs but can only have one PVID (Port VLAN ID), which is the VLAN that untagged frames received on that port are placed into. Most people make this a 1-to-1 relationship so that the VLAN assigned to an access port matches its PVID.
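To make the tagging concrete, here is an added Python example (not code from the article or from any of the switch vendors) that builds and parses the 802.1Q tag pfSense and the switch exchange, and then models how a port treats it: a trunk (tagAll) port inserts the tag on egress and reads it on ingress, while an access port strips the tag on egress and assigns untagged frames to its PVID on ingress. It illustrates both the pfSense VLAN-tag rule earlier in the article (IDs must be 1 to 4094 and match the switch) and the PVID note above. The MAC addresses and payloads are constructed, and the port dictionaries are my own representation, not any vendor’s data model.

```python
import struct

TPID_8021Q = 0x8100          # EtherType value announcing that an 802.1Q tag follows
VID_MIN, VID_MAX = 1, 4094   # 0 means "priority tag only", 4095 is reserved


def _mac(text):
    """'00:11:22:33:44:55' -> 6 bytes."""
    return bytes.fromhex(text.replace(":", ""))


def build_frame(dst, src, ethertype, payload, vlan_id=None, pcp=0, dei=0):
    """Build an Ethernet II frame; when vlan_id is given, insert an 802.1Q tag after the MACs.

    The tag is 4 bytes: TPID 0x8100, then the TCI = 3-bit priority (PCP), 1-bit DEI, 12-bit VID.
    """
    header = _mac(dst) + _mac(src)
    if vlan_id is not None:
        if not VID_MIN <= vlan_id <= VID_MAX:
            raise ValueError(f"VLAN ID {vlan_id} outside {VID_MIN}..{VID_MAX}")
        tci = (pcp & 0x7) << 13 | (dei & 0x1) << 12 | vlan_id
        header += struct.pack("!HH", TPID_8021Q, tci)
    return header + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return dst, src, vlan (None when untagged), ethertype and payload of a frame."""
    if len(frame) < 14:
        raise ValueError("shorter than an Ethernet header")
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vlan, offset = None, 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan, offset = tci & 0x0FFF, 18
    return {"dst": dst.hex(":"), "src": src.hex(":"), "vlan": vlan,
            "ethertype": ethertype, "payload": frame[offset:]}


# Port descriptions are my own representation (assumed), not a vendor data model:
#   access port: {"mode": "access", "pvid": 20}
#   trunk port:  {"mode": "trunk", "allowed": {10, 20, 30}, "native": None}   (native None = tagAll)

def ingress(frame, port):
    """Return the VLAN a received frame is placed into, or None if the port drops it."""
    f = parse_frame(frame)
    if port["mode"] == "access":
        # untagged frames take the PVID; a tagged frame arriving on an access port is dropped
        # here (real switches vary, some accept a tag equal to the access VLAN)
        return port["pvid"] if f["vlan"] is None else None
    if f["vlan"] is None:
        return port.get("native")          # untagged on a trunk goes to the native VLAN, if set
    return f["vlan"] if f["vlan"] in port["allowed"] else None


def egress(vlan_id, parsed, port):
    """Rebuild a frame for transmission out of a port: trunks tag it, access ports send it untagged."""
    tagged = port["mode"] == "trunk" and vlan_id != port.get("native")
    return build_frame(parsed["dst"], parsed["src"], parsed["ethertype"], parsed["payload"],
                       vlan_id if tagged else None)


if __name__ == "__main__":
    # Constructed sample: a broadcast ARP-sized frame from a client arrives untagged on an
    # access port with PVID 10 and is forwarded out the tagAll trunk towards pfSense.
    trunk = {"mode": "trunk", "allowed": {10, 20, 30}, "native": None}
    client = build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55", 0x0806, bytes(28))
    vid = ingress(client, {"mode": "access", "pvid": 10})
    to_router = egress(vid, parse_frame(client), trunk)
    print("tagged on trunk as VLAN", parse_frame(to_router)["vlan"], "tag bytes:", to_router[12:18].hex())
```

The 4 tag bytes sit between the source MAC and the original EtherType, which is why a mismatched VLAN ID between pfSense and the switch fails silently: the frame is well formed, it just belongs to a VLAN the other side does not carry.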

This will conclude another pfSense article. As I experiment more with the platform and decide to use other features then I will keep documenting the configuration for reference here. As always, thank you for taking your time to read this blog post and I hope that it was helpful. Any feedback and comments are greatly appreciated.

73 Responses to “Configuring VLANs on pfSense”

  1. very helpful thanks

  2. I am banging my head against the wall. Prior to me reading up on your VLAN tutorial, I had set up all of the interfaces and even did the VLANs. I also had set up my Cisco Catalyst 2950 with VLANs. I just didn’t understand how to make the two talk correctly!

    I was very surprised and excited to run into your tutorial, and also it was great because I had already done most of these tasks. As soon as I changed things over to the VLANs on pfSense, I was no longer able to ping or reach the GUI. Of course as soon as I change the interface back to the regular interface, everything is fine.

    Like you, I have a lot of different devices running, wifi, cameras, pbx, etc. I need to get this working and soon. Any pointers to help me troubleshoot and get this working would be greatly appreciated.

    • How many interfaces does your pfSense box have? Do you have 1 for LAN and 1 for WAN?

      It looks like you created the VLANs in the VLAN tab. You then went over to the interface assignments tab and added an interface for every VLAN and tied that VLAN to the interface on your pfSense box that connects to your switch? After adding the interfaces for each VLAN did you enable them?

      To make things simple I would start with one VLAN on your pfSense box and create that VLAN on your switch as well. Connect a laptop on an access port in your switch that is assigned to that VLAN and make sure that you are tagging the VLAN on the trunk port in the switch that connects to your pfsense box. Prior to enabling the VLAN in pfSense I would give your laptop a static IP address in the network which that VLAN will be serving in pfsense e.g. if you assign the VLAN interface a 10.10.10.1/24 address then make your laptop 10.10.10.2. Once you enable the VLAN in pfSense and if your connection drops try doing a reboot of the box(power button) as I noticed that the same thing happened to me and I had to physically reboot my box and then it came online with the settings taking effect. I am not sure why changing the interface from being untag to tagged required a reboot to take effect. I was locked out like you too and I couldn’t do a graceful restart from the management console. Once the initial VLAN was working, creating the other ones and configuring them was a breeze and did not require a restart.

      • K. Callis says:

        You are correct in the process of my setup. I first assigned interfaces (I have a total of 6) to WAN, LAN, WIFI, Office and gave them addresses. I then went to Interfaces|VLANs and created a VLAN for LAN (re1), Office (re2) and WiFi (re3).

        So after reading your posting, I immediately switched the Interface Assignments to the respective VLAN. Needless to say, when I plug my laptop into one of the access ports for the LAN on the Cisco, I am no longer able to ping other devices on the LAN. Only when I change the Interface Assignment back to my standard setting am I able to ping or access devices on the LAN.

        I am quite sure what you mean about tagging. I have set up the default settings that I know about for setting up VLANs on the Cisco, and it is in line with the info that you listed in your tutorial. Everything should be working correctly, since the access ports are assigned to the appropriate VLANs, but I am getting nothing.

        • I forgot to add but the VLANs in pfsense will not talk to each other by default unless you create specific firewall rules in each VLAN interface that allows them to talk to each other. Make sure that you check these settings.

        • VLAN is killing me :(… I have a pfSense box with one two-port NIC (Intel); the LAN port is connected to a Cisco 3750G switch. I have watched videos, read docs and done Google searches.
          I cannot get VLANs to work. I create the VLAN on pfSense, add DHCP, and a firewall rule to allow any access. I then create the VLAN on the switch, assign ports and make them access ports.
          Then I create a trunk port and make it 802.1Q. Then I add the VLANs to the allowed list. I’m not a Cisco guy, first time touching this router, so a newbie.
          From the Cisco CLI and my desktop connected to the default VLAN 1 I can ping all VLANs, but if I plug my laptop into one of the VLAN ports I can’t get an IP or network access to anything.
          This is driving me mad because I know this is possible.
          Please help!!!

          • Try assigning a static IP address on your laptop for the specific VLAN it is connected to. Make sure that the laptop can ping the default gateway (router IP) for that VLAN.

            Regards,

            Glenn

    • K. Callis says:

      I just noticed that you are creating the VLANs on a single interface. I am running pfSense on a Watchguard X700 which has 6 interfaces. So I have re0-re5, each of which is configured with an IP address and DHCP. My Cisco is set up with the same commands that you listed before.

      • Ok, so you have multiple interfaces in your pfsense box. You can take one of the six interfaces in your pfSense box and start assigning multiple VLANs to it. Connect your desktop/laptop to another interface in your pfsense box that is not your WAN so that you don’t lose connectivity during this process. This interface that you are assigning VLANs to has to connect to your cisco switch and you have to enable tagging on the cisco side as I have above(trunk configuration). Don’t forget to enable the VLAN after you assign them over to the interface in your pfsense box and setup the ip address, dhcp, and firewall rules for it.

        Make sure that on the cisco side that the interface that connects to your pfsense box is in an up/up state.

        Regards,

        Glenn

      • K. Callis says:

        It took me a while to get it, but basically, instead of using the additional interfaces and trying to create VLANs, you are suggesting that we multiplex several VLANs through one interface. Is that correct?

        • Yes, push multiple VLANs through the trunk interface. Since you have multiple interfaces in your pfSense box and your Cisco switch most likely with the right IOS version provides support for a link aggregation group(LAG) via LACP then I would take a few ports and create a bundle. pfSense does support link aggregation groups via LACP, see: https://doc.pfsense.org/index.php/LAGG_Interfaces

  3. Superb write up, sorted me out so that within 15 minutes I had a working VLAN setup in pfSense.

    I’m looking at separating our vmkernel traffic into four separate VLANs. I understand what Vmotion is, but in your image above what is VMOTIONMGMT?

    • Leonroy,

      VMOTIONMGMT is the VLAN that I used for my ESXi host vMotion and Management traffic. I use the same VLAN for both in my home lab. If you are using ESXi in production then you should separate your iSCSI, vMotion, Management, VSAN, and Fault Tolerance into separate networks.

      • Thanks will do. Semi production. It’s just a home lab for now.

        Had fun separating voice, cctv, management and vSphere (thanks your article helped on that front!) in the home office this week.

        Whilst I love pfSense, the value of those £2k L3 gigabit switches does make itself clearer now when it comes to routing VLANs.

        Is there any upside to pfSense over a full featured L3 Cisco switch if all I want to do is VLANs, provide a gateway address and route the subnet?

        • I use pfSense for my home lab and it is routing all my VLANs. My pfSense box connects to a multilayer switch and I have trunk between them both. All my devices connect to the switch and I have separate VLANs like you do for management, video, etc…

          I could have used the existing switch for the L3 capabilities that pfSense provides but there are certain things that pfSense does that you wouldn’t get from a L3 switch. I use the firewall functionality, Snort for the IPS, OpenVPN for remoting, ntop for traffic analysis, plus there are other things that you can do such as a squid proxy, captive portal, etc. Overall I think that pfSense gives you a lot of value for a free solution. You certainly can do the above with many different solutions but if you are not doing any complex routing (OSPF, BGP, IS-IS, etc…) then pfSense will do a good job for a home network.

  4. It’s New Years Eve and I decided to reconfigure my pfsense and switch to incorporate 802.1Q. In a nutshell I have successfully trunked an interface talking to my switch in a remote building and bringing my internet feed into my pfsense box using a DHCP vlan (there’s no authentication its delivered as ethernet).

    I have a pfsense box with 4 nics, 1 used for trunking to my switch in a remote building and the other nics directly to small switches for each network (home and guests) locally.

    What I would like to do is have the home and guest networks not only locally available via the physical interface on my pfsense box, but trunked back to the other building with the existing trunk (hence the reason of converting the link to a trunk)

    I can’t work out how to do this. Certainly I can create a VLAN and trunk it across the link as well and it works fine, but how do I merge it with the physical interface on the pfSense box without the use of different subnets and routes?

    Brilliant write up, it took me a while to work out how to set the untagged 802.1Q PVID ports on my old Netgear, but once I had that sorted, all was well.

    • So you have a pfSense box with 4 interfaces. One interface(let’s call this em1) is connected to a switch in a different building and it has been configured as an 802.1Q trunk. The other two interfaces on the pfSense box are for your home(em2) and guest(em3) network and the last interface is for your internet(em4) connection?

      Do the two interfaces (em2 and em3) connecting to your home and guest network uplink to switches that support tagging? If they do then you can create two VLANs for Home (e.g. VLAN 20) and Guest (e.g. VLAN 30) and tag VLAN 20 on em2 and VLAN 30 on em3. Don’t forget to create the 802.1Q trunk on the other side of each interface and tag the VLANs as well on those switches. You can then configure a separate network for Home (e.g. 192.168.20.0/24) and similarly do the same for Guest (192.168.30.0/24). Once you have that then you can enable DHCP, DNS, etc… on each VLAN and it should work fine.

      You can then easily Tag VLAN 20 and VLAN 30 on em1 and this will allow you to access both Home and Guest network on the other switch in the separate building as long as you create the VLANs and tag them on the uplink for that switch. On the client facing(access) ports on the separate building switch you would untag VLAN 20 if you want computers connecting to this port to be part of the Home network and untag VLAN 30 on another port etc… if you want computers connecting to that port to be in the Guest VLAN.

      If you don’t have switches that support tagging connected to em2 and em3 then you can still create VLANs 20 and VLANs 30 on pfsense. What you would then do is untag VLAN 20 on em2 and untag VLAN 30 on em3. em2 and em3 will then be able to receive traffic destined for VLAN 20 and VLAN 30 respectively. When traffic is received on em2 and em3 then they will put it into the proper VLANs based on the VLAN that you untagged for each interface. You would then Tag VLAN 20 and 30 on em1 and configure the VLANs and tag them on the uplink on the switch connected to em1. For access ports connected to the switch on em1 you would untag VLAN 20 and VLAN 30. The problem with this second setup is that I am not sure if you can configure an interface and “untag” a VLAN for it using pfSense. I will have to look through the configuration to verify since I have not done it in this platform.

      • I just went through the pfSense definitive guide and found no reference there on how to untag a VLAN on an interface in a pfSense box. This means that the option of not having a switch that supports 802.1Q tagging on em2 and em3 will not work.

        • Thanks for your replies (whilst I slept 2015 in)

          My setup yesterday was such:

          em0 – Direct connection to internet (Gateway) in another building.
          em1 – Home LAN
          em2 – Guest LAN
          em3 – Unused

          The Ethernet link that plugged directly into em0 comes via a single link from another building directly from the providers terminating unit, the link is mine, I installed it to bring it to this building.

          The em1 and em2 ports are directly connected to stupid non 802.1q switches for very local distribution in the house.

          I do have 1 switch that’s capable of 802.1q that was unused.

          What I was trying to achieve based on this awesome post was the following:

          I would love to be able to use the Home and Guest LAN in the remote building.

          To do this I configured the appropriate VLANS 666 (Internet), 10 (Home) 11 (Guest). I then trunked them all over the link to the switch I configured and Voilà, it works.

          The link that was single purpose now has the raw internet traversing the trunk on VLAN 666, it also has VLAN 10 and 11 being taken back to the remote building and presented on the appropriate ports on the switch.

          So the guide was excellent, I was able to re-purpose the link and convert it to a trunk without dramas, that part I have under control no worries.

          The only problem is that that VLAN 10 and VLAN 11 are not the same Home and Guest subnets presented on em1 and em2.

          I tried a few things and read a bit and I think you’ve confirmed in your second post that dropping an untagged port on the physical pfsense interface wont work. Dang!

          At this stage I see the solution would be to buy another small (and capable) switch and place it in the middle, that is trunk to the switch from pfsense, then trunk from that switch to the other switch in the remote building and then drop out the appropriate ports on either switch.

          I will soon be converting the pfsense physical box to a virtual machine within ESXi, so i might have a look at using virtual switching to present an untagged port on the physical interface. I think it might be possible that way too.

          Thanks for your input, much appreciated…

          • “At this stage I see the solution would be to buy another small (and capable) switch and place it in the middle, that is trunk to the switch from pfsense, then trunk from that switch to the other switch in the remote building and then drop out the appropriate ports on either switch.”

            This option would work fine. You can also plug the new switch into em1 or em2 or both(if your switch supports LAG) and create a trunk to the new switch and tag VLAN 10 and 11. You can then untag on your access ports either 10 or 11 depending what VLAN you want your clients to be in and plug them in directly to the switch. You can even plug in your dumb switches to the access port and connect your clients to the dumb switches. This might cause some congestion depending on how much traffic the uplink will see.

          • Well since this post thanks to your messages Glenn this is what I’ve done over my Christmas break.

            I built up a new VMware ESXi server to run pfSense as a virtual machine, not as a standalone box on old hardware. I also acquired 2 capable switches off eBay (Netgear GS724Ts). I created the VLANs I wanted: 5 (Home LAN (Trusted)), 10/11 (Guest/Workshop), 666 (Internet), and then also created a 2x1Gb 802.1ad (LACP) link from the switch to the ESXi box (using standard vSwitches) to pfSense to get 2Gb of bandwidth.

            I was able to get this all working without too much hassle, I can now place any network I like on either switch without any problems. I was confused about PVID on trunk ports initially but everything seems to be working aok so I’m happy.

            I would have loved to use Cisco switching to learn more, but the Netgears are very capable and were relatively cheap, especially off eBay (40% of the retail price of the current model), and enabled me, thanks to your blog Glenn, to finally set up my network the way I want.

            Next step would be to play more with distributed vswitches and trunking from ESX itself rather than pass through directly to pfsense, but heck its working well now 😀

            Thanks again.

          • Nice! Distributed switches are great when you have multiple hosts in your ESXi cluster as it makes the management easier. You will also need the premium license to enable them and you would also have to get vCenter setup.

            The netgear switches are pretty good. I have a POE gigabit switch of theirs at my home that is solid. The Cisco stuff is pretty expensive even when it is used if you are looking for anything that is gigabit with a decent amount of ports. If you want to play with Cisco routing/switching devices then I recommend looking at GNS3.

            I buy Nortel switching gear (now owned by Avaya) for my home lab as you can get decent prices for high performance equipment. You can find good deals on eBay every now and again for devices that Avaya is still supporting with software and firmware upgrades.

  5. I have been trying to implement the same solution as you described in my network but I am facing some challenges with the IP assignment on pfSense. I have two internet connections coming into my office and I want to create two VLANs on the WAN interface on pfSense, which I did. The two internet connections go into two different VLANs, one for each ISP, on a Cisco switch which is trunked into pfSense.

    Now the issue I am facing is this: I don’t want to assign an IP from the ISP to the physical WAN port but to the VLANs created under the WAN; however pfSense wouldn’t allow that. I am able to assign the point-to-point IP (/30) to the VLAN interfaces created under the WAN interface.

    I am doing all this because I want to use the load balance and failover feature of pfSense with the two internet connections I have.

    Do I assign one of the public IPs from my ISP to the WAN physical port?

    I am asking all this because I know, for instance, that if you do router on a stick with a Cisco router, the IPs are actually assigned to virtual interfaces and not the physical interface.

    What do you think I can do in this situation with pfSense?

    • I want to make sure that I understand what you are trying to accomplish in order to help you out. You have two internet connections coming into your office. Each internet connection terminates to a separate interface on a CISCO router. Each of these interfaces is on a separate VLAN and from the CISCO router you created a trunk to your pfSense box?

      I am not sure how many interfaces your pfSense box has but if you have multiple interfaces(3 or more) then what I would personally do is to connect your two internet connections to the pfSense box and the remaining interface in your pfSense box should connect to your home switch for your internal devices.

      With regards to your two internet connections and the IP addresses. Are the IPs in two separate /30 subnets? For example do you have an IP for one of your connections in one subnet 10.10.7.1/30 and another IP in another subnet 10.10.8.1/30? What I am trying to find out is if you have two separate gateways rather than just one for both of your internet connections? A /30 gives you two usable addresses in the subnet but sometimes you can get more if you enable the use of the zero subnet and the broadcast address.

  6. Hi, I have a question regarding pfSense VLAN configuration.
    When I create VLANs and assign them to a LAN interface, the LAN port becomes an 802.1Q trunk port, right? On the trunk port each VLAN is tagged according to the ID configured, so how can I configure an untagged VLAN?

    • I think you are at the same stage I was in Dec, that is you want to use a NIC on your pfSense box and untag it. Alas, it can’t be done. You need to trunk from pfSense to a switch, then break out the untagged VLANs from there. It works great when you do this, trust me :).

      As per Glenn on December 31, 2014 at 3:36 PM:
      just went through the pfSense definitive guide and found no reference there on how to untag a VLAN on an interface in a pfSense box. This means that the option of not having a switch that supports 802.1Q tagging on em2 and em3 will not work.

    • Pepe,

      As tjaus replied below, I do not know of a way to modify the native VLAN on a trunk interface configured in pfSense. Furthermore, if you are trying to configure an untagged interface in pfSense(access port) then you would have to trunk it to a switch and break it out from there.

  7. Nathan Wiering says:

    Excellent Guide. thank you very much, this is greatly appreciated.

  8. I would like more details on trunk between pfsense with more dynamic VLANs dhcp mac-based server and active layer 3 switch with clients connected

    • Kleber,

      Thanks for the feedback. I will take this into consideration when I write my next article on pfSense. I have been thinking of doing a configuration writeup on deploying in VMware ESXi.

  9. Ismail Khan says:

    Hi
    Hope you are well. I have implemented the same solution as you described in this article but I am facing an issue. I have created VLANs 10, 172, 192 and 193 on the pfSense box as well as on my Cisco 3560 L3 switch. DHCP, DNS and internet are working but I cannot ping from a VLAN 10 host to a VLAN 192, 172 or 193 host. I can ping the VLAN 10 gateway from the other VLANs like 192, 193 or 172, but this is just because these are the interface IPs of the VLANs; I cannot ping host IPs from VLAN 10 to other VLANs. In simple words, inter-VLAN communication is not working, please help.

    Thanks waiting for your reply.

    • Have you created firewall rules under each VLAN interface to allow for communication between VLANs? Can you make sure that it is not the client side firewall that could be blocking the pings by putting them both in the same VLAN and testing to make sure that they can talk there before moving them over to separate VLANs?

    • Ismail Khan says:

      Glenn thanks for the reply 🙂
      Today I made changes in the pfSense box. First I changed the LAN IP to none and second I disabled DHCP on the LAN.
      Then I pinged the PC from VLAN 10 to VLAN 192 but no luck.
      But surprisingly when I disabled the firewall on both PCs it started getting ping replies from both sides :)
      What was the issue? Was it the physical LAN IP or the Windows Firewall?

      Thanks

  10. Please, how do I configure pfSense to limit bandwidth per VLAN?

  11. Can I configure the same method using an L3 switch (Cisco Catalyst 3750)? At present the VLANs are configured in the L3 switch and it is the DHCP source. I want to configure VLANs in pfSense and assign them to the interfaces in the switch. I also want to configure DHCP for every VLAN. The main objective is to obtain and store the DHCP logs from pfSense.

    • Yes, I have done this before. You just need to configure a trunk port on the Cisco switch that connects to pfSense. On pfSense you have to tag the VLANs on the interface that leads to your Cisco switch.

      Regards,

      Glenn

  12. Pavan Ayyagari says:

    Can I configure the same method using an L3 switch (Cisco Catalyst 3750)? At present the VLANs are configured in the L3 switch and IP routing has been enabled for inter-VLAN routing. I want to configure VLANs in pfSense and assign them to the interfaces in the switch.

    • Yes, I have done this before. You just need to configure a trunk port on the Cisco switch that connects to pfSense. On pfSense you have to tag the VLANs on the interface that leads to your Cisco switch. The access ports on the Cisco switch that lead to your clients need to have the VLANs untagged. On pfSense you can set up DHCP for each VLAN. In essence your Cisco L3 router will be performing only L2 switching functionality while pfSense will take care of the rest.

      Regards,

      Glenn

      • Pavan Ayyagari says:

        Thanks for your advice Glenn. Much appreciate it. I tried this last night but no luck yet. Below is my setup:
        I have a Cisco Catalyst 3750 in which I have created about 6 VLANs, created interfaces for each of them and IP routing has been enabled. I can ping all VLAN interfaces from the switch, that's all good. I am running pfSense as a virtual machine and it has two NICs. One is going to the WAN (Internet) and one to the LAN, with the port group for that vSwitch having all VLANs tagged. I cannot attach the picture for more information.
        So do you advise creating the same VLANs on the pfSense box too, with the same interfaces as the Cisco switch? What will be the default route on the Cisco switch? Should that be pointing to the pfSense box? Do I need to add any static route on the pfSense box too pointing to the switch? I have been struggling for a while on this and any help will be greatly appreciated.

        Hope to hear from you soon.

        Thanks,
        Pavan

        • Since you are running pfSense as a virtual machine with two physical NICs on the server, the configuration is a little bit different. One of the physical interfaces on the server must connect to a port on your Cisco switch. This port must be configured as a trunk port on the switch:

          Trunk Configuration:
          SW1(config)#interface gig #/#

          SW1(config-if)#switchport trunk encapsulation dot1q
          Switches the encapsulation to 802.1Q

          SW1(config-if)#switchport mode trunk
          Changes the port to a trunk port

          SW1(config-if)#switchport trunk allowed vlan {add|all|except|remove}
          Configures which VLANs are allowed on the trunk. By default, all VLANs are allowed.

          Additionally you can create your VLANs as well:

          SW1(config)#vlan #
          This will create a layer 2 VLAN

          SW1(config-vlan)#name NAMEHERE
          Assigns a name

          SW1(config-vlan)#exit

          You shouldn’t need to do anything else on the switch besides configure the access ports:

          SW1(config)#interface FastEthernet #/#

          SW1(config-if)#switchport mode access
          Makes it an access port

          SW1(config-if)#switchport access vlan #
          Assigns the VLAN that it belongs to.

          Going back to the VMware side of things, the next steps will differ if you are using a standard virtual switch or a distributed virtual switch. The port group that is mapped to the physical NIC on the server which connects to the trunk port on the switch must be configured for Virtual Guest Tagging. The pfSense virtual ethernet adapter (known as LAN in pfSense) that belongs to this port group is tagging frames, and the tags must be preserved between the VM networking stack and the external switch when frames are passed to/from virtual switches. Assuming that you are using a standard virtual switch, see below for how to set this:

          To set a standard vSwitch portgroup to trunk mode:

          Edit host networking via the Virtual Infrastructure Client.

          Navigate to Host > Configuration > Networking > vSwitch > Properties.
          Click Ports > Portgroup > Edit.
          Click the General tab.
          Set the VLAN ID to 4095.
          A VLAN ID of 4095 represents all trunked VLANs.
          Click OK.

          See:

          http://kb.vmware.com/selfservice/search.do?cmd=displayKC&docType=kc&docTypeID=DT_KB_1_1&externalId=1004252

          for more information.

          Your Cisco switch will not be doing any routing as this will all happen at the pfSense level. The VLANs on the Cisco side must match the VLANs on the pfSense side of things or else it won’t work. There is no need for a default route as the Cisco switch is just a layer 2 device that does not need to do any routing. There is no need for static routes on the pfSense box either.
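As an added example (not Glenn's code and not pfSense's or Cisco's), a small Python check for the point above that the VLANs on both sides must match: it parses a constructed Cisco IOS excerpt, expands the uplink trunk's allowed-VLAN list, and reports tags missing on either side, pruned from the trunk, or used on access ports without being declared. The switch config, interface names and pfSense tag set are constructed sample values.

```python
"""Check that a Cisco IOS trunk/VLAN config matches the VLANs tagged on pfSense.
Added example for this thread; not pfSense's or Cisco's own code."""
import re

# Constructed excerpt shaped like a Cisco IOS running-config (not a real switch).
IOS_CONFIG = """\
vlan 10
vlan 20
vlan 30
interface GigabitEthernet1/0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20
interface FastEthernet0/5
 switchport mode access
 switchport access vlan 30
interface FastEthernet0/6
 switchport mode access
 switchport access vlan 40
"""

# Tags created under Interfaces > VLANs on pfSense (constructed sample values).
PFSENSE_VLAN_TAGS = {10, 20, 30}


def expand_vlan_list(spec):
    """Expand an IOS list such as '10,20-22' into a set of VLAN IDs;
    'all' returns None, meaning every VLAN is allowed on the trunk."""
    if spec.strip() == "all":
        return None
    ids = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        ids.update(range(int(lo), int(hi or lo) + 1))
    return ids


def parse_ios(text):
    """Return (declared VLAN IDs, trunk allowed-lists, access-port VLANs).
    Only the plain 'switchport trunk allowed vlan <list>' form is handled."""
    declared, trunks, access, iface = set(), {}, {}, None
    for line in text.splitlines():
        if m := re.match(r"^vlan (\d+)$", line):
            declared.add(int(m.group(1)))
            iface = None
        elif m := re.match(r"^interface (\S+)$", line):
            iface = m.group(1)
        elif iface is not None:
            s = line.strip()
            if s == "switchport mode trunk":
                trunks.setdefault(iface, None)  # no allowed-list: all VLANs
            elif s.startswith("switchport trunk allowed vlan "):
                trunks[iface] = expand_vlan_list(s.split(" ", 4)[4])
            elif s.startswith("switchport access vlan "):
                access[iface] = int(s.split()[-1])
    return declared, trunks, access


def check_consistency(ios_text, pfsense_tags, trunk_iface):
    """List every mismatch that would stop router-on-a-stick from working."""
    declared, trunks, access = parse_ios(ios_text)
    findings = [f"VLAN {t} tagged on pfSense but not created on the switch"
                for t in sorted(pfsense_tags - declared)]
    findings += [f"VLAN {t} exists on the switch but pfSense has no interface for it"
                 for t in sorted(declared - pfsense_tags)]
    if trunk_iface not in trunks:
        findings.append(f"{trunk_iface} is not configured as a trunk")
    elif trunks[trunk_iface] is not None:
        findings += [f"VLAN {t} is pruned from trunk {trunk_iface}"
                     for t in sorted(pfsense_tags - trunks[trunk_iface])]
    findings += [f"{i} is an access port in undeclared VLAN {v}"
                 for i, v in sorted(access.items()) if v not in declared]
    return findings
```

Running `check_consistency(IOS_CONFIG, PFSENSE_VLAN_TAGS, "GigabitEthernet1/0/1")` on the sample flags VLAN 30 as pruned from the uplink trunk and FastEthernet0/6 as sitting in an undeclared VLAN 40.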

          • Pavan Ayyagari says:

            Thank you very much Glenn. Kind of a newbie when it comes to networking but trying to get there. Will give this a go in the next few days and will let you know the result.

            Have a good weekend!

            Cheers,
            Pavan

          • Pavan Ayyagari says:

            Hello Glenn,
            Hope you are well mate. Tried it over the weekend and it worked. The firewall was blocking ICMP; I managed to configure the ANY rule and I am back in business. I would like to thank you for all your help.

            Cheers,
            Pavan

          • Pavan Ayyagari says:

            Hello Glenn,

            Thanks for your help setting up pfSense and VLANs, everything is working great. I need to introduce one more host and configure a cluster for vMotion etc. and want to check if I need to set up another pfSense VM on the new host as well, the same as on the first host, or if one firewall should do?
            Please advise.

            Many thanks,
            Pavan

          • Pavan,

            You should be fine with having one pfSense firewall for the entire cluster. Assuming that the secondary host that you are adding has the same number of interfaces as the first host, then you should be good. Make sure that the port group that is mapped to the physical NIC on the first server which connects to the trunk port on the switch, and that is configured for Virtual Guest Tagging, also exists on the secondary host. You will need the same port group on the secondary host and it must be named exactly the same for vMotion to work properly. The port group should have the same configuration as the existing port group and also, on the switch side, the port must be configured as a trunk port.

            Regards,

            Glenn

  13. Pavan Ayyagari says:

    Hello Glenn,

    I have introduced the second host as per your instructions and it worked. Thank you very much for that. I was looking at Sophos UTM and it looks like it has more features than pfSense and is easy to use as well. Do you agree on that? If I want to replace pfSense with Sophos, can I follow the same instructions you have provided for pfSense, creating VLANs on the layer 2 switch as well as on the Sophos UTM and connecting them as trunk ports? Can you please advise how to create VLANs on Sophos if possible. Thank you very much for your help till date mate. Much appreciate it!!!

    Cheers,
    Pavan

    • Hello Pavan,

      I wanted to take the time to reply to this email as I also followed the information here long ago and also moved to a Sophos UTM from pfSense. I’ve gotta say, it's the way to go and works very very well. I did find that I had trouble trunking to the UTM and setting one of the VLANs as my DHCP-capable WAN port. It should have worked but just didn’t. Maybe this has been fixed in later releases. To resolve this I just broke out the WAN connection at the switch and brought it to my ESX box on a dedicated port and all was well. Trunking and firewalling all other VLANs over a trunk to the UTM were no problem at all.

      Regards,

      Terry

    • To continue, my setup https://drive.google.com/file/d/0B5FsI0NIr8KlaTZZZUVxYnNZNHc/view?usp=sharing which was birthed from my original posts here nearly a year ago with pfsense (which I still have as a backup VM too). A lot of the magic is obviously done in the UTM VM on my ESX box, but it gives an idea.

      • Pavan Ayyagari says:

        Thanks Terry. I did try Sophos last night and it did not work, and there is not too much information over the web as well. Is there any way I can get configuration screenshots or steps for setting up VLANs inside Sophos and allowing internet for those VLANs? I would like to set it up inside ESXi 5.5. My email is payyagari@outlook.com if you can help here please.
        Much appreciated.
        Thanks,
        Pavan

  14. Hello Glenn,

    thank you very much for your wonderful configuration report. As I am using a Cisco SG300-28 switch in layer 3 mode I would prefer to do the inter-VLAN routing on the switch. I have read that pfSense is able to manage this scenario and that you should create another VLAN for the internet connection that is routed by pfSense. Unfortunately I actually have no idea how to do this so far. It would be great if you could help me with the issue.

    Best regards,

    Volker

    • If you have the switch configured for inter-VLAN routing and connect pfSense to it, then the only way for you to actually make this work is to install the RIP or OSPF routing packages on the pfSense box. If this is a small home/office scenario, going with RIP makes sense since it is simple to configure. You would use the same routing protocol on the switch side and create a neighbor relationship. On your switch side you can create a static default route to send everything on to the pfSense box in order to keep things simple.

      Regards,

      Glenn

  15. Works with Netgear switches.

    Big thanks and very useful guide.
    Long life to the author 😉
    Regards,
    Veig.

  16. NetSys Pro says:

    Hello,

    Just 1 question: I haven’t read all the comments, so apologies if this has been addressed, but after you’ve configured the VLANs, do you disable the default LAN interface on pfSense?

    Thank you.

  17. Hi Glenn,

    thank you very much for this great post. Based on your article I would like to implement a similar setup, but I’m fairly new to pfSense, VLANs, etc.
    I think I’ll manage to implement my project following this guide, but I was hoping for your advice and tips about best practice for slightly different setups.

    SETUP I:

    * pfSense box with 4 NICs

    – port 1
    WAN with 2 IPs (1 ISP – same subnet – same gateway)

    – port 2
    LAN1 (class C private subnet)
    + connected to “dumb” switch
    “WORK NETWORK” (my home-office)

    – port 3
    LAN2
    +VLAN10 (management for AP)
    +VLAN20 (Wifi private / home)
    +VLAN30 (Wifi guest)
    (VLANS on class B private subnets)

    => Trunk from switch
    + VLAN10 (AP, “controller/server”, switch, …) untagged
    + VLAN20 (Wifi network for private use) tagged
    + VLAN30 (Wifi network for guests) tagged

    – port 4
    LAN3 (spare or?)

    – DHCP server on LAN/VLANS

    +++ My goal is to:
    – separate VLAN30 from all other VLANS/LANS
    (only one possible route – WAN)
    – VLAN30 uses IP1 on WAN / all other networks use IP2
    – access to “controller/server” on VLAN10 from VLAN20 & LAN1
    – access to “controller/server” from WAN side through IP2
    (this shouldn’t be a problem – NAT?)

    SETUP II:
    * Same as “SETUP I” but 2x WAN (2 different ISPs with different subnets and gateways)
    +++ The goal is the same – guest wifi network on VLAN30 through ISP1, the rest through ISP2 ….

    Could you please tell me if this setup will work and whether it’s good practice or not.

    I must be sure that, no matter what happens, the guest network can not access any of the other networks.

    How do I set up correctly FW rules and routing?

    Any suggestions and corrections would be highly appreciated.

    FYI: My home/office is not in the same building as my “home”, I’ve only 2 network cables between the sites (ca. 50m), so I can’t connect everything from office to the other switch at home (there are not enough free ports anyway) and I can’t afford a new manageable switch and/or other equipment at the moment.

    thx/Andy

    • Andy,

      Looking at the two setups I think that number 2 is better. If you have 4 ports on your device then with this setup two of them will be taken by the WAN from two different ISPs. This is how I would lay out your configuration:

      Port 1: WAN
      Port 2: OPT WAN
      Port 3: LAN –> connects to switch that supports tagging
        VLAN 10 (Management, Class B) –> Tagged
        VLAN # (Work, Class C) –> Tagged
      Port 4: WAP –> connects to switch that supports tagging, APs will connect to the switch ports
        VLAN 10 (Management, Class B) –> Tagged
        VLAN 20 (WiFi Private, Class B) –> Tagged
        VLAN 30 (WiFi Guest, Class B) –> Tagged

      I am pretty sure that pfSense does not support untagging a VLAN on an interface so you need a switch that supports 802.1Q tagging.

      General Setup Instructions:
      1. Set up the WAN interface (follow my guide and use static addressing if you have the information from ISP 1).
      2. Set up OPT WAN with DHCP or static (under the Interfaces tab in pfSense; use static addressing if you have the information from ISP 2).
      3. Configure pfSense with DNS servers from each WAN interface's ISP. You want to do this so that you don’t have an outage if one interface goes down. (System–>General Setup)
      4. Set up static routes to reach each DNS server via the respective WAN interface, because otherwise the DNS servers will always be reached via the primary WAN interface. Static routes must be configured so that the DNS servers can be reached using the secondary WAN interface, so that in case of an outage you can reach the secondary DNS servers using the OPT WAN (secondary) interface. (System–>Routing–>Routes)
      5. Set up a load balancing pool. This allows you to distribute traffic over both WAN interfaces in a round robin fashion. (Services–>Load Balancer)
      6. Optional: set up a captive portal on the WiFi interface or Port 4. The captive portal can only be enabled on one interface and it will give you extra security by directing users to a web page before access is permitted. You can require users to authenticate before they use the wireless.

      Once you have multiple VLANs created you can head over to Firewall–>Rules and create a catch-all rule for VLAN 30 and, under the advanced features, select the option under ‘Gateway’. In here you can choose which interface this VLAN will use to go out (WAN or OPT WAN (secondary)). Additionally, you can create rules under VLAN 30 blocking it from reaching the other internal VLANs etc. Just make sure that you verify the order, as rules are evaluated on a first match basis, which means that you should have the block rules at the top and the catch-all rule to go out to the internet near the bottom. I hope this helps.

      Regards,

      Glenn
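As an added example (not part of the thread and not pfSense's rule engine), a Python toy that evaluates the VLAN 30 rule set first-match the way pfSense does: block rules for the internal networks on top, then a catch-all pass that sends guests out the OPT WAN gateway. It also runs the same rules with the catch-all placed first, to show why the order matters; the subnets and the gateway name are constructed.

```python
"""Toy first-match evaluator for pfSense-style per-interface rules on a guest
VLAN. Added example for this thread; not pfSense's own rule engine."""
import ipaddress

# Internal networks the guest VLAN must never reach (constructed addresses
# standing in for the VLAN 10 management and VLAN 20 private WiFi subnets).
INTERNAL_NETS = ["172.16.10.0/24", "172.16.20.0/24"]


def make_rule(action, dst, gateway=None):
    """One rule on the VLAN 30 interface: action, destination, policy-routing gateway."""
    return {"action": action, "dst": ipaddress.ip_network(dst), "gateway": gateway}


# Correct order: explicit blocks first, catch-all with the OPT WAN gateway last.
RULES_GOOD = [make_rule("block", n) for n in INTERNAL_NETS] + [
    make_rule("pass", "0.0.0.0/0", gateway="OPT_WAN"),
]
# Wrong order: the catch-all sits on top, so the block rules below never match.
RULES_BAD = [make_rule("pass", "0.0.0.0/0", gateway="OPT_WAN")] + [
    make_rule("block", n) for n in INTERNAL_NETS
]


def evaluate(rules, dst_ip):
    """Return (action, gateway) of the first rule matching the destination;
    with no match, pfSense's implicit default is to block."""
    ip = ipaddress.ip_address(dst_ip)
    for rule in rules:
        if ip in rule["dst"]:
            return rule["action"], rule["gateway"]
    return "block", None


def audit_guest_isolation(rules):
    """Return the internal networks a guest packet would be passed to."""
    leaks = []
    for net in INTERNAL_NETS:
        probe = str(ipaddress.ip_network(net)[10])  # any host inside the network
        if evaluate(rules, probe)[0] == "pass":
            leaks.append(net)
    return leaks
```

`audit_guest_isolation(RULES_GOOD)` returns an empty list, while `audit_guest_isolation(RULES_BAD)` reports both internal networks as reachable, even though the block rules are present in both sets.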

      • Thank you very much for your exhaustive reply.
        Without people like you, who are sharing their knowledge and are willing to sacrifice their time to help others, most of us “amateurs” would have to hire professionals to get things done. Thumbs up!

        I’ll try to set up things like you suggested but I only have one switch that supports tagging.
        (Port 3: LAN => connected to a “dumb” switch)
        Can this still be done in conjunction with Port 4: WAP with VLANs?
        Is there a way I can access the VLAN10 (management) from LAN which is on a different subnet? Some kind of NAT maybe?

        I don’t need load balancing but failover would be nice if I stick with 2 ISPs ….
        Actually I wanted to stay with just 1 ISP (glass fiber) and dump the other (xDSL) to lower my expenses.

        What do you mean by “catch all rule for VLAN 30”? Default allow LAN to any rule?

        Regards,
        Andy

        • Andy,

          If you only have one switch that does tagging then you can use that for port 3 and plug all your devices into the switch. On port 3 you will tag both VLAN 20 and 30 for your wireless as well as the other ones, and untag/tag them on the access ports of the switch.

          With regards to VLAN 10 and accessing it from other VLANs, there should be no issue with accessing it as long as you create rules in the firewall that allow this access.

          You can configure failover instead of load balancing when you set up the pool if you prefer this option. The catch-all rule will allow everything that you haven’t explicitly blocked. You can also do it the other way, so that you block everything except what you have explicitly allowed. Think of whitelisting vs. blacklisting, just two different methods of doing things.

      • Glenn,

        so practically you are saying I have to buy new switches?
        You can see what I have/like to have in this diagram (https://owncloud.slovenia-travel.net:50970/index.php/s/IkQDwcz1aePhNwT).
        I can NOT connect all devices to the switch capable of tagging, because of location, # of ports, …
        I’d like to know if access to VLAN10 & VLAN20 (home – location 2) from LAN (office – location 1) would work in my setup before I start implementing.

        regards,
        Andy

        • Getting two switches would be cleaner. There are some decent Netgear switches that have 802.1Q support for low prices. I am not sure what VLAN # your LAN is, but for example purposes call it 60. When you create VLAN 60, which is some class C network 192.168.x.x, you can’t go on port 3 and untag VLAN 60. I haven’t seen this functionality of untagging a VLAN in pfSense even though it exists in every switch that supports 802.1Q.

  18. Yogi_al says:

    Hi,

    Thanks for the awesome guide. Though I still am not able to get my VM in one VLAN to talk to another server that is on another VLAN.
    This is how my setup is. I am using pfSense and Hyper-V. The Hyper-V host machine has 2 physical NIC cards – em1 and em2. I have created 2 virtual switches in Hyper-V, VSWT2 (em1) and VSWT3 (em2).
    I have set up pfSense as a VM, and configured the WAN (em1) and LAN (em2) interfaces and also created VLANs, VLAN1 (em2) and VLAN2 (em2). Everything works fine; the VMs in each of the LANs are able to talk to each other, but I am not able to get a client VM in VLAN1 to talk to the server in VLAN2. I have set up a Pass firewall rule in each of the VLAN interfaces to allow any traffic between any source and any destination, but still I am not able to get the client to connect to the server.
    Any guidance will be greatly appreciated..
    – Yogi

    • Yogi,

      Try the following simple thing first. Move the client VM in VLAN1 to VLAN2 where the server is located. Can you ping the server when the client VM is in the same VLAN? Move the client VM back to VLAN1 and make sure that you get a new IP address. Try pinging the gateway for VLAN1 from the client VM. Are you successful? Try pinging the gateway for VLAN2 from the client VM. Are you successful?

      Regards,

      Glenn

      • Hi Glenn,

        thanks for your response. I did as you suggested; I am able to ping and the applications are able to interact with each other when the client and the server are in the same VLAN. I tried this in each VLAN, and it worked; the only problem is when they are in separate VLANs.
        Also, I would like you to know that when they are in separate VLANs, I am only able to ping each other, but the applications don’t communicate with each other. I guess it's because of the allow all rule (any source, any destination, any protocol) on both the VLAN1 and VLAN2 interfaces.
        I have the VLANs with the following configuration
        VLAN1 – 10.20.1.0/26
        VLAN2 – 10.60.1.0/26
        and have dhcp configured on each interface.
        From VLAN1 I am able to ping the gateway on VLAN1(10.20.1.1) and VLAN2(10.60.1.1)
        Am I missing something?

        -Yogi_al.

        • I agree with the comment from Ismail below. It looks like you might have a firewall rule on the client or server side that is blocking the communication.

          Regards,

          Glenn

          • Hi Glenn,
            I did as Ismail said, I dropped the firewall on pfSense, but still the client/server apps don't talk to each other when they are in different VLANs. I guess it's got something to do with the apps themselves. But I am just not able to figure out what it could be.
            In the production environment the clients and servers are on VLANs with Cisco routers and switches; they have ACLs that control the access to the VLANs and ports. I am trying to create a lab version of the environment using pfSense.
            I think I might have to implement the Cisco version of ACLs in pfSense to open up specific ports so that the apps can communicate. I can't see any option for creating ACLs in pfSense, or is it that I need to simply implement these as firewall rules?

            Thanks a ton for your suggestions.

            -Yogi_al

          • What he was saying was to disable the firewall on the server and client. That is, within the operating system itself. If you are using windows you can do this from the control panel. Based on what you posted above, you turned off the firewall on pfSense and you still were not able to have the client and server communicate. This points to the built in firewall in the operating system.

    • Disable firewall for each node (Server, PC etc). This should work.

      Regards

      Ismail

  19. Hi Glenn,

    Thank you so much for this guide. I was searching the internet for 2 days just to make things work with my VLAN issue.

    I will try to simulate your setup first, then I will post here what I went through…

    Again, thank you for your unwavering support and help to those users like me who are not so familiar with this kind of technology. Kudos to you my friend! 😀

  20. Nice one. Good post.
