pfsense:vlan_virtual_lan:set_up_a_vlan

Differences

This shows you the differences between two versions of the page.

pfsense:vlan_virtual_lan:set_up_a_vlan [2021/02/16 13:31] peterpfsense:vlan_virtual_lan:set_up_a_vlan [2021/02/16 14:58] (current) – [Block Access to LAN when on VLAN 20] peter
Line 1: Line 1:
 ====== PFSense - VLAN (Virtual LAN) - Set up a VLAN ====== ====== PFSense - VLAN (Virtual LAN) - Set up a VLAN ======
  
 +===== Create the VLAN =====
  
-<WRAP info> +Navigate to **Interfaces -> Assignments**.
-**NOTE:**  A few things to keep in mind:+
  
-VLAN 20 will be used in this example. You can substitute a different VLAN but for the purposes of this tutorial VLAN 20 is used.+Select **VLANs**.
  
-VLAN 20 will be assigned to LAN port along with the normal LAN traffic.+  * Click the **Add** button. 
 +  * Parent Interface:  **em1**.  Typically this is the LAN port. 
 +  * VLAN Tag:  **20**.  Use any unique number from 2 to 4096.  Here 20 is used as an example. 
 +  * VLAN Priority: **0**.  Keep the default. 
 +  * Description: **VLAN 20**.  Any description will do. 
 +  * Click **Save**. 
 + 
 +<WRAP info> 
 +**NOTE**:
  
-DNS Resolver is enabled for ALL interfaces (Services –> DNS Resolver).  If it’s not enabledClients on VLAN 20 will not be able to get out to the Internet.+  * **VLAN Tag**:  A unique number between 0 and 4096 for the VLAN.  Here we use 20 as an example. 
 +    * VLAN 0 is used when a device needs to send priority-tagged frames but does not know in which particular VLAN it resides. 
 +    * VLAN 1 is the default native VLAN for the LANand used for untagged traffic.  As we want an actual VLAN, we need to use an ID from 2 to 4096. 
 +  * **VLAN Priority**:  Has a value range from 0 to 7.  See https://en.wikipedia.org/wiki/IEEE_P802.1p.
  
 </WRAP> </WRAP>
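Review bot: the two VLAN Tag statements in this hunk disagree, and both are off by one: the list item says "Use any unique number from 2 to 4096" while the NOTE says "A unique number between 0 and 4096". An 802.1Q VLAN ID is a 12-bit field, so 4096 does not exist; 0 and 4095 are reserved and 1 is the default native VLAN, which leaves 2 to 4094 as the usable range, and both lines should state that. Also fix the missing space in "for the LANand used". Separately, the removed NOTE about the DNS Resolver being enabled for all interfaces (Services -> DNS Resolver) is the one caveat that explains why a VLAN 20 client can get an address yet still fail to reach the Internet by name; consider carrying it into the new NOTE block rather than dropping it.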
Line 15: Line 26:
 ---- ----
  
-===== Steps to setup VLAN =====+===== Setup an Interface for the VLAN =====
  
-  - **Login** to **pfSense** +Navigate to **Interfaces Assignments**.
-  - **Click** on **Interfaces -> Assignments** +
-  - **Click** on **VLANs** (link on the upper menu) +
-  - **Click** on the Green **Add** button +
-  - Fill out this information below on the VLAN Configuration +
-    - Parent Interface: **em1** (typically this is the LAN port) +
-    - VLAN Tag: **20** +
-    - VLAN Priority: **0** +
-    - Description: **VLAN 20** +
-    - **Click** on the blue **Save** button +
-  - **Click** on **Interfaces Assignments** +
-    - For **“Available network ports”**: **Click** the drop down arrow and Choose **VLAN 20 on em1** +
-    - **Click** on the green **Add** +
-    - **Click** on the blue **Save** +
-  - **Click** on the interface link for **OPT1** +
-  - Fill out this information below: +
-    - General Configuration +
-      - Enable Interface: **checked** +
-      - Description: **OPT1VLAN20** +
-      - IPv4 Configuration Type: **Static IPv4** +
-    - Static IPv4 Configuration +
-      - IPv4 Address: 192.168.20.1 +
-      - **Click** the **dropdown** for the Subnet Mask and select **24**. +
-    - **Click** on the blue **Save** +
-    - **Click** on the green **Apply Changes** button at the top.+
  
-**Great! You’ve got a VLAN.**+Against **Available network ports**, click the drop down arrow and Choose **VLAN 20 on em1**.
  
-It’s on VLAN 20 and it’s IP interface is set to 192.168.20.1.+  * Click **Add**. 
 +  * Click **Save**.
  
-Keep in mind, just because it’s VLAN 20 doesn’t mean the subnet has to contain the “20” in it’s IP of 192.168.20.1.+Click the interface link for **OPT1**.
  
-We just find it makes it easier to keep the numbers the same as it’s easier in identifying particular settings and connected clients later.+In **General Configuration**:
  
-Now in order for this VLAN interface to start issuing IP addresses we need to configure DHCP Server for it. Read on.+  * Enable:  **Checked**. 
 +  * Description:  **VLAN20**.  Give the VLAN a nicer name. 
 +  * IPv4 Configuration Type:  **Static IPv4**. 
 +  * IPv6 Configuration Type:  **None**. 
 + 
 + 
 +In **Static IPv4 Configuration**: 
 + 
 +  * IPv4 Address:  **192.168.20.1**. 
 +  * Click the drop-down for the Subnet Mask and select **24**. 
 +  * Click **Save**. 
 +  * Click **Apply Changes** at the top. 
 + 
 +<WRAP info> 
 +**NOTE:**  The VLAN interface is now created. 
 + 
 +  * It has a VLAN ID of 20. 
 +  * It has an IP address of 192.168.20.1. 
 +    * Notice that the IP Address and VLAN ID both have a **20**. 
 +    * This is simply used for convenience, and makes it easier to remember which IP range is associated with which VLAN. 
 +    * However just because the VLAN ID is 20 does NOT mean that the IP also has to have **20** in it.  The IP can be any internal IP. 
 + 
 +</WRAP>
  
 ---- ----
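Review bot: "The IP can be any internal IP" in the closing NOTE is too loose. The VLAN interface address must sit in a subnet that does not overlap the LAN or any other interface (here 192.168.20.0/24 next to whatever the LAN uses); with overlapping subnets, routing between LAN and VLAN 20 breaks and the "LAN net" / "VLAN20 net" rules used later on the page stop meaning what they say. Suggest: "The IP can be any private address, as long as its subnet is distinct from the LAN and every other interface." Also, this hunk renames the interface description from OPT1VLAN20 to VLAN20, but the firewall rule description "Allow OPT1VLAN20 to any" further down still uses the old name; update it to match.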
Line 57: Line 67:
 ===== DHCP Server for VLAN 20 ===== ===== DHCP Server for VLAN 20 =====
  
-  - **Login** to **pfSense** (you’re probably still in pfSense but just in case you’re not you gotta log back in) +Navigate to **Services -> DHCP Server**.
-  - **Click** on **Services -> DHCP Server** +
-  - **Click** on **Opt1VLAN20** (link on the upper menu) +
-    - Enable: **Checked** +
-    - Range: **168.20.100** to **192.168.20.150** (We’re simply going to issue 50 leases out for this VLAN.  You can change this if you need more DHCP IP addresses) +
-    - **Click** on the blue **Save**+
  
-**Perfect!  We’ve now got the VLAN 20 interface issuing IP addresses.**+  Select the VLAN Name along the top.  For this example select **VLAN20** or whatever name you gave the VLAN. 
 +   
 +In **General Options**:
  
-However, we have to create some firewall rules to get out to the Internet.  We may want to create some other rules as well restricting what exactly a client on VLAN 20 can get to.+  * Enable: **Checked**. 
 +  * Range: **192.168.20.100** to **192.168.20.199**.   
 +  * Click **Save**. 
 + 
 +<WRAP info> 
 +**NOTE:**  The Range is limited to those 100 addresses.  
 + 
 +Change this as needed. 
 + 
 +</WRAP>
  
 ---- ----
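Review bot: the added line "Select the VLAN Name along the top. ..." is indented by two spaces, which DokuWiki renders as a preformatted code block rather than a sentence; drop the leading spaces, and the whitespace-only line after it, so it reads like "Navigate to **Services -> DHCP Server**." above. The range 192.168.20.100 to 192.168.20.199 does give the 100 addresses the NOTE claims and stays clear of the interface address 192.168.20.1, so that part is consistent.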
Line 72: Line 88:
 ===== Firewall Rules ===== ===== Firewall Rules =====
  
-There are a few rules we need to setup for VLAN 20.+To allow the VLAN to get out to the Internet a firewall rule is needed.
  
-Most importantly, if you want VLAN 20 to get out to the Internet we have to create a rule for that.+Additional restrictions can be set against client of the VLAN with additional firewall rules.
  
-Perhaps you want to restrict clients on VLAN from accessing devices on the LAN.  We need a rule for that.+----
  
-What about NOT allowing clients on VLAN 20 to even get to the pfSense web interface.  Well, we need a rule for that.+===== Allowing VLAN 20 Clients Internet Access =====
  
-So below are some rules you may need to configure depending on what you want VLAN 20 to have access to.+Navigate to **Firewall –> Rules**:
  
 +  * Select the VLAN Name along the top.  For this example select **VLAN20** or whatever name you gave the VLAN.
 +
 +  * Click on an **Add** button.
 +  * Action: **Pass**.
 +  * Interface:  **VLAN20**.   Or whatever name you gave the VLAN.
 +  * Protocol: **Any**
 +  * Source:
 +    * Invert Match:  **Not Checked**.
 +    * Source: **Any**
 +  * Description: **Allow OPT1VLAN20 to any**
 +  * Click **Save**.
 +  * Click **Apply Changes** at the top.
 +
 +<WRAP info>
 +**NOTE:**  At this point, clients on VLAN 20 that are issued IP addresses on the 192.168.20.0 subnet should be able to get out to the Internet.
 +</WRAP>
 +
 +
 +<WRAP info>
 +**NOTE:**  When you create a firewall rule, it may not seem as if it goes into effect immediately.
  
-**One hugely important thing about Firewall Rules**.  When you create a rule, it may not seem as if it goes into effect immediately. The reason:+The reason:
  
   * Let’s say a device is on the VLAN20 network and it is constantly accessing something on the LAN.   * Let’s say a device is on the VLAN20 network and it is constantly accessing something on the LAN.
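Review bot: the pass rule uses Source: **Any**; for an interface rule on VLAN20, Source: **VLAN20 net** is the safer choice, since it only passes traffic that actually originates from the 192.168.20.0/24 subnet and matches the "VLAN20 net" source already used by the "Block Access to LAN" rule later on the page. The description "Allow OPT1VLAN20 to any" still carries the interface name from the removed revision; rename it to the VLAN20 description chosen in this revision. Minor: "against client of the VLAN" should read "against clients of the VLAN", and "Click on an **Add** button" would be clearer as "Click the **Add** button (down arrow)", since the section on blocking LAN access later relies on the other (up arrow) button to put its rule first.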
Line 93: Line 129:
     * When you do this any and all open states that exist will be broken.  So there will be a brief hiccup in Internet access.  However, it is usually very quick.  Just be aware of that before you go off and **Reset States**.     * When you do this any and all open states that exist will be broken.  So there will be a brief hiccup in Internet access.  However, it is usually very quick.  Just be aware of that before you go off and **Reset States**.
  
----- +</WRAP>
- +
-===== Allowing VLAN 20 Clients Internet Access ===== +
- +
-  - **Login** to **pfSense** (once again, you’re probably still in pfSense but just in case you’re not you know the drill) +
-  - **Click** on **Firewall –Rules** +
-  - **Click** on **Opt1VLAN20** (link on the upper menu) +
-  - **Click** on the green **Add** button +
-  - Fill out this information below: +
-    - Edit Firewall Rule +
-      - Action: **Pass** +
-      - Interface: **OPT1VLAN20** +
-      - Protocol: **Any** +
-      - Source +
-        - Source: **Any** +
-      - Extra Options +
-        - Description: **Allow OPT1VLAN20 to any** +
-      - **Click** on the blue **Save** +
-      - **Click** on **Apply Changes**. +
- +
-At this point, clients on VLAN 20 that are issued IP addresses on the 192.168.20.0 subnet should be able to get out to the Internet.+
  
 ---- ----
Line 119: Line 135:
 ===== Denying VLAN 20 Clients to the pfSense Web GUI ===== ===== Denying VLAN 20 Clients to the pfSense Web GUI =====
  
-Often times when setting up VLANs you are doing this for a reason.+===== Add an Alias for the pfSense GUI =====
  
-You are restricting VLAN clients from accessing certain things on your network.+Navigate to **Firewall –> Aliases**.
  
-Typicallywe use VLANs for our Wireless Guest Clients.+  * **Click** on the green **Add** 
 +  * Name: **pfSenseGUI** 
 +  * Description: **Disable Access to pfSense GUI** 
 +  * Type: **Hosts(s)** 
 +  * IP or FQDN: **Enter the IP of the actual pfSense**.  Example192.168.1.1.
  
-It’s fine for them to have Internet.+----
  
-However, you probably don’t want them even seeing the pfSense web GUI….why should they?  So let’s block them from getting to the pfSense Web GUI when on VLAN 20.+==== Firewall Rules ====
  
 +Navigate to **Firewall –> Rules**.
 +
 +  * Select **Floating**:
 +  * **Click** on a green **Add** button.
 +  * Action: **Block**.
 +  * Quick: **Checked**.
 +  * Interface:  **Select the VLAN(s) to be denied access**.
 +  * Direction: **in**.
 +  * Address family:  **IPv4**.
 +  * Protocol: **TCP\UDP**.
 +  * Source:
 +    * Invert Match:  **Not Checked**.
 +    * Source: **any**
 +  * Destination:
 +    * Invert Match:  **Not Checked**.
 +    * Destination:
 +      * **Single host or alias**
 +      * Destination Address:  **pfSenseGUI**.
 +  * Destination Port Range:
 +    * From:  **HTTPS (443)**.   If pfSense is set to HTTP this needs to be HTTP (80).
 +    * To:  **HTTPS (443)**.  If pfSense is set to HTTP this needs to be HTTP (80).
 +  * Description:  **VLAN 20 – no access to pfSense GUI**
 +  * Click **Save**.
 +  * Click **Apply Changes** at the top.
  
 <WRAP info> <WRAP info>
-**Keep in mind:**  These instructions are written if you are running pfSense in the HTTP setting (**System–>Advanced** where **HTTP** is set).+**NOTE:**  Navigate to **System–>Advanced** to see whether the actual pfSense GUI is set to run on either HTTP or HTTPS.
  
-However, if this is in the HTTPS setting we will need to change port number in these instructions.  I’ve noted that as well in these instructions.  Good idea to check this before you start these instructions.+To ensure that access is denied against both HTTP and HTTPS, setup similar firewall rule for both.
 </WRAP> </WRAP>
- 
-  - **Click** on **Firewall –> Aliases** 
-  - **Click** on the green **Add** 
-  - Fill out this information below: 
-    - Properties 
-      - Name: **pfSenseGUIAccess** 
-      - Description: **Disable Access to pfSense GUI** 
-      - Type: **Hosts(s)** 
-    - Host(s) 
-      - IP or FQDN: **this will be the IP of pfSense**.  (ex, 192.168.10.1) 
-      - **Note:**  to add another entry you will need to Click on the green Add Host button. 
-        - IP or FQDN: **168.20.1** (this is the IP of the VLAN 20 we used earlier) 
-      - **Click** on the blue **Save** 
-      - **Click** on the green **Apply Changes** button at the top. 
-  - **Click** on **Firewall –> Rules** 
-  - **Click** on **Floating** (link on the upper menu) 
-  - **Click** on the green **Add** 
-  - Fill out this information below: 
-    - Edit Firewall Rule 
-      - Action: **Block** 
-      - Quick: **Checked** 
-      - Interface: **Click** on **OPT1VLAN20** to select it 
-      - Protocol: **TCP\UDP** 
-      - Direction: **in** 
-    - Source 
-      - Source: **any** 
-    - Destination 
-      - Destination: 
-        - **Single host or alias** 
-        - **pfSenseGUIAccess** (you have to type that in) 
-      - Destination Port Range: 
-        - From: **HTTP (80)** (Keep in mind, if pfSense is set to HTTPS this needs to be HTTPS (443) 
-        - To: **HTTP (80)** (Keep in mind, if pfSense is set to HTTPS this needs to be HTTPS (443) 
-     - Extra Options 
-       - Description: **VLAN 20 – no access to pfSense GUI** 
-     - **Click** on the blue **Save** 
-     - **Click** on the green **Apply Changes** button at the top. 
  
 ---- ----
  
 ===== Block Access to LAN when on VLAN 20 ===== ===== Block Access to LAN when on VLAN 20 =====
 +
 +Navigate to **Firewall -> Rules**
 +
 +  * Click on **VLAN20**:
 +  * Click the **Add** button (up arrow), so this needs to be the first rule in the list.
 +  * Action:  **Block**.
 +  * Interface: **VLAN20**.
 +  * Protocol: **Any**.
 +  * Source:
 +    * Source:  **VLAN20 net**.
 +  * Destination:  **LAN net**.
 +  * Description:  **VLAN 20 – cannot access LAN**.
 +  * Click **Save**.
 +  * Click **Apply Changes** at the top.
  
 <WRAP important> <WRAP important>
-**IMPORTANT NOTE:**  If you use an **unmanaged switch** this will not work as trying to restrict a client on VLAN 20 from accessing a device on the LAN doesn’t have anything to do with pfSense at that point.+**IMPORTANT NOTE:**  Trying to restrict a client on VLAN from accessing a device on the LAN will not work if used with an **unmanaged switch**.
  
-The unmanaged switch is “before” pfSense.  It has to do with only the switch and since it is unmanaged you have no way of preventing one device from getting to another due to how unmanaged switches work.  You need a managed switch for this.+  * An unmanaged switch just does not have the capability built into it to handle VLAN traffic. 
 +  * Trying to restrict a client on a VLAN from accessing a device on the LAN has nothing to do with pfSense at that point. 
 +  * A managed switch is needed for this.
  
-When we setup Wireless Access Points that have VLAN capabilities they have managed switches built into them.  We often use Ubiquiti Wireless Access Points.+This limitation does not necessarily apply to Wireless Access Points that have VLAN capabilities (such as Ubiquiti Wireless Access Points); as they have managed switches built into them.
 </WRAP> </WRAP>
- 
-  - **Click** on **Firewall -> Rules** 
-  - **Click** on **Opt1VLAN20** (link on the upper menu) 
-  - **Click** on the green **Add** button (up arrow), so this needs to be the first rule in the list. 
-  - Fill out this information below: 
-    - Edit Firewall Rule 
-      * Action: **Block** 
-      * Interface: **OPT1VLAN20** 
-      * Protocol: **Any** 
-    - Source 
-      * Source: **OPT1VLAN20 net** 
-      * Destination: **LAN net** 
-    - Extra Options 
-      * Description: **VLAN 20 – cannot access LAN** 
-  - **Click** on the blue **Save** button. 
-  - **Click** on the green **Apply Changes** button at the top. 
- 
- 
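Review bot: the new alias **pfSenseGUI** lists only the pfSense LAN address (example 192.168.1.1), whereas the removed version also added the VLAN 20 interface address 192.168.20.1 as a second host entry. VLAN 20 clients use 192.168.20.1 as their gateway, so that is the address at which they would reach the web GUI; with it missing from the alias, the floating block rule does not cover the most likely path and the section's goal is not met. Keep the second host entry (the old "Add Host" note) so the alias holds every interface address pfSense listens on. Heading levels are inconsistent: "===== Add an Alias for the pfSense GUI =====" sits at the same level as its parent "Denying VLAN 20 Clients to the pfSense Web GUI", while "==== Firewall Rules ====" is one level lower; make both subsections "====". Typos: "Hosts(s)" should be "Host(s)", "Example192.168.1.1" needs a space after "Example", "Protocol: **TCP\UDP**" should be "TCP/UDP" as pfSense labels it, and "Click on **VLAN20**:" ends with a stray colon. In "Block Access to LAN when on VLAN 20", the "(up arrow), so this needs to be the first rule in the list" wording should state the reason plainly: interface rules are evaluated top-down with first match winning, so the block rule must sit above the "Allow ... to any" pass rule or it never matches.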
  
pfsense/vlan_virtual_lan/set_up_a_vlan.1613482286.txt.gz · Last modified: 2021/02/16 13:31 by peter
