Differences

This shows you the differences between two versions of the page.

--- pfsense:vlan_virtual_lan:set_up_a_vlan [2021/02/16 14:07] – peter
+++ pfsense:vlan_virtual_lan:set_up_a_vlan [2021/02/16 14:58] (current) – [Block Access to LAN when on VLAN 20] peter
@@ Line 1: / Line 1: @@
 ====== PFSense - VLAN (Virtual LAN) - Set up a VLAN ======
+===== Create the VLAN =====
-<WRAP info>
+Navigate to **Interfaces -> Assignments**.
-**NOTE:**  A few things to keep in mind:
-VLAN 20 will be used in this example. You can substitute a different VLAN but for the purposes of this tutorial VLAN 20 is used.
+Select **VLANs**.
-VLAN 20 will be assigned to LAN port along with the normal LAN traffic.
+  * Click the **Add** button.
+  * Parent Interface:  **em1**.  Typically this is the LAN port.
+  * VLAN Tag:  **20**.  Use any unique number from 2 to 4096.  Here 20 is used as an example.
+  * VLAN Priority: **0**.  Keep the default.
+  * Description: **VLAN 20**.  Any description will do.
+  * Click **Save**.
-DNS Resolver is enabled for ALL interfaces (Services –> DNS Resolver).  If it’s not enabled, Clients on VLAN 20 will not be able to get out to the Internet.
+<WRAP info>
+**NOTE**:
+  * **VLAN Tag**:  A unique number between 0 and 4096 for the VLAN.  Here we use 20 as an example.
+    * VLAN 0 is used when a device needs to send priority-tagged frames but does not know in which particular VLAN it resides.
+    * VLAN 1 is the default native VLAN for the LAN, and used for untagged traffic.  As we want an actual VLAN, we need to use an ID from 2 to 4096.
+  * **VLAN Priority**:  Has a value range from 0 to 7.  See https://en.wikipedia.org/wiki/IEEE_P802.1p.
 </WRAP>
@@ Line 15: / Line 26: @@
 ----
-===== Steps to setup VLAN =====
+===== Setup an Interface for the VLAN =====
-==== Create the VLAN ====
+Navigate to **Interfaces Assignments**.
-Navigate to **Interfaces -> Assignments**.
+Against **Available network ports**, click the drop down arrow and Choose **VLAN 20 on em1**.
-Select **VLANs**.
+  * Click **Add**.
+  * Click **Save**.
-  * * Click on the **Add** button.
+Click the interface link for **OPT1**.
-  * Parent Interface:  **em1**.  Typically this is the LAN port.
-  * VLAN Tag:  **20**.  Use a unique number from 2 to 4096.  1 is reserved as the default VLAN tag and should not be used.
+In **General Configuration**:
-  * VLAN Priority: **0**.  VLAN priority has a value range from 0 to 7.
-  * Description: **VLAN 20**.
+  * Enable:  **Checked**.
+  * Description:  **VLAN20**.  Give the VLAN a nicer name.
+  * IPv4 Configuration Type:  **Static IPv4**.
+  * IPv6 Configuration Type:  **None**.
+In **Static IPv4 Configuration**:
+  * IPv4 Address:  **192.168.20.1**.
+  * Click the drop-down for the Subnet Mask and select **24**.
   * Click **Save**.
+  * Click **Apply Changes** at the top.
 <WRAP info>
-**NOTE:
+**NOTE:**  The VLAN interface is now created.
-  * **VLAN TAG**:  A unique number between 0 and 4096 for the VLAN.
+  * It has a VLAN ID of 20.
-    * VLAN 0 is used when a device needs to send priority-tagged frames but does not know in which particular VLAN it resides.
+  * It has an IP address of 192.168.20.1.
-    * VLAN 1 is the default native VLAN for the LAN, and used for untagged traffic.  As we want an actual VLAN use a figure from 2 to 4096.
+    * Notice that the IP Address and VLAN ID both have a **20**.
-  * **VLAN Priority**:  Has a value range from 0 to 7.  See https://en.wikipedia.org/wiki/IEEE_P802.1p.
+    * This is simply used for convenience, and makes it easier to remember which IP range is associated with which VLAN.
+    * However just because the VLAN ID is 20 does NOT mean that the IP also has to have a **20** in it.  The IP can be any internal IP.
 </WRAP>
@@ Line 42: / Line 65: @@
 ----
-Navigate to **Interfaces Assignments**.
+===== DHCP Server for VLAN 20 =====
-    - For **“Available network ports”**: **Click** the drop down arrow and Choose **VLAN 20 on em1**
+Navigate to **Services -> DHCP Server**.
-    - **Click** on the green **Add**
-    - **Click** on the blue **Save**
-  - **Click** on the interface link for **OPT1**
-  - Fill out this information below:
-    - General Configuration
-      - Enable Interface: **checked**
-      - Description: **OPT1VLAN20**
-      - IPv4 Configuration Type: **Static IPv4**
-    - Static IPv4 Configuration
-      - IPv4 Address: 192.168.20.1
-      - **Click** the **dropdown** for the Subnet Mask and select **24**.
-    - **Click** on the blue **Save**
-    - **Click** on the green **Apply Changes** button at the top.
-**Great! You’ve got a VLAN.**
+  * Select the VLAN Name along the top.  For this example select **VLAN20** or whatever name you gave the VLAN.
+In **General Options**:
-It’s on VLAN 20 and it’s IP interface is set to 192.168.20.1.
+  * Enable: **Checked**.
+  * Range: **192.168.20.100** to **192.168.20.199**.
+  * Click **Save**.
-Keep in mind, just because it’s VLAN 20 doesn’t mean the subnet has to contain the “20” in it’s IP of 192.168.20.1.
+<WRAP info>
+**NOTE:**  The Range is limited to those 100 addresses.
-We just find it makes it easier to keep the numbers the same as it’s easier in identifying particular settings and connected clients later.
+Change this as needed.
-Now in order for this VLAN interface to start issuing IP addresses we need to configure a DHCP Server for it. Read on.
+</WRAP>
 ----
-===== DHCP Server for VLAN 20 =====
+===== Firewall Rules =====
-  - **Login** to **pfSense** (you’re probably still in pfSense but just in case you’re not you gotta log back in)
+To allow the VLAN to get out to the Internet a firewall rule is needed.
-  - **Click** on **Services -> DHCP Server**
-  - **Click** on **Opt1VLAN20** (link on the upper menu)
-    - Enable: **Checked**
-    - Range: **168.20.100** to **192.168.20.150** (We’re simply going to issue 50 leases out for this VLAN.  You can change this if you need more DHCP IP addresses)
-    - **Click** on the blue **Save**
-**Perfect!  We’ve now got the VLAN 20 interface issuing IP addresses.**
+Additional restrictions can be set against client of the VLAN with additional firewall rules.
-However, we have to create some firewall rules to get out to the Internet.  We may want to create some other rules as well restricting what exactly a client on VLAN 20 can get to.
 ----
-===== Firewall Rules =====
+===== Allowing VLAN 20 Clients Internet Access =====
-There are a few rules we need to setup for VLAN 20.
+Navigate to **Firewall –> Rules**:
-Most importantly, if you want VLAN 20 to get out to the Internet we have to create a rule for that.
+  * Select the VLAN Name along the top.  For this example select **VLAN20** or whatever name you gave the VLAN.
-Perhaps you want to restrict clients on VLAN from accessing devices on the LAN.  We need a rule for that.
+  * Click on an **Add** button.
+  * Action: **Pass**.
+  * Interface:  **VLAN20**.   Or whatever name you gave the VLAN.
+  * Protocol: **Any**
+  * Source:
+    * Invert Match:  **Not Checked**.
+    * Source: **Any**
+  * Description: **Allow OPT1VLAN20 to any**
+  * Click **Save**.
+  * Click **Apply Changes** at the top.
-What about NOT allowing clients on VLAN 20 to even get to the pfSense web interface.  Well, we need a rule for that.
+<WRAP info>
+**NOTE:**  At this point, clients on VLAN 20 that are issued IP addresses on the 192.168.20.0 subnet should be able to get out to the Internet.
+</WRAP>
-So below are some rules you may need to configure depending on what you want VLAN 20 to have access to.
+<WRAP info>
+**NOTE:**  When you create a firewall rule, it may not seem as if it goes into effect immediately.
-**One hugely important thing about Firewall Rules**.  When you create a rule, it may not seem as if it goes into effect immediately. The reason:
+The reason:
   * Let’s say a device is on the VLAN20 network and it is constantly accessing something on the LAN.
@@ Line 109: / Line 129: @@
     * When you do this any and all open states that exist will be broken.  So there will be a brief hiccup in Internet access.  However, it is usually very quick.  Just be aware of that before you go off and **Reset States**.
-----
+</WRAP>
-===== Allowing VLAN 20 Clients Internet Access =====
-  - **Login** to **pfSense** (once again, you’re probably still in pfSense but just in case you’re not you know the drill)
-  - **Click** on **Firewall –> Rules**
-  - **Click** on **Opt1VLAN20** (link on the upper menu)
-  - **Click** on the green **Add** button
-  - Fill out this information below:
-    - Edit Firewall Rule
-      - Action: **Pass**
-      - Interface: **OPT1VLAN20**
-      - Protocol: **Any**
-      - Source
-        - Source: **Any**
-      - Extra Options
-        - Description: **Allow OPT1VLAN20 to any**
-      - **Click** on the blue **Save**
-      - **Click** on **Apply Changes**.
-At this point, clients on VLAN 20 that are issued IP addresses on the 192.168.20.0 subnet should be able to get out to the Internet.
 ----
@@ Line 184: / Line 184: @@
 ===== Block Access to LAN when on VLAN 20 =====
-<WRAP important>
+Navigate to **Firewall -> Rules**
-**IMPORTANT NOTE:**  If you use an **unmanaged switch** this will not work as trying to restrict a client on VLAN 20 from accessing a device on the LAN doesn’t have anything to do with pfSense at that point.
-The unmanaged switch is “before” pfSense.  It has to do with only the switch and since it is unmanaged you have no way of preventing one device from getting to another due to how unmanaged switches work.  You need a managed switch for this.
+  * Click on **VLAN20**:
+  * Click the **Add** button (up arrow), so this needs to be the first rule in the list.
+  * Action:  **Block**.
+  * Interface: **VLAN20**.
+  * Protocol: **Any**.
+  * Source:
+    * Source:  **VLAN20 net**.
+  * Destination:  **LAN net**.
+  * Description:  **VLAN 20 – cannot access LAN**.
+  * Click **Save**.
+  * Click **Apply Changes** at the top.
-When we setup Wireless Access Points that have VLAN capabilities they have managed switches built into them.  We often use Ubiquiti Wireless Access Points.
+<WRAP important>
-</WRAP>
+**IMPORTANT NOTE:**  Trying to restrict a client on a VLAN from accessing a device on the LAN will not work if used with an **unmanaged switch**.
-  - **Click** on **Firewall -> Rules**
-  - **Click** on **Opt1VLAN20** (link on the upper menu)
-  - **Click** on the green **Add** button (up arrow), so this needs to be the first rule in the list.
-  - Fill out this information below:
-    - Edit Firewall Rule
-      * Action: **Block**
-      * Interface: **OPT1VLAN20**
-      * Protocol: **Any**
-    - Source
-      * Source: **OPT1VLAN20 net**
-      * Destination: **LAN net**
-    - Extra Options
-      * Description: **VLAN 20 – cannot access LAN**
-  - **Click** on the blue **Save** button.
-  - **Click** on the green **Apply Changes** button at the top.
+  * An unmanaged switch just does not have the capability built into it to handle VLAN traffic.
+  * Trying to restrict a client on a VLAN from accessing a device on the LAN has nothing to do with pfSense at that point.
+  * A managed switch is needed for this.
+This limitation does not necessarily apply to Wireless Access Points that have VLAN capabilities (such as Ubiquiti Wireless Access Points); as they have managed switches built into them.
+</WRAP>