Wiki

User Tools

Site Tools

Trace:
pfsense:vlan_virtual_lan:set_up_a_vlan

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
pfsense:vlan_virtual_lan:set_up_a_vlan [2021/02/16 14:35] peterpfsense:vlan_virtual_lan:set_up_a_vlan [2021/02/16 14:58] (current) – [Block Access to LAN when on VLAN 20] peter
Line 7: Line 7:
 Select **VLANs**. Select **VLANs**.
  
-  * Click on the **Add** button.+  * Click the **Add** button.
   * Parent Interface:  **em1**.  Typically this is the LAN port.   * Parent Interface:  **em1**.  Typically this is the LAN port.
   * VLAN Tag:  **20**.  Use any unique number from 2 to 4096.  Here 20 is used as an example.   * VLAN Tag:  **20**.  Use any unique number from 2 to 4096.  Here 20 is used as an example.
-  * VLAN Priority: **0**.  VLAN priority has a value range from 0 to 7+  * VLAN Priority: **0**.  Keep the default
-  * Description: **VLAN 20**.+  * Description: **VLAN 20**.  Any description will do.
   * Click **Save**.   * Click **Save**.
  
Line 17: Line 17:
 **NOTE**: **NOTE**:
  
-  * **VLAN TAG**:  A unique number between 0 and 4096 for the VLAN.  Here we use 20 as an example.+  * **VLAN Tag**:  A unique number between 0 and 4096 for the VLAN.  Here we use 20 as an example.
     * VLAN 0 is used when a device needs to send priority-tagged frames but does not know in which particular VLAN it resides.     * VLAN 0 is used when a device needs to send priority-tagged frames but does not know in which particular VLAN it resides.
-    * VLAN 1 is the default native VLAN for the LAN, and used for untagged traffic.  As we want an actual VLAN use a figure from 2 to 4096.+    * VLAN 1 is the default native VLAN for the LAN, and used for untagged traffic.  As we want an actual VLAN, we need to use an ID from 2 to 4096.
   * **VLAN Priority**:  Has a value range from 0 to 7.  See https://en.wikipedia.org/wiki/IEEE_P802.1p.   * **VLAN Priority**:  Has a value range from 0 to 7.  See https://en.wikipedia.org/wiki/IEEE_P802.1p.
  
Line 30: Line 30:
 Navigate to **Interfaces Assignments**. Navigate to **Interfaces Assignments**.
  
-Against "Available network ports"**:  Click the drop down arrow and Choose **VLAN 20 on em1**.+Against **Available network ports**, click the drop down arrow and Choose **VLAN 20 on em1**.
  
   * Click **Add**.   * Click **Add**.
-  * Click** **Save**.+  * Click **Save**.
  
 Click the interface link for **OPT1**. Click the interface link for **OPT1**.
Line 55: Line 55:
 **NOTE:**  The VLAN interface is now created. **NOTE:**  The VLAN interface is now created.
  
-It has a VLAN ID of 20. +  * It has a VLAN ID of 20. 
- +  It has an IP address of 192.168.20.1. 
-It has an IP address of 192.168.20.1. +    * Notice that the IP Address and VLAN ID both have a **20**. 
- +    This is simply used for convenience, and makes it easier to remember which IP range is associated with which VLAN
-Keep in mind, just because it is VLAN 20 does NOT mean that the subnet has to contain the **20** in it’s IP of 192.168.20.1+    * However just because the VLAN ID is 20 does NOT mean that the IP also has to have a **20** in it.  The IP can be any internal IP.
- +
-  It is simply for convenience that the numbers are kept the same to make it easier to remember which IP range is associated with which VLAN.+
  
 </WRAP> </WRAP>
Line 186: Line 184:
 ===== Block Access to LAN when on VLAN 20 ===== ===== Block Access to LAN when on VLAN 20 =====
  
-<WRAP important> +Navigate to **Firewall -> Rules**
-**IMPORTANT NOTE:**  If you use an **unmanaged switch** this will not work as trying to restrict a client on VLAN 20 from accessing a device on the LAN doesn’t have anything to do with pfSense at that point.+
  
-The unmanaged switch is “before” pfSense.  It has to do with only the switch and since it is unmanaged you have no way of preventing one device from getting to another due to how unmanaged switches work.  You need a managed switch for this.+  * Click on **VLAN20**: 
 +  * Click the **Add** button (up arrow), so this needs to be the first rule in the list. 
 +  * Action:  **Block**. 
 +  * Interface: **VLAN20**. 
 +  * Protocol: **Any**. 
 +  * Source: 
 +    * Source:  **VLAN20 net**. 
 +  * Destination:  **LAN net**. 
 +  * Description:  **VLAN 20 – cannot access LAN**. 
 +  * Click **Save**. 
 +  * Click **Apply Changes** at the top.
  
-When we setup Wireless Access Points that have VLAN capabilities they have managed switches built into them.  We often use Ubiquiti Wireless Access Points. +<WRAP important
-</WRAP> +**IMPORTANT NOTE:**  Trying to restrict a client on a VLAN from accessing a device on the LAN will not work if used with an **unmanaged switch**.
- +
-  - **Click** on **Firewall -> Rules** +
-  - **Click** on **Opt1VLAN20** (link on the upper menu) +
-  - **Click** on the green **Add** button (up arrow), so this needs to be the first rule in the list. +
-  - Fill out this information below: +
-    - Edit Firewall Rule +
-      * Action: **Block** +
-      * Interface: **OPT1VLAN20** +
-      * Protocol: **Any** +
-    - Source +
-      * Source: **OPT1VLAN20 net** +
-      * Destination: **LAN net** +
-    - Extra Options +
-      Description: **VLAN 20 – cannot access LAN** +
-  - **Click** on the blue **Save** button. +
-  - **Click** on the green **Apply Changes** button at the top.+
  
 +  * An unmanaged switch just does not have the capability built into it to handle VLAN traffic.
 +  * Trying to restrict a client on a VLAN from accessing a device on the LAN has nothing to do with pfSense at that point.
 +  * A managed switch is needed for this.
  
 +This limitation does not necessarily apply to Wireless Access Points that have VLAN capabilities (such as Ubiquiti Wireless Access Points); as they have managed switches built into them.
 +</WRAP>
  
pfsense/vlan_virtual_lan/set_up_a_vlan.1613486116.txt.gz · Last modified: 2021/02/16 14:35 by peter
Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki