PFSense - VLAN (Virtual LAN) - Set up a VLAN

Create the VLAN

Navigate to Interfaces → Assignments.

Select VLANs.

  • Click on the Add button.
  • Parent Interface: em1. Typically this is the LAN port.
  • VLAN Tag: 20. Use any unique number from 2 to 4096. 1 is reserved as the default VLAN tag and should not be used.
  • VLAN Priority: 0. VLAN priority has a value range from 0 to 7.
  • Description: VLAN 20.
  • Click Save.

NOTE:
  • VLAN Tag: A unique number between 0 and 4096 for the VLAN. Here we use 20 as an example.
  • VLAN 0 is used when a device needs to send priority-tagged frames but does not know in which particular VLAN it resides.
  • VLAN 1 is the default native VLAN for the LAN, and is used for untagged traffic. As we want an actual VLAN, use a number from 2 to 4096.
  • VLAN Priority: Has a value range from 0 to 7. See https://en.wikipedia.org/wiki/IEEE_P802.1p.

Set up an Interface for the VLAN

Navigate to Interfaces → Assignments.

Against “Available network ports”, click the drop-down arrow and choose VLAN 20 on em1.

  • Click Add.
  • Click Save.

Click the interface link for OPT1.

In General Configuration:
  • Enable: Checked.
  • Description: VLAN20. Give the VLAN a nicer name.
  • IPv4 Configuration Type: Static IPv4.
  • IPv6 Configuration Type: None.

In Static IPv4 Configuration:
  • IPv4 Address: 192.168.20.1.
  • Click the drop-down for the Subnet Mask and select 24.
  • Click Save.
  • Click Apply Changes at the top.

NOTE: The VLAN interface is now created.

It has a VLAN ID of 20.

It has an IP address of 192.168.20.1.

Keep in mind, just because it is VLAN 20 does NOT mean that the subnet has to contain the 20 in its IP of 192.168.20.1.

  • It is simply for convenience that the numbers are kept the same, to make it easier to remember which IP range is associated with which VLAN.

DHCP Server for VLAN 20

Navigate to Services → DHCP Server.

  • Select the VLAN name along the top. For this example select VLAN20, or whatever name you gave the VLAN.

In General Options:
  • Enable: Checked.
  • Range: 192.168.20.100 to 192.168.20.199.
  • Click Save.

NOTE: The Range is limited to those 100 addresses.

Change this as needed.

Firewall Rules

To allow the VLAN to get out to the Internet a firewall rule is needed. Additional restrictions can be set against clients of the VLAN with additional firewall rules.

Allowing VLAN 20 Clients Internet Access

Navigate to Firewall → Rules.

  • Select the VLAN name along the top. For this example select VLAN20, or whatever name you gave the VLAN.
  • Click on an Add button.
  • Action: Pass.
  • Interface: VLAN20. Or whatever name you gave the VLAN.
  • Protocol: Any.
  • Source:
      • Invert Match: Not Checked.
      • Source: Any.
  • Description: Allow OPT1VLAN20 to any.
  • Click Save.
  • Click Apply Changes at the top.

NOTE: At this point, clients on VLAN 20 that are issued IP addresses on the 192.168.20.0 subnet should be able to get out to the Internet.

NOTE: When you create a firewall rule, it may not seem as if it goes into effect immediately.

The reason:

  • Let’s say a device is on the VLAN20 network and it is constantly accessing something on the LAN.
  • You haven’t activated a firewall rule yet to block VLAN20 from the LAN.
  • Even if you create that rule it won’t affect the device that’s constantly hitting something on the LAN, due to something called a “Firewall State” or “Network State”.
  • The only way to make the rule go into effect immediately is to:
      • Create the rule (or any rule, for example).
      • Click on Diagnostics → States → Reset States.
      • When you do this, any and all open states that exist will be broken, so there will be a brief hiccup in Internet access. However, it is usually very quick. Just be aware of that before you go off and Reset States.

Denying VLAN 20 Clients Access to the pfSense Web GUI

Add an Alias for the pfSense GUI

Navigate to Firewall → Aliases.

  • Click on the green Add button.
  • Name: pfSenseGUI.
  • Description: Disable Access to pfSense GUI.
  • Type: Host(s).
  • IP or FQDN: Enter the IP of the actual pfSense. Example: 192.168.1.1.

Firewall Rules

Navigate to Firewall → Rules.

  • Select Floating.
  • Click on a green Add button.
  • Action: Block.
  • Quick: Checked.
  • Interface: Select the VLAN(s) to be denied access.
  • Direction: in.
  • Address Family: IPv4.
  • Protocol: TCP/UDP.
  • Source:
      • Invert Match: Not Checked.
      • Source: any.
  • Destination:
      • Invert Match: Not Checked.
      • Destination: Single host or alias.
      • Destination Address: pfSenseGUI.
  • Destination Port Range:
      • From: HTTPS (443). If pfSense is set to HTTP this needs to be HTTP (80).
      • To: HTTPS (443). If pfSense is set to HTTP this needs to be HTTP (80).
  • Description: VLAN 20 – no access to pfSense GUI.
  • Click Save.
  • Click Apply Changes at the top.

NOTE: Navigate to System → Advanced to see whether the actual pfSense GUI is set to run on HTTP or HTTPS.

To ensure that access is denied for both HTTP and HTTPS, set up a similar firewall rule for each.

Block Access to LAN when on VLAN 20

IMPORTANT NOTE: If you use an unmanaged switch this will not work, as trying to restrict a client on VLAN 20 from accessing a device on the LAN doesn’t have anything to do with pfSense at that point.

The unmanaged switch is “before” pfSense. It has to do only with the switch, and since it is unmanaged you have no way of preventing one device from getting to another, due to how unmanaged switches work. You need a managed switch for this.

When we set up Wireless Access Points that have VLAN capabilities, they have managed switches built into them. We often use Ubiquiti Wireless Access Points.

  • Click on Firewall → Rules.
  • Click on OPT1VLAN20 (link on the upper menu).
  • Click on the green Add button with the up arrow, as this needs to be the first rule in the list.
  • Fill out the information below.

Edit Firewall Rule:
  • Action: Block.
  • Interface: OPT1VLAN20.
  • Protocol: Any.

Source:
  • Source: OPT1VLAN20 net.
  • Destination: LAN net.

Extra Options:
  • Description: VLAN 20 – cannot access LAN.

  • Click on the blue Save button.
  • Click on the green Apply Changes button at the top.
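As an added example (not part of the original page or of pfSense's own code), the following Python model shows two things the rules above depend on: interface-tab rules are matched top to bottom with first match winning, so the LAN block must sit above the pass-any rule, and a flow that already has a firewall state keeps passing until states are reset. It assumes a LAN subnet of 192.168.1.0/24 with pfSense at 192.168.1.1 as in the alias example; the client addresses are constructed, and the floating quick GUI rule is modelled as being evaluated before the interface rules.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Rule:
    action: str            # "pass" or "block"
    src: str               # CIDR or "any"
    dst: str               # CIDR or "any"
    dport: "int | None"    # None = any destination port
    description: str

def _matches(cidr, ip):
    return cidr == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)

@dataclass
class Firewall:
    rules: list
    states: set = field(default_factory=set)   # flows already allowed: (src, dst, dport)

    def check(self, src, dst, dport):
        """Return (action, description); an existing state bypasses the rules entirely."""
        key = (src, dst, dport)
        if key in self.states:
            return "pass", "existing state"
        for r in self.rules:               # first match wins, top to bottom
            if _matches(r.src, src) and _matches(r.dst, dst) and r.dport in (None, dport):
                if r.action == "pass":
                    self.states.add(key)   # a pass creates a state for the flow
                return r.action, r.description
        return "block", "default deny"

    def reset_states(self):                # Diagnostics -> States -> Reset States
        self.states.clear()

VLAN20_NET = "192.168.20.0/24"
LAN_NET = "192.168.1.0/24"                 # assumed LAN subnet; pfSense GUI at 192.168.1.1 as on the page
PFSENSE_GUI = "192.168.1.1/32"             # the pfSenseGUI alias

def vlan20_rules(block_lan_first=True):
    """The page's rules; the floating quick GUI block is evaluated before the interface rules."""
    gui = Rule("block", "any", PFSENSE_GUI, 443, "VLAN 20 - no access to pfSense GUI")
    block_lan = Rule("block", VLAN20_NET, LAN_NET, None, "VLAN 20 - cannot access LAN")
    allow_any = Rule("pass", VLAN20_NET, "any", None, "Allow OPT1VLAN20 to any")
    return [gui] + ([block_lan, allow_any] if block_lan_first else [allow_any, block_lan])

def stale_state_demo():
    # A LAN flow opened before the block rule existed survives until states are reset.
    fw = Firewall([Rule("pass", VLAN20_NET, "any", None, "Allow OPT1VLAN20 to any")])
    before = fw.check("192.168.20.100", "192.168.1.50", 445)[1]
    fw.rules = vlan20_rules()              # now add the block rule above the pass rule
    still_open = fw.check("192.168.20.100", "192.168.1.50", 445)[1]
    fw.reset_states()
    after_reset = fw.check("192.168.20.100", "192.168.1.50", 445)[1]
    return before, still_open, after_reset
```

Swapping the order with `vlan20_rules(block_lan_first=False)` lets the pass-any rule match first, which is why the page insists the LAN block is added at the top of the list.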

pfsense/vlan_virtual_lan/set_up_a_vlan.1613486067.txt.gz · Last modified: 2021/02/16 14:34 by peter
