Last Updated on October 16, 2022 by Thiago Crepaldi
This is another topic that I have referenced so many times that I decided to dedicate a post just for it and save some typing. The goal is to configure a VLAN subnet that has DHCP server and basic firewall rules to allow any traffic on your pfSense. This VLAN will be created from the LAN interface unless otherwise stated. Future posts can make other changes to achieve different results too, but they will be highlighted in advance.
The basic parameters are listed below. I recommend using a VLAN between 2 and 254, so that we can use VLAN ID as part of the third IP octet. For this post, the following values will be used:
- LAN Address: 10.20.100.1/24
- VLAN ID: 100
- DHCP Range: 10.20.100.100-10.20.100.199
- NTP/DNS server: 10.20.100.1
- Domain name: lan.domain.com
- Firewall: Default allow all traffic
For this example, note that the third octet of the network address matches the VLAN ID (100). This is intentional: it makes traffic from each VLAN easy to identify in packet captures during future investigations.
Future posts will specify these values for their use, so pay attention!
On your pfSense, go to Interfaces >> Assignments >> VLANs, click on Add and do as follows:
- VLAN Configuration
  - Parent Interface: Select the interface created for the LAN
  - VLAN Tag: 100
  - Description: VLAN 100 – Descriptive name for this VLAN
Press Save and Apply changes. Now go to Interfaces >> Assignments >> Interface assignments and add a new interface with the newly created VLAN:
- General Configuration
  - Enable interface: checked
  - Description: Any descriptive name, such as VLAN100
  - IPv4 Configuration Type: Static IPv4
- Static IPv4 Configuration
  - IPv4 address: 10.20.100.1/24
Click on Save and Apply changes. As before, the next step is to configure DHCP for the new interface. Navigate to Services >> DHCP Server >> VLAN100 (or however you named your interface):
- General Options
  - Enabled: checked
  - Range: 10.20.100.100 to 10.20.100.199
- Servers
  - DNS servers: 10.20.100.1
- Other Options
  - Domain name: lan.domain.com
  - NTP Server 1: 10.20.100.1
Leave the rest as is and press Save at the bottom. As before, the next step is to create firewall rules to allow internet traffic. As discussed before, you can duplicate each firewall rule from the main LAN interface if you have pfBlockerNG and/or DNS-related rules. We will also add a new rule to allow all traffic. Go to Firewall >> Rules and press Add:
- Edit Firewall Rule
  - Action: Pass
  - Interface: VLAN100
  - Address Family: IPv4
  - Protocol: Any
- Source
  - Source: VLAN100
- Destination
  - Destination: Any
- Extra Options
  - Description: Default allow all rule
Finish by clicking on Save and Apply changes. Now your VLAN network has internet access.
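The addressing convention used throughout this post (third octet equal to the VLAN ID, gateway at .1, DHCP pool .100-.199, DNS/NTP pointing at the gateway) is easy to mistype across the three pfSense pages above. The following added example (not part of the original post or of pfSense) derives the values for any VLAN ID in the recommended 2-254 range and checks a plan for the classic slips: an interface address that is actually the network address, a DHCP range outside the subnet, or a DNS/NTP server that is not the VLAN gateway. The `10.20` prefix and the pool bounds are assumptions taken from this post's numbers.

```python
import ipaddress

VLAN_ID_MIN, VLAN_ID_MAX = 2, 254  # range recommended in the post
BASE = "10.20"                     # first two octets used by the post (assumption)


def vlan_plan(vlan_id):
    """Derive the post's addressing scheme for one VLAN ID."""
    if not VLAN_ID_MIN <= vlan_id <= VLAN_ID_MAX:
        raise ValueError(f"VLAN ID {vlan_id} outside {VLAN_ID_MIN}-{VLAN_ID_MAX}")
    net = ipaddress.ip_network(f"{BASE}.{vlan_id}.0/24")
    return {
        "vlan_id": vlan_id,
        "subnet": str(net),
        "interface": f"{BASE}.{vlan_id}.1/24",          # Static IPv4 address
        "dhcp_range": (f"{BASE}.{vlan_id}.100", f"{BASE}.{vlan_id}.199"),
        "dns": f"{BASE}.{vlan_id}.1",
        "ntp": f"{BASE}.{vlan_id}.1",
    }


def check_plan(plan):
    """Return a list of inconsistencies; an empty list means the plan is sound."""
    problems = []
    iface = ipaddress.ip_interface(plan["interface"])
    net = iface.network
    # A .0 or .255 host address cannot be used as the gateway.
    if iface.ip in (net.network_address, net.broadcast_address):
        problems.append(f"interface address {iface.ip} is the network/broadcast address")
    # The post's convention: third octet == VLAN ID.
    if int(str(net.network_address).split(".")[2]) != plan["vlan_id"]:
        problems.append("third octet does not match the VLAN ID")
    lo, hi = (ipaddress.ip_address(a) for a in plan["dhcp_range"])
    if not (lo in net and hi in net):
        problems.append(f"DHCP range {lo}-{hi} is not inside {net}")
    elif lo > hi:
        problems.append("DHCP range start is after its end")
    elif lo <= iface.ip <= hi:
        problems.append("DHCP range overlaps the interface address")
    # DNS and NTP are served by the pfSense VLAN interface itself.
    for name in ("dns", "ntp"):
        if ipaddress.ip_address(plan[name]) != iface.ip:
            problems.append(f"{name} server is not the VLAN gateway {iface.ip}")
    return problems


if __name__ == "__main__":
    plan = vlan_plan(100)
    print(plan, check_plan(plan) or "OK")
```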
(Optional) Configuring VLAN on Unifi switches
At this point, the VLAN on the pfSense is up and running, allowing traffic to flow towards the Internet. However, for devices in the network to be able to send/receive packets to/from the VLAN, all switches between the pfSense (where the VLAN was created) and the devices need to allow traffic from this VLAN. Only managed switches can handle VLAN traffic; unmanaged switches do not understand this concept and drop packets that arrive on their ports tagged for the VLAN.
For this post, I will use a Unifi switch as an example.
On your Unifi web UI, go to Settings >> Networks page and click on Add a new network:
- Name: VLAN_100
- Router:
  - VLAN-only network: checked
  - VLAN ID: 100
- IGMP Snooping:
  - Enabled: unchecked
- DHCP Guarding:
  - Enable: unchecked
Click Add network to finalize the configuration. From now on, any device connected to this switch can reach the pfSense/Internet through the VLAN. This happens because, by default, all ports of the Unifi switches are configured to allow traffic from all “port profiles”. This behavior can be changed to constrain which physical port can accept traffic from which VLAN, but we don’t need this for now.