This post describes how to set up VLAN subnets for your home network.

This is Part 2 of a three-part guide to protecting a home network with subnets, based on a pfSense firewall.

Home network with 2 subnets using pfSense

This is how the home network looks after completing Part 1, which created 2 physical subnets. Now we will use VLANs to add more logical subnets to the home network.

Virtual LAN (VLAN)

A VLAN is a logical group of devices that forms its own sub-network (and broadcast domain) on a shared switch. Each VLAN has a VLAN ID, a 12-bit value carried in the 802.1Q tag of a tagged Ethernet frame. A switch forwards a tagged frame only to ports that are members of that VLAN ID, so devices in different VLANs cannot talk to each other without going through a router.

The major benefits of VLANs are better performance (smaller broadcast domains), security (traffic separation) and ease of management, since everything is done in software configuration. Our purpose in using VLANs is the flexibility of creating multiple subnets to further improve the home network protection.

home network with vlans

This exercise will create 4 VLANs to further separate the wired and wireless devices.

VLAN requirements

  • VLAN-capable router/firewall: routes traffic between VLANs and enforces the access-control rules for each VLAN. pfSense supports 802.1Q VLANs in a router-on-a-stick configuration (several VLANs carried over one physical interface), so we are good to go.
  • L2 managed switch with VLAN support: assigns a VLAN ID to each access port that devices plug into, and provides a trunk port that carries all the VLANs to the router/firewall.

    We will be using the Netgear ProSAFE GS108Ev3 in this guide. It is an inexpensive L2 8-port gigabit Ethernet managed switch.

VLAN setup using Netgear GS108Ev3

The switch has 8 ports. This guide sets up 4 VLANs on the first 6 ports, uses port 7 for management, and makes port 8 the trunk port connecting to pfSense.

We use 802.1Q VLAN tagging to define the 4 VLANs plus a native management VLAN. Each VLAN gets a VLAN ID (10, 20, 30, 40, and 99 for the native VLAN), and the switch is configured with the following settings:

  • Port 1 and 2 are for the same VLAN with VLAN ID = 10
  • Port 3 and 4 are for the same VLAN with VLAN ID = 20
  • Port 5 is for VLAN with VLAN ID = 30
  • Port 6 is for VLAN with VLAN ID = 40
  • Port 7 is for native management VLAN with VLAN ID = 99
  • Port 8 is the trunk port

Note: this guide will use browser running on Microsoft Windows 10 to perform the configuration.

This guide may look long and complex, but most of it is just configuration settings.

Connecting to the switch

A computer (desktop or laptop) with administrative access is required to connect and configure the switch. It is assumed that the switch is brand new or has been reset to factory default settings.

The default IP address of the switch is 192.168.0.239/255.255.255.0. We need to assign a static IP address (let’s use 192.168.0.99/255.255.255.0) to the computer so that it can communicate with the switch:

Set static IP address

  1. In Windows 10, go to Windows Settings > Network & Internet > Change adapter options
  2. Right-click the Ethernet adapter, then Properties
  3. Select Internet Protocol Version 4 (TCP/IPv4) and click Properties
  4. Select Use the following IP address, enter 192.168.0.99 as IP address and 255.255.255.0 as Subnet mask, then click OK

Optionally, you can use the command ipconfig at a command prompt to verify that the network adapter is assigned the IP address 192.168.0.99 correctly. We can switch back to Obtain an IP address automatically once the setup of the switch part is complete.

Now connect the computer to port 7 of the switch using an Ethernet cable. Then start a browser and enter http://192.168.0.239 as the URL. You should be greeted by the login screen asking for the password to manage the switch.

GS108Ev3 login

Enter the default password shown at bottom of the switch and you will arrive at the main page.

GS108Ev3 main page

On the main page, note and write down the MAC Address of the switch. We will use it later to give the switch a fixed IPv4 address from the pfSense DHCP server.

Enable 802.1Q Advanced VLAN Configuration

This switch has several ways of setting up the VLANs. We will be using 802.1Q Advanced VLAN Configuration.

Go to VLAN > 802.1Q > Advanced > VLAN Configuration:

GS108Ev3 802.1Q

Select Enable and then click OK to confirm

GS108Ev3 802.1Q enabled

Define VLAN IDs

  • Enter ID ’10’ at VLAN ID field
  • Click Add

Do the same for VLAN ID ’20’, ’30’, ’40’ and ’99’.

GS108Ev3 802.1Q vlanIDs

Assign VLAN ID to each port

  • click on VLAN Membership
  • select VLAN ID ’10’
  • Click on both port 1 & port 2 once to show ‘U‘ (untagged).
  • Click on port 8 twice to show ‘T‘ (tagged).
  • Click Apply

Repeat for VLAN ID ‘20‘ on port 3 & port 4, VLAN ID ‘30‘ on port 5, and VLAN ID ‘40‘ on port 6. Note: all four of these VLAN IDs (10, 20, 30, 40) must be tagged on port 8, otherwise pfSense cannot tell their traffic apart on the trunk.

For VLAN ID ‘99‘, click port 7 and port 8 once each to make them ‘U‘ (untagged). It is the native VLAN, so it does not need to be tagged on trunk port 8. Be aware of what that means: any frame arriving on port 8 without a tag is placed in VLAN 99, so the untagged OPT1 network on pfSense and the switch management UI end up in the same VLAN.

After finishing the assignments, click on VLAN Configuration and the screen should be shown as below.

GS108Ev3 802.1Q assignments

Set corresponding PVID for each port

PVID stands for port VLAN ID: the VLAN that an untagged frame entering the port is placed in. For each access port it must match the VLAN the port is untagged in, and for ports 7 and 8 it is the native VLAN 99.

  • Click on Port PVID
  • Enable port 1‘s checkbox
  • Enter 10 to PVID text box
  • Click Apply

Repeat the same for:

  • port 2 using 10
  • port 3 & port 4 using 20
  • port 5 using 30
  • port 6 using 40
  • port 7 & port 8 using 99

Screen should look like this now.

GS108Ev3 802.1Q pvids

Clear VLAN 1 assignments

For security reasons, the default VLAN 1 will not be used, so we clear its port assignments. Otherwise a frame tagged with VLAN 1 arriving on the trunk could still be delivered to every port that remains a member of VLAN 1.

  • click on VLAN Membership
  • select VLAN ID ‘1‘
  • click on every port to clear all assignments
  • click Apply
Netgear VLAN configuration

That’s it. The switch part of the setup is finished. Don’t forget to change the switch password to a strong one, and keep the management web UI reachable only through port 7 and VLAN 99. The computer’s IPv4 settings can now go back to Obtain an IP address automatically and Obtain DNS server address automatically.
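To see what the U/T membership and PVID settings above actually do to a frame, here is a small added example (my code, not the post’s or Netgear’s) that models the switch’s 802.1Q port table exactly as configured on the GS108Ev3 and pushes constructed Ethernet frames through it. The model assumes ingress filtering, i.e. a tagged frame is dropped on a port that is not a member of that VLAN; whether your switch does that is a setting to check, not something this code proves.

```python
"""Model of the 802.1Q port table configured on the GS108Ev3 above.

Added example, not code from the original post or from Netgear: it shows what
the 'U', 'T' and PVID settings do to a frame, using the post's own port plan.
Assumption: the model applies ingress filtering (a tagged frame is dropped on a
port that is not a member of that VLAN); check your switch's own setting.
"""
from __future__ import annotations
from dataclasses import dataclass

TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800

# Port plan from the post. 'U' = member, leaves untagged; 'T' = member, leaves tagged.
MEMBERSHIP: dict[int, dict[int, str]] = {
    10: {1: "U", 2: "U", 8: "T"},
    20: {3: "U", 4: "U", 8: "T"},
    30: {5: "U", 8: "T"},
    40: {6: "U", 8: "T"},
    99: {7: "U", 8: "U"},   # native VLAN: untagged on the trunk port as well
}
# VLAN 1 has been cleared, so it is simply absent from the table.
PVID = {1: 10, 2: 10, 3: 20, 4: 20, 5: 30, 6: 40, 7: 99, 8: 99}


@dataclass
class Frame:
    dst: bytes
    src: bytes
    vid: int | None      # None when the frame carries no 802.1Q tag
    rest: bytes          # EtherType and payload after the (optional) tag


def parse_frame(raw: bytes) -> Frame:
    """Split an Ethernet frame and pull the 12-bit VLAN ID out of an 802.1Q tag."""
    dst, src = raw[0:6], raw[6:12]
    if int.from_bytes(raw[12:14], "big") == TPID_8021Q:
        tci = int.from_bytes(raw[14:16], "big")   # PCP(3) | DEI(1) | VID(12)
        return Frame(dst, src, tci & 0x0FFF, raw[16:])
    return Frame(dst, src, None, raw[12:])


def build_frame(vid: int | None, payload: bytes = b"\x00" * 46) -> bytes:
    """Constructed test frame: broadcast destination, optional 802.1Q tag with PCP 0."""
    header = b"\xff" * 6 + bytes.fromhex("020000000001")
    tag = b"" if vid is None else TPID_8021Q.to_bytes(2, "big") + vid.to_bytes(2, "big")
    return header + tag + ETHERTYPE_IPV4.to_bytes(2, "big") + payload


def ingress_vlan(port: int, frame: Frame) -> int | None:
    """VLAN a frame entering `port` is placed in, or None if the switch drops it.

    Untagged frames take the port's PVID. Tagged frames keep their own VID but
    are only accepted when the port is a member of that VLAN.
    """
    if frame.vid is None:
        return PVID[port]
    return frame.vid if port in MEMBERSHIP.get(frame.vid, {}) else None


def forward(in_port: int, raw: bytes) -> dict[int, bool]:
    """Ports a flooded frame arriving on `in_port` is sent to, mapped to
    whether it leaves tagged (True) or untagged (False)."""
    vlan = ingress_vlan(in_port, parse_frame(raw))
    if vlan is None:
        return {}
    return {p: mode == "T" for p, mode in MEMBERSHIP[vlan].items() if p != in_port}


if __name__ == "__main__":
    print("port 1, untagged ->", forward(1, build_frame(None)))   # {2: False, 8: True}
    print("port 7, untagged ->", forward(7, build_frame(None)))   # {8: False}: native 99
    print("port 8, tag 20   ->", forward(8, build_frame(20)))     # {3: False, 4: False}
    print("port 8, untagged ->", forward(8, build_frame(None)))   # {7: False}
    print("port 1, tag 20   ->", forward(1, build_frame(20)))     # {}: access port can't hop
    print("port 8, tag 1    ->", forward(8, build_frame(1)))      # {}: VLAN 1 cleared
```

Running it shows the points the procedure relies on: an untagged frame from port 1 leaves the trunk tagged 10 and reaches port 2 untagged; an untagged frame from port 7 leaves port 8 untagged because 99 is the native VLAN; a frame tagged 20 arriving on the trunk only reaches ports 3 and 4; and a frame tagged 20 injected on port 1, or tagged 1 on the trunk, goes nowhere, which is the point of setting PVIDs and clearing VLAN 1.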

Setup VLAN interfaces at pfSense firewall

Except for the management VLAN 99, which is the untagged network already on OPT1 from Part 1, a VLAN interface will be created for each of the VLAN IDs 10, 20, 30 and 40. Use the computer to connect to the pfSense web configurator.

Preparation: Setup private IP address alias

This alias is already set up if you completed Part 1: Create initial subnets using pfSense firewall.

It would be used to setup firewall rules for Internet access.

  1. go to Firewall > Aliases > IP
  2. click Add
  3. enter ‘Private_IPv4s‘ as Name
  4. select Network(s) as Type
  5. add following 3 networks:
    • enter 192.168.0.0 / 16
    • click Add Network and enter 10.0.0.0 / 8
    • click Add Network and enter 172.16.0.0 / 12
  6. click Save then Apply Changes

Step 1: Create VLAN interface

  • go to Interfaces > Assignments > VLANs
  • click Add
  • select OPT1 for Parent Interface
  • enter 10 for VLAN Tag
  • click Save

This would create VLAN interface for VLAN ID 10.

Create VLAN 10

Repeat for VLAN 20, 30 & 40.

created 4 VLANs

Step 2: Setup new network interface to use the VLAN interface

  • go to Interfaces > Assignments
  • select ‘VLAN 10 on igb2 – opt1‘ (exact network interface name ‘igb2’ may vary)
  • click Add
create Network Interface from VLAN
  • click on new interface created. Probably named ‘OPT2‘. Configuration screen of the interface will appear.
  • check Enable interface checkbox
  • enter ‘VLAN 10‘ for Description, or a preferred name you want for the subnet
  • select Static IPv4 for IPv4 Configuration Type
  • scroll down to Static IPv4 Configuration section
  • enter 192.168.10.1  /  24 for IPv4 Address. 192.168.10.x would be the private address space used for the subnet. 192.168.10.1 would be the gateway for the subnet.
  • click Save at the bottom and then click Apply Changes
configure VLAN interface

Repeat this step for:

  • VLAN 20 with IPv4 address 192.168.20.1  /  24
  • VLAN 30 with IPv4 address 192.168.30.1 / 24
  • VLAN 40 with IPv4 address 192.168.40.1 / 24
configured 4 VLAN interfaces

Step 3: Enable DHCP Server to auto assign IP address

  1. go to Services > DHCP Server, then click on ‘VLAN10‘
  2. check the Enable DHCP server on VLAN10 interface checkbox
  3. in the same section, go to Range. Specify a range of IP addresses that can be used for assignment (e.g. from 192.168.10.201 to 192.168.10.254)
  4. click Save near the bottom of the page.
configure DHCP for VLAN interface

Repeat this step for:

  • VLAN 20 with IPv4 range 192.168.20.201 to 192.168.20.254
  • VLAN 30 with IPv4 range 192.168.30.201 to 192.168.30.254
  • VLAN 40 with IPv4 range 192.168.40.201 to 192.168.40.254

Step 4: Setup firewall rules to allow Internet access only

A newly created interface has no firewall rules, and pfSense blocks everything that has no matching rule, so the new subnet cannot reach anything until we define what is allowed. The rules we create here grant access to other devices within the same subnet and to the Internet, and nothing else (in particular, not to the other subnets or to the management network).

  • go to Firewall > Rules > VLAN10
  • click Add to create 1st rule (allow access to other devices within the same subnet)
  • for Address Family, select IPv4+IPv6
  • for Protocol, select Any
  • for both Source and Destination, select VLAN10 net
  • for Description, enter ‘allow access within subnet’
  • click Save
add firewall rule for VLAN 10 to access within same subnet
  • click Add again to create 2nd rule (allow Internet access)
  • for Address Family, select IPv4+IPv6
  • for Protocol, select Any
  • for Source, select VLAN10 net
  • for Destination, check Invert match checkbox; select Single host or alias, then type Private_IPv4s as the Destination Address
  • for Description, enter ‘allow Internet access’
  • click Save, then Apply Changes
add firewall rule for VLAN 10 to access Internet

Repeat this step for VLAN20, VLAN30 & VLAN40. Based on your needs, you can customize the rules to limit access or grant more access for each subnet. One caveat: Private_IPv4s contains only IPv4 networks, so the inverted second rule matches every IPv6 destination. If you later enable IPv6 on these interfaces, add the IPv6 private ranges (fc00::/7 and fe80::/10) to the alias, or set the rule’s Address Family to IPv4 and write separate IPv6 rules.

firewall rules created
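As an added example (my code, not from the post or from pfSense), the following restates the two Step 4 rules for VLAN10 in plain Python, with pfSense’s first-match and default-block behaviour, and checks a handful of constructed flows. The IPv6 prefix fd00:10::/64 on VLAN10 is an assumption, used only to show what the inverted IPv4-only alias does once IPv6 is in play, next to a hardened alias that closes that gap.

```python
"""Evaluate the two Step 4 rules for VLAN10 against sample flows.

Added example, not from the original post or from pfSense: it restates the rule
logic in plain Python (pfSense evaluates rules with pf, first match wins, and an
interface with no matching rule blocks by default). The IPv6 prefix fd00:10::/64
is an assumption, used only to show what the inverted IPv4 alias does to IPv6.
"""
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# The Private_IPv4s alias from the Preparation step.
PRIVATE_IPV4S = [ip_network(n) for n in ("192.168.0.0/16", "10.0.0.0/8", "172.16.0.0/12")]
# Same alias with the IPv6 private ranges added (ULA and link-local).
PRIVATE_IPS = PRIVATE_IPV4S + [ip_network("fc00::/7"), ip_network("fe80::/10")]
# "VLAN10 net" expands to every prefix on the interface; the v6 one is assumed.
VLAN10_NET = [ip_network("192.168.10.0/24"), ip_network("fd00:10::/64")]


def in_any(addr, nets) -> bool:
    """True if `addr` falls inside any network of the same address family."""
    return any(addr.version == n.version and addr in n for n in nets)


@dataclass
class Rule:
    description: str
    src: list
    dst: list
    invert_dst: bool = False   # the "Invert match" checkbox on Destination

    def matches(self, src, dst) -> bool:
        if not in_any(src, self.src):
            return False
        hit = in_any(dst, self.dst)
        return (not hit) if self.invert_dst else hit


def decide(rules: list[Rule], src: str, dst: str) -> str:
    """First matching rule wins; nothing matching means pfSense's default block."""
    s, d = ip_address(src), ip_address(dst)
    for r in rules:
        if r.matches(s, d):
            return "pass: " + r.description
    return "block: default deny"


# The rules exactly as Step 4 creates them (Address Family IPv4+IPv6, Protocol any).
VLAN10_RULES = [
    Rule("allow access within subnet", VLAN10_NET, VLAN10_NET),
    Rule("allow Internet access", VLAN10_NET, PRIVATE_IPV4S, invert_dst=True),
]
# Hardened variant: the negated alias also covers the IPv6 private ranges.
VLAN10_RULES_HARDENED = [
    Rule("allow access within subnet", VLAN10_NET, VLAN10_NET),
    Rule("allow Internet access", VLAN10_NET, PRIVATE_IPS, invert_dst=True),
]

if __name__ == "__main__":
    for dst in ("192.168.10.1", "1.1.1.1", "192.168.99.108", "192.168.20.5", "10.0.0.1"):
        print(f"192.168.10.50 -> {dst:15} {decide(VLAN10_RULES, '192.168.10.50', dst)}")
    # The IPv4-only alias never matches an IPv6 destination, so inverted it
    # matches all of them: another VLAN's ULA prefix is reachable over IPv6.
    print(decide(VLAN10_RULES, "fd00:10::5", "fd00:99::1"))            # pass
    print(decide(VLAN10_RULES_HARDENED, "fd00:10::5", "fd00:99::1"))   # block
```

The IPv4 results are what the post describes: the pfSense address 192.168.10.1 and any public address pass, while the switch at 192.168.99.108, VLAN 20 and the other RFC 1918 ranges are blocked by default deny. The two IPv6 lines are the caveat: with the original alias the inverted rule lets a VLAN10 host reach an IPv6 address in any other subnet, and adding fc00::/7 and fe80::/10 to the alias restores the intended block.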

Hook them up together

We are almost there. Before connecting everything together, let’s first assign a static IPv4 address to the switch in the pfSense DHCP server, so that its management address stays predictable.

  • go to Services > DHCP Server > OPT1
  • scroll down to DHCP Static Mappings for this Interface
  • click Add
  • enter mac address of the switch for MAC Address
  • enter ‘GS108Ev3‘ for both Client Identifier and Hostname
  • enter 192.168.99.108 for IP Address. (or a different IP address for your liking, as long as it is not within the range for automatic IP assignments)
  • click Save then Apply Changes
static IP mapping for the Netgear switch

All right! It’s time to put them together.

  • connect port 8 of the switch to OPT1 port of pfSense.
  • Reboot the switch so that it will receive the new assigned static IPv4 address.

That’s it. By connecting your computer to port 7 of the switch, you can manage the switch using the browser at 192.168.99.108. And you can manage pfSense at 192.168.99.1.

Connecting any device to port 1 or port 2 of the switch will join VLAN 10 and auto assign IPv4 address in the range of 192.168.10.x.

Similarly,

  • port 3 & 4 would be VLAN 20 with IPv4 range 192.168.20.x
  • port 5 for VLAN 30 with IPv4 range 192.168.30.x
  • port 6 for VLAN 40 with IPv4 range 192.168.40.x

To verify, connect your computer to the port and run the command ipconfig at the command prompt and you should see the IPv4 changes to the specified range correctly. If they don’t, that means some settings probably are mis-configured. Fix the settings and check again.

Once verified, you can connect your devices to their corresponding ports for the correct VLAN subnet assignments.

Note: if you need more Ethernet ports (more devices) for a particular VLAN, you can connect an unmanaged switch to that VLAN’s access port and plug your devices into it. Only do this on ports 1 to 6; never hang such a switch off the trunk port 8 or the management port 7.

Next > Part 3: Setup Wi-Fi subnets using VLANs

This Post Has 22 Comments

  1. Hi,
    your tutorial is great. I tried it and everything works except my TV box, which I connected on VLAN 20.
    I think it’s because the VLAN doesn’t communicate directly with the ISP router.
    I tried something like IGMP proxy but it doesn’t work.

    Sorry for my English

    1. TV service and VoIP phone usually require a direct connection to the ISP. You may have a double NAT inside the pfSense LAN network that is causing the trouble.
      If possible, place your TV box outside pfSense (i.e. connect it directly to the ISP router). Or you may need more advanced config/settings to eliminate the double NAT if the TV box must reside inside the pfSense LAN network.
      Hope this helps. Thanks for your comment.

  2. Hi,
    Your tutorial is wonderful! One question: I have the subnets LAN (default) and VLAN10 (manual), and VLAN10 has the subnet 192.168.10.1/24. Devices in VLAN10 are able to talk with each other within the VLAN10 subnet, but how can I make devices in VLAN10 talk with devices in other subnets, for example `LAN`? I know LAN has a default rule to access any subnet, but it seems like setting the destination to `any` is not safe for VLAN10. Any idea? Thanks.

    1. Each subnet has its own firewall rules. Go to Firewall > Rules > VLAN10. There, you can create a rule to allow VLAN10 to talk to LAN by setting Destination to ‘LAN net’.
      However, bear in mind that one main purpose of using VLANs is security (other than reducing broadcast domain size): to separate subnets so that they generally can’t talk to each other.
      If you allow them to talk to each other, any one device that gets infected/compromised in VLAN10 can also access your LAN subnet.
      Thanks

  3. Yeah, what you said is right. I just wanted to do a POC to prove everything runs like I imagine, and setting the destination to `any` or `LAN net` did help me talk to LAN. I’ve realized that any device in VLAN10 getting infected will influence LAN, and I will block this situation in the real environment later. Your article was really helpful for me to prove my thoughts, thanks again!

    1. Awesome. Great that it’s helpful.

  4. Thanks Alan! Helped me a lot getting started
    cheers

    1. awesome. Glad it helped! cheers Alan

  5. Thanks Alan for this great guide. As you mentioned before, it is not good to allow a VLAN to access the whole LAN address range, but if I have some services on the LAN computer, how do I allow access only to those services? I suppose it is to allow access to the server IP (on the LAN network) for the specific ports, is that ok? Another question: as one of the subnets is for the printers, I guess you should add a rule to allow access to that subnet from the other subnets; should the access/communication be bi-directional, or only allow PCs subnet > Printers subnet? Thanks for your help

    1. Yes, under the VLAN network firewall rules, you can allow access to a specific server IP address & port #. Just bear in mind that if the service has a vulnerability that is exploitable, it could potentially allow a break-in from the VLAN network to your LAN network by exploiting the service.

      You don’t need to grant access at Printers subnet. Just need to add rule at PCs subnet to allow access to Printers subnet.

  6. Hi Alan, thanks for the wonderful guide! I was able to set VLANs up in my Netgear switch. One thing though, I noticed that Port 7, which is set to PVID 99, couldn’t access the internet. Is this the intended behavior or did I miss something somewhere? I could access Netgear’s WebUI from a device connected to port 7 but I couldn’t ping this device’s ID from a device connected in Subnet 1.

    1. Thanks. Port 7 should be able to connect to Netgear’s WebUI and to pfSense (192.168.99.1), which serves as the gateway.
      Whether the 192.168.99.0/24 subnet can access the Internet depends on whether there is a firewall rule to allow that.
      Similarly, Subnet 1 needs a firewall rule to allow access to the 192.168.99.0/24 subnet for ping to work.

      Test the connection to pfSense (192.168.99.1) from the device connected to port 7. If the connection is successful, most likely firewall rules are the issue.
      If unable to connect to pfSense, either pfSense hasn’t set up the 192.168.99.0/24 subnet correctly or there is a VLAN tagging issue at the Netgear switch. In this case, try connecting the device directly to the pfSense interface to troubleshoot further.

  7. Hello Alan, thanks for all the tutorial replies…
    I have a little question.

    My printers are in VLAN 20, ok.
    How can I allow access from another VLAN, like a PC in VLAN 10 trying to print to a printer in VLAN 20?
    I know a rule that works: IPv4 * VLAN10 * VLAN20 * * * none
    But do I have to create a rule for each VLAN 10-30-40-…?
    Is it possible to create a generic rule in VLAN 20?

    1. You set the rules correctly. You need to define rules at the source interface. Alan

  8. Hello Alan, I used a Netgear GS108Tv2 switch. When I configured PVID 99 on ports 7 & 8 and clicked save, I got disconnected while I was connected via port 7. Now I cannot access the web GUI, the switch won’t connect to pfSense (get Internet) on port 7 or 8, and none of the devices connected on ports 1-6 get an IP (only an autoconfiguration IP). Can you please tell me how I fix it?
    If I don’t configure PVID on port 7 or 8, I can get DHCP from pfSense on port 7/8 from its DHCP server on that port.

    1. VLAN 99 is used to replace the default VLAN 1 and does not need to be tagged.
      So when you configure PVID 99 on ports 7 & 8, make sure they are untagged.

      Alan

  9. Both ports 7 & 8 are untagged. When I click on port membership I can see both of them are untagged. I’ve made a video of what I’ve done. Can you please tell me where I am going wrong.
    https://drive.google.com/file/d/1XAKgJ7sDRPbo80L0J8YbSPUaVossruO4
    Once I have changed PVID to 99 I lose access to the web GUI.

    1. Your config looks fine.
      I suggest you keep the default VLAN 1 and don’t change it to 99.
      There are switches that mandate use of default VLAN 1 and changing it would cause problems. Maybe that’s the case here.

      Alan

  10. Thanks Alan, Should i still clear all assignments for VLAN1 or just leave port 7 & 8 as Tagged.

    1. You should clear VLAN1 for port 1 – 6 and leave default VLAN1 (untagged) at port 7 & port 8 with PVID 1.

  11. That works perfectly. Also i can ping the Switch IP from LAN port but cannot access the WebGUI. Do i need to create any rules for that.

    1. For a device from a vlan to access switch WebGui, create a firewall rule at vlan interface to allow that vlan net (source) access to LAN net (destination).
      But only do that for vlan that is safe and secure to minimize risk.
      Safest way is to only access WebGui through port 7.
