Setup VLAN subnets for home network

Alan Chan
January 29, 2019

This post will describe how to setup VLAN subnets for your home network.

This is the part 2 of a 3 steps guide to protect home network using subnets, based on using a pfSense firewall.

Part 1: Create initial subnets using pfSense firewall
Part 2: Setup more subnets using VLANs
Part 3: Setup Wi-Fi subnets using VLANs

Home network with 2 subnets using pfSense

This would be how the home network looks like after completing Part 1 to create 2 physical subnets. Now we will use VLAN technology to add more logical subnets to the home network.

Virtual LAN (VLAN)

VLAN is a logical group of devices to form a sub-network. Each VLAN has an associated VLAN ID (802.1Q tag). Tagged network traffic contains VLAN ID info and would only be accepted by devices that carry the same VLAN ID.

The major benefits of VLANs are to improve performance, security and ease of management through software configuration. Our purpose of using VLAN is it’s flexibility of creating multiple subnets to further improve the home network protection.

This exercise will create 4 VLANs to further separate the wired and wireless devices.

VLAN requirements

VLAN capable router/firewall: responsible for routing VLAN network traffic and defining access control rules for each VLAN. pfSense supports 802.1Q vlans using router-on-a-stick configuration. So we are good to go.
L2 VLAN managed switch: responsible for assigning VLAN IDs to switch ports for devices to connect and create trunk ports to connect to the router/firewall.
We will be using Netgear ProSAFE GS108Ev3 in this guide. Netgear ProSAFE GS108Ev3 is a L2 8-port gigabit Ethernet Managed Switch which is not expensive.

VLAN setup using Netgear GS108Ev3

The switch has 8 ports and this guide will setup 4 VLANs using first 6 ports, port 7 for management. port 8 would be the trunk port connecting to pfSense.

We are using 802.1Q VLAN tagging to define the 4 VLANs + a native management VLAN. Each VLAN would be assigned a VLAN ID: 10, 20, 30, 40, 99 (for native VLAN) and will be configuring the switch using following settings:

Port 1 and 2 are for the same VLAN with VLAN ID = 10
Port 3 and 4 are for the same VLAN with VLAN ID = 20
Port 5 is for VLAN with VLAN ID = 30
Port 6 is for VLAN with VLAN ID = 40
Port 7 is for native management VLAN with VLAN ID = 99
Port 8 is the trunk port

Note: this guide will use browser running on Microsoft Windows 10 to perform the configuration.

This guide may look long and complex. But actually most of them are configuration settings.

Connecting to the switch

A computer (desktop or laptop) with administrative access is required to connect and configure the switch. It is assumed that the switch is brand new or has been reset to factory default settings.

The default IP address of the switch is 192.168.0.239/255.255.255.0. We need to assign a static IP address (let’s use 192.168.0.99/255.255.255.0) to the computer so that it can communicate with the switch:

Set static IP address

In windows 10, go to Windows Settings > Network & Internet > Change adapter options
right click on the Ethernet adapter, then Properties
select Internet Protocol Version 4 (TCP/IPv4) and click on Properties
Set the static IP address as follow and the click OK

Optionally, you can use the command ipconfig at a command prompt to verify that the network adapter is assigned the IP address 192.168.0.99 correctly. We can switch back to Obtain an IP address automatically once the setup of the switch part is complete.

Now connect the computer to port 7 of the switch using an ethernet cable. Then start a browser and enter http://192.168.0.239 as the URL. You should be greeted by the login screen asking for password to manage the switch.

Enter the default password shown at bottom of the switch and you will arrive at the main page.

At main page, please note and write down the MAC Address of the switch. We would want to assign a static IPv4 address to the switch when connecting to the pfSense firewall later.

Enable 802.1Q Advanced VLAN Configuration

This switch has several ways of setting up the VLANs. We will be using 802.1Q Advanced VLAN Configuration.

Go to VLAN > 802.1Q > Advanced > VLAN Configuration:

Select Enable and then click OK to confirm

Define VLAN IDs

Enter ID ’10’ at VLAN ID field
Click Add

Do the same for VLAN ID ’20’, ’30’, ’40’ and ’99’.

Assign VLAN ID to each port

click on VLAN Membership
select VLAN ID ’10’
Click on both port 1 & port 2 once to show ‘U‘ (untagged).
Click on port 8 twice to show ‘T‘ (tagged).
Click Apply

Repeat VLAN ID ‘20‘ for port 3 & port 4, VLAN ID ‘30‘ for port 5, VLAN ID ‘40‘ for port 6. Note: all VLAN IDs should be tagged on port 8.

For VLAN ID ‘99‘, click both port 7 & port 8 once to make them ‘U‘ (untagged). It’s the native VLAN, so don’t need to be tagged at the trunk port 8.

After finishing the assignments, click on VLAN Configuration and the screen should be shown as below.

Set corresponding PVID for each port

PVID stands for port VLAN ID.

Click on Port PVID
Enable port 1‘s checkbox
Enter 10 to PVID text box
Click Apply

Repeat the same for:

port 2 using 10
port 3 & port 4 using 20
port 5 using 30
port 6 using 40
port 7 & port 8 using 99

Screen should look like this now.

Clear VLAN 1 assignments

For security reasons, the default VLAN 1 would not be used. So we would clear it’s assignments.

click on VLAN Membership
select VLAN ID ‘1‘
click on every port to clear all assignments
click Apply

Netgear VLAN configuration — VLAN Configuration

That is. Setting up the switch part is finished. Don’t forget to change the password with a strong one. And the computer IPv4 address can change back to Obtain an IP address automatically and Obtain DNS server address automatically.

Setup VLAN interfaces at pfSense firewall

Except for the management VLAN 99, a corresponding VLAN interface will be created for each VLAN ID 10, 20, 30 & 40. Use computer to connect to the pfSense web configurator.

Preparation: Setup private IP address alias

This alias is setup already if you completed Part 1: Create initial subnets using pfSense firewall.

It would be used to setup firewall rules for Internet access.

go to Firewall > Aliases > IP
click Add
enter ‘Private_IPv4s‘ as Name
select Network(s) as Type
add following 3 networks:
- enter 192.168.0.0 / 16
- click Add Network and enter 10.0.0.0 / 8
- click Add Network and enter 172.16.0.0 / 12
click Save then Apply Changes

Step 1: Create VLAN interface

go to Interfaces > Assignments > VLANs
click Add
select OPT1 for Parent Interface
enter 10 for VLAN Tag
click Save

This would create VLAN interface for VLAN ID 10.

Repeat for VLAN 20, 30 & 40.

Step 2: Setup new network interface to use the VLAN interface

go to Interfaces > Assignments
select ‘VLAN 10 on igb2 – opt1‘ (exact network interface name ‘igb2’ may vary)
click Add

click on new interface created. Probably named ‘OPT2‘. Configuration screen of the interface will appear.
check Enable interface checkbox
enter ‘VLAN 10‘ for Description, or a preferred name you want for the subnet
select Static IPv4 for IPv4 Configuration Type
scroll down to Static IPv4 Configuration section
enter 192.168.10.1 / 24 for IPv4 Address. 192.168.10.x would be the private address space used for the subnet. 192.168.10.1 would be the gateway for the subnet.
click Save at the bottom and then click Apply Changes

Repeat this step for:

VLAN 20 with IPv4 address 192.168.20.1 / 24
VLAN 30 with IPv4 address 192.168.30.1 / 24
VLAN 40 with IPv4 address 192.168.40.1 / 24

Step 3: Enable DHCP Server to auto assign IP address

go to Services > DHCP Server, then click on ‘VLAN10‘
check the Enable DHCP server on VLAN10 interface checkbox
in the same section, go to Range. Specify a range of IP address that can be use for assignment (e.g. from 192.168.10.201 to 192.168.10.254)
click Save near end of the page.

Repeat this step for:

VLAN 20 with IPv4 address 192.168.20.201
to 192.168.20.254
VLAN 30 with IPv4 address 192.168.30.201 to 192.168.30.254
VLAN 40 with IPv4 address 192.168.40.201 to 192.168.40.254

Step 4: Setup firewall rules to allow Internet access only

New subnet created, by default, has no access to anything. So we need to setup rules to define what is allowed for the subnet. The rules we are creating will grant access to communicate with other devices within the same subnet and access to the Internet.

go to Firewall > Rules > VLAN10
click Add to create 1st rule (allow access to other devices within the same subnet)
for Address Family, select IPv4+IPv6
for Protocol, select Any
for both Source and Destination, select VLAN10 net
for Description, enter ‘allow access within subnet’
click Save

add firewall rule for VLAN 10 to access within same subnet

click Add again to create 2nd rule (allow Internet access)
for Address Family, select IPv4+IPv6
for Protocol, select Any
for Source, select VLAN10 net
for Destination, check Invert match checkbox; select Single host or alias, then type Private_IPv4s as the Destination Address
for Description, enter ‘allow Internet access’
click Save, then Apply Changes

add firewall rule for VLAN 10 to access Internet

Repeat this step for VLAN20, VLAN30 & VLAN40. Based on your needs, you can customize the rules here to limit access or grant more access for the subnet accordingly.

Hook them up together

We are almost there. Before connecting them together. Let’s first assign a static IPv4 address for the switch at the DHCP server of pfSense.

go to Services > DHCP Server > OPT1
scroll down to DHCP Static Mappings for this Interface
click Add
enter mac address of the switch for MAC Address
enter ‘GS108Ev3‘ for both Client Identifier and Hostname
enter 192.168.99.108 for IP Address. (or a different IP address for your liking, as long as it is not within the range for automatic IP assignments)
click Save then Apply Changes

static IP mapping for the Netgear switch

All right! It’s time to put them together.

connect port 8 of the switch to OPT1 port of pfSense.
Reboot the switch so that it will receive the new assigned static IPv4 address.

That’s it. By connecting your computer to port 7 of the switch, you can manage the switch using the browser at 192.168.99.108. And you can manage pfSense at 192.168.99.1.

Connecting any device to port 1 or port 2 of the switch will join VLAN 10 and auto assign IPv4 address in the range of 192.168.10.x.

Similarly,

port 3 & 4 would be VLAN 20 with IPv4 range 192.168.20.x
port 5 for VLAN 30 with IPv4 range 192.168.30.x
port 6 for VLAN 40 with IPv4 range 192.168.40.x

To verify, connect your computer to the port and run the command ipconfig at the command prompt and you should see the IPv4 changes to the specified range correctly. If they don’t, that means some settings probably are mis-configured. Fix the settings and check again.

Once verified, you can connect your devices to their corresponding ports for the correct VLAN subnet assignements.

Note: if you need more Ethernet port connections (more devices) for a particular VLAN, you can connect a simple switch to the VLAN port and your devices to the simple switch instead.

Next > Part 3: Setup Wi-Fi subnets using VLANs

This Post Has 67 Comments

Orionis
4 Dec 2019 Reply

hi
your tutorial its great i try and all work except my box tv, i connect this on vlan20
i think its because vlan don’t communique directly with the isp routeur.
i try something like igmp proxy but doesn’t work

sorry for my english
1. Alan Chan
  4 Dec 2019 Reply
  
  TV service and VoIP phone usually requires direct connection to ISP. You may have a double NAT inside the pfSense LAN network that is causing the trouble.
  If possible, place your box TV outside pfSense (i.e. connect directly to ISP router). Or you may need more advance config/settings to eliminate double NAT if box TV must reside inside phSense LAN network.
  Hope this helps. Thanks for your comment.
David
19 Dec 2019 Reply

Hi,
Your tutorial is wonderful!, one question, as I have subnets LAN(default) and VLAN10(manual), and VLAN10 have subnets:192.168.10.1/24, there devices in VLAN10 is capable to talk with each other in VLAN10 subnet, but how can I make devices in VLAN10 talk with other subnets devices for example `LAN`? I’ve know LAN has a default rule to access to any subnets, but seems like set destination set as `any` is not safe for VLAN10, any idea? thanks.
1. Alan Chan
  19 Dec 2019 Reply
  
  Each subnet has it’s own firewall rules. Go to Firewall > Rules > VLAN10. There, you can create rule to allow VLAN10 to talk to LAN by setting Destination to ‘LAN net’.
  However, bear in mind that 1 main purpose of using VLAN is security (other than reducing broadcast domain size), to separate subnets so that they can’t talk to each other generally.
  If you allow them to talk to each other, any one device get infected/compromised in VLAN10 can also access your LAN subnet.
  Thanks
David
19 Dec 2019 Reply

Yeah, what you said is right, I just want to take a POC to prove everything is run like I imagine, and set destination as `any` or `LAN net` did help me to talk to LAN, and I’ve realize any device in VLAN10 get infected will influence LAN, will block this situation in real environment lately, and your article are really helpful for me to prove my thoughts, thanks again!
1. Alan Chan
  19 Dec 2019 Reply
  
  Awesome. Great that it’s helpful.
Max
11 Feb 2020 Reply

Thanks Alan! Helped me a lot getting started
cheers
1. Alan Chan
  12 Feb 2020 Reply
  
  awesome. Glad it helped! cheers Alan
Alvaro
27 Feb 2020 Reply

Thanks Alan for this great guide. As you mention before, is not good to allow a VLAN to access the whole LAN address, but if I have some services in the LAN Computer, how I allow only access to does services? I suppose is to allow access the the Server IP (on LAN network) for the specific ports, it’s that ok? Another questión, as one of the subnets it’s for the printers, I guest you should add a rule to allow access that subnet from the other subnets, should the access/comunication should be bi-directional? or only allowing PCs subnet > Printers Subnet. Thanks for your help
1. Alan Chan
  27 Feb 2020 Reply
  
  Yes, under the vlan network firewall rules, you can allow access to specific server ip-address & port #. Just bear in mind that if the service has vulnerability that is exploitable, it could potential allow break in from vlan network to your LAN network by exploiting the service.
  
  You don’t need to grant access at Printers subnet. Just need to add rule at PCs subnet to allow access to Printers subnet.
Nagi
6 Mar 2020 Reply

Hi Alan, thanks for the wonderful guide! I was able to set VLANs up in my Netgear switch. One thing tho, I noticed that Port 7, which is set to PVID 99 couldn’t access the internet. Is this the intended behavior or did I miss something somewhere? I could access Netgear’s WebUI from device connected to port 7 but I couldn’t ping this device’s ID from a device connected in Subnet 1.
1. Alan Chan
  6 Mar 2020 Reply
  
  thanks. Port 7 should be able to connect to Netgear’s WebUI and pfSense (192.168.99.1) that serves as gateway.
  whether 192.168.99.0/24 subnet can access Internet depends on the if there is a firewall rule to allow that.
  Similarly, Subnet 1 needs firewall rule to allow access to 192.168.99.0/24 subnet for ping to happen.
  
  Test the connection to pfSense (192.168.99.1) from the device connected to port 7. If connection is successful, most likely firewall rules are the issue.
  If unable to connect to pfSense, either pfSense hasn’t setup 192.168.99.0/24 subnet correctly or vlan tagging issue at Netgear switch. In this case, try connect device directly to pfSense interface to further troubleshoot.
orionis
22 Apr 2020 Reply

Hello Alan thank for all tutorial reply…
i ‘ve a little question

my printers is in the vlan20 ok
how i can allow aces from other vlan like a pc in vlan 10 try to print a printer in vlan 20
i know a rules who work : IPv4 * VLAN10 * VLAN20* * * aucun
But i do created a rule for each VLAN 10-30-40-….
it’s possible to created in the vlan20 a generic rules ?
1. Alan Chan
  24 Apr 2020 Reply
  
  You set the rules correctly. You need to define rules at the source interface. Alan
Dev
19 Sep 2020 Reply

Hello Alan, i used Netgear GS108tv2 Switch. when i configured PVID 99 on port 7 & 8 & clicked save i got disconnected while i was connected via port 7. Now i cannot access the WEBGUI and the switch won’t connect to pfSense (Get Internet) on port 7 or 8 and any of the devices connected on port 1-6 wont get IP (Only autoconfiguration IP). Can you please tell me how i fix it.
If i don’t configure PVID on port 7 or 8 i can get DHCP from pfsense on port 7/8 from its DHCP server on that port.
1. Alan Chan
  19 Sep 2020 Reply
  
  VLAN 99 is used to replace the default VALN 1 and does not need to be tagged.
  So when you configure PVID 99 on port 7 & 8, make sure they are untagged.
  
  Alan
Dev
20 Sep 2020 Reply

Both port 7&8 are Untagged. when i Click on port membership i can see both of them are untagged. I’ve made a video of what i’ve done. Can you please tell me where i am going wrong.
https://drive.google.com/file/d/1XAKgJ7sDRPbo80L0J8YbSPUaVossruO4
Once i have changed PVID to 99 i loose access to WebGUI.
1. Alan Chan
  20 Sep 2020 Reply
  
  Your config looks fine.
  I suggest you keep the default VLAN 1 and don’t change it to 99.
  There are switches that mandate use of default VLAN 1 and changing it would cause problems. Maybe that’s the case here.
  
  Alan
Dev
21 Sep 2020 Reply

Thanks Alan, Should i still clear all assignments for VLAN1 or just leave port 7 & 8 as Tagged.
1. Alan Chan
  21 Sep 2020 Reply
  
  You should clear VLAN1 for port 1 – 6 and leave default VLAN1 (untagged) at port 7 & port 8 with PVID 1.
Dev
22 Sep 2020 Reply

That works perfectly. Also i can ping the Switch IP from LAN port but cannot access the WebGUI. Do i need to create any rules for that.
1. Alan Chan
  22 Sep 2020 Reply
  
  For a device from a vlan to access switch WebGui, create a firewall rule at vlan interface to allow that vlan net (source) access to LAN net (destination).
  But only do that for vlan that is safe and secure to minimize risk.
  Safest way is to only access WebGui through port 7.
Khandaker Shahriar Amin
23 Sep 2020 Reply

Hi
Can you explain how do I use 5 wan uplink in pfsense via vlan?
1. Alan Chan
  25 Sep 2020 Reply
  
  WAN interface in pfSense does not use vlan. All traffic in/out of WAN interface is untagged.
Dev
23 Sep 2020 Reply

Ok I will play safe and not defeat the purpose of segregation. Thanks a lot.
Dev
25 Sep 2020 Reply

Hi again Alan,
I wanted to add more devices on VLAN so i got another Netgear GS108Tv2 Switch. So Can i connect port 7 of the first Switch to port 7 of new switch after configuring the switch the same way as last one.. I will keep the same VLAN structure on new switch. Thanks
1. Alan Chan
  25 Sep 2020 Reply
  
  You need to setup trunking between 2 switches.
  
  Create same VLAN structure on new switch (with a different IP-address)
  
  On first switch, reconfigure port 7 to same settings as port 8
  
  Connect new switch’s port 8 to first switch’s port 7
  Port 7 on new switch could then be used to manage both switches.
Dev
25 Sep 2020 Reply

Thanks Alan. Giving it a go tomorrow.
Dev
26 Sep 2020 Reply

Just finished Setting up 2nd Netgear GS108Tv2 Switch and all ports are working as per your Instructions (Except port1 which is POE powered), https://imgur.com/IIPX1bp
If i want to put VLAN 10&20 on Switch 1 and VLAN 30 & 40 on Switch 2 i need to program it same way as your guide creating VLANS 10 & 20 first on SWitch 1 first and the VLAN 30 & 40 on switch 2 and them connect the same way as per your last post.

Also i want to deny my NAS Internet access but still want to be available locally for other Devices on the VLAN will this rule work properly https://imgur.com/a/gKEB0B2
1. Alan Chan
  27 Sep 2020 Reply
  
  The block rule source should be the IP address of your NAS server and the destination should be !RFC1918_Addresses.
Dev
1 Oct 2020 Reply

Many Thanks. I can verify that NAS lost Internet connectivity once i applied this rule. However i cannot access or ping NAS via hostname but when type the IP of NAS on Windows explorer i can see shared folders.. Is there something else i need to add or change in this rule or create another rule in pfsense. Here is the rule https://i.imgur.com/K0NATU7.png
1. Alan Chan
  8 Oct 2020 Reply
  
  I assume you try accessing within same VLAN. pfSense shouldn’t matter.
  looks like DNS issue (maybe you need to access using full local domain name). Ping NAS using ip address instead:
  ping -a
  
  See what hostname the ip address is associated to. Then use that to try access NAS.
Frantisek
7 Oct 2020 Reply

Using GS116Ev2 when I set up things the way described here, the switch picks up its IP address from an arbitrary VLAN, not from the 99 static assignment, and is hence part of one of that VLANs, not the management VLAN. It appears to be the same one every time, specifically the first one that was set up (in your example VLAN10). What can I do to make the switch fetch its IP over the management VLAN 99 and hence get the static 192.168.99.X address?
1. Alan Chan
  8 Oct 2020 Reply
  
  It’s strange that the switch would not stick to it’s static ip address. Double check to make sure DHCP mode is disabled.
  1. Frantisek
    8 Oct 2020 Reply
    
    It probably sticks to the IP address set up in pfSense, the problem is the switch is reaching pfSense over VLAN 10 instead of VLAN 99 so it is assigned an IP address from the VLAN 10 pool instead of the static IP address specified within VLAN 99 setup.
    1. Alan Chan
      8 Oct 2020 Reply
      
      I meant the setting at the switch, not pfSense. Connect to the switch web admin, manually assign a static ip address to the switch and disable DHCP at the switch.
      1. Frantisek
        8 Oct 2020
        
        I am sure that would work, however in your guide you state “Let’s first assign a static IPv4 address for the switch at the DHCP server of pfSense” which would seem to imply that the switch is meant to receive its IP address from the pfSense DHCP server (and thus the switch should be set in DHCP client mode, not static IP). My point is that if I do that, the switch will indeed receive an IP address from pfSense, but in my case from a pool associated with an arbitrary VLAN, not the 99 subnet you’re setting up the static IP assignment for.
      2. Alan Chan
        9 Oct 2020
        
        You got that right. It seems that GS116Ev2 switch has some different behavior than GS108Ev3.
        These DHCP request traffic (switch’s management traffic) should be sent through untagged default VLAN, not an arbitrary VLAN setup.
        
        Another thing you can try (other than assigning static IP at switch) is to leave the default VLAN 1 alone. Do not change VLAN 1 to 99.
        Some switches are hard coded to use VLAN 1 and changing it could result in unexpected behavior.
      3. Frantisek
        9 Oct 2020
        
        I got rid of VLAN 99 and made VLAN 1 the untagged one on the trunk port (16 in my case) and it still behaves the same, ie the switch IP provided by pfSense DHCP is from the VLAN10 pool. Strange.
BONFIRE
19 Oct 2020 Reply

Good Afternoon Sir,
GREAT tutorial but i am having issues getting the trunked WAN port from the ac3200 to communicate or route requests to my Windows DHCP server internally without applying an IP address on the Bridge (BR1 and Br2).
1. Alan Chan
  25 Oct 2020 Reply
  
  WAN port may behave differently. Maybe try using other port as trunk port instead.
ATM Dave
9 Nov 2020 Reply

1st off nice tutorial Alan, very well explained. Was just wondering if you had a similar tutorial for people using OpenWRT? Also is there anything that needs to be changed on the internet router e.g. disabling of DHCP? Every time I do that I lose internet so think there may be something I am doing wrong. Sorry for the noob question, sadly I am no guru at this.
1. Alan Chan
  27 Nov 2020 Reply
  
  Thanks Dave. Unfortunately I haven’t worked with OpenWRT. As for Internet router, you don’t need to change anything for typical setup. DHCP is still needed for devices (including pfSense) connecting to the Internet router. Alan
Carlo Accorsi
26 Nov 2020 Reply

Outstanding!! Wow, I couldn’t believe my luck when I stumbled across your instructions. It’s exactly what I’ve been looking for, especially the VLAN /SSID setup. I’ve replaced all my networkIng gear and then got stuck setting it all up how I wanted. Your series of articles is a meticulously detailed blueprint for a modern home network. Thank you kindly!!!
1. Alan Chan
  27 Nov 2020 Reply
  
  Awesome. Glad that these articles help! cheers Alan
Marc
29 Dec 2020 Reply

Thanks for publishing this guide – very helpful. Have you run into an instance where the host isn’t seeing the DHCP server from the VLANs? The laptop gets provisioned with an IP address on port 7, but no other port (gets the 169.258.x.x) address. I started over three times to make sure I didn’t miss anything in your instructions. Would appreciate your thoughts on what to try.
1. Alan Chan
  15 Feb 2021 Reply
  
  Seems like vlan traffic is not configured correctly and causes them dropped.
  It would be configuration at switch or at pfSense.
  Make sure DHCP is configured for each VLAN.
Stefan
18 Jan 2021 Reply

Really great Job!

Thanks a lot !!!
Anonymous
7 Feb 2021 Reply

I have referred to this article so many times it has become embarrassing. Such a nice job of explaining the Untag vs Tag at switch level and following through to Pfsense VLAN. — Greg
1. Alan Chan
  15 Feb 2021 Reply
  
  Glad that it helps. Cheers Alan
Sam
11 Feb 2021 Reply

Hi Alan,

I bought a pfsense SG-1200 and discovered whilst going through your tutorial that it only has 2 NICs. Can I use a Vlan in pfsense as a third network interface?

If not, please let me know what the best setup would be, should I choose to stick with the pfsense machine (I can no longer return it for a refund).

Thanks
1. Alan Chan
  10 Feb 2022 Reply
  
  You can use LAN interface to create VLAN interfaces. You would also need a managed VLAN switch connecting to the LAN interface.
VLAN geek
15 Feb 2021 Reply

Outstanding tutorial, thank you kindly!

My network configuration will have 2 WAN resources. My goal is to give my IoT projects their own bandwidth source without interrupting the rest of the house. Would there be any issues with feeding both WAN into a single pfSense instance, and segregating them with rules? My biggest concern was my subnet being able to reach IoT subnet, and you have explained that perfectly.
1. Alan Chan
  10 Feb 2022 Reply
  
  Yes, pfSense supports multiple WAN.
Rini
9 Mar 2021 Reply

This article is really great. It allowed me to setup a dump AP (using a TOMATO-flashed on a linksys E3000) with a quest-wifi separated from the main LAN(ports+wifi). Through a VLAN controlled from pfsense(2.4.5p1) using the instructions from this article. So no smart switch needed in my case. Regard Rini
Nicolas Boisvert
17 Sep 2021 Reply

Dear,
Following Figure 2. in your Part1, I came up with this scheme. I would now have 9 VLAN subnet.

Would it not be a bit overkill or just perfect?

With my actual single subnet, I used pfSense’s QoS wizard to manage trafic. Are you aware if the QoS wizard can mange VLANs or will I have to resort to manually set the QoS.

Since I have actually only 2 NICs on my pfSense, can the managed switches be in the same subnet “10.0.0.1” or I need to put them in a managing subnet?

Can you give advise on how to set a smart switch under an other smart switch in terms of “trunk”, “tagged” and “not tagged” ?

Thanks
1. Alan Chan
  22 Sep 2021 Reply
  
  Hi Nicolas,
  
  Typically, 4/5 VLANs are enough to separate home devices for security purpose.
  9 VLANs are totally fine too for the granularity and categories of devices you have. Just make sure your smart devices have enough ports to support all your VLANs.
  
  I believe pfSense QoS applies to the LAN interface. That means it would apply to all VLANs under your LAN interface.
  
  To chain your smart switches, the connection ports between your smart switches should be configured as trunk ports (and traffic passing thru should be tagged)
Nicolas Boisvert
17 Sep 2021 Reply

I forgot the picture

https://imgur.com/Rr1qXLc
Nicolas Boisvert
22 Sep 2021 Reply

Dear Alan,
My last post as not shown yet. Can I expect an answer from you or should I seek other sources to set my mind on this ?

Thank you
1. Alan Chan
  22 Sep 2021 Reply
  
  Replied. Cheers
  1. Nicolas Boisvert
    22 Sep 2021 Reply
    
    Thanks a lot!
    1. Alan Chan
      22 Sep 2021 Reply
      
      You are welcome.
      
      Alan
Chris
12 Oct 2021 Reply

Should the switch be getting its DHCP supplied IP address from VLAN 1 (the native VLAN, correct?) or from the management VLAN 99?
1. Alan Chan
  12 Oct 2021 Reply
  
  Yes, the IP address should be from native VLAN.
  If your switch doesn’t acquire IP address from native VLAN, you can set a static IP address for the switch.
ET
1 Apr 2022 Reply

very clean, straight forward to get you started. I bought a Ubiquiti AP to further isolate wifi devices.
I tried the DD-WRT but did not work for me.

Much appreciated
Brandon
8 May 2022 Reply

Hi Alan, I am trying to follow your guide but hit into a couple of snags:

1. I want a VLAN10 (192.168.10-244). I created it on IGB1.Should I create the VLAN off OPT1 ( from your first tutorial). Should we be having DHCP for the address assignment for the switch instead of assigning it a static IP address?

1a. How did you get the Private_IPv4s?

2. I have a Netgear GS308T 8-port as well. However , the interface is different. It has a visual interface of the ports. I want VLAN10 on Port1 and Port2 for my Qnap NAS. I believe I need to do a LAGG on QNAP . However, I am not sure how to set up the port (U or T) as NAS is a VLAN-aware device.
1. Alan Chan
  16 May 2022 Reply
  
  Hi Brandon,
  
  1. Either DHCP or static IP address would work. The benefit of static IP address is when you want to troubleshoot the switch especially when there is communication problem between pfSense and the switch
  1a. That’s the ip addresses defined in RFC 1918.
  2. You would want to use ‘T’ to tag the traffic so your NAS can know which VLAN the traffic is for.