# VLAN Implementation Quickstart

Step-by-step checklist for configuring VLANs on pfSense. Use this guide to implement your 3-VLAN network.

## Pre-Implementation

Before you start, gather this information:

- [ ] pfSense WebUI URL (usually `https://192.168.1.1` or similar)
- [ ] Admin credentials for pfSense
- [ ] Your WAN/LAN interface names (check: **Interfaces → Assignments**)
- [ ] Backup of your current pfSense config (download it before making changes)
- [ ] Physical switch info (if you have one) — check whether it supports VLAN tagging

## Phase 1: Create VLANs (5 minutes)

1. **Log into pfSense WebUI**
   - [ ] Open `https://[pfSense-IP]`
   - [ ] Enter admin credentials
2. **Navigate to VLAN Creation**
   - [ ] Go: **Interfaces → VLANs**
   - [ ] Click **Display Advanced**
3. **Create VLAN_AIWORKLOAD**
   - [ ] Click **+ Add**
   - [ ] Parent Interface: `em0` (or your LAN NIC name)
   - [ ] VLAN Tag: `2`
   - [ ] VLAN Priority: `0`
   - [ ] Description: `VLAN_AIWORKLOAD`
   - [ ] Click **Save**
4. **Create VLAN_IOT**
   - [ ] Click **+ Add**
   - [ ] Parent Interface: `em0`
   - [ ] VLAN Tag: `3`
   - [ ] VLAN Priority: `0`
   - [ ] Description: `VLAN_IOT`
   - [ ] Click **Save**
5. **Apply Changes**
   - [ ] Click the **Apply Changes** button
   - [ ] Wait for the reboot/apply to complete

## Phase 2: Assign Virtual Interfaces (5 minutes)

1. **Navigate to Assignments**
   - [ ] Go: **Interfaces → Assignments**
2. **Note down the OPT interfaces created**
   - [ ] You should see two new entries, e.g. `em0.2` and `em0.3`
   - [ ] These will be assigned as `OPT1` and `OPT2` (or similar)
3. **Click the OPT1 link** (VLAN_AIWORKLOAD)
   - [ ] Description: `VLAN_AIWORKLOAD`
   - [ ] IPv4 Configuration Type: `Static IPv4`
   - [ ] IPv4 Address: `172.27.2.1`
   - [ ] IPv4 Subnet Mask: `255.255.255.0`
   - [ ] IPv6 Configuration Type: `None`
   - [ ] **Enable Interface**: ✓ Check this box
   - [ ] Scroll down and click **Save**
4. **Repeat for OPT2** (VLAN_IOT)
   - [ ] Description: `VLAN_IOT`
   - [ ] IPv4 Configuration Type: `Static IPv4`
   - [ ] IPv4 Address: `172.27.3.1`
   - [ ] IPv4 Subnet Mask: `255.255.255.0`
   - [ ] **Enable Interface**: ✓ Check this box
   - [ ] Scroll down and click **Save**
5. **Apply Changes**
   - [ ] Click the **Apply Changes** button

## Phase 3: Configure DHCP (10 minutes)

1. **Navigate to DHCP Server**
   - [ ] Go: **Services → DHCP Server**
2. **Configure VLAN_AIWORKLOAD DHCP**
   - [ ] Click the **VLAN_AIWORKLOAD** tab
   - [ ] **Enable DHCP server on VLAN_AIWORKLOAD interface**: ✓ Check
   - [ ] **Range Start**: `172.27.2.100`
   - [ ] **Range End**: `172.27.2.200`
   - [ ] Scroll down to the **Servers** section
   - [ ] **DNS 1**: `172.27.0.1` (pfSense)
   - [ ] **DNS 2**: `8.8.8.8` (optional backup)
   - [ ] **Gateway**: Should auto-populate as `172.27.2.1`
   - [ ] Scroll down and click **Save**
3. **Configure VLAN_IOT DHCP**
   - [ ] Click the **VLAN_IOT** tab
   - [ ] **Enable DHCP server on VLAN_IOT interface**: ✓ Check
   - [ ] **Range Start**: `172.27.3.100`
   - [ ] **Range End**: `172.27.3.200`
   - [ ] Scroll down to the **Servers** section
   - [ ] **DNS 1**: `172.27.0.1`
   - [ ] **DNS 2**: `8.8.8.8`
   - [ ] **Gateway**: Should auto-populate as `172.27.3.1`
   - [ ] Scroll down and click **Save**
4. **Verify LAN DHCP**
   - [ ] Click the **LAN** tab
   - [ ] Confirm **Enable DHCP server on LAN interface** is ✓ checked
   - [ ] Verify the gateway is `172.27.0.1`
   - [ ] Click **Save**
5. **Apply Changes**
   - [ ] Click the **Apply Changes** button

## Phase 4: Configure Firewall Rules (15 minutes)

### LAN → VLAN Rules

1. **Go to LAN rules**
   - [ ] **Firewall → Rules → LAN**
2. **Add rule: Block LAN → VLAN_AIWORKLOAD**
   - [ ] Click **+ Add** (at bottom)
   - [ ] Action: `Block`
   - [ ] Interface: `LAN`
   - [ ] Direction: `in`
   - [ ] Address Family: `IPv4`
   - [ ] Protocol: `any`
   - [ ] Source: `LAN subnet` (or specify `172.27.0.0/24`)
   - [ ] Destination: `VLAN_AIWORKLOAD subnet` (specify `172.27.2.0/24`)
   - [ ] Description: `Block LAN → VLAN_AIWORKLOAD`
   - [ ] Click **Save**
3. **Add rule: Block LAN → VLAN_IOT**
   - [ ] Click **+ Add**
   - [ ] Action: `Block`
   - [ ] Interface: `LAN`
   - [ ] Source: `172.27.0.0/24`
   - [ ] Destination: `172.27.3.0/24`
   - [ ] Description: `Block LAN → VLAN_IOT`
   - [ ] Click **Save**

### VLAN_AIWORKLOAD Rules

1. **Go to VLAN_AIWORKLOAD rules**
   - [ ] **Firewall → Rules → VLAN_AIWORKLOAD** (or OPT1)
2. **Add rule: Block VLAN_AIWORKLOAD → LAN**
   - [ ] Click **+ Add**
   - [ ] Action: `Block`
   - [ ] Interface: `VLAN_AIWORKLOAD`
   - [ ] Source: `VLAN_AIWORKLOAD subnet` (specify `172.27.2.0/24`)
   - [ ] Destination: `LAN subnet` (specify `172.27.0.0/24`)
   - [ ] Description: `Block VLAN_AIWORKLOAD → LAN`
   - [ ] Click **Save**
3. **Add rule: Allow VLAN_AIWORKLOAD → WAN**
   - [ ] Click **+ Add**
   - [ ] Action: `Pass`
   - [ ] Interface: `VLAN_AIWORKLOAD`
   - [ ] Source: `VLAN_AIWORKLOAD subnet` (specify `172.27.2.0/24`)
   - [ ] Destination: `any`
   - [ ] Protocol: `any`
   - [ ] Description: `Allow VLAN_AIWORKLOAD → Internet`
   - [ ] Click **Save**

### VLAN_IOT Rules

1. **Go to VLAN_IOT rules**
   - [ ] **Firewall → Rules → VLAN_IOT** (or OPT2)
2. **Add rule: Block VLAN_IOT → LAN**
   - [ ] Click **+ Add**
   - [ ] Action: `Block`
   - [ ] Interface: `VLAN_IOT`
   - [ ] Source: `VLAN_IOT subnet` (specify `172.27.3.0/24`)
   - [ ] Destination: `LAN subnet` (specify `172.27.0.0/24`)
   - [ ] Description: `Block VLAN_IOT → LAN`
   - [ ] Click **Save**
3. **Add rule: Block VLAN_IOT → VLAN_AIWORKLOAD**
   - [ ] Click **+ Add**
   - [ ] Action: `Block`
   - [ ] Source: `172.27.3.0/24`
   - [ ] Destination: `172.27.2.0/24`
   - [ ] Description: `Block VLAN_IOT → VLAN_AIWORKLOAD`
   - [ ] Click **Save**
4. **Add rule: Allow VLAN_IOT → WAN**
   - [ ] Click **+ Add**
   - [ ] Action: `Pass`
   - [ ] Source: `VLAN_IOT subnet` (specify `172.27.3.0/24`)
   - [ ] Destination: `any`
   - [ ] Protocol: `any`
   - [ ] Description: `Allow VLAN_IOT → Internet`
   - [ ] Click **Save**

### Apply Firewall Changes

- [ ] Click the **Apply Changes** button (usually at the top of the rules page)

## Phase 5: Testing (10 minutes)

### Test DHCP

1. **Connect a test device to VLAN_AIWORKLOAD**
   - [ ] Assign a device to this VLAN (via switch port or manually)
   - [ ] Check that the device gets an IP in the range 172.27.2.100-200
   - [ ] Verify the gateway shows as 172.27.2.1
   - [ ] Test ping to the gateway: `ping 172.27.2.1` ✓
2. **Connect a test device to VLAN_IOT**
   - [ ] Assign a device to this VLAN
   - [ ] Check that the device gets an IP in the range 172.27.3.100-200
   - [ ] Verify the gateway shows as 172.27.3.1
   - [ ] Test ping to the gateway: `ping 172.27.3.1` ✓

### Test Inter-VLAN Isolation

1. **Test that VLAN_AIWORKLOAD cannot reach LAN**
   - [ ] From a device on VLAN_AIWORKLOAD (172.27.2.x)
   - [ ] Try to ping a LAN device (172.27.0.x)
   - [ ] Should time out/fail ✗ (expected)
2. **Test that VLAN_IOT cannot reach LAN**
   - [ ] From a device on VLAN_IOT (172.27.3.x)
   - [ ] Try to ping a LAN device (172.27.0.x)
   - [ ] Should time out/fail ✗ (expected)
3. **Test that LAN cannot reach the VLANs**
   - [ ] From a LAN device (172.27.0.x)
   - [ ] Try to ping a VLAN_AIWORKLOAD device (172.27.2.x)
   - [ ] Should time out/fail ✗ (expected)

### Test Internet Access

1. **Test VLAN_AIWORKLOAD → Internet**
   - [ ] From a device on VLAN_AIWORKLOAD
   - [ ] Test DNS: `nslookup google.com` ✓
   - [ ] Test internet: `ping 8.8.8.8` ✓
2. **Test VLAN_IOT → Internet**
   - [ ] From a device on VLAN_IOT
   - [ ] Test DNS: `nslookup google.com` ✓
   - [ ] Test internet: `ping 8.8.8.8` ✓

## Phase 6: Backup & Documentation (5 minutes)

1. **Backup pfSense Configuration**
   - [ ] Go: **Diagnostics → Backup & Restore**
   - [ ] Click **Download configuration as XML**
   - [ ] Save as: `pfsense-config-vlan-setup-2026-04-22.xml`
2. **Commit to Git**

   ```bash
   cd /Users/kenjim/workspace/src/personal/appa-net
   git add pfsense.home.arpa/
   git commit -m "pfSense: Initial VLAN configuration (VLAN_AIWORKLOAD, VLAN_IOT)"
   git push
   ```

   - [ ] Commit completed
3. **Document Completion**
   - [ ] Update this file with the completion date
   - [ ] Note any deviations from the plan
   - [ ] Record interface names if they differ from those expected

## Troubleshooting

| Issue | Solution |
|-------|----------|
| Device not getting DHCP | Check that DHCP is enabled for that VLAN in **Services → DHCP Server** |
| Can't ping gateway | Verify the virtual interface is enabled (**Interfaces → Assignments**) |
| Can't reach internet | Check the WAN allow rules in the firewall |
| DNS slow or failing from a VLAN | DNS 1 (`172.27.0.1`) sits inside the LAN subnet that the VLAN → LAN block rules cover, so only DNS 2 answers; pass TCP/UDP 53 to it above the block rule, or hand out the VLAN's own gateway address as DNS 1 |
| Still can reach between VLANs | Check the firewall rule order (first match wins); rules may be in the wrong order |
| Switch not forwarding VLAN traffic | Verify the trunk port on the switch is tagged for all VLANs |

## Post-Implementation

Once everything is working:

1. **Assign your devices** to VLANs via DHCP static mappings
   - See [VLAN-CONFIG.md](VLAN-CONFIG.md) for the device list
2. **Monitor firewall logs** for unexpected traffic
   - Go: **Status → System Logs → Firewall**
3. **Update your documentation** as you add more devices
4. **Schedule regular backups**
   - Monthly: Export the pfSense config to `backups/pfsense-config-YYYY-MM-DD.xml`

---

**Estimated Total Time**: 45 minutes

**Last Updated**: 2026-04-22
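The Phase 4 rule set and the Phase 5 isolation tests, worked through as an added example (my code, not part of this checklist or of pfSense): a first-match evaluator over the checklist's subnets and rules that reports which Phase 5 expectations hold. It assumes pfSense's stock "Default allow LAN to any" rule is still on the LAN tab, so the LAN block rules only bite when they sit above it (the ordering problem the troubleshooting table points at); it also shows that VLAN_AIWORKLOAD can still reach VLAN_IOT (only the reverse is blocked) and that DNS to 172.27.0.1 from a VLAN is caught by the VLAN → LAN block.

```python
"""First-match evaluation of the Phase 4 rule set against the Phase 5 tests.
Added example, not part of the checklist; subnets and rules are the ones the
checklist specifies, modelled by hand rather than read from a pfSense export."""
import ipaddress

NETS = {n: ipaddress.ip_network(c) for n, c in [("LAN", "172.27.0.0/24"),
        ("VLAN_AIWORKLOAD", "172.27.2.0/24"), ("VLAN_IOT", "172.27.3.0/24")]}
ANY = ipaddress.ip_network("0.0.0.0/0")
# pfSense's stock "Default allow LAN to any" rule, assumed still present before Phase 4.
LAN_DEFAULT_ALLOW = ("LAN", "pass", NETS["LAN"], ANY)
# (ingress interface, action, source, destination), in the order the checklist adds them.
CHECKLIST_RULES = [
    ("LAN", "block", NETS["LAN"], NETS["VLAN_AIWORKLOAD"]),
    ("LAN", "block", NETS["LAN"], NETS["VLAN_IOT"]),
    ("VLAN_AIWORKLOAD", "block", NETS["VLAN_AIWORKLOAD"], NETS["LAN"]),
    ("VLAN_AIWORKLOAD", "pass", NETS["VLAN_AIWORKLOAD"], ANY),
    ("VLAN_IOT", "block", NETS["VLAN_IOT"], NETS["LAN"]),
    ("VLAN_IOT", "block", NETS["VLAN_IOT"], NETS["VLAN_AIWORKLOAD"]),
    ("VLAN_IOT", "pass", NETS["VLAN_IOT"], ANY),
]

def ruleset(blocks_above_default):
    """Full rule list: appending the LAN block rules below the stock pass rule
    leaves them unreachable; moving them above it is what makes them effective."""
    lan = [r for r in CHECKLIST_RULES if r[0] == "LAN"]
    rest = [r for r in CHECKLIST_RULES if r[0] != "LAN"]
    lan_tab = lan + [LAN_DEFAULT_ALLOW] if blocks_above_default else [LAN_DEFAULT_ALLOW] + lan
    return lan_tab + rest

def evaluate(src_ip, dst_ip, rules):
    """Action of the first matching rule on the interface the packet enters on;
    pfSense's implicit default deny applies when nothing matches."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    iface = next((n for n, net in NETS.items() if src in net), None)
    for r_iface, action, r_src, r_dst in rules:
        if r_iface == iface and src in r_src and dst in r_dst:
            return action
    return "block"

# Phase 5 flows as (source, destination): expected action. Replies need no
# rule of their own because pfSense is stateful.
PHASE5 = {("172.27.2.50", "172.27.0.10"): "block", ("172.27.3.50", "172.27.0.10"): "block",
          ("172.27.0.10", "172.27.2.50"): "block", ("172.27.2.50", "8.8.8.8"): "pass",
          ("172.27.3.50", "8.8.8.8"): "pass"}

def failing_tests(rules):
    """Phase 5 flows whose evaluated action differs from the expected one."""
    return [f for f, want in PHASE5.items() if evaluate(*f, rules) != want]

if __name__ == "__main__":
    print({above: failing_tests(ruleset(above)) for above in (False, True)})
```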
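A check to run against each exported backup (Phase 6 and the monthly export), added here as an example and not part of the checklist: it reads the VLAN, interface and DHCP sections of a pfSense config.xml and flags drift from what Phases 1–3 configured. `SAMPLE` is a constructed fragment that follows the element layout of a pfSense export as I know it, with two defects planted on purpose; confirm the element paths against your own backup before relying on them.

```python
"""Drift checks over a pfSense config.xml backup. Added example, not part of
the checklist; SAMPLE is constructed and mirrors the export layout (vlans,
interfaces, dhcpd) as assumed here, with two deliberate defects on opt2."""
import ipaddress
import xml.etree.ElementTree as ET

SAMPLE = """<pfsense>
  <vlans>
    <vlan><if>em0</if><tag>2</tag><pcp>0</pcp><descr>VLAN_AIWORKLOAD</descr><vlanif>em0.2</vlanif></vlan>
    <vlan><if>em0</if><tag>3</tag><pcp>0</pcp><descr>VLAN_IOT</descr><vlanif>em0.3</vlanif></vlan>
  </vlans>
  <interfaces>
    <lan><if>em0</if><descr>LAN</descr><enable></enable><ipaddr>172.27.0.1</ipaddr><subnet>24</subnet></lan>
    <opt1><if>em0.2</if><descr>VLAN_AIWORKLOAD</descr><enable></enable><ipaddr>172.27.2.1</ipaddr><subnet>24</subnet></opt1>
    <opt2><if>em0.3</if><descr>VLAN_IOT</descr><ipaddr>172.27.3.1</ipaddr><subnet>24</subnet></opt2>
  </interfaces>
  <dhcpd>
    <opt1><enable></enable><range><from>172.27.2.100</from><to>172.27.2.200</to></range></opt1>
    <opt2><enable></enable><range><from>172.27.3.100</from><to>172.27.2.200</to></range></opt2>
  </dhcpd>
</pfsense>"""

def audit(xml_text):
    """Return human-readable findings for the VLAN-backed interfaces; [] means clean."""
    root, findings, vlan_ifs = ET.fromstring(xml_text), [], {}
    for v in root.iterfind("vlans/vlan"):
        tag = v.findtext("tag")
        if tag in vlan_ifs.values():
            findings.append(f"duplicate VLAN tag {tag}")
        vlan_ifs[v.findtext("vlanif")] = tag  # e.g. em0.2 -> "2"
    for iface in root.find("interfaces"):
        if iface.findtext("if") not in vlan_ifs:
            continue  # only the OPT interfaces assigned to VLANs in Phase 2
        name = iface.tag
        if iface.find("enable") is None:  # pfSense marks enabled interfaces with an empty <enable/>
            findings.append(f"{name}: interface not enabled")
        gw = ipaddress.ip_interface(f"{iface.findtext('ipaddr')}/{iface.findtext('subnet')}")
        dhcp = root.find(f"dhcpd/{name}")
        if dhcp is None or dhcp.find("enable") is None:
            findings.append(f"{name}: DHCP server not enabled")
            continue
        lo, hi = (ipaddress.ip_address(dhcp.findtext(f"range/{k}")) for k in ("from", "to"))
        if lo not in gw.network or hi not in gw.network or lo > hi:
            findings.append(f"{name}: DHCP range {lo}-{hi} not inside {gw.network}")
        elif lo <= gw.ip <= hi:
            findings.append(f"{name}: gateway {gw.ip} lies inside the DHCP range")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)) or "no findings")
```

Point `audit` at the contents of the downloaded XML instead of `SAMPLE` to check a real backup.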