appa-net/pfsense.home.arpa/VLAN-QUICKSTART.md
Kenji Morishige 38f2aefecd Add pfSense backup utility and documentation
- Add backup-pfsense-config.sh script for automated config backups via SSH
- Auto-commits backups to git with timestamped filenames
- Includes validation, error handling, and troubleshooting guides
- Add scripts/README.md with detailed usage and crontab examples
- Add BACKUP-QUICKSTART.md for quick reference commands
- Update README.md to reference automated backup workflow
- Create backups/ directory structure

The script tests SSH connectivity successfully to pfSense.
2026-04-22 14:42:43 -05:00

# VLAN Implementation Quickstart
Step-by-step checklist for configuring VLANs on pfSense. Use this guide to implement your 3-VLAN network.
## Pre-Implementation
Before you start, gather this information:
- [ ] pfSense WebUI URL (usually `https://192.168.1.1` or similar)
- [ ] Admin credentials for pfSense
- [ ] Your WAN/LAN interface names (check: **Interfaces → Assignments**)
- [ ] Backup your current pfSense config (download before making changes)
- [ ] Physical switch info (if you have one) — check if it supports VLAN tagging
## Phase 1: Create VLANs (5 minutes)
1. **Log into pfSense WebUI**
- [ ] Open `https://[pfSense-IP]`
- [ ] Enter admin credentials
2. **Navigate to VLAN Creation**
- [ ] Go: **Interfaces → VLANs**
- [ ] Click **Display Advanced**
3. **Create VLAN_AIWORKLOAD**
- [ ] Click **+ Add**
- [ ] Parent Interface: `em0` (or your LAN NIC name)
- [ ] VLAN Tag: `2`
- [ ] VLAN Priority: `0`
- [ ] Description: `VLAN_AIWORKLOAD`
- [ ] Click **Save**
4. **Create VLAN_IOT**
- [ ] Click **+ Add**
- [ ] Parent Interface: `em0`
- [ ] VLAN Tag: `3`
- [ ] VLAN Priority: `0`
- [ ] Description: `VLAN_IOT`
- [ ] Click **Save**
5. **Apply Changes**
- [ ] Click **Apply Changes** button
- [ ] Wait for reboot/apply to complete
## Phase 2: Assign Virtual Interfaces (5 minutes)
1. **Navigate to Assignments**
- [ ] Go: **Interfaces → Assignments**
2. **Note down the OPT interfaces created**
- [ ] You should see two new entries: e.g., `em0.2` and `em0.3`
- [ ] These will be assigned as `OPT1` and `OPT2` (or similar)
3. **Click the OPT1 link** (VLAN_AIWORKLOAD)
- [ ] Description: `VLAN_AIWORKLOAD`
- [ ] IPv4 Configuration Type: `Static IPv4`
- [ ] IPv4 Address: `172.27.2.1`
- [ ] IPv4 Subnet Mask: `255.255.255.0`
- [ ] IPv6 Configuration Type: `None`
- [ ] **Enable Interface**: ✓ Check this box
- [ ] Scroll down and click **Save**
4. **Repeat for OPT2** (VLAN_IOT)
- [ ] Description: `VLAN_IOT`
- [ ] IPv4 Configuration Type: `Static IPv4`
- [ ] IPv4 Address: `172.27.3.1`
- [ ] IPv4 Subnet Mask: `255.255.255.0`
- [ ] **Enable Interface**: ✓ Check this box
- [ ] Scroll down and click **Save**
5. **Apply Changes**
- [ ] Click **Apply Changes** button
## Phase 3: Configure DHCP (10 minutes)
1. **Navigate to DHCP Server**
- [ ] Go: **Services → DHCP Server**
2. **Configure VLAN_AIWORKLOAD DHCP**
- [ ] Click **VLAN_AIWORKLOAD** tab
- [ ] **Enable DHCP server on VLAN_AIWORKLOAD interface**: ✓ Check
- [ ] **Range Start**: `172.27.2.100`
- [ ] **Range End**: `172.27.2.200`
- [ ] Scroll down to **Servers** section
- [ ] **DNS 1**: `172.27.0.1` (pfSense)
- [ ] **DNS 2**: `8.8.8.8` (optional backup)
- [ ] **Gateway**: Should auto-populate as `172.27.2.1`
- [ ] Scroll down and click **Save**
3. **Configure VLAN_IOT DHCP**
- [ ] Click **VLAN_IOT** tab
- [ ] **Enable DHCP server on VLAN_IOT interface**: ✓ Check
- [ ] **Range Start**: `172.27.3.100`
- [ ] **Range End**: `172.27.3.200`
- [ ] Scroll down to **Servers** section
- [ ] **DNS 1**: `172.27.0.1`
- [ ] **DNS 2**: `8.8.8.8`
- [ ] **Gateway**: Should auto-populate as `172.27.3.1`
- [ ] Scroll down and click **Save**
4. **Verify LAN DHCP**
- [ ] Click **LAN** tab
- [ ] Confirm **Enable DHCP server on LAN interface** is ✓ checked
- [ ] Verify gateway is `172.27.0.1`
- [ ] Click **Save**
5. **Apply Changes**
- [ ] Click **Apply Changes** button
## Phase 4: Configure Firewall Rules (15 minutes)
### LAN → VLAN Rules
1. **Go to LAN rules**
- [ ] **Firewall → Rules → LAN**
2. **Add rule: Block LAN → VLAN_AIWORKLOAD**
- [ ] Click **+ Add** (at bottom)
- [ ] Action: `Block`
- [ ] Interface: `LAN`
- [ ] Direction: `in`
- [ ] Address Family: `IPv4`
- [ ] Protocol: `any`
- [ ] Source: `LAN subnet` (or specify `172.27.0.0/24`)
- [ ] Destination: `VLAN_AIWORKLOAD subnet` (specify `172.27.2.0/24`)
- [ ] Description: `Block LAN → VLAN_AIWORKLOAD`
- [ ] Click **Save**
3. **Add rule: Block LAN → VLAN_IOT**
- [ ] Click **+ Add**
- [ ] Action: `Block`
- [ ] Interface: `LAN`
- [ ] Source: `172.27.0.0/24`
- [ ] Destination: `172.27.3.0/24`
- [ ] Description: `Block LAN → VLAN_IOT`
- [ ] Click **Save**
### VLAN_AIWORKLOAD Rules
1. **Go to VLAN_AIWORKLOAD rules**
- [ ] **Firewall → Rules → VLAN_AIWORKLOAD** (or OPT1)
2. **Add rule: Block VLAN_AIWORKLOAD → LAN**
- [ ] Click **+ Add**
- [ ] Action: `Block`
- [ ] Interface: `VLAN_AIWORKLOAD`
- [ ] Source: `VLAN_AIWORKLOAD subnet` (specify `172.27.2.0/24`)
- [ ] Destination: `LAN subnet` (specify `172.27.0.0/24`)
- [ ] Description: `Block VLAN_AIWORKLOAD → LAN`
- [ ] Click **Save**
3. **Add rule: Allow VLAN_AIWORKLOAD → WAN**
- [ ] Click **+ Add**
- [ ] Action: `Pass`
- [ ] Interface: `VLAN_AIWORKLOAD`
- [ ] Source: `VLAN_AIWORKLOAD subnet` (specify `172.27.2.0/24`)
- [ ] Destination: `any`
- [ ] Protocol: `any`
- [ ] Description: `Allow VLAN_AIWORKLOAD → Internet`
- [ ] Click **Save**
### VLAN_IOT Rules
1. **Go to VLAN_IOT rules**
- [ ] **Firewall → Rules → VLAN_IOT** (or OPT2)
2. **Add rule: Block VLAN_IOT → LAN**
- [ ] Click **+ Add**
- [ ] Action: `Block`
- [ ] Interface: `VLAN_IOT`
- [ ] Source: `VLAN_IOT subnet` (specify `172.27.3.0/24`)
- [ ] Destination: `LAN subnet` (specify `172.27.0.0/24`)
- [ ] Description: `Block VLAN_IOT → LAN`
- [ ] Click **Save**
3. **Add rule: Block VLAN_IOT → VLAN_AIWORKLOAD**
- [ ] Click **+ Add**
- [ ] Action: `Block`
- [ ] Source: `172.27.3.0/24`
- [ ] Destination: `172.27.2.0/24`
- [ ] Description: `Block VLAN_IOT → VLAN_AIWORKLOAD`
- [ ] Click **Save**
4. **Add rule: Allow VLAN_IOT → WAN**
- [ ] Click **+ Add**
- [ ] Action: `Pass`
- [ ] Source: `VLAN_IOT subnet` (specify `172.27.3.0/24`)
- [ ] Destination: `any`
- [ ] Protocol: `any`
- [ ] Description: `Allow VLAN_IOT → Internet`
- [ ] Click **Save**
### Apply Firewall Changes
- [ ] Click **Apply Changes** button (usually at top of rules)
## Phase 5: Testing (10 minutes)
### Test DHCP
1. **Connect a test device to VLAN_AIWORKLOAD**
- [ ] Assign a device to this VLAN (via switch port or manually)
- [ ] Check if device gets IP in range 172.27.2.100-200
- [ ] Verify gateway shows 172.27.2.1
- [ ] Test ping to gateway: `ping 172.27.2.1`
2. **Connect a test device to VLAN_IOT**
- [ ] Assign a device to this VLAN
- [ ] Check if device gets IP in range 172.27.3.100-200
- [ ] Verify gateway shows 172.27.3.1
- [ ] Test ping to gateway: `ping 172.27.3.1`
### Test Inter-VLAN Isolation
1. **Test VLAN_AIWORKLOAD cannot reach LAN**
- [ ] From device on VLAN_AIWORKLOAD (172.27.2.x)
- [ ] Try ping to LAN device (172.27.0.x)
- [ ] Should timeout/fail ✗ (expected)
2. **Test VLAN_IOT cannot reach LAN**
- [ ] From device on VLAN_IOT (172.27.3.x)
- [ ] Try ping to LAN device (172.27.0.x)
- [ ] Should timeout/fail ✗ (expected)
3. **Test LAN cannot reach VLANs**
- [ ] From LAN device (172.27.0.x)
- [ ] Try ping to VLAN_AIWORKLOAD device (172.27.2.x)
- [ ] Should timeout/fail ✗ (expected)
### Test Internet Access
1. **Test VLAN_AIWORKLOAD → Internet**
- [ ] From device on VLAN_AIWORKLOAD
- [ ] Test DNS: `nslookup google.com`
- [ ] Test internet: `ping 8.8.8.8`
2. **Test VLAN_IOT → Internet**
- [ ] From device on VLAN_IOT
- [ ] Test DNS: `nslookup google.com`
- [ ] Test internet: `ping 8.8.8.8`
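Before plugging in test devices, the Phase 4 rule sets can be checked against the Phase 5 isolation matrix on paper. The script below is an added example (not part of this repo or of pfSense); it models pfSense's first-match evaluation on the ingress interface with a constructed copy of the Phase 4 rules, and assumes a stock install still has its "Default allow LAN to any" rule at the top of the LAN tab.

```python
from ipaddress import ip_address, ip_network

# Constructed model of the Phase 4 rule sets (added example, not pfSense code).
# pfSense evaluates rules on the interface where traffic ENTERS, first match
# wins, and anything unmatched is dropped by the implicit default deny.
LAN = ip_network("172.27.0.0/24")
AIW = ip_network("172.27.2.0/24")   # VLAN_AIWORKLOAD
IOT = ip_network("172.27.3.0/24")   # VLAN_IOT
ANY = ip_network("0.0.0.0/0")

RULES = {
    "LAN": [
        # Assumption: a stock install keeps "Default allow LAN to any" at the
        # top of the LAN tab, so rules appended with "+ Add" at the bottom sit below it.
        ("pass", LAN, ANY),
        ("block", LAN, AIW),
        ("block", LAN, IOT),
    ],
    "VLAN_AIWORKLOAD": [("block", AIW, LAN), ("pass", AIW, ANY)],
    "VLAN_IOT": [("block", IOT, LAN), ("block", IOT, AIW), ("pass", IOT, ANY)],
}

def evaluate(iface, src, dst, rules=RULES):
    """Return 'pass' or 'block' for an IPv4 packet from src to dst entering iface."""
    s, d = ip_address(src), ip_address(dst)
    for action, src_net, dst_net in rules[iface]:
        if s in src_net and d in dst_net:
            return action            # first match wins
    return "block"                   # default deny

def lan_blocks_first(rules=RULES):
    """Same rule set with the LAN block rules dragged above the default allow rule."""
    lan = rules["LAN"]
    fixed = dict(rules)
    fixed["LAN"] = [r for r in lan if r[0] == "block"] + [r for r in lan if r[0] != "block"]
    return fixed

def isolation_matrix(rules=RULES):
    """The Phase 5 checks (plus the VLAN client -> DNS 1 case) as a dict of verdicts."""
    return {
        "VLAN_AIWORKLOAD -> LAN host": evaluate("VLAN_AIWORKLOAD", "172.27.2.150", "172.27.0.50", rules),
        "VLAN_AIWORKLOAD -> DNS 1 (172.27.0.1)": evaluate("VLAN_AIWORKLOAD", "172.27.2.150", "172.27.0.1", rules),
        "VLAN_AIWORKLOAD -> 8.8.8.8": evaluate("VLAN_AIWORKLOAD", "172.27.2.150", "8.8.8.8", rules),
        "VLAN_IOT -> VLAN_AIWORKLOAD": evaluate("VLAN_IOT", "172.27.3.120", "172.27.2.150", rules),
        "LAN -> VLAN_AIWORKLOAD": evaluate("LAN", "172.27.0.50", "172.27.2.150", rules),
    }

if __name__ == "__main__":
    for label, rules in (("as created in Phase 4", RULES), ("block rules moved up", lan_blocks_first())):
        for check, verdict in isolation_matrix(rules).items():
            print(f"[{label}] {check}: {verdict}")
```

In the order Phase 4 creates them, the model passes LAN → VLAN traffic (the default allow matches first) and blocks VLAN clients' queries to DNS 1 at 172.27.0.1, because that address falls inside the blocked LAN subnet; only the ordering change fixes the first, and the second means name resolution on the VLANs relies on DNS 2 unless a pass rule for the firewall's own address sits above the block.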
## Phase 6: Backup & Documentation (5 minutes)
1. **Backup pfSense Configuration**
- [ ] Go: **Diagnostics → Backup & Restore**
- [ ] Click **Download configuration as XML**
- [ ] Save as: `pfsense-config-vlan-setup-2026-04-22.xml`
2. **Commit to Git**
```bash
cd /Users/kenjim/workspace/src/personal/appa-net
git add pfsense.home.arpa/
git commit -m "pfSense: Initial VLAN configuration (VLAN_AIWORKLOAD, VLAN_IOT)"
git push
```
- [ ] Commit completed
3. **Document Completion**
- [ ] Update this file with completion date
- [ ] Note any deviations from plan
- [ ] Record interface names if different from expected
## Troubleshooting
| Issue | Solution |
|-------|----------|
| Device not getting DHCP | Check DHCP is enabled for that VLAN in **Services → DHCP Server** |
| Can't ping gateway | Verify virtual interface is enabled (**Interfaces → Assignments**) |
| Can't reach internet | Check WAN allow rules in firewall |
| Still can reach between VLANs | Check firewall rule order (first match wins): a block rule placed below a broader pass rule, such as the default allow LAN to any rule, never matches; move the block rules above it |
| Switch not forwarding VLAN traffic | Verify trunk port on switch is tagged for all VLANs |
## Post-Implementation
Once everything is working:
1. **Assign your devices** to VLANs via DHCP static mappings
- See [VLAN-CONFIG.md](VLAN-CONFIG.md) for device list
2. **Monitor firewall logs** for unexpected traffic
- Go: **Status → System Logs → Firewall**
3. **Update your documentation** as you add more devices
4. **Schedule regular backups**
- Monthly: Export pfSense config to `backups/pfsense-config-YYYY-MM-DD.xml`
---
**Estimated Total Time**: 45 minutes
**Last Updated**: 2026-04-22