appa-net/pfsense.home.arpa/VLAN-QUICKSTART.md
Kenji Morishige 38f2aefecd Add pfSense backup utility and documentation
- Add backup-pfsense-config.sh script for automated config backups via SSH
- Auto-commits backups to git with timestamped filenames
- Includes validation, error handling, and troubleshooting guides
- Add scripts/README.md with detailed usage and crontab examples
- Add BACKUP-QUICKSTART.md for quick reference commands
- Update README.md to reference automated backup workflow
- Create backups/ directory structure

The script tests SSH connectivity successfully to pfSense.
2026-04-22 14:42:43 -05:00


VLAN Implementation Quickstart

Step-by-step checklist for configuring VLANs on pfSense. Use this guide to implement the three-network layout: the existing untagged LAN plus two tagged VLANs (VLAN_AIWORKLOAD and VLAN_IOT).

Pre-Implementation

Before you start, gather this information:

  • pfSense WebUI URL (usually https://192.168.1.1 or similar)
  • Admin credentials for pfSense
  • Your WAN/LAN interface names (check: Interfaces → Assignments)
  • Your current LAN addressing. This guide assumes LAN is 172.27.0.0/24 with pfSense at 172.27.0.1; substitute your own values throughout
  • Backup your current pfSense config (Diagnostics → Backup & Restore; download before making changes)
  • Physical switch info (if you have one) — check if it supports 802.1Q VLAN tagging; the switch port facing pfSense must be a trunk that carries tags 2 and 3

Phase 1: Create VLANs (5 minutes)

  1. Log into pfSense WebUI

    • Open https://[pfSense-IP]
    • Enter admin credentials
  2. Navigate to VLAN Creation

    • Go: Interfaces → VLANs
    • Click Display Advanced
  3. Create VLAN_AIWORKLOAD

    • Click + Add
    • Parent Interface: em0 (or your LAN NIC name)
    • VLAN Tag: 2
    • VLAN Priority: 0
    • Description: VLAN_AIWORKLOAD
    • Click Save
  4. Create VLAN_IOT

    • Click + Add
    • Parent Interface: em0
    • VLAN Tag: 3
    • VLAN Priority: 0
    • Description: VLAN_IOT
    • Click Save
  5. Apply Changes

    • Click Apply Changes button
    • This does not reboot pfSense; the tagged interfaces em0.2 and em0.3 exist as soon as the apply completes

Phase 2: Assign Virtual Interfaces (5 minutes)

  1. Navigate to Assignments

    • Go: Interfaces → Assignments
  2. Add the VLAN interfaces

    • VLAN interfaces are not assigned automatically: in the Available network ports dropdown pick em0.2 (VLAN 2), click + Add, then repeat for em0.3 (VLAN 3)
    • They appear as OPT1 and OPT2 (or the next free OPT numbers); note which tag ended up on which OPT name
  3. Click the OPT1 link (VLAN_AIWORKLOAD)

    • Description: VLAN_AIWORKLOAD
    • IPv4 Configuration Type: Static IPv4
    • IPv4 Address: 172.27.2.1
    • IPv4 Subnet Mask: 255.255.255.0
    • IPv6 Configuration Type: None
    • Enable Interface: ✓ Check this box
    • Scroll down and click Save
  4. Repeat for OPT2 (VLAN_IOT)

    • Description: VLAN_IOT
    • IPv4 Configuration Type: Static IPv4
    • IPv4 Address: 172.27.3.1
    • IPv4 Subnet Mask: 255.255.255.0
    • Enable Interface: ✓ Check this box
    • Scroll down and click Save
  5. Apply Changes

    • Click Apply Changes button

Phase 3: Configure DHCP (10 minutes)

  1. Navigate to DHCP Server

    • Go: Services → DHCP Server
  2. Configure VLAN_AIWORKLOAD DHCP

    • Click VLAN_AIWORKLOAD tab
    • Enable DHCP server on VLAN_AIWORKLOAD interface: ✓ Check
    • Range Start: 172.27.2.100
    • Range End: 172.27.2.200
    • Scroll down to Servers section
    • DNS 1: 172.27.2.1 (pfSense's own address on this VLAN). Do not use 172.27.0.1: it sits inside the LAN subnet that Phase 4 blocks from this VLAN, so name resolution would silently fail. Services → DNS Resolver must be listening on this interface (the default, All, is fine)
    • DNS 2: 8.8.8.8 (optional backup; clients may use it directly, bypassing any blocking or logging the pfSense resolver does)
    • Gateway: leave blank; pfSense hands out the interface address 172.27.2.1
    • Scroll down and click Save
  3. Configure VLAN_IOT DHCP

    • Click VLAN_IOT tab
    • Enable DHCP server on VLAN_IOT interface: ✓ Check
    • Range Start: 172.27.3.100
    • Range End: 172.27.3.200
    • Scroll down to Servers section
    • DNS 1: 172.27.3.1 (pfSense's own address on this VLAN; 172.27.0.1 is inside the LAN subnet blocked in Phase 4 and would not be reachable)
    • DNS 2: 8.8.8.8 (optional backup, same caveat as above)
    • Gateway: leave blank; pfSense hands out the interface address 172.27.3.1
    • Scroll down and click Save
  4. Verify LAN DHCP

    • Click LAN tab
    • Confirm Enable DHCP server on LAN interface is ✓ checked
    • Verify gateway is 172.27.0.1
    • Click Save
  5. Apply Changes

    • Click Apply Changes button

Phase 4: Configure Firewall Rules (15 minutes)

LAN → VLAN Rules

  1. Go to LAN rules

    • Firewall → Rules → LAN
  2. Add rule: Block LAN → VLAN_AIWORKLOAD

    • Click the + Add button with the up arrow (add to the top of the list). LAN ships with a Default allow LAN to any rule, and pfSense uses the first matching rule, so a block added at the bottom sits below that allow and never fires
    • Action: Block (Reject also works here and makes LAN clients fail fast instead of timing out)
    • Interface: LAN
    • Address Family: IPv4
    • Protocol: any
    • Source: LAN net (the LAN subnet, 172.27.0.0/24)
    • Destination: VLAN_AIWORKLOAD net (specify 172.27.2.0/24)
    • Description: Block LAN → VLAN_AIWORKLOAD
    • Click Save
  3. Add rule: Block LAN → VLAN_IOT

    • Click + Add with the up arrow again so this rule also lands above Default allow LAN to any
    • Action: Block
    • Interface: LAN
    • Source: 172.27.0.0/24
    • Destination: 172.27.3.0/24
    • Description: Block LAN → VLAN_IOT
    • Click Save

VLAN_AIWORKLOAD Rules

  1. Go to VLAN_AIWORKLOAD rules

    • Firewall → Rules → VLAN_AIWORKLOAD (or OPT1)
  2. Add rule: Block VLAN_AIWORKLOAD → LAN

    • Click + Add
    • Action: Block
    • Interface: VLAN_AIWORKLOAD
    • Source: VLAN_AIWORKLOAD subnet (specify 172.27.2.0/24)
    • Destination: LAN subnet (specify 172.27.0.0/24)
    • Description: Block VLAN_AIWORKLOAD → LAN
    • Click Save
  3. Add rule: Allow VLAN_AIWORKLOAD → WAN

    • Click + Add (at bottom, so it stays below the block rule)
    • Action: Pass
    • Interface: VLAN_AIWORKLOAD
    • Source: VLAN_AIWORKLOAD subnet (specify 172.27.2.0/24)
    • Destination: any
    • Protocol: any
    • Description: Allow VLAN_AIWORKLOAD → Internet
    • Click Save
    • Note: Destination any also matches VLAN_IOT (172.27.3.0/24) and pfSense's own address on this VLAN (172.27.2.1). If VLAN_AIWORKLOAD should not reach VLAN_IOT, add a Block rule to 172.27.3.0/24 above this one; to keep the webGUI and SSH off this VLAN, add a Block rule with Destination This Firewall (self) on TCP 22 and 443 above it as well

VLAN_IOT Rules

  1. Go to VLAN_IOT rules

    • Firewall → Rules → VLAN_IOT (or OPT2)
  2. Add rule: Block VLAN_IOT → LAN

    • Click + Add
    • Action: Block
    • Interface: VLAN_IOT
    • Source: VLAN_IOT subnet (specify 172.27.3.0/24)
    • Destination: LAN subnet (specify 172.27.0.0/24)
    • Description: Block VLAN_IOT → LAN
    • Click Save
  3. Add rule: Block VLAN_IOT → VLAN_AIWORKLOAD

    • Click + Add
    • Action: Block
    • Source: 172.27.3.0/24
    • Destination: 172.27.2.0/24
    • Description: Block VLAN_IOT → VLAN_AIWORKLOAD
    • Click Save
  4. Add rule: Allow VLAN_IOT → WAN

    • Click + Add (at bottom, below the two block rules)
    • Action: Pass
    • Source: VLAN_IOT subnet (specify 172.27.3.0/24)
    • Destination: any
    • Protocol: any
    • Description: Allow VLAN_IOT → Internet
    • Click Save
    • Note: this also lets IoT devices reach pfSense itself on 172.27.3.1. Add a Block rule with Destination This Firewall (self) on TCP 22 and 443 above it so an IoT device cannot reach the webGUI or SSH; leave UDP/TCP 53 reachable, since the DHCP settings point DNS at that address

Apply Firewall Changes

  • Click Apply Changes button (usually at top of rules)
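The two mistakes that most often defeat the rules above are a block rule that sits below a pass-any rule on the same interface (it never matches) and a DHCP DNS server that lies inside a subnet the same interface blocks. The following audit script, an added example that is not part of this page or the appa-net repository, checks both against a config XML exported via Diagnostics → Backup & Restore. It reads the element layout pfSense uses in config.xml (filter/rule with type, interface, source/destination holding network, address or any; dhcpd/<interface>/dnsserver); the interface names lan/opt1/opt2 and the embedded sample configuration are constructed for illustration.

```python
"""Audit firewall rule order and DHCP DNS placement in a pfSense config.xml.

Added example, not part of the original page or of pfSense. It flags:
  1. a block/reject rule listed after a pass-to-any rule on the same
     interface (pfSense stops at the first match, so the block never fires);
  2. a DHCP DNS server that sits inside a subnet the same interface blocks.
Interface names (lan/opt1/opt2), subnets and the sample XML are assumptions.
"""
import ipaddress
import sys
import xml.etree.ElementTree as ET

# Constructed sample: LAN still has the stock "Default allow LAN to any"
# rule ABOVE its block rule, and OPT1's DHCP hands out 172.27.0.1 as DNS
# while OPT1 blocks 172.27.0.0/24.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<pfsense>
  <interfaces>
    <lan><ipaddr>172.27.0.1</ipaddr><subnet>24</subnet></lan>
    <opt1><descr>VLAN_AIWORKLOAD</descr><ipaddr>172.27.2.1</ipaddr><subnet>24</subnet></opt1>
    <opt2><descr>VLAN_IOT</descr><ipaddr>172.27.3.1</ipaddr><subnet>24</subnet></opt2>
  </interfaces>
  <dhcpd>
    <opt1><enable></enable><dnsserver>172.27.0.1</dnsserver></opt1>
    <opt2><enable></enable><dnsserver>172.27.3.1</dnsserver></opt2>
  </dhcpd>
  <filter>
    <rule><type>pass</type><interface>lan</interface><source><network>lan</network></source>
      <destination><any></any></destination><descr>Default allow LAN to any rule</descr></rule>
    <rule><type>block</type><interface>lan</interface><source><network>lan</network></source>
      <destination><address>172.27.2.0/24</address></destination><descr>Block LAN to VLAN_AIWORKLOAD</descr></rule>
    <rule><type>block</type><interface>opt1</interface><source><network>opt1</network></source>
      <destination><address>172.27.0.0/24</address></destination><descr>Block VLAN_AIWORKLOAD to LAN</descr></rule>
    <rule><type>pass</type><interface>opt1</interface><source><network>opt1</network></source>
      <destination><any></any></destination><descr>Allow VLAN_AIWORKLOAD to Internet</descr></rule>
  </filter>
</pfsense>
"""


def _dest_network(rule, root):
    """Destination of a rule as an ip_network, or None for 'any' / unresolvable."""
    dest = rule.find("destination")
    if dest is None or dest.find("any") is not None:
        return None
    addr = dest.findtext("address")
    if addr:
        return ipaddress.ip_network(addr, strict=False)
    net = dest.findtext("network")  # "lan"/"opt1" means that interface's subnet
    if net:
        iface = root.find(f"interfaces/{net}")
        if iface is not None and iface.findtext("ipaddr"):
            cidr = f"{iface.findtext('ipaddr')}/{iface.findtext('subnet')}"
            return ipaddress.ip_network(cidr, strict=False)
    return None


def audit_rules(xml_text):
    """Return a list of findings; an empty list means no problem was detected."""
    root = ET.fromstring(xml_text)
    findings = []
    first_pass_any = {}  # interface -> description of the first pass-to-any rule
    blocked = {}         # interface -> networks that interface blocks
    for rule in root.iterfind("filter/rule"):
        iface = rule.findtext("interface")
        rtype = rule.findtext("type")
        descr = rule.findtext("descr") or "(no description)"
        dest = _dest_network(rule, root)
        if rtype == "pass" and dest is None:
            first_pass_any.setdefault(iface, descr)
        elif rtype in ("block", "reject") and dest is not None:
            blocked.setdefault(iface, []).append(dest)
            if iface in first_pass_any:
                findings.append(f"{iface}: '{descr}' is listed after pass-any rule "
                                f"'{first_pass_any[iface]}' and will never match")
    # DHCP DNS servers that fall inside a subnet the same interface blocks
    for iface, nets in blocked.items():
        for dns in root.iterfind(f"dhcpd/{iface}/dnsserver"):
            ip = ipaddress.ip_address(dns.text.strip())
            for net in nets:
                if ip in net:
                    findings.append(f"{iface}: DHCP DNS server {ip} lies in blocked "
                                    f"subnet {net}; clients on {iface} cannot resolve names")
    return findings


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    for line in audit_rules(text) or ["OK: no ordering or DNS problems found"]:
        print(line)
```

Run it as `python3 audit_rules.py pfsense-config-vlan-setup-2026-04-22.xml` after Phase 6; on the built-in sample it reports both mistakes. It only looks at rule order and destinations, not at schedules, gateways or floating rules, so treat a clean result as one check among the Phase 5 tests rather than a substitute for them.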

Phase 5: Testing (10 minutes)

Test DHCP

  1. Connect a test device to VLAN_AIWORKLOAD

    • Assign a device to this VLAN (via switch port or manually)
    • Check if device gets IP in range 172.27.2.100-200
    • Verify gateway shows 172.27.2.1
    • Test ping to gateway: ping 172.27.2.1
  2. Connect a test device to VLAN_IOT

    • Assign a device to this VLAN
    • Check if device gets IP in range 172.27.3.100-200
    • Verify gateway shows 172.27.3.1
    • Test ping to gateway: ping 172.27.3.1

Test Inter-VLAN Isolation

Where possible ping the pfSense address on the far side rather than an arbitrary host: a host firewall that drops ICMP also makes a ping fail, which would hide a missing rule.

  1. Test VLAN_AIWORKLOAD cannot reach LAN

    • From device on VLAN_AIWORKLOAD (172.27.2.x)
    • Try ping to the LAN gateway (172.27.0.1) and a LAN device (172.27.0.x)
    • Should timeout/fail ✗ (expected)
  2. Test VLAN_IOT cannot reach LAN

    • From device on VLAN_IOT (172.27.3.x)
    • Try ping to the LAN gateway (172.27.0.1) and a LAN device (172.27.0.x)
    • Should timeout/fail ✗ (expected)
  3. Test LAN cannot reach VLANs

    • From LAN device (172.27.0.x)
    • Try ping to VLAN_AIWORKLOAD gateway (172.27.2.1) and VLAN_IOT gateway (172.27.3.1)
    • Should timeout/fail ✗ (expected). If it succeeds, the block rules are below Default allow LAN to any
  4. Test VLAN_IOT cannot reach VLAN_AIWORKLOAD

    • From device on VLAN_IOT (172.27.3.x)
    • Try ping to VLAN_AIWORKLOAD gateway (172.27.2.1)
    • Should timeout/fail ✗ (expected)

Test Internet Access

  1. Test VLAN_AIWORKLOAD → Internet

    • From device on VLAN_AIWORKLOAD
    • Test DNS: nslookup google.com
    • Test internet: ping 8.8.8.8
  2. Test VLAN_IOT → Internet

    • From device on VLAN_IOT
    • Test DNS: nslookup google.com
    • Test internet: ping 8.8.8.8
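The checks in this phase are a small reachability matrix with an expected result per row, so they can be run and graded in one go from the test device. The script below is an added example, not part of this page or the appa-net repository. It is written for a host on VLAN_AIWORKLOAD and also probes TCP port 53, so it catches DNS that was pointed into the blocked LAN subnet; the LAN host address 172.27.0.50 is an assumption, and the ping flags are Linux-style (macOS ping takes -W in milliseconds).

```python
"""Run the Phase 5 reachability checks as a matrix and grade each row.

Added example; not part of the original page or of pfSense. Run it from a
test host that holds a DHCP lease on VLAN_AIWORKLOAD. Each row states what
the Phase 4 rules should produce for that target; a mismatch is a FAIL.
The LAN host 172.27.0.50 and the Linux-style ping flags are assumptions.
"""
import socket
import subprocess

# Constructed expectation matrix: (target, tcp_port or None for ICMP, expectation)
MATRIX_FROM_AIWORKLOAD = [
    ("172.27.2.1", None, "allowed"),    # own gateway, ICMP
    ("172.27.2.1", 53, "allowed"),      # DNS resolver on the VLAN address (TCP 53)
    ("172.27.0.1", None, "blocked"),    # pfSense LAN address is inside the blocked LAN subnet
    ("172.27.0.1", 53, "blocked"),      # so DNS pointed there would fail too
    ("172.27.0.50", None, "blocked"),   # assumed LAN host
    ("8.8.8.8", None, "allowed"),       # internet
]


def icmp_probe(host, timeout_s=2):
    """True if a single echo request gets a reply."""
    rc = subprocess.run(["ping", "-c", "1", "-W", str(timeout_s), host],
                        stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL).returncode
    return rc == 0


def tcp_probe(host, port, timeout_s=2):
    """True if a TCP handshake to host:port completes (a block rule drops the SYN)."""
    try:
        with socket.create_connection((host, port), timeout=timeout_s):
            return True
    except OSError:
        return False


def probe(host, port):
    """Dispatch on the row: TCP when a port is given, otherwise ICMP."""
    return tcp_probe(host, port) if port else icmp_probe(host)


def grade(reachable, expectation):
    """PASS when the observed result matches what the rules should produce."""
    if expectation not in ("allowed", "blocked"):
        raise ValueError(f"bad expectation {expectation!r}")
    return "PASS" if reachable == (expectation == "allowed") else "FAIL"


def run_matrix(matrix, probe_fn=probe):
    """Return [(target, port, expectation, grade)]. probe_fn is injectable so the
    grading logic can be exercised without a live network."""
    return [(host, port, exp, grade(probe_fn(host, port), exp)) for host, port, exp in matrix]


if __name__ == "__main__":
    for host, port, exp, result in run_matrix(MATRIX_FROM_AIWORKLOAD):
        label = host if port is None else f"{host}:{port}"
        print(f"{result}  {label:<18} expected {exp}")
```

Copy the matrix and swap the addresses to run the same checks from a VLAN_IOT host (add a row for 172.27.2.1 expected blocked). A FAIL on a "blocked" row is the one to act on first: it means a rule is missing or ordered below a pass rule, and existing states may also need a reset before a newly added block takes effect.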

Phase 6: Backup & Documentation (5 minutes)

  1. Backup pfSense Configuration

    • Go: Diagnostics → Backup & Restore
    • The XML contains the admin password hash, certificates with their private keys, and any VPN pre-shared keys. Check Encryption and set a passphrase unless the repository is private and you accept storing those secrets in it
    • Click Download configuration as XML
    • Save as: pfsense-config-vlan-setup-2026-04-22.xml
  2. Commit to Git

    cd /Users/kenjim/workspace/src/personal/appa-net
    git add pfsense.home.arpa/
    git commit -m "pfSense: Initial VLAN configuration (VLAN_AIWORKLOAD, VLAN_IOT)"
    git push
    
    • Commit completed
  3. Document Completion

    • Update this file with completion date
    • Note any deviations from plan
    • Record interface names if different from expected

Troubleshooting

| Issue | Solution |
|---|---|
| Device not getting DHCP | Check DHCP is enabled for that VLAN in Services → DHCP Server, and that the switch port is an untagged member of the intended VLAN |
| Can't ping gateway | Verify the virtual interface is enabled (Interfaces → Assignments) and that the interface has at least one pass rule: a new OPT interface blocks everything until a rule is added |
| Can't reach internet | Check the pass rule on the VLAN interface (WAN rules govern inbound traffic, not this) and that Firewall → NAT → Outbound is in Automatic mode or has a mapping for the new subnet |
| DNS fails but ping 8.8.8.8 works | The DHCP DNS server points into a subnet the VLAN blocks (e.g. 172.27.0.1). Use the VLAN's own gateway address and confirm Services → DNS Resolver listens on that interface |
| Still can reach between VLANs | Check firewall rules order (first match wins): a block below Default allow LAN to any never fires. A new block rule also does not cut existing connections; reset them under Diagnostics → States → Reset States or wait for them to expire |
| Switch not forwarding VLAN traffic | Verify the trunk port to pfSense is tagged for VLANs 2 and 3 and that access ports are untagged members of the intended VLAN |

Post-Implementation

Once everything is working:

  1. Assign your devices to VLANs via DHCP static mappings

  2. Monitor firewall logs for unexpected traffic

    • Go: Status → System Logs → Firewall
  3. Update your documentation as you add more devices

  4. Schedule regular backups

    • Monthly: Export pfSense config to backups/pfsense-config-YYYY-MM-DD.xml, or schedule scripts/backup-pfsense-config.sh from cron (see scripts/README.md) and apply the same encryption or private-repository rule as in Phase 6

Estimated Total Time: 45 minutes
Last Updated: 2026-04-22