pfSense VLANs

The interface assignment tab in the pfSense web GUI.

A Virtual LAN (VLAN) is a single layer-2 (data link layer) network that is partitioned to create multiple broadcast domains, which are mutually isolated so that packets can only pass between them via one or more routers. Sharing VLANs across simple devices such as hubs requires dedicated cabling for each VLAN. More sophisticated devices such as switches or routers can mark packets through tagging, so that a single interconnect (trunk) may be used to transport data for various VLANs. Tagging is what pfSense VLANs are built on: each VLAN tag defines a separate virtual network, and the pfSense firewall attaches to a VLAN by defining that tag on one of its interfaces. pfSense VLANs can therefore be configured in software instead of by physically relocating devices or switches.

VLANs can also be used to create multiple layer 3 (network layer) networks on the same layer 2 switch. For example, if a DHCP server is plugged into a switch, it will serve any host on that switch that is configured to get its IP from a DHCP server. By using VLANs, you can easily split the network up so some hosts will not use the DHCP server and will obtain a link-local address (an IP address that is intended only for communications within the segment of a local network or a point-to-point connection that a host is connected to) or obtain an address from a different DHCP server. Another early use of VLANs was to solve a problem in which centrally located switches became bottlenecks. The solution was to set up several virtual networks within the same physical network, each with its own spanning tree: a red spanning tree, a green spanning tree, and a blue spanning tree. By sending a mix of different packet colors, aggregate bandwidth could be improved.

pfSense VLANs: Configuration

VLAN settings page in pfSense.

To set up a VLAN in pfSense, start by navigating to Interfaces -> (assign). There are several tabs on this page; click on the “VLANs” tab, and then click on the “plus” button to add a new virtual LAN. At “Parent Interface”, select a parent interface. The interface assignment page shows the interface names, and we can use this as a reference. In this case, we want to use OPT1 for the virtual LAN, and it is assigned to interface vr0, so we will select that.

The next option is “VLAN tag”. Select any integer from 1 to 4094. At “Description”, enter a description, such as “OPT1 virtual LAN”. Next, click on the “Save” button to save the changes.

Now every packet destined for, or originating from, the VLAN will be marked with the VLAN tag, which is how pfSense distinguishes that traffic from everything else on the parent interface.
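To make concrete what that "mark" is on the wire, here is an added example (not code from pfSense or from the original post) that builds and decodes the 4-byte 802.1Q tag a VLAN interface inserts between the source MAC and the EtherType, enforcing the same 1 to 4094 VLAN ID range the form accepts. The function names and the sample frame are assumptions constructed for the example.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q VLAN tag follows


def is_valid_vid(vid: int) -> bool:
    """VID 0 means 'priority tag only' and 4095 is reserved, so 1..4094 is usable."""
    return 1 <= vid <= 4094


def tag_frame(frame: bytes, vid: int, pcp: int = 0, dei: int = 0) -> bytes:
    """Insert an 802.1Q tag into an untagged Ethernet frame.

    The tag (TPID + TCI) goes between the source MAC and the original
    EtherType, which is what a VLAN interface does to frames it sends
    out on its parent (vr0 in the walkthrough above).
    """
    if not is_valid_vid(vid):
        raise ValueError("VLAN ID must be 1..4094")
    tci = ((pcp & 0x7) << 13) | ((dei & 0x1) << 12) | vid
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def parse_frame(frame: bytes) -> dict:
    """Decode the VLAN tag, if any, from an Ethernet frame."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    info = {"dst": frame[:6].hex(":"), "src": frame[6:12].hex(":"),
            "vid": None, "pcp": None, "dei": None}
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != TPID_8021Q:
        # Untagged frame: it belongs to the parent interface's native network.
        info.update(ethertype=ethertype, payload=frame[14:])
        return info
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, inner_type = struct.unpack("!HH", frame[14:18])
    vid = tci & 0x0FFF
    if not is_valid_vid(vid):
        raise ValueError(f"VID {vid} is not a usable VLAN ID")
    info.update(vid=vid, pcp=tci >> 13, dei=(tci >> 12) & 1,
                ethertype=inner_type, payload=frame[18:])
    return info


# Constructed sample: an untagged IPv4 frame (EtherType 0x0800) with dummy MACs
# and a zero-filled stub payload; it is not captured from a real network.
UNTAGGED = (bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
            + struct.pack("!H", 0x0800) + b"\x45\x00" + b"\x00" * 18)
TAGGED = tag_frame(UNTAGGED, vid=10, pcp=3)
```

Running `parse_frame` on the two constructed frames shows the untagged one reporting no VID while the tagged one carries VID 10 with the original EtherType preserved after the tag.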

