VLAN Help

I have a pfsense router with 1 gigabit NIC (for the LAN) and one 100 Mbps NIC for the WAN. I want to use VLANs on my LAN, using both VLAN tagging AND mapping to ports on a switch. I have a Linksys LGS308 8 port gigabit smart switch. While trying to map a VLAN to a port on the switch, it makes me "create" the VLAN in the switch. This made me wonder, if I create a VLAN in pfsense, does that mean ONLY pfsense can manage it, and the switch can't do anything with it? Or does the switch manage all the VLANs? I'm confused as to what does what here; all I need to do is know how to map certain VLANs to certain ports, and allow tagged traffic to pass through the non-mapped ports.

Please help, I can explain in greater detail if I need to.

Thanks

The number you choose for the vlan will be recognised by other devices which also support vlans. So for example you would create vlan 1 and 2 on the switch and also on pfsense, then the port which connects to pfsense needs to be set up to accept both vlan 1 and 2 traffic, then other ports can be set to whatever. So now the vlan 1 interface on pfsense should only be able to talk to the vlan 1 ports on the switch, and the same for vlan 2. The two vlans will not be able to communicate with each other unless you create allow rules for it in pfsense's firewall.

I haven't tried this myself with just a single NIC with multiple vlans but I'm pretty sure that's how it works.

Ok thank you I got this part straightened out. I managed to create VLAN 3, set it up with DHCP and a gateway interface on PFsense, and set port 5 on the switch to be on VLAN 3, but not carry the traffic with tags (so the connected devices have no idea they're on a VLAN, they see it as a normal physical LAN). What I am trying to figure out now is how to eliminate communication between 2 VLANs. For example:

Secure servers with sensitive data are on VLAN 3

Office WiFi is on VLAN 6

Obviously VLAN 6 shouldn't be able to just send packets to VLAN 3 like any other IP on VLAN 3, so how do I block communication between them? (just so you know, the example above was PURELY for example, I'm not doing this for a business, I'm not anywhere near experienced enough to do that)

Do you know how to do this? And also, I don't want to do this necessarily to EVERY SINGLE VLAN on the network, I need to be able to explicitly say "VLAN 3, your network doesn't need to accept communications from any subnet except your own, but VLAN 2 and 5, you guys can talk just fine" or something along those lines. Any ideas?

Thank you again for all your help, you've really taught me a lot about networking

By default vlans cannot communicate; for all intents and purposes they are physically separate networks. In order for devices on one vlan to talk to devices on another vlan you need to use a router. So in pfsense, assuming you have an interface set up for each vlan, you want to create firewall rules to do what you want.

So in pfsense you probably have an allow any any rule on each interface except wan, right? This will allow all vlans to talk to each other as well as the internet. So to block communication between vlans, create a reject rule (you can use block but reject is better on your internal network). On pfsense the rules work for traffic entering the interface, so the source address has to be something on that interface's subnet and the destination address has to be something on another subnet or the interface's address. So to block vlan2 from talking to vlan3 you'd create a rule on the vlan2 interface set to: reject, protocol any, source any, destination vlan3 subnet (whatever it is, so for example 10.1.3.0/24). (If you're using ipv6 then you'll need to make a rule for both ipv4 and ipv6; setting it to both only works when you specify a protocol.)

Now vlan2 won't be able to access vlan3, but vlan3 will be able to access vlan2. If you want to block vlan3 from accessing vlan2 you need to set a rule for that on the vlan3 interface.

The firewall rules work on a first match basis, so rules at the top are used first, so having your block rule above your allow any rule means that traffic will be blocked to the specified network but allowed to other networks. You could add an allow rule on top of the reject rule to allow specific traffic between the vlans, like allowing TCP port 80 to a webserver. This will allow traffic on that port to the specified address but block all other traffic.

I'll show you my rules as an example. You'll notice that I use aliases for everything; this is to make it easier for me to understand as well as allowing me to group things together so I don't need to use as many rules. I can also edit an alias and it will change all the rules which use that alias, so it's a pretty good way to simplify a complex setup. You'll also see that I don't use any allow any any rules; by default the firewall will block all traffic, so my rules allow specific traffic. Using allow any any rules is fine in a home network and is much easier to work with, I have mine set up like this so I can keep track of what traffic is leaving my network.


Floating Rule

The floating rules are useful if you want to make a rule which applies to multiple interfaces, like my rule to allow web traffic. You can also use floating rules to match traffic, so they don't affect whether traffic is blocked or allowed but they can be used to change some other aspect of the traffic, like putting it into a queue for the traffic shaper or applying a bandwidth limit. At the bottom I have a couple of reject any any rules; this is to reject traffic as the default action rather than block. Rejecting is better on your internal network because it sends a message back telling the host that the traffic is rejected; when it's blocked the host will continue resending the message until it gives up, which can slow things down. On your WAN interface you want to use block though, because it stops someone who is probing your IP from being able to gather any information about you; it will just look like nothing is there.


WAN rules


These are all default rules for the port forwards.


LAN rules

The gist of the LAN rules is to allow the LAN network to access pretty much everything on the local network while limiting the internet traffic to only allowed ports.


Public rules

The public rules allow people on the public network to access the internet but not access my local network. The exceptions are that they can access my local mail server and Plex media server, and hosts which I put in the trusted group can access the LAN network. This way someone can access files on my NAS without me having to tell them my wifi password.


DMZ rules

The DMZ network is used for any web facing hosts, like my mail and web server. The idea is that if someone hacks one of these servers there is another firewall layer between them and my trusted network. The rules here allow very specific access between the DMZ computers and the local networks.

VPN rules

The VPN rules are pretty basic, they just allow a VPN client to access the local network the same as the LAN network.


That was a REALLY useful post. THANK YOU SO MUCH, I ACTUALLY UNDERSTAND THIS NOW.

I managed to isolate the VLANs like I wanted, but now (sigh) I have ANOTHER problem (you're probably going to want to slap me for this). I created a set of rules on my "HAMPTON" interface:

Allow, source HAMPTON net, destination HAMPTON net, protocol any, ipv4

Allow, source HAMPTON net, destination HAMPTON net, protocol any, ipv6


This works great, it blocks communications from anything EXCEPT that subnet, which is EXACTLY what I need... except for one thing... I need to be able to access the internet. You may remember I'm the same person who was asking whether you could put PFsense behind an existing gateway, and since asking I've done that and it works great. But the consequence is that instead of having direct access to the internet on my WAN interface, I have to go through my dad's upstream router first. So, back to the VLAN situation. Normally, if I wanted to allow the HAMPTON net to access the internet, I would create a rule like this:

Allow, source: HAMPTON net, destination: WAN net, protocol any, ipv4

But because my WAN interface just goes to my dad's network, and through a gateway from there, that only allows access to my dad's local network. So with that rule, I can ping 192.168.1.1 (his gateway) but I can't ping google.com because it's not in what pfsense sees as the "WAN net". Is there any way around this, or am I essentially stuck?

Again thank you SO MUCH for being so helpful and patient with me and my slow learning speed, I would still be stuck trying to get VLAN tagging set up at all if it wasn't for your help.

So you have a rule that allows traffic from Hampton to Hampton? That rule should be unnecessary, as traffic between devices on the same network won't go through the router. The only exception is the pfsense interface. You will need to at least allow the management ports (80 and 443) for the web interface; if you don't do this on the network you will use to access pfsense then you will lock yourself out. So make sure you make an allow rule on the network which you will use to access pfsense that allows access to the interface address on TCP ports 80, 443 and 22 (for SSH). You will also want to allow DNS traffic to pfsense as well on all interfaces. This is UDP and TCP port 53 (I think). You can also just make a rule that allows all TCP and UDP ports to the pfsense address if you want. Without this rule at the top you will lock yourself out of the router and you will have to reset it to get it working again.

Once you have that rule set up you can delete the Hampton to Hampton rule, as it doesn't do anything. If you had, for example, Hampton1 and Hampton2, you could create an allow Hampton1 to Hampton2 rule on the Hampton1 interface to allow traffic.

Okay, now for your internet. Making a rule that allows traffic to the wan network won't work the way you expect. What that rule will do is allow traffic to devices on the same subnet as your wan interface, so in your case this is your dad's network, but if you were connected to a modem it would only connect you to devices on whatever the upstream network is. In other words the internet is not on your WAN's subnet.

So to allow access to the internet you can do one of two things: either create an allow to any rule and then on top of that create rules to block traffic to your other networks, or create an alias with all of your local networks, in my case this is 10.1.1.0/24, 10.1.2.0/24, 10.1.3.0/24 etc. Then create an allow rule with the destination set to that alias and check the 'not' box, so this rule will allow traffic to any address that is not on your local networks.

You can set the protocol to any and allow all traffic to the internet (this is the easiest option), or if you want to lock your network down you can specify ports. So for basic internet access you will need to allow TCP ports for http, https, ftp, mail, and whatever else you use. But then if you try to connect to a game server it won't work. So it can be a pain to specify like this and it's not really necessary in a home network which you trust.


So in summary:

Make sure you have a rule that gives you access to your router on at least your LAN interface (needs to either allow any protocol or TCP 80, 443 and 22).

Make sure you allow TCP and UDP 53 (DNS) to your interface address on all interfaces (except wan) or devices won't be able to access the DNS server.

You only need rules for traffic leaving a network; same network traffic doesn't pass through the router.

To get on the internet you need to allow at least web ports to any address or to not your local network. The best thing to do if you don't need to lock your network down is to allow any protocol to not your local networks.


Glad I can help.

Once you get your head around the logic it all makes sense, but it can be a bit of a struggle. Just remember that everything is from the perspective of the pfsense box. So firewall rules only apply to traffic entering an interface, not leaving it. This means that the source address is always something on that interface's network. So for your wan interface the source address will be something on the internet and for LAN the source address will be something on your lan network. The destination address is either pfsense or something on another interface. So for your lan network the destination address can either be pfsense's address or something on the internet.

This means that if you have no rules on your wan interface and an allow any any rule on your lan interface then no traffic can enter your network but all traffic can leave. Or more accurately, connections can only be established by something on your lan, and something on the internet cannot establish a connection with you. So creating a rule only works in one direction; it only affects traffic entering an interface.


You'll see on my rules that I have a floating TCP rule that allows traffic to not local net (! local net) on allowed ports; this rule is set for all interfaces (except wan) and the direction is set to in. This rule is what allows internet access on my network. But you could also make a similar rule on each interface, or just put an allow any any rule at the bottom and then put a rule to block traffic to other subnets above it.

Another tip is that the default block rule will generate entries in the firewall log; if you make any other block or reject rules then check the box about logging the rule. That way if you're having problems you can check the firewall logs and see exactly what is getting blocked, then you can make a rule to allow it. Once you get everything working you can disable logging if you don't want it enabled, but it makes it easier to see what's going wrong.
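To make the first-match, ingress-only rule logic from the replies above concrete (reject above allow, allow to "not local networks" via an alias, and why a rule on one interface does not block the reverse direction), here is a small Python model. It is an added example, not code from the thread or from pfSense; the subnets, the alias name and the rule lists are constructed to mirror the 10.1.x.0/24 layout mentioned in the replies.

```python
"""Toy model of pfSense-style per-interface rule evaluation (added example).

Rules are evaluated top to bottom for traffic ENTERING an interface; the
first match decides and, with no match, the implicit default is block.
"""
import ipaddress

# Constructed sample subnets, one per interface (not the thread's real config).
NETS = {
    "LAN": ipaddress.ip_network("10.1.1.0/24"),
    "VLAN2": ipaddress.ip_network("10.1.2.0/24"),
    "VLAN3": ipaddress.ip_network("10.1.3.0/24"),
}
# Alias grouping every local network, used with the 'not' box for internet access.
ALIASES = {"local_nets": list(NETS.values())}
ANY = "any"

def matches_dst(rule, dst):
    """Destination may be 'any', an alias name, or an interface subnet name."""
    target = rule["dst"]
    if target == ANY:
        hit = True
    elif target in ALIASES:
        hit = any(dst in net for net in ALIASES[target])
    else:
        hit = dst in NETS[target]
    return hit != rule.get("dst_not", False)   # 'not' inverts the match

def matches(rule, proto, dst, dport):
    if rule["proto"] not in (ANY, proto):
        return False
    if rule.get("dport") not in (None, dport):  # no dport on the rule = any port
        return False
    return matches_dst(rule, dst)

def evaluate(iface_rules, proto, dst, dport=None):
    """Return the action of the first matching rule, or the default 'block'."""
    dst = ipaddress.ip_address(dst)
    for rule in iface_rules:
        if matches(rule, proto, dst, dport):
            return rule["action"]
    return "block"

# Rules on the VLAN2 interface: allow web to VLAN3, reject everything else
# to VLAN3, then allow anything whose destination is NOT a local network.
VLAN2_RULES = [
    {"action": "pass", "proto": "tcp", "dst": "VLAN3", "dport": 80},
    {"action": "reject", "proto": ANY, "dst": "VLAN3"},
    {"action": "pass", "proto": ANY, "dst": "local_nets", "dst_not": True},
]
# VLAN3 keeps a plain allow any any rule, so VLAN3 -> VLAN2 is still open.
VLAN3_RULES = [{"action": "pass", "proto": ANY, "dst": ANY}]
```

Reversing VLAN2_RULES puts the reject above the port-80 allow, which is the ordering mistake the reply warns about: the web allow then never fires.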

Thank you so much! Your idea about the alias for all of my local networks worked! I thought I was going to have to make a separate rule to block each individual network, I forgot all about aliases! Thank you!

No worries, let me know if you want any more help.