In this article I will go over how to configure routing between multiple VLANs using our pfSense router and a switch that supports 802.1Q. On the pfSense router we will configure the LAN port with multiple sub-interfaces and assign each one to a VLAN. The uplink port on the switch side that connects to the pfSense router will be set to tag all traffic using the 802.1Q protocol. This configuration is known as a router on a stick, and the diagram below gives you an idea of what we will accomplish. In the diagram, we have five VLANs, each with its own subnet. Our pfSense box will have an IP address in each VLAN (192.168.1.1, 10.1.1.1, etc.), which will function as the default gateway for the clients assigned to that VLAN.

[Diagram 001: router-on-a-stick topology]
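To make the tagging concrete, here is an added Python example (not from the article) that parses and builds single-tagged 802.1Q frames: the switch's tag-all uplink and the pfSense VLAN sub-interfaces exchange exactly these four extra bytes, the TPID 0x8100 followed by a 16-bit TCI that carries the 3-bit priority and the 12-bit VLAN ID. The sample frame is constructed, and the function and field names are my own.

```python
import struct
from dataclasses import dataclass
from typing import Optional

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag follows


@dataclass
class Frame:
    dst: bytes
    src: bytes
    vlan_id: Optional[int]  # None for an untagged or priority-only (VID 0) frame
    pcp: int                # 802.1p priority bits, 0 when untagged
    ethertype: int          # EtherType of the payload, e.g. 0x0806 for ARP
    payload: bytes


def is_tagged(raw: bytes) -> bool:
    """True when the first EtherType field is the 802.1Q TPID."""
    return len(raw) >= 14 and raw[12:14] == b"\x81\x00"


def parse_frame(raw: bytes) -> Frame:
    """Parse an Ethernet II frame, recognising a single 802.1Q tag."""
    if len(raw) < 14:
        raise ValueError("shorter than an Ethernet header")
    dst, src = raw[0:6], raw[6:12]
    (ethertype,) = struct.unpack("!H", raw[12:14])
    if ethertype != TPID_8021Q:
        return Frame(dst, src, None, 0, ethertype, raw[14:])
    if len(raw) < 18:
        raise ValueError("tagged frame truncated inside the 802.1Q header")
    tci, inner_type = struct.unpack("!HH", raw[14:18])
    pcp, vid = tci >> 13, tci & 0x0FFF
    if vid == 4095:
        raise ValueError("VID 4095 is reserved")
    # VID 0 means "priority tag only": the frame belongs to no VLAN.
    return Frame(dst, src, vid if vid != 0 else None, pcp, inner_type, raw[18:])


def tag_frame(raw: bytes, vlan_id: int, pcp: int = 0) -> bytes:
    """Insert an 802.1Q tag, as the switch does on a tag-all uplink."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN id must be 1-4094")
    if not 0 <= pcp <= 7:
        raise ValueError("priority must be 0-7")
    if is_tagged(raw):
        raise ValueError("frame already carries an 802.1Q tag")
    f = parse_frame(raw)
    tci = (pcp << 13) | vlan_id
    return f.dst + f.src + struct.pack("!HHH", TPID_8021Q, tci, f.ethertype) + f.payload


def untag_frame(raw: bytes) -> bytes:
    """Strip the 802.1Q tag, as pfSense does before handing the frame to the sub-interface."""
    if not is_tagged(raw):
        raise ValueError("frame is not tagged")
    f = parse_frame(raw)
    return f.dst + f.src + struct.pack("!H", f.ethertype) + f.payload


# Constructed sample: a broadcast ARP-like frame with a 28-byte zero payload.
SAMPLE_UNTAGGED = (
    bytes.fromhex("ffffffffffff") + bytes.fromhex("001122334455") + b"\x08\x06" + b"\x00" * 28
)

if __name__ == "__main__":
    tagged = tag_frame(SAMPLE_UNTAGGED, 20, pcp=3)
    print(parse_frame(tagged))
    print(untag_frame(tagged) == SAMPLE_UNTAGGED)
```

The parser refuses VID 4095 and treats VID 0 as "no VLAN", which is why a client port whose NIC driver does not understand tags (the situation the note under the VLAN screenshots describes) sees the EtherType 0x8100 rather than the real payload type.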

The switch configuration will vary from manufacturer to manufacturer which means that what applies to my switch might not necessarily apply to yours. I will cover Cisco, Dell, and Avaya switch configuration commands for configuring trunks, VLANs, and access ports since I am familiar with all three.

pfSense Configuration:

Before we start, we are going to configure our WAN interface firewall rules to allow us to connect to the pfSense web GUI from the WAN. We do this because, while configuring the LAN port to trunk multiple VLANs, we will lose our connection to pfSense if we are accessing it via the LAN. For this reason, it is better to connect a laptop directly to the WAN port while configuring the router's LAN port so that we do not lock ourselves out. By default, pfSense blocks connections arriving on the WAN destined to port 443, so we must allow them by creating a firewall rule. You can create a firewall rule by heading over to Firewall > Rules > WAN.

[Screenshot 002]

Here you want to add a new rule at the bottom. The settings for this new rule are shown below.

[Screenshot 003]

You must also modify the WAN interface and give it a static IP address, since it is most likely configured to obtain one via DHCP. If it is not configured for DHCP then you should be fine; otherwise modify it by going over to Interfaces > WAN.

[Screenshot 004]

You should now be able to plug your laptop or desktop directly into the WAN interface on your pfSense router and reach the web GUI at https://IPADDRESS, where IPADDRESS is the IPv4 address you chose above. Note: you should assign your laptop or desktop a static IP address in the same subnet as the WAN IP address. If you chose 192.168.8.1/24 as your WAN IP address, then 192.168.8.2 through 192.168.8.254 are all valid IP addresses that you can assign to the network adapter on your laptop or desktop.

Once you have gained access to your pfSense box by plugging into the WAN port, the next step is to head over to Interfaces > VLANs. You should currently have two interfaces configured, your LAN and WAN interfaces, and each one should be mapped to a physical port on your pfSense box.

[Screenshot 005]

In the VLANs tab you want to add a new VLAN and assign it to the interface that your managed switch will be plugging into. Each VLAN that you create must get a tag between 1 and 4094, which must match the VLAN number configured on the switch port that plugs into this interface. Below is an example of a VLAN creation.

[Screenshot 006]

Note: If for some reason the parent interface list does not show all your network adapters, then the missing adapters do not support 802.1Q tagging and therefore cannot be used to tag traffic.

Hit save when done, and add further VLANs should you need more.

[Screenshot 007]

We must now head back to the Interface Assignments tab and add an interface for each VLAN that we created.

[Screenshot 008]

When you are done, click on each of the new interfaces, which will have a name starting with OPT followed by a number, and enable it.

[Screenshot 009]

After enabling the VLAN interfaces, you should have more settings available. Below is one of my VLANs, configured with a static IPv4 address. The IP address that I assigned to this VLAN interface will be the default gateway for the clients assigned to this VLAN.

[Screenshot 010]

Note: You should restart your pfSense box once you are done configuring all your settings for each VLAN. I noticed that my settings did not take effect until I restarted my box.

Now that all my VLANs are set up and each one has been assigned an IP address, the next thing I did was configure DHCP for each of those VLANs. DHCP allows my clients to obtain an IP address automatically when they connect to any of those VLANs. Configuring DHCP is simple: once you enable the DHCP server on a VLAN interface, all you have to do is assign the range of IP addresses that clients on that VLAN will receive.

[Screenshot 011]

Note: There are many more DHCP options that you can set should you decide to use them, but I will not cover them here.
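Before committing the VLAN tags, interface addresses and DHCP pools from the steps above, it helps to sanity-check them together. The following is an added Python example, not part of the article or of pfSense, that checks a plan for tags outside 1-4094, duplicate tags, overlapping subnets, a gateway sitting on a network or broadcast address, and a DHCP pool that falls outside its subnet or hands out the gateway's own address. The VlanPlan type, the tags and the 10.1.2.x to 10.1.4.x subnets (everything beyond the two gateway addresses the article names) are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class VlanPlan:
    tag: int          # 802.1Q tag entered under Interfaces > VLANs
    name: str
    gateway: str      # static IPv4 given to the VLAN interface, CIDR form
    dhcp_start: str   # first address of the DHCP pool on that interface
    dhcp_end: str     # last address of the pool


def check_plan(plans: List[VlanPlan]) -> List[str]:
    """Return a list of problems; an empty list means the plan is consistent."""
    problems: List[str] = []
    tag_owner: Dict[int, str] = {}
    seen_nets: List[Tuple[str, ipaddress.IPv4Network]] = []
    for p in plans:
        if not 1 <= p.tag <= 4094:
            problems.append(f"{p.name}: tag {p.tag} is outside 1-4094")
        elif p.tag in tag_owner:
            problems.append(f"{p.name}: tag {p.tag} is already used by {tag_owner[p.tag]}")
        tag_owner.setdefault(p.tag, p.name)

        try:
            gw = ipaddress.ip_interface(p.gateway)
            start = ipaddress.ip_address(p.dhcp_start)
            end = ipaddress.ip_address(p.dhcp_end)
        except ValueError as exc:
            problems.append(f"{p.name}: unparsable address ({exc})")
            continue
        net = gw.network  # the subnet implied by the gateway's prefix length

        if gw.ip in (net.network_address, net.broadcast_address):
            problems.append(f"{p.name}: gateway {gw.ip} is the network or broadcast address of {net}")
        # Each VLAN needs its own subnet; overlapping subnets break routing between them.
        for other_name, other_net in seen_nets:
            if net.overlaps(other_net):
                problems.append(f"{p.name}: subnet {net} overlaps {other_name} ({other_net})")
        seen_nets.append((p.name, net))

        if start > end:
            problems.append(f"{p.name}: DHCP pool start {start} is after end {end}")
        if start not in net or end not in net:
            problems.append(f"{p.name}: DHCP pool {start}-{end} is not inside {net}")
        elif start <= gw.ip <= end:
            problems.append(f"{p.name}: DHCP pool {start}-{end} includes the gateway {gw.ip}")
    return problems


# Constructed five-VLAN plan in the spirit of the article's diagram.
SAMPLE_PLAN = [
    VlanPlan(10, "VLAN10", "192.168.1.1/24", "192.168.1.100", "192.168.1.200"),
    VlanPlan(20, "VLAN20", "10.1.1.1/24", "10.1.1.100", "10.1.1.200"),
    VlanPlan(30, "VLAN30", "10.1.2.1/24", "10.1.2.100", "10.1.2.200"),
    VlanPlan(40, "VLAN40", "10.1.3.1/24", "10.1.3.100", "10.1.3.200"),
    VlanPlan(50, "VLAN50", "10.1.4.1/24", "10.1.4.100", "10.1.4.200"),
]

if __name__ == "__main__":
    for line in check_plan(SAMPLE_PLAN) or ["plan is consistent"]:
        print(line)
```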

Now that we have the VLAN interfaces created and DHCP configured in each VLAN, the next thing we have to do is enable DNS on each VLAN interface. Most people configure their pfSense box to forward all DNS requests to either their ISP, Google Public DNS, or another third-party DNS server. For DNS forwarding to work properly, you must enable it on the interfaces that your clients connect to. In our case the clients connect to the VLANs we created; they will most likely have private IP addresses, with their DNS server set to the default gateway IP address of their VLAN.

[Screenshot 012]

The last thing we will do is modify the firewall rules for each VLAN interface and create an allow rule similar to the one below. Without a pass rule on the interface, nothing the clients send gets through, so this rule is what lets their traffic reach pfSense and be NATed on the way out to the internet, which they need since they will most likely be behind private IP addresses.

[Screenshot 013]

The specific settings for the firewall rule above are shown below.

[Screenshot 014]
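The WAN rule from the start of the article and the per-VLAN pass rules above are evaluated the same way: the first matching rule on the ingress interface wins, and anything that matches nothing is dropped by pfSense's default deny. The added Python example below (my own code, not pfSense's rule engine) models that evaluation for a handful of constructed rules and packets so you can see the difference between the any-source WAN rule as created above and the same rule limited to the admin laptop's subnet. The interface names, networks and the 203.0.113.7 outside address are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Rule:
    iface: str               # interface the rule is attached to (WAN, OPT1, ...)
    action: str              # "pass" or "block"
    proto: str               # "tcp", "udp" or "any"
    src: str                 # source network in CIDR form, or "any"
    dst_port: Optional[int]  # destination port, None for any port
    descr: str = ""


@dataclass
class Packet:
    iface: str    # interface the packet arrives on
    proto: str
    src_ip: str
    dst_port: int


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule on the ingress interface decides; no match means the
    implicit default deny that pfSense applies to every interface."""
    src = ipaddress.ip_address(pkt.src_ip)
    for r in rules:
        if r.iface != pkt.iface:
            continue
        if r.proto != "any" and r.proto != pkt.proto:
            continue
        if r.src != "any" and src not in ipaddress.ip_network(r.src, strict=False):
            continue
        if r.dst_port is not None and r.dst_port != pkt.dst_port:
            continue
        return r.action
    return "block"


# Constructed rule sets. WAN_OPEN is the rule the article creates (any source to 443);
# WAN_SCOPED limits the same rule to the subnet the admin laptop was given.
WAN_OPEN = [Rule("WAN", "pass", "tcp", "any", 443, "allow web GUI from WAN")]
WAN_SCOPED = [Rule("WAN", "pass", "tcp", "192.168.8.0/24", 443, "web GUI, admin subnet only")]

# Per-VLAN pass rules as in the screenshot: clients on the VLAN's own subnet may go anywhere.
VLAN_RULES = [
    Rule("OPT1", "pass", "any", "192.168.1.0/24", None, "VLAN 10 clients out"),
    Rule("OPT2", "pass", "any", "10.1.1.0/24", None, "VLAN 20 clients out"),
]


def admin_exposure(rules: List[Rule]) -> Tuple[str, str]:
    """Verdicts for the GUI port from the admin laptop and from an arbitrary outside host."""
    inside = Packet("WAN", "tcp", "192.168.8.2", 443)
    outside = Packet("WAN", "tcp", "203.0.113.7", 443)
    return evaluate(rules, inside), evaluate(rules, outside)


if __name__ == "__main__":
    print("open   :", admin_exposure(WAN_OPEN))
    print("scoped :", admin_exposure(WAN_SCOPED))
```

Scoping the WAN rule's source to the subnet you chose for the laptop (192.168.8.0/24 in the article's example) keeps the GUI reachable for the setup session while leaving it closed to everything else that will later arrive on the WAN, and the rule can be disabled once the LAN trunk is working. Restricting the per-VLAN rules to the VLAN's own subnet, as the screenshot does, also means a host that sends from a foreign source address on that interface matches nothing and is dropped.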

Now that our pfSense box is configured with VLANs, the next step is to configure the switch that will connect to it.

Switch Configuration:

Below are the commands you can use to configure VLANs, a trunk port and access ports on switches from the vendors I am familiar with. Assume that your switch is named SW1 and that interface 1/1 is the one connected to your pfSense box. We will start with the VLAN configuration, followed by the trunk configuration and then the access port configuration.

Cisco Configuration:

VLAN Configuration

SW1(config)#vlan #

This will create a layer 2 VLAN

SW1(config-vlan)#name NAMEHERE

Assign a name

SW1(config-vlan)#exit

Exit VLAN configuration mode

Trunk Configuration

SW1(config)#interface gig 1/1

SW1(config-if)#switchport trunk encapsulation dot1q

Switches the encapsulation to 802.1Q

SW1(config-if)#switchport mode trunk

Changes the port to a trunk port

SW1(config-if)#switchport trunk allowed vlan {add|all|except|remove} [VLANLIST]

Configures which VLANs are allowed on the trunk. By default, all VLANs are allowed, so it is worth limiting the list to the VLANs you actually created on pfSense.

Access Port Configuration

SW1(config)#interface fastethernet #/#

SW1(config-if)#switchport mode access

Make it an access port

SW1(config-if)#switchport access vlan #

Assign the VLAN that it belongs to.

Dell Configuration:

On Dell PowerConnect switches the configuration is very similar to Cisco switches.

VLAN Configuration

SW1(config)#vlan database

Enter VLAN configuration mode

SW1(config-vlan)#vlan #

Create VLAN

SW1(config-vlan)#exit

Exit VLAN configuration mode

Trunk Configuration

SW1(config)#interface ethernet 1/1

SW1(config-if)#switchport mode trunk

Changes the port to a trunk port; tagged frames on the trunk use 802.1Q encapsulation

SW1(config-if)#switchport trunk allowed vlan add VLANLIST

Configures which VLANs are allowed on the trunk

Access Port Configuration

SW1(config)#interface ethernet #/#

SW1(config-if)#switchport mode access

Make it an access port

SW1(config-if)#switchport access vlan #

Assign the VLAN that it belongs to.

Avaya Configuration:

On an Avaya switch the configuration differs from the Dell and Cisco configuration.

VLAN Configuration

SW1(config)#vlan create VLAN# name NAMEHERE type port

Create the VLAN, give it a name, and make it a port-based VLAN.

Trunk Configuration

SW1(config)#vlan ports 1/1 tagging tagAll

Configure our port to tag all traffic

SW1(config)#vlan members add VLAN# 1/1

Add the VLAN to the trunk port; repeat for each VLAN that will be tagged on this interface

Access Port Configuration

SW1(config)#vlan members add VLAN# PORT#/#

Assign VLANs to ports

SW1(config)#vlan ports #/# pvid VLAN#

Assign the Port VLAN ID to the port

Note: A port can be a member of multiple VLANs but can only have one PVID (Port VLAN ID), which determines the VLAN that untagged frames received on the port are placed in. Most people make this a one-to-one relationship so that the VLAN assigned to an access port matches its PVID.
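Whatever the vendor, the trunk only carries the VLANs that are both tagged on the pfSense side and permitted on the uplink, and the port's untagged VLAN (the Cisco native VLAN or the Avaya PVID) is the one case where frames cross the link without a tag. The added Python example below, not part of the article or of any vendor's tooling, expands a Cisco/Dell style allowed-VLAN list and compares it with the tags configured on pfSense. It reports VLANs missing from the trunk, VLANs allowed on the trunk but unused (worth pruning, since the Cisco default of allowing every VLAN extends all of them to the router link), and a pfSense tag that collides with the untagged VLAN, whose frames would arrive without the tag the sub-interface expects. The function names and sample lists are constructed.

```python
from typing import Dict, Iterable, Set


def parse_vlan_list(spec: str) -> Set[int]:
    """Expand a 'switchport trunk allowed vlan' style list such as '10,20,30-35'."""
    vlans: Set[int] = set()
    for part in spec.replace(" ", "").split(","):
        if not part:
            continue
        lo_s, _, hi_s = part.partition("-")
        lo = int(lo_s)
        hi = int(hi_s) if hi_s else lo
        if lo > hi or not (1 <= lo <= 4094 and 1 <= hi <= 4094):
            raise ValueError(f"bad VLAN range {part!r}")
        vlans.update(range(lo, hi + 1))
    return vlans


def audit_trunk(pfsense_tags: Iterable[int], allowed_spec: str, untagged_vlan: int = 1) -> Dict[str, object]:
    """Compare the tags created under Interfaces > VLANs with the switch's trunk settings.

    untagged_vlan is the trunk's native VLAN (Cisco/Dell) or PVID (Avaya); frames in that
    VLAN leave the switch untagged, so a pfSense VLAN interface with the same tag never
    sees them.
    """
    allowed = parse_vlan_list(allowed_spec)
    tags = set(pfsense_tags)
    return {
        "missing_on_trunk": sorted(tags - allowed),       # pfSense expects them, switch drops them
        "unneeded_on_trunk": sorted(allowed - tags),      # reachable over the uplink for no reason
        "untagged_vlan_in_plan": untagged_vlan in tags,   # tag/untagged mismatch on the link
    }


# Constructed sample: the five tags from the pfSense side against a sloppy trunk list.
PFSENSE_TAGS = [10, 20, 30, 40, 50]
TRUNK_ALLOWED = "10,20,30-50"

if __name__ == "__main__":
    for key, value in audit_trunk(PFSENSE_TAGS, TRUNK_ALLOWED).items():
        print(f"{key}: {value}")
```

On a Cisco trunk the tidy version of the sample is `switchport trunk allowed vlan 10,20,30,40,50`; on the Avaya side the equivalent is one `vlan members add` per VLAN on port 1/1, with the PVID left on a VLAN that pfSense does not tag.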

This concludes another pfSense article. As I experiment more with the platform and decide to use other features, I will keep documenting the configuration here for reference. As always, thank you for taking the time to read this blog post, and I hope that it was helpful. Any feedback and comments are greatly appreciated.