Amazon Affiliate Store Things we love including computers, software, services, gadgets, and of course …

source

Last update on 2019-07-17 at 06:07 / Affiliate links / Images from Amazon Product Advertising API

50 thoughts on “How To Setup VLANS With pfsense & UniFI. Also how to build for firewall rules for VLANS in pfsese”

  1. Excuse me if this question make no sense… but I am trying to eliminate my ISPs Gateway (router) from my home network. My ISP delivers fiber to the home via an ONT. That ONT normally connects to the ISP's Gateway. I have discovered that if I set up a VLAN 1000, I can remove that Gateway, and put my own router in place. So my question is: Can I assign the WAN port in my pfSense setup to VLAN 1000? That way I can connect the ONT to my pfSense box, and then connect that pfSense box to my switch. Does this make sense?

  2. Followed the steps, I have a similar setup: pfSense Firewall, Ubiquity Wifi and Switches, I'm able to join the guest network that I've assigned to my VLAN but the devices aren't receiving an IP through DHCP. Seems that's the one thing not covered in the video, it's all setup but didn't actually connect a device and show it working

  3. Thanks for such a great video. As I am very new to networking I shudder asking this question – You show two switches connected together. switch 2 is connected via port 1 to switch 1 port 5, then switch 1 is connected to wan via port 1.
    I am guessing switch 1, port 1 is a trunk port. Is switch 2 port 1 also designated as a trunk port?

  4. Great video. I've created VLAN on the pfsense, configured dhcp server with that VLAN interface, Firewall rule to allow all traffic from this VLAN. Ive configured the cisco switch uplink port which is connected to PFsense LAN port as Trunk (allowed all VLANs on this port). Problem: Clients are able to obtained an IP from the DHCP server but cannot connect to the internet. Also, client on 192.168.10.x network cannot ping PFsense (192.168.1.1)

  5. Hello, great learning videos thanks for sharing. I have a question I really could use your help… I have Pfsense setup I want to have a server outside the network but I want it to be able to talk to another server thats on the network. for One on network is a master the one off is a master…

  6. Hi Lawrence Systems,

    I used this video as a guide for setting up my network (pfsense, UBNT switch, UBNT APs) with a secure lan with a secure wifi vlan, IOT vlan (wifi and cable), guest, server…you get the idea. I also used your other video that goes over aliases to simplify the rules for blocking IOT. I have a question about the DNS blocking. I was trying to replicate what you show on this video, blocking all external DNS by IOT devices but whenever I go through the rule creation as shown above and IOT Rules screen I find that Port never stays on the 53 DNS setting and reverts to *. Any idea what is causing this? TIA!

  7. Not exactly technically accurate…. VLAN Tags are actually included in data packets. What you call "all" ports are what others call 'TRUNK' ports. They carry more than one VLAN (usually, but not always all of them). The 'native' vlan is that which has no vlan tag information in the datapacket. By default, this is VLAN 1. "Access" ports usually only have ONE VLAN, and the magic of vlan-aware switches inject the vlan tag on incoming packets, and remove the tag on outgoing packets — any devices attached believe they are on the 'default' vlan. The switch then injects the assigned vlanID tag on packets received, and sends it out any other similarly configured access ports (after removing the tag again) or trunk ports (with the assigned vlan tag intact)… way more than non-engineers NEED to know, but I always like to know HOW things work.

  8. Would you recommend using PFSense if you're going to use UniFi equipment for switches and access points?… or would it be better to run a USG instead of PFSense?
    Also, your diagram showed two switched but the UniFi only showed "8 port Switch in Rack" and a "LTF Office WiFi". Why is that?

  9. If anyone has issues getting internet to work on your VLANs, check DNS settings. I smashed my face on my keyboard for a while before getting to the point of just looking everywhere. That is when I noticed on LAN was highlighted in the DNS page. Added my VLAN and now it connects to the outside world. I never tried to ping just an IP outside. Only a URL. The thought never even occurred to me up to that point. Simple thing to overlook.

  10. Can the unifi switch tag multiple vlans on each port? say for example, I have private wifi on VLAN 30, internal LAN on VLAN 10 and printers on VLAN 20 and phones on VLAN 40. Can I configure a port that a printer is connected to to allow VLAN 10, 20 and 30 but not 40? I'm so used to banging out this stuff in Ciscos the whole GUI concept is a little confusing or is this something that would have to be done via CLI on the unifi?

  11. Hi there, great video ! Very clear and instructive.
    I'm currently configuring PFSense with multiple vlans and I followed your guide step by step. Everything seems to work fine so far except one annoying problem : I have 2 PCs, each in separate vlans (let's say one PC in vlan 102 and another in vlan 103) but they can't ping themselves despite wide-opened firewall rules. For example, the PC in vlan 102 can ping PFSense and the gateway address of vlan 103 but not the PC inside vlan 103.
    DHCP and firewall rules work fine, ports are correctly configured on my netgear switch but still, hosts can't contact each others when located in different vlans… I'm a bit stuck here. Would you have any idea/advice please ? Thanks a lot in advance !

  12. What an excellent guide and commentary. Thank you so much for this. Although I was looking for a guide on something different your explanations of your actions have helped me achieve exactly what I wanted. Thanks again this is very helpful!

  13. This is awesome! Was pulling my hair out trying to get VLANs to cooperate with PFsense and my 24 port UNIFI switch. Thank you thank you thank you! Is there a video on how to create a VLAN to separate Open VPN traffic on certain ports such as NordVPN or similar. I've created certs etc. Just want to apply it to certain ports that machines are running on.

    Thanks again this was incredibly well done. Subscribed!

  14. this is very helpful, though I just want to ask 'cause I think followed the instructions here but the issue i'm having is that I get no IP address when I connect to the SSID where VLAN is defined. and when I change the switch port profile where AP is connected, it disconnects.

    –what I did already
    .created the VLAN in pfsense and enable dhcp server
    .created a network and wireless with VLAN ID similar to that of pfsense

    –what I have
    .unifi switch poe 24 ports
    .unifi ap

    am I missing something here. cheers 🙂

  15. Thanks a lot for this tutorial, finally been able to setup VLANs on my network thanks to this! One question – I have a PiHole running as a DNS server on my 'management' (.5) VLAN. Any idea on how can I get my intranet (.10) VLAN to talk to the pihole for dns lookups? Right now can't seem to suss out how to get internet accesss on the intranet VLAN whatsoever, even when setting DNS to 1.1.1.1 on the DHCP server. Thanks for your help!

  16. Keep in mind for those that care to maintain gigabit or close to gigabit speed with firewall rules for each vlan that you need them on separate physical interfaces from pfsense to the trunk of the switches. When you share vlans this way on a single physical interface with rule processing all packets go up and down crossing vlans thus cutting your speed in half essentially. Great video.

  17. I do not have a smart switch and will not be having anything connect to my VLAN through ethernet (no computers, etc.). I have a pfSense router and Ubiquiti AP and an unmanaged switch. I've followed all the instructions here. I can connect to my new Wifi point, but get no internet access. Is a managed switch actually required? If so, I'm assuming that if i don't have anything connected hardwired I won't have to assign a port to the VLAN? Almost there.. just a little more help… thanks.

  18. Followed question, I have here 1 typical computer unit installed pfsense 2.4.3 single wan and single NIC do I need to add another NIC? thank you again and hoping on you response many many thanks

  19. Wow your videos are awesome, I've grown to like pfSense thanks to you, can you perhaps do a video on how to use DHCP Relay with a windows server as DHCP Server perhaps, or point me in the right direction, appreciate all your videos it help me a lot

  20. Tom, great videos, and I greatly appreciate all of the helpful information you put out. Question for you. Do I have to setup manual outbound NAT rules for the VLAN's? Currently my pfsense box is setup with manual, but it almost seems like it should be automatic rules.

  21. What i did for my IOT VLAN is just created an alias for all RFC1918 networks (Private IP range) and blocked everything from IOT to RFC1918 except for the gateway address of the IOT vlan.

  22. Like always, great explanation!
    I have a question: if you have a computer on the vlan50 sending data to another computer on vlan69, does the traffic of all the data will go throuph pfsense ethernet interface or once pfsense authorize the traffic, the traffic is gonna be only in the switch ?

  23. HI!! Thanks for your video it helped me A LOT!!! Maybe, can you solve a "little" issue that my PFSense have. When i check ""Enable DHCP server on VLANWIFI interface"" and Save, my DHCP over LAN stops working. Did you have seen something like this?

  24. I am using a HP DL360 G7 as my PFSense router.  I am looking at a Ubiquiti Networks 8-Port UniFi Switch, Managed PoE+ Gigabit Switch with SFP for my network switch.  Since the switch has two 10GB SFP ports, and I have access to 10GB NICs I can add to my router.  My question is this…  Does PFSense support 10GB NICs?  If so, which 10GB NICs are supported? 

    I don't want to start buying hardware until I know everything is compatible.   Thanks

Leave a Reply

Your email address will not be published. Required fields are marked *