How I set up VLAN for my home network with Pfsense.


Disclaimer: I am by no means a professional. I am just doing this for fun and enjoy learning along the way (I probably still don’t know anything 🤣). These are not meant as a guide and should not be treated as such. What I am showing you here is what I did, and it worked for me and my situation but might not apply to you. Your result could be very different from mine. Heck, I could be doing or saying something entirely wrong since I still consider myself a newbie (hence the name of my site, “noob to networking” 😉). Please don’t take a random person’s words on the internet too seriously, and again, ALWAYS, and I mean always, do your own research (well, take this one seriously, though).

Hello there, it has been another week, and you probably have guessed it: time for another post. This week, I will be talking about VLANs and how I configured the VLAN network for my setup using my Pfsense firewall/router. Here is the breakdown:

Why VLAN?

Before we start, I would like to explain what a VLAN is and what I hope to achieve with this VLAN setup for my home.

What is VLAN?

As you should have noticed by now, most things in networking are quite literal: the words mean what they say. So if you hear something you aren’t too sure about, take the words at face value and chances are you will get it right 😂. It is not as complicated as you might have thought. We know LAN stands for Local Area Network, which describes your home private network that is separate from the Wide Area Network (WAN), the internet. Every device in your private network has its own private IP address to be part of the network (usually 192.168.x.x). Devices on your private network connect using wired connections or wireless (Wi-Fi), but either way they attach to the same physical network. Therefore, LAN is what we usually refer to as the physical network.

What is a VLAN, then? If you guessed that V stands for Virtual, you are correct. VLAN stands for Virtual Local Area Network. See, it is not that hard to understand, right? A LAN is an actual physical connection, while a VLAN is not quite so, just like my imaginary girlfriend 🥲.

What is the point of a VLAN? VLANs have quite a lot of advantages. The most significant one, I think, is the ability to manage and organize a network separately from your primary network. We can do a lot of customization, as we have complete control of this network by creating the rules for how we want it to behave, which increases security and makes it easier to manage. Of course, there are many other great things about VLANs, but different people have different opinions and purposes.

VLANs are handy in networking, and you can usually find them on mid to high-end routers and firewalls. On lower-end consumer routers, it is not that VLANs do not exist. Still, since the target users usually are not tech-savvy (no offense), I think the manufacturers felt there was no need to include the full feature set in their product, so they simplified it to one simple function: the Guest Network. Yes, a Guest Network is just a stripped-down version of a VLAN. There is no customization; it is just whether you want to turn it on or off, though for some, that is more than sufficient. Why do I bring this up, you ask? I want to give you additional information to show that VLANs are prevalent in most everyday networking, just in a different shape or form. As for mid to high-end users, VLANs make their life so much easier since they have to manage hundreds or even thousands of devices. It would be a nightmare to manage individual devices without VLANs.

What do I hope to achieve with VLANs in my home network setup?

If you have read my last post about how I configured my home network, you might already have some idea of what my network’s layout looks like, but if you have not, here is the diagram to refresh your memory.

I have in mind that I will have 3 separate networks for my home setup, which are LAN, VLAN 10, and VLAN 20. Here is a fun fact about VLANs: VLANs keep their networks separate by giving each one an identifier, so that traffic coming from each network can be sorted correctly. We can then configure, for each port on our network switch, which VLAN’s traffic we want to let through or block. Pretty cool, is it not? This identifier is called a tag 🏷. So each VLAN has its own unique tag. In my case, I have Tag 10 and Tag 20. The LAN network by default is VLAN 1, meaning LAN is technically a VLAN with Tag #1. Is this information relevant? Of course not, but it is pretty cool to know 😉.

Back to the topic: I picked tags 10 and 20. There isn’t any particular reason; it is all user preference. I could have used VLAN 2 and VLAN 3 as well, but I picked 10 and 20 to remind me of the subnet separation 🤷‍♂️, which we will talk about later.

I plan to have LAN as my primary network, where I have all my devices such as my workstation, PC, servers, and NAS. They can all freely access the WAN and talk to each other. There won’t be a lot of restrictions on my LAN.

VLAN 10 is my Internet of Things, or IoT, network. I have told you before that I wish to convert my home into a smart home, and that will require a lot of smart devices to be integrated into my home network. As you might have guessed, most smart home devices require an internet connection to communicate with their respective manufacturers’ cloud servers in order to work. Therefore I have to give them access to the internet, but I also do not want them to be able to see my other network devices and traffic; who knows if one of these smart devices actually got hacked and started to spy on you or steal your information… It is also good security practice to segregate smart devices from normal devices, which is why I created this virtual network to put all my smart devices in. That way, they can talk to each other and have an internet connection, but they do not have access to my primary LAN network and cannot talk to the servers and NAS that reside there.

Last but not least is VLAN 20, which is my Guest network. With Pfsense, I can do quite a lot of things with this. I can have a filter to ensure that my guests won’t be able to go to any shady website or do anything stupid on the home network that will get me in trouble. I can also limit how much bandwidth they can use. I can also set a timer for when I want this network to stop working… The possibilities are endless, and when you have that much power, you feel like you are on top of the world 😈 and all the peasants… I mean, guests 😅 are at your mercy 😜. Unless they have unlimited cellphone data and do not need your network 😂.

VLAN setup with Pfsense

Now on to the good part, shall we? Let’s get the VLAN setup started. It is a very simple 3-step process: 1. create the VLAN interfaces; 2. enable DHCP services for those interfaces; and 3. create firewall rules for the interfaces.

1. Creating interfaces

As I mentioned above, the idea is to create 2 VLAN interfaces, using Tag 10 and Tag 20 respectively.

On the main dashboard of Pfsense (you do know how to get there, right?), navigate to Interface > Assignment.
This is the interface assignment menu; we want the VLANs tab, so click on it.
This is what the VLANs tab should look like. There aren’t any VLAN interfaces set up just yet, so we need to add ours. Click on Add.
We should see something like this. What you need to pay attention to is the parent interface. This is a VLAN for a reason, so the parent interface needs to be set to LAN. Then we can pick the tag for this VLAN interface. This is my IoT network, so I set the tag to 10, and for the description I put in IoT to remind myself. Hit save to save the interface.
I repeat the same steps as above to add another interface for my guest VLAN network: the same LAN parent interface as before, VLAN tag 20, and the description guest. Hit save.
This is the result. We can see there are 2 VLAN interfaces, 10 and 20. Go back to the interface assignment tab.
We have created the VLAN interfaces. Now we need to make them available. In the available network ports, select VLAN 10 and hit add.
Now do the same thing for VLAN 20.
As you can see, the interfaces’ names are OPT1 and OPT2 by default. Click on OPT1 to edit VLAN 10.
Make sure we enable this interface by ticking the box. I want to rename my interface instead of the default OPT1 name, and I name mine IoT. The IPv4 configuration type is Static, the IPv4 address is 10.11.60.1, and the subnet mask is /24. If you recall, my LAN IP address is 10.11.50.1/24, so the VLAN is an entirely different network from my LAN (as it should be). Of course, you can pick any private IP address you want for your VLAN; there is no need to copy mine. What does /24 mean, you might ask? Well, if you understand binary, an IP address is a string of 32 bits split into groups of 8, so it looks something like 8bits.8bits.8bits.8bits, and we know 8 bits hold a value from 0 to 255. Therefore /24 means the subnet mask is 24 1s from left to right, so its first three octets are 255.255.255.x and only the last octet is left for your devices. Therefore the range of your IP addresses is x.x.x.0 – x.x.x.255. Not too complicated, is it? Well, I’ll explain more about the subnet mask in the future.
After making sure everything looks good, hit save.
There will be a notification at the top of the page asking if we want to apply the changes. Just click apply changes.
We have finished with the IoT interface. Click on OPT2 to work on the guest network interface.
You know the drill by now: enable the interface, change the name, and set the IP address. I picked mine to be 10.11.70.1/24. Hit save.
Of course, we have to apply the changes.

There we go. We have now finished creating and enabling the 2 VLAN interfaces. Still with me? Good, it’s not as scary as you think 😉.

2. Enable DHCP servers

A VLAN is just like any other network; we need to set up a DHCP server so that all the devices connecting to it can acquire an IP address. Otherwise, the devices won’t be able to join the network. What is a DHCP server, you ask? DHCP stands for Dynamic Host Configuration Protocol. You can think of it as a hotel receptionist who assigns you a room number and keeps a record of it. In this case, the room number is an IP address, in case you failed to realize what I mean 😬. So yea, we need to enable the DHCP server on all our VLAN interfaces (Pfsense usually enables it on the LAN interface by default, so we don’t need to worry about that one).

Navigate to Services > DHCP server on the main dashboard.
Select the IoT interface. We should see 3 interfaces that we can work with for DHCP. As I mentioned before, the LAN DHCP server is enabled by default, so we can skip it.
First and foremost, we want to enable the DHCP server on the IoT interface. Tick the box to enable it. We can then choose what range of IPs we want to assign to devices when they connect to this network. I have mine starting from 10 and ending at 250, meaning when a device connects to this network, it will be assigned an IP address within this range. If, in some unfortunate case, you have more devices connected than your range allows, then well, you are doing something wrong, and your network design has fundamental issues to begin with 😂
Scroll to the end and hit save.
There we go, the changes have been applied. Now we do the same thing for the Guest network.
You know the drill by now. Enable the interface and select the range. Hit save.
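To make the /24 arithmetic from the interface step and the DHCP range from this step concrete, here is an added example in Python (not part of the post, and not Pfsense code). It uses the post’s own addresses (LAN 10.11.50.1/24, IoT 10.11.60.1/24, Guest 10.11.70.1/24) and the .10–.250 pool, and checks that the three subnets do not overlap and that a pool stays inside its subnet without swallowing the gateway.

```python
import ipaddress

# Addresses from the post; the pool bounds are the host-octet values chosen in the DHCP step.
INTERFACES = {"LAN": "10.11.50.1/24", "IoT": "10.11.60.1/24", "Guest": "10.11.70.1/24"}
POOL_FIRST, POOL_LAST = 10, 250


def mask_from_prefix(prefix: int) -> str:
    """/24 means 24 one-bits from the left and zeros after: 255.255.255.0."""
    bits = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    return ".".join(str((bits >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def host_range(cidr: str) -> tuple:
    """First and last address of the block an interface address/prefix belongs to."""
    net = ipaddress.ip_network(cidr, strict=False)  # strict=False accepts 10.11.60.1/24
    return str(net.network_address), str(net.broadcast_address)


def overlaps(cidrs) -> list:
    """Pairs of networks whose ranges overlap; any hit means the VLANs are not separate."""
    nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]
    return [(str(a), str(b)) for i, a in enumerate(nets)
            for b in nets[i + 1:] if a.overlaps(b)]


def dhcp_pool_ok(gateway_cidr: str, first: int, last: int) -> bool:
    """A pool must sit inside the subnet, avoid network/broadcast, and leave the gateway out."""
    iface = ipaddress.ip_interface(gateway_cidr)
    net = iface.network
    lo = ipaddress.ip_address(int(net.network_address) + first)
    hi = ipaddress.ip_address(int(net.network_address) + last)
    inside = net.network_address < lo < hi < net.broadcast_address
    return inside and not (lo <= iface.ip <= hi)


if __name__ == "__main__":
    print("/24 mask:", mask_from_prefix(24))
    for name, cidr in INTERFACES.items():
        print(name, host_range(cidr), "pool ok:", dhcp_pool_ok(cidr, POOL_FIRST, POOL_LAST))
    print("overlapping subnets:", overlaps(INTERFACES.values()))
```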

3. Creating Firewall rules

Alright, so we created the interfaces and enabled them. We also enabled DHCP servers for each interface. The last thing we need to do is create firewall rules for the network to work. What are firewall rules? As the name suggests, they are rules you create to make sure the network functions as you designed it. One particular thing about Pfsense firewall rules is that any traffic for which no rule is defined is simply ignored (dropped), so keep that in mind. For example, if you create a rule such as “we don’t talk about Bruno,” then all the talk about Bruno won’t pass this wall 😜.

On the main dashboard, navigate to Firewall > Rules.
Now we need to create rules for IoT. There are no rules right now, so this network cannot access the internet, because no rule says anything like that. Remember? No rules means ignored. So let’s add rules and test them to make sure everything works. Select Add.
I want to add a rule to pass the traffic. The action is Pass, the interface is IoT, and the address family is IPv4 and IPv6. This is a general rule, so the protocol is any. Hit save. Again, this is a straightforward rule to allow everything. It is not very good security practice to allow everything through, so you will need to customize the rules to your needs. Ideally, to maximize security, you want a whitelist approach, meaning only allow the things you want and block the rest, but I wouldn’t worry too much about it for the time being; therefore, I am just going with a blacklist approach of blocking what I want to block and allowing the rest. It is not the best for security, so do as I say, not as I do, teehee 🤭.
Once you have the rules, apply the changes for them to take effect. Also, there is a quirk of Pfsense: when a connection is already allowed through, even if you then add a rule to block it, it will still go through (Pfsense keeps the existing connection state) unless you break the connection and let it go through the rules again. If you make significant changes to your firewall rules, you probably want to apply the filter and then reset the connections by rebooting Pfsense (these are just some tips).
The rules table in Pfsense works from top to bottom, and the top rule supersedes the rules below it. That is why the order of the rules is critical when I add other rules. For example, if you set the top rule to block traffic on port 80 and the following rule allows everything, the result is to allow everything except port 80. Remember, rules are read from top to bottom, and you will be fine 😉.
This is my example rule set for my Guest network. Keep in mind this is just a basic rule set and needs a lot of refinement. The idea here is to block access to my Pfsense box from the guest network, as I do not wish for anyone on my guest network to see my Pfsense box and, by some rare chance, access it. Therefore I create rules to block that access. The first rule allows access to my Pfsense box on port 53 with the protocol TCP/UDP, with the destination set to This Firewall, to acquire DNS (this is necessary for this network to be able to access the internet). Next, I allow it to access this firewall on UDP port 123 for NTP. Lastly, I block all other access from this network to my firewall. The rules are read from top to bottom, so anything I allow will go through, and the rest will be blocked. That is the idea; you can be creative with your rules, the possibilities are endless 😉.
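To show what the top-to-bottom ordering and the guest rule set above actually decide, here is an added example in Python (my model, not Pfsense’s code and not from the post). It implements first-match evaluation with Pfsense’s implicit default deny, encodes the three guest rules described above plus an assumed trailing pass rule for internet traffic (the post does not show that rule), and also encodes the “block port 80, then allow everything” ordering example; the sample destination addresses are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional

FIREWALL = "10.11.70.1"  # guest interface address, i.e. "This Firewall" seen from the guest VLAN
INTERNET_HOST = "203.0.113.10"  # constructed placeholder for some internet destination


@dataclass(frozen=True)
class Rule:
    action: str               # "pass" or "block"
    proto: str = "any"        # "tcp", "udp", "tcp/udp" or "any"
    dst: str = "any"          # destination host, or "any"
    dport: Optional[int] = None  # destination port, None matches any port

    def matches(self, proto: str, dst: str, dport: int) -> bool:
        proto_ok = self.proto == "any" or proto in self.proto.split("/")
        dst_ok = self.dst == "any" or self.dst == dst
        port_ok = self.dport is None or self.dport == dport
        return proto_ok and dst_ok and port_ok


def evaluate(rules: List[Rule], proto: str, dst: str, dport: int) -> str:
    """Return the action of the first rule that matches; no match means block (default deny).

    This models rule lookup for a new connection only: as the post notes, Pfsense keeps
    existing connection states, so an already-open connection is not re-evaluated."""
    for rule in rules:
        if rule.matches(proto, dst, dport):
            return rule.action
    return "block"


# Guest rule set as described in the post, top to bottom.
GUEST_RULES = [
    Rule("pass", "tcp/udp", FIREWALL, 53),   # DNS to This Firewall
    Rule("pass", "udp", FIREWALL, 123),      # NTP to This Firewall
    Rule("block", "any", FIREWALL),          # everything else aimed at the firewall
    Rule("pass"),                            # assumed: let the rest (internet) out
]

# The ordering example from the post: block port 80 first, then allow everything.
WEB_BLOCK_RULES = [Rule("block", "tcp", "any", 80), Rule("pass")]

if __name__ == "__main__":
    print("guest DNS to firewall:", evaluate(GUEST_RULES, "udp", FIREWALL, 53))
    print("guest HTTPS to firewall:", evaluate(GUEST_RULES, "tcp", FIREWALL, 443))
    print("guest web:", evaluate(WEB_BLOCK_RULES, "tcp", INTERNET_HOST, 80))
```

Swapping the block rule above the DNS allow in GUEST_RULES makes DNS fail, which is the ordering mistake the post warns about.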

Conclusion

Well, congratulations 🎉, if you managed to get this far, I hope you already have a nice VLAN setup. Now you are official; join the cool kids’ club and take a step forward with basic networking 😎. Now you can proudly tell people you understand VLANs and firewall rules… at least you know a little bit more than before. If you understand the concept, I’m sure you will be able to figure out how to do VLANs with other equipment because you understand the fundamentals. Best of luck to everyone. Thank you for your time, and have a great week. Until next time

-Laz.


4 responses to “How I set up VLAN for my home network with Pfsense.”

  1. I am really loving the theme/design of your site. Do you ever run into any browser compatibility problems? A number of my blog visitors have complained about my website not working correctly in Explorer but looks great in Firefox. Do you have any tips to help fix this problem?

  2. Heya, this is kind of off topic, but I was wanting to know if blogs use WYSIWYG editors or if you have to manually code with HTML. I’m starting a blog soon but have no coding know-how, so I wanted to get advice from someone with experience. Any help would be enormously appreciated!

  3. Very helpful article. For those not technically inclined, how does one move the IoT devices from LAN to VLAN 10, for example?

    • Hi Clark,

      Thank you for the feedback. To answer your question, you need to connect the devices to the correct network, be it LAN or VLAN. Suppose you wish to move IoT devices from LAN to VLAN 10. Let’s first say the device is connected via wires or wireless. For example, I configured port 10 of my switch to have VLAN tag 10 so that every device I plug into ethernet port 10 will be assigned an IP address belonging to VLAN 10. For wireless, I have a designated Wi-Fi network called “Ai-O-Tea” which I set up to tag VLAN 10 on all the connected devices. Of course, you can force the device IP addresses, but that will differ case by case, depending on your setup and network equipment, and it also requires you to know what you are doing. If you have any questions or require assistance, feel free to ask. I’m happy to help.

      -Laz
