Configuring Vlans in pfSense (And How to Use Them)

Captions
Hey there everyone, thank you so much for being here and thank you so much for watching. In today's video we are going to see how to create and configure VLANs in pfSense. I know this topic might seem a little intimidating at first, but it really isn't, and unlike a lot of other videos I saw out there online, we are going to create it end to end. I'm going to take you through creating the VLANs, configuring the interfaces for them, creating DHCP scopes for them for simplicity's sake, and even creating firewall rules for them, because in pfSense, much like many other firewalls, you can create VLANs all day long, but if you're not creating firewall rules for them, blocking or allowing, you're really not going anywhere. So we'll dive into the creation of the firewall rules; I'm even going to show you how to be a bit more granular in firewall rules, so definitely stick around towards the end of the video. So let's dive right in and see how to configure VLANs in pfSense. Join me.

All right guys, so we are at the computer, and as I said before, this topic might seem a little bit intimidating at first, but it really isn't. As long as you're configuring your VLANs correctly on your pfSense firewall and you have a VLAN-capable switch on which you have configured the VLANs, specifically the VLAN tags, to match the VLANs on your firewall, you will have a VLAN-segregated network without any frustration or complications. So we already have the pfSense firewall interface in front of us. I will show you exactly how easy it is to create the actual VLANs themselves, and we will also see how to create firewall rules to allow traffic to go through them, since it's a part of the process. I will show you at first how to create very generalistic, simplistic and permissive firewall rules just for the sake of this demonstration, and if you're interested in seeing more granular firewall rules that are a little bit more restrictive, stick around till the end of the video; I will circle back to the firewall rules and see how we can make them a little bit more restrictive.

So before we dive in: with VLANs, what we are actually doing is taking a single physical infrastructure, meaning a single cable (I am dumbing it down, of course), and virtually splitting it into different networks. These are the VLAN tags. The connection between the firewall and the switch itself, let's say just for the understanding of the concept, will be a transport; it will carry all the VLANs and will be able to take traffic from all the VLANs. Then on the switch itself we can configure different ports to carry different VLANs as tagged or untagged VLANs; it doesn't matter for this purpose. In the end result, different computers will be able to be on a different network than other computers, even though they are sharing the same physical infrastructure. For example, the computers on the red network will be on their own separate network and the computers on the blue VLAN will be on their own network, and according to the firewall rules that we've defined they will or will not be able to communicate with each other, but they will be on their separate networks. So this is VLANs, really, in a nutshell.

All right, circling back to the pfSense interface. We have a WAN interface, which is really double NAT'd; it's a lab network that will cease to exist after this video. We have a LAN interface. The management interface is not connected right now; we don't really need it, we are trying to keep it as simple as possible: one WAN port and one LAN port. What we're actually trying to achieve now is taking the LAN port and virtually splitting it into different VLANs. The way we do it, the first step, is going to Interfaces, Assignments, and we're going to VLANs right over here. We'll click on Add, and the first thing that you need to get right is the parent interface, meaning which of the interfaces on your firewall you want to split into different VLANs. In our case it will be the LAN interface. The VLAN tag is something that you can choose on your own; it's really up to you, from 1 to 4094. I've chosen 10 just for the sake of this demonstration. I'm going to call it servers, just as an example. Click on Save. Right, I'm going to create two more: again LAN interface, VLAN tag 20, let's say that this will be our workstations VLAN. All right.

Now, all we have done right now is define the VLAN tags. Actually, it's like we have taken a network cable and still we haven't punched it or crimped it with a network jack. If we want to take these VLANs and turn them into something pfSense can do something with, we need to create interfaces for them. For that we are going to go back to the Interface Assignments tab, and now we have available network ports (they are not really ports). We'll choose our VLANs: let's choose our VLAN 10 and click on Add, let's choose our VLAN 20, click on Add, VLAN 30, click on Add, and Save. Now we've created interfaces for all of our created VLANs. They are not active yet, but they are now entities pfSense can do something with. All right, so OPT2 is our VLAN 10.

Let's jump into it: enable it, give it a name, servers, and now we need to give it an IP address. An interface needs to have an IP address, and let's say that in our case we will do 172.16, and for me I will choose 10 to represent the VLAN tag, so I will know every device that gets a 172.16.10 address is on the server network: .1/24, and Save, Apply. Without clicking Apply it will not really be written or committed. Now I'm going to go back into the Interfaces tab, down to OPT3. This is our VLAN 20, our workstations VLAN, so let's call it workstations. Again IPv4, give it an IP address of 172.16.20 to represent the VLAN tag (this is just how I do things), /24, click on Save, click on Apply. And the last VLAN is OPT4, which will be our IoT VLAN: static 172.16.30.1, so I will know every device that got an IP address of 172.16.30.something is on my IoT network. Oh, sorry, my bad: 24, not 14. That's great.

Now, what I'm going to do next is not something that is obligatory or mandatory, but I am going to configure DHCP on all of these VLANs just so it will be easier for me to connect a device, especially for this demonstration, and immediately get an IP address, and I will see if the IP address matches my expectation. In order to do that I will go to Services, DHCP Server, Servers tab, Enable, and I'm going to create a pool, 172.16., from 100 I will go to 200. I will define DNS server 8.8.8.8, just for simplicity's sake; nothing else is needed. Of course, if you're doing DHCP and you need other attributes, this will be the place to add them. I'm just going to click on Save. Workstations: again enable it, create a pool; I will create it 172.20.100 going to 200, DNS 8.8.8.8. All right.

So now, what we have done up to this point: we have created the VLANs, we have created the interfaces to match the VLANs, to actually take the VLANs and bring them into an entity that pfSense can do something with, we have enabled them, we have created DHCP for them. But as it stands right now, if I connect my switch and from my switch I connect an endpoint, I may get a DHCP IP address, but I will be able to communicate with nowhere, nothing, zip. Because unlike the default installation of pfSense, where it automatically creates a rule on the LAN interface to be able to communicate with everything (the star is pfSense's way of saying everything), when you create a VLAN and an interface you get no default firewall rules. So if I want my servers, for example, to be able to communicate and get, for example, internet connectivity, I will need to create a firewall rule. Now, I'm going to create a very simplistic, very permissive firewall rule. If you want to know how to do firewall rules a little bit more granularly, of course this is a topic on its own, and if you want to see a video just about managing firewall rules in pfSense, let me know in the comments down below, but I will circle back to this to create a little bit more granular approach. Right now I'm going to create a very general and permissive firewall rule: I'm going to select the action Pass, the interface is servers, protocol any, source: I'm always, just for good measure, going to select the servers net, meaning the servers network; destination any; click on Save, click on Apply. Same for workstations: Pass, protocol any, source workstations net, destination any, click Apply. Same for IoT: any, IoT net, click on Save, click Apply.

All right guys, at this point what we have right now is an end-to-end firewall that is configured with VLANs; the VLANs have interfaces assigned to them and also firewall rules to allow traffic to go through them. What I'm going to do right now is, to the port that my computer is currently connected to on my pfSense firewall, I'm going to connect a managed switch I have lying around. This switch is already configured with the VLAN tags, same as I configured on pfSense, and then I'm going to connect my computer to the switch in every port, according to what I configured as an untagged VLAN, and let's see if I'm getting IP addresses accordingly.

All right guys, something that I forgot to do, and I have encountered an issue with it. It almost never happens, but it happened to me right now, so I'm going to show you something that will mitigate it. I got a DHCP address from the VLAN I was connected to, but for some reason pfSense did not supply a default gateway as part of the DHCP lease. We don't need to rely on pfSense's favors to give us a default gateway; we can define one right here. For example, if I'm on the servers DHCP server tab, I'm going to define my default gateway as 172.16.10. Again, this almost never happens; it happened to me, so I thought I would show it to you so you will know what to do if it happens to you. By default pfSense does supply a default gateway that is the IP address of the interface itself, meaning the .1 address. For some reason sometimes it doesn't do that, but again, we don't need to wait for pfSense's favors.

All right guys, so now my computer is connected again to the switch, and the switch is connected to the pfSense firewall, so let's see right now if we are getting an IP address according to the VLAN that we are on. Let's do an ipconfig /release and then ipconfig /renew. All right, great, looks like we are getting an IP address from the VLAN that we have connected our switch port to; we're getting an IP, a default gateway. That's great. I actually am not going to get real internet connectivity because my pfSense is double NAT'd and it's subject to a firewall rule that will not allow it, but let's connect our computer to a different switch port on a different VLAN and let's see if we're getting an IP address from a different VLAN. All right, let's do another ipconfig /renew. All right, great, now we are getting an IP address from the workstations VLAN with a default gateway. That's great. One last check: let's see if we get an IP address from the IoT VLAN. And as you can see, that's great, we've got an IP address from the IoT VLAN, meaning that we have configured the VLANs correctly on our pfSense firewall, and on the managed switch to match the settings on pfSense, and then we've configured the switch ports. Every manufacturer of switches has its own UI and way to do things, but at the end of the day you need to figure out which ports you want to be untagged on a certain VLAN, and as you can see, when it's configured correctly, it works just fine.

Okay, so just for the simple demonstration, I have connected my pfSense firewall to my ISP, so now I am connected directly to the internet and not double NATting myself behind my UDM Pro. Let's do another ipconfig /release, ipconfig /renew, just so you will be able to see that there is real internet connectivity when configuring firewall rules in the way that we did. Let's try to ping www.google.com. We have internet connectivity and DNS resolving, so this is definitely something that is working great for us.

Now I will be circling back to the firewall to show you how you can be more restrictive with your firewall rules. Let's say that I want to be more restrictive on my servers VLAN. Right now we have a rule that allows devices on the servers network to communicate with everyone. Let's delete this rule, and now, what I have pre-done is create an alias. I have created an alias that contains the RFC 1918 addresses, meaning all the internal networks that are not routable on the internet. Just create an alias; it will be a network(s) alias, yes. These will be the settings: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16. That's the alias itself. This alias will now be used in a firewall rule. Let's go back to the rules on the servers VLAN. The first thing that I want to define is which other VLANs the servers network is allowed to communicate with. So the first thing that I will do (again, this is just how I do things; you can do it in a different order as you see fit): first I'm going to say the devices on the servers network want to communicate anywhere else but internal networks, meaning the internet. This is how you should do it: the action is Pass, protocol is any, source servers net, destination: click on Invert match and select Single host or alias, rfc1918, click on Save. What this firewall rule is actually doing is saying: if you're on the servers network and you want to communicate anywhere that is not inside the RFC 1918 range of addresses, you can go ahead and do that. But let's create another firewall rule and say to block any protocol from the servers network to, for example, the IoT network. So what will happen then is it's saying: if you want to go ahead and connect to anywhere that is not in the RFC 1918 range, go ahead, but if you want to communicate with the IoT network, I'm not going to let you do that. All right, so actually, something that is very debatable, and indeed in production networks I am going to do it this way: I'm going to put all my blocking rules on top. You can go ahead and just drag the block rules, click on Save, click on Apply. So then it will block everything, and then, because firewall rules are processed from top to bottom, eventually it will reach a rule that allows the traffic that it's interested in and allow it according to the firewall rule. Again, let's do just one more rule: again I'm going to block any protocol from the servers network to... you know what, let's make this rule an allow from the servers network to the workstations network, and then I'm going to place it below my blocking rule. This is just an example; again, firewall rules are a whole world you can dive into. This is just a basic example of how you can be more granular.

By the way, I already created a video about configuring VLANs in the UniFi ecosystem, but I know a lot of people are using UniFi for, for example, just switches and access points, and for the firewall they're choosing pfSense or different vendors of firewalls. These can communicate or interoperate just fine. In fact, you can go over to my UniFi VLANs video (I will put a link to it in the top right corner), and even though in that video I created the VLANs on a UniFi gateway (in this case it was a UDM), you can skip to the second half of that video to know how to configure VLANs on your UniFi switches, and that will work just fine with a pfSense firewall. Guys, it can work; VLANs is something that is universal, it's not vendor dependent. All right guys, I hope this video was informative for you. I will see you all in the next video. Bye bye everyone, stay safe.
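The two things the video leans on, the 172.16.<tag>.0/24 addressing scheme used to check that a DHCP lease came from the expected VLAN, and first-match, top-to-bottom rule processing on an interface that starts with no rules, can be checked offline before touching a firewall. The Python below is an added example written for this page; it is not pfSense code and not the presenter's, and the names `Rule`, `evaluate`, `vlan_for`, `PERMISSIVE_SERVERS` and `RESTRICTIVE_SERVERS` are this example's own. It models the permissive "servers net to any" rule and the restrictive rule set from the end of the video (the block rule dragged above the inverted rfc1918 pass and the workstations pass) and shows what each decides for a host on the servers VLAN.

```python
# Added example, not code from the video or from pfSense: a small Python model
# of the VLAN plan and the servers-interface rule set built in the tutorial.
# pfSense evaluates the rules on an interface top to bottom, the first match
# wins, and a VLAN interface starts with no rules, so unmatched traffic is
# dropped. Rule, evaluate, vlan_for and the rule-set names are this example's own.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# VLAN tag -> (interface name, subnet): the 172.16.<tag>.0/24 scheme from the video
VLANS = {
    10: ("servers", ip_network("172.16.10.0/24")),
    20: ("workstations", ip_network("172.16.20.0/24")),
    30: ("iot", ip_network("172.16.30.0/24")),
}

# Aliases: the rfc1918 network alias from the video plus the per-interface "<name> net"
ALIASES = {
    "rfc1918": [ip_network("10.0.0.0/8"),
                ip_network("172.16.0.0/12"),
                ip_network("192.168.0.0/16")],
}
for _tag, (_name, _net) in VLANS.items():
    ALIASES[f"{_name} net"] = [_net]


@dataclass
class Rule:
    action: str               # "pass" or "block"
    interface: str            # interface the rule is attached to (traffic enters here)
    src: str                  # alias name or "any"
    dst: str                  # alias name or "any"
    invert_dst: bool = False  # the "Invert match" checkbox on the destination


def _in_alias(addr, alias):
    return alias == "any" or any(addr in net for net in ALIASES[alias])


def matches(rule, iface, src, dst):
    if rule.interface != iface or not _in_alias(src, rule.src):
        return False
    # invert_dst flips the destination test: "anything NOT in this alias"
    return _in_alias(dst, rule.dst) != rule.invert_dst


def evaluate(rules, iface, src, dst):
    """First matching rule decides; no match means the implicit default deny."""
    src, dst = ip_address(src), ip_address(dst)
    for rule in rules:
        if matches(rule, iface, src, dst):
            return rule.action
    return "block"


def vlan_for(addr):
    """Which VLAN a leased address belongs to, i.e. the 'does the DHCP address
    match my expectation' check from the video. None if it fits no VLAN."""
    addr = ip_address(addr)
    for tag, (_name, net) in VLANS.items():
        if addr in net:
            return tag
    return None


# The first, permissive rule set: servers net -> anywhere
PERMISSIVE_SERVERS = [Rule("pass", "servers", "servers net", "any")]

# The restrictive rule set from the end of the video, block rule dragged to the top
RESTRICTIVE_SERVERS = [
    Rule("block", "servers", "servers net", "iot net"),
    Rule("pass", "servers", "servers net", "rfc1918", invert_dst=True),
    Rule("pass", "servers", "servers net", "workstations net"),
]

if __name__ == "__main__":
    # Constructed sample destinations: internet, IoT VLAN, workstations VLAN, an unrelated private net
    for dst in ("8.8.8.8", "172.16.30.5", "172.16.20.5", "192.168.1.1"):
        print(dst,
              "permissive:", evaluate(PERMISSIVE_SERVERS, "servers", "172.16.10.50", dst),
              "restrictive:", evaluate(RESTRICTIVE_SERVERS, "servers", "172.16.10.50", dst))
```

Two details worth noticing in the output: a destination in a private range that no rule names (192.168.1.1 above) is dropped by the default deny on the VLAN interface, not by any rule you wrote, and a rule list attached to the servers interface has no effect on traffic entering on the workstations interface, which is why every VLAN interface needs its own rules.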
Info
Channel: Tech Me Out
Views: 33,271
Keywords: Configuring Vlans in pfSense, how to configure vlan in pfsense, vlans in pfsense, pfsense vlan switch, how to create vlan in pfsense, pfsense, pfsense setup, vlan, pfsense firewall, pfsense tutorial, pfsense vlan, pfsense router, pfsense firewall rules, pfsense (software), vlans, virtual networks, firewall rules, how to install pfsense, pfsense installation, install pfsense, netgate sg-1100 setup, pfsense download, getting started with pfsense, pfsense vlans, router setup
Id: mJrvvC-eHAE
Length: 21min 49sec (1309 seconds)
Published: Tue Feb 15 2022