How To Setup VLANS With pfsense & UniFI. Also how to build for firewall rules for VLANS in pfsense

Captions
pfSense and VLANs, so they seem like something that may be daunting at first or a little bit confusing, but VLANs are really simple once you start looking at them from this perspective. The physical layer of the network is your LAN that you're probably used to if you start with basic networking in a home. Once you get to more commercial class networking you're gonna see VLANs, and what they are is a logical grouping of networks regardless of their physical setup. This connection right here represents all traffic, VLANs and LAN traffic, coming out of the pfSense. It's one physical network cable that would plug into what they may refer to as the trunk port on the switch, so you let all the VLAN traffic in there. Encapsulated within that traffic though we have other VLANs, and I'm gonna use the example of VLAN 69 here, and we're going to walk you through creating another VLAN. This one happens to already exist on my network, then I'm actually gonna walk through step by step how you create them and how you separate them from the rest of your network on pfSense. So when the traffic comes in here in yellow and we have it all set, it will push all the VLANs out of the ports, so the input here, and we're going to use this port as the example of coming out "all", and then the encapsulation part is when you switch to a specific VLAN on a port, it filters that port and only that network comes through on that port. So for example all ports come in here, so all VLAN traffic, and then we segregate out VLAN 69 to this port here. That means this computer becomes on this 172 network. Now there's a default LAN, and then everything else that is sub under that is a VLAN, and we're gonna get to exactly how this works inside pfSense, but this is gonna give you an overview and we will come back to this because hopefully it'll make a little more sense, because we're also gonna set up an SSID for the Internet of insecure things. So that's a common reason people want to do this, under a network, let's have it set up so their wireless devices go on a separate network than their other devices, these IoT devices, and they can be a little scary and not get updated. So you actually tag each port and decide what you want to have on those ports. Now you can have lots of different VLANs, we just have two in this example, but we'll show you how to create one more, and like I said we'll come back and readdress this.

So let's get into the actual creation of these. So you see the interface list here, we have the LAN, LAN2, OPT and VLAN 69. This is the VLAN and here's the VLAN 69, so we're gonna show you how I create that. So we're gonna go ahead and add another one, we're gonna have a VLAN ID of 50. Now just so you know, the VLAN tags you can do up to 4094 from here, so you just have to keep them consistent, so you choose a number and a description for them. We're not gonna worry about and talk about VLAN priority right now, but we will name this, and this is our IOT VLAN, or as we call it actually, the Internet of insecure things, because we want it to be a separate network. So there's a description, there's the VLAN tag 50, hit save. Now we have the VLAN tag but we haven't assigned it to an interface yet, so step 2, assign an interface to it. So we're gonna go Interfaces, Assignments, then we pull down here and we're choosing the new one we created, VLAN 50 on LAN, and we're gonna go ahead and click Add. Device has been added, now we're gonna click Save. Now please note this says VLAN 69 on LAN and VLAN 50 on LAN. LAN is one physical port, but now we have three networks: the LAN network is our first, then we have VLAN 69, then we have VLAN Internet of insecure things. We go over here to VLAN just so you notice, when I was doing this you can choose which port it was on, so I have multiple network cards on there, you can create VLANs on any particular one, but we want them on LAN because that's physically the port that it is plugged into, and then from inside of LAN this is where we're creating the logical networks or the VLANs.

So now we can go over here, and it was actually called OPT4. So if we go here to Interfaces, Assignments you can see that it's called OPT4. We can just click on this and we'll just call it IOT to make it simple, and we're gonna enable the interface, and I'm gonna go down here and choose the IPv4 configuration as static, 192.168.50.1, and you can pick this, this is going to be a /24 network but there's other options in here. I'm just making it pretty straightforward and simple with 192.168.50.1/24, so this will become the default gateway for this network. Then we're gonna go ahead and hit save and we'll go ahead and apply it. All right, so now we have our LAN and we've created this IOT network and it's going to be in the 192.168.50.1 range. Pretty straightforward, all this so far is all done right inside of pfSense. We're also going to go ahead and do this, we're gonna go ahead and do the Services, DHCP Server, and you notice we have multiple DHCP servers, for each network interface you add you get another listing over here. So the name was there, now we have this one, IOT. pfSense does this automatically when you create these networks, so we're gonna go ahead and just enable DHCP and we'll set a pool range, so there's a hundred IP addresses that can be gotten, and you can override certain things in here if you want and create specific rules if you want your IOT devices to work differently, but we're gonna leave everything at default assuming they just want to get out to the Internet. And now that VLAN has its own DHCP server. Now things plugged into LAN do not get this assigned to them because the default one is LAN, so by default if you plug something in it's just going to pull whatever comes out of the LAN side over here, versus this IOT. When we created VLAN 69, VLANs block broadcasts, so they block the broadcast from the LAN to the VLAN 69 to the IOT, so each one, this is what keeps them as a logical network. It doesn't just broadcast to all of them, it breaks it out and only broadcasts in each individual VLAN and LAN to keep all this separate.

Now let's talk about how the system works. This is the easy part really, because pfSense is pretty straightforward, it only takes a few clicks. We've now created it, the only other thing we need is a firewall rule, and the way the firewall works in pfSense is each new thing you add gets more rules. Now we have to first have a rule to allow traffic, so right here's an all traffic rule and we'll go ahead and create one over here. Right now things can be on it but they can't route because there's nothing in here, so we're gonna go ahead and add: protocol any, source IOT net, it can go anywhere, allow all, save, apply. We've got a wide-open rule that allows anything on this network to get out, so pretty straightforward, but you don't want it to do everything, you want some things blocked. So what we do here, we add another rule: destination LAN net, block, protocol, make sure you change it to any, you want all the protocols blocked, block LAN. Now I have more than one network on here, I'll apply changes. So this blocks access to LAN but then allows everything under here. This is the way the rule sets read. It's easier to demo as I have a machine already tied to, not the IOT, but VLAN 69. I have a system over here and I'll show you how that works real quick. So this machine down here is at 172.16.69.12, it's on the VLAN 69 network, and you can see we have a couple rules here. First, this is our allow all rule, this is our drop traffic to LAN rule and this is our drop traffic to LAN2 rule. So what I'm gonna do is turn these rules off first, and when you click them and I apply, you see how they're grayed out, that's turning the rules off. That will allow me to ping different devices, so if I go to ping 192.168.3.9 which is my computer, no problem, I can ping it. I can also ping 2.5, and I can also get out to the Internet, so I can ping Google, I can ping you know anything out here, that network's wide open. Now we're gonna take these two rules and re-enable them, so I can still ping Google but it fails to ping the 2 network and I can't ping my computer on the 3 network anymore. So that's as simple as you need to go for blocking it.

These two rules up here are block outside DNS. Now this is something you may want to do, and what I did here was, you go here, you block protocol UDP, set it to block 53, and it's any, do not allow it to go anywhere for DNS. So we have this as the block rule, then up here above, first it blocks everything, then we do have one rule that says destination VLAN 69 can go here. Now what that does is block outside DNS servers and force the pfSense, because by default pfSense has DNS turned on, so unless you change it, that is the default, and the gateway will respond as a DNS server and the gateway also is the default DNS server in DHCP, so unless you've overridden those options, that is the default. So this will lock them down from using external DNS servers, so it's another testing method you can do to make sure things are where they belong. Now this covers the basics of getting the network set up. So we have this rule here, this will block the traffic, and we're gonna duplicate the rule for LAN2, so we have LAN net blocked, LAN2 net blocked for IOT. So as long as the destination isn't either one of these it can get out to the Internet. So pretty straightforward here for keeping things you know locked down, and I have IPv6 turned off on mine, so that's not really an issue, but you can create these same rules for IPv6.

Now that that's taken care of, now we've got to talk about how we configure the switches themselves, and that's why I happen to have a UniFi switch to use with this demo, but the concept works the same, you'll just have to learn it for each individual switch. So here we are inside of the network settings in UniFi, and I like the way UniFi handles this. This is their UniFi product line and a UniFi switch, they make it easy because when you create a new network, and we're gonna go ahead and create a VLAN, so we choose VLAN, we'll call it IOT insecure as the name, but here's where we have to match the VLAN ID. So we're gonna go over here, Interfaces, Assignments, VLAN 50, we look at the VLAN, we see that the VLAN tag is 50, so we put that here. Now UniFi likes a friendly name so you can use this name description, but the tag ID is the important part, make sure that's on there. So we'll leave everything else at defaults, put VLAN tag at 50, hit save, and that's it, now we've created this VLAN, now we have VLAN 50. Now the way UniFi works, all the switches on the network, which I only have one, get provisioned out with that VLAN. So now we're gonna open up this switch, and I like to pop it out, make it a little easier to see, and now we'll talk about how these ports work. So here's the uplink port, which mirrors what's over here, so we have that's an uplink port to pfSense, one physical cable but now three logical networks, and we have it set to all, and we have this one over here set to VLAN 69. So here's your all uplink to pfSense and here's VLAN 69, it's actually going to the studio, nothing's plugged into it at the very moment, this particular one. So here's the VLAN 69 traffic, here's the other traffic marked to all, and the way you change what port that's on, there's our IOT insecure network we just created, I click apply and now everything out of that port becomes part of the IOT insecure. So it comes in here but this particular physical port, which is port number two on the switch, is now locked down to only receive that traffic. Now you can also do things like this, you can say LAN, so LAN is like the default network, so you can say only see LAN and strip out the VLANs, or you can say all, and we talked about this with all being needed. Jump back over here to this, because if we wanted to jump over to another switch, I only have one switch but this is the graph for the demo, if all comes in here and we have all out of here it can then carry on and do the same thing in each individual switch. Cisco has their virtual trunking protocol so it's slightly different, but the concept's the same. Once you tag VLAN ID, and we have VLAN tag 69 and then we have VLAN tag 50, we push them out, these ports become this only VLAN. So it all came in here but it's filtered down to only this port, or when we switched it to VLAN 10, this actually started being in 50, this changes to that and then this becomes the 192.168.50 network, 50/24, because if we move this over to VLAN 50 it filters it forward, that traffic. Now you can't escape the VLANs because the switch blocks them, so you can't just change the IP address over here on this computer and force different VLAN traffic, because it strips out all the VLAN traffic down to that, and that's an important way VLANs are set up for security, and ideally you can have one physical switch. Now the other advantage of VLANs is you may have an entire, we deal with like a school district, they have a whole bunch of switches, and they have a VLAN so any port can be one of the camera ports, because they have a VLAN just for cameras for example, and so in any switch in the building we just group off a group of ports and those become the camera ports, but they run encapsulated along with all the other traffic, but it keeps the cameras separate from the other networks.

Now let's talk a little bit about how Wi-Fi gets pushed, because this is usually where you're doing it, and I'm gonna use the UniFi example because we have them in here, and how you create an extra network on UniFi for this. So the same concepts, and this over here, we're gonna go over to the ports again, LTS hallway Wi-Fi, we have a UniFi access point plugged into port 8. Yes I know it's only 100 meg, it's an older Wi-Fi but it works for our purposes, it's not a gigabit one, that's why it's orange. But we have all the traffic trunked, so all the traffic on this one and all the traffic on this one, and we also have all the traffic on a couple other things because I have VLANs inside of my Xen servers, and you can get into detail on my lab video which I'll leave a link to. So how do you push the IOT network just to this? Well it's really easy with UniFi as well, and pfSense. So we have the VLAN tag 50 here, we go over here, Settings, Wireless Networks, now you can just edit this one, I already created it, you just go in here, the Advanced. So here's your wireless network setup for UniFi, and this is gonna vary for each manufacturer you're using, but UniFi, it's really easy, I just check this box to use a VLAN, I choose 50 and hit save, that's it. So this is tied to LAN because there's nothing in it by default, if you don't put an IP address in there it doesn't go anywhere, so this one's tied to 50, which means all the data comes through, and to jump over to my graph here real quick, all the VLANs come through here and then all of them are allowed to come out of here and they land into here and we can separate that out, and now this SSID can be set for it. Now not every wireless device supports that. If you're running a wireless device that does not support that but you still want to do this, well then you're gonna need two of them, because you'll have to have one for one network and one for the other network. But as long as you have a smart switch that's capable of filtering out VLAN traffic you would actually bring it down, so if you had a really basic router slash Wi-Fi unit or access point that doesn't have VLAN support but you have a switch that does, you can filter out and say okay, filter this port to be VLAN 69, and the dumb device behind it, because it's already filtered to only that network, it creates that lockdown network.

So hopefully this was helpful for figuring out VLANs in pfSense. They're pretty straightforward to create, not too difficult once you have the concept that it's just a breakup of a physical network down into logical networks underneath it, which is why you choose which interface that encapsulation occurs on. So hopefully this was helpful, if I didn't explain it well enough or if there's something I missed, message me on our message board or leave some comments below and I'll try my best to answer all your questions, and hopefully this is helpful and gets you started with VLANs and pfSense. Thanks for watching, like and subscribe.
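As an added illustration (not from the video and not pfSense code), this Python script models pfSense's top-to-bottom, first-match evaluation for the IoT interface rule set the video builds: allow all, block LAN net, block LAN2 net, block outside UDP/53 with the gateway as the only permitted DNS server. The LAN and LAN2 subnets, the IoT client address, and the exact rule order (gateway DNS exception placed above the UDP/53 block) are assumptions.

```python
"""First-match simulation of the IoT VLAN rules above (added example, not pfSense
code). Assumed: LAN 192.168.3.0/24, LAN2 192.168.2.0/24, IoT 192.168.50.0/24."""
import ipaddress
from dataclasses import dataclass

LAN_NET = ipaddress.ip_network("192.168.3.0/24")      # assumed
LAN2_NET = ipaddress.ip_network("192.168.2.0/24")     # assumed
IOT_NET = ipaddress.ip_network("192.168.50.0/24")     # VLAN 50, from the video
IOT_ADDRESS = ipaddress.ip_network("192.168.50.1/32")  # gateway, "IOT address"
ANY = ipaddress.ip_network("0.0.0.0/0")

@dataclass(frozen=True)
class Rule:
    action: str    # "pass" or "block"
    proto: str     # "any", "udp", "tcp", "icmp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: int = 0  # 0 matches any destination port

    def matches(self, proto, src, dst, dport):
        return ((self.proto == "any" or self.proto == proto)
                and ipaddress.ip_address(src) in self.src
                and ipaddress.ip_address(dst) in self.dst
                and (self.dport == 0 or self.dport == dport))

# pfSense evaluates interface rules top to bottom, first match wins, and unmatched
# traffic hits the implicit default deny, so the order of these rules is the control.
IOT_RULES = [
    Rule("pass", "udp", IOT_NET, IOT_ADDRESS, 53),  # DNS to the gateway only
    Rule("block", "udp", IOT_NET, ANY, 53),         # block outside DNS
    Rule("block", "any", IOT_NET, LAN_NET),         # block LAN net
    Rule("block", "any", IOT_NET, LAN2_NET),        # block LAN2 net
    Rule("pass", "any", IOT_NET, ANY),              # everything else (Internet)
]

def evaluate(rules, proto, src, dst, dport=0):
    # Action of the first matching rule, or "block" (default deny)
    for rule in rules:
        if rule.matches(proto, src, dst, dport):
            return rule.action
    return "block"

def check_isolation(rules, iot_host="192.168.50.20"):  # constructed IoT client
    """Probe what the video tests with ping: LAN hosts, outside DNS, Internet."""
    return {
        "lan_host": evaluate(rules, "icmp", iot_host, "192.168.3.9"),
        "lan2_host": evaluate(rules, "icmp", iot_host, "192.168.2.5"),
        "outside_dns": evaluate(rules, "udp", iot_host, "8.8.8.8", 53),
        "gateway_dns": evaluate(rules, "udp", iot_host, "192.168.50.1", 53),
        "internet": evaluate(rules, "icmp", iot_host, "8.8.8.8"),
    }
```

Moving the allow-all rule to the top (`IOT_RULES[-1:] + IOT_RULES[:-1]`) makes `check_isolation` report LAN hosts as reachable, which is the ordering mistake first-match evaluation punishes. Note also that the video's UDP-only rule leaves TCP port 53 to outside servers matched by the final allow rule.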
Info
Channel: Lawrence Systems
Views: 336,304
Keywords: VLANS, vlan, trunk, how-to, vlan tagging, vlan configuration, unifi, ubiquiti, switch vlan, vlan switch, vlan port, port vlan, configure vlan, how to configure vlan, switch vlans, setup a vlan, vlan setup, configure vlans, set vlan, config vlan, vlan config, setup vlans, vlan interface, vlan routing, virtual networks, pfsense, freebsd firewall
Id: b2w1Ywt081o
Length: 18min 37sec (1117 seconds)
Published: Mon Dec 18 2017