VLAN Configuration

This section covers how to configure VLANs in pfSense® software.

Console VLAN configuration

VLANs can be configured at the console using the Assign Interfaces function. The following example shows how to configure two VLANs, ID 10 and 20, with igb2 as the parent interface. The VLAN interfaces are assigned as OPT1 and OPT2:

 0) Logout (SSH only)                  9) pfTop
 1) Assign Interfaces                 10) Filter Logs
 2) Set interface(s) IP address       11) Restart GUI
 3) Reset admin account and password  12) PHP shell + pfSense tools
 4) Reset to factory defaults         13) Update from console
 5) Reboot system                     14) Disable Secure Shell (sshd)
 6) Halt system                       15) Restore recent configuration
 7) Ping host                         16) Restart PHP-FPM
 8) Shell

Enter an option: 1

Valid interfaces are:

igb0   00:08:a2:09:95:b5   (up) Intel(R) PRO/1000 Network Connection, Version -
igb1   00:08:a2:09:95:b6   (up) Intel(R) PRO/1000 Network Connection, Version -
igb2   00:08:a2:09:95:b1 (down) Intel(R) PRO/1000 Network Connection, Version -
igb3   00:08:a2:09:95:b2 (down) Intel(R) PRO/1000 Network Connection, Version -
igb4   00:08:a2:09:95:b3 (down) Intel(R) PRO/1000 Network Connection, Version -
igb5   00:08:a2:09:95:b3 (down) Intel(R) PRO/1000 Network Connection, Version -

Do VLANs need to be set up first?
If VLANs will not be used, or only for optional interfaces, it is typical to
say no here and use the webConfigurator to configure VLANs later, if required.

Should VLANs be set up now [y|n]? y

WARNING: all existing VLANs will be cleared if you proceed!

Do you want to proceed [y|n]? y

VLAN Capable interfaces:

igb0    00:08:a2:09:95:b5   (up)
igb1    00:08:a2:09:95:b6   (up)
igb2    00:08:a2:09:95:b1
igb3    00:08:a2:09:95:b2
igb4    00:08:a2:09:95:b3   (up)
igb5    00:08:a2:09:95:b3   (up)

Enter the parent interface name for the new VLAN (or nothing if finished): igb2
Enter the VLAN tag (1-4094): 10

VLAN Capable interfaces:

igb0    00:08:a2:09:95:b5   (up)
igb1    00:08:a2:09:95:b6   (up)
igb2    00:08:a2:09:95:b1
igb3    00:08:a2:09:95:b2
igb4    00:08:a2:09:95:b3   (up)
igb5    00:08:a2:09:95:b3   (up)

Enter the parent interface name for the new VLAN (or nothing if finished): igb2
Enter the VLAN tag (1-4094): 20

VLAN Capable interfaces:

igb0    00:08:a2:09:95:b5   (up)
igb1    00:08:a2:09:95:b6   (up)
igb2    00:08:a2:09:95:b1
igb3    00:08:a2:09:95:b2
igb4    00:08:a2:09:95:b3   (up)
igb5    00:08:a2:09:95:b3   (up)

Enter the parent interface name for the new VLAN (or nothing if finished): <enter>

VLAN interfaces:

igb2.10     VLAN tag 10, parent interface igb2
igb2.20     VLAN tag 20, parent interface igb2

If the names of the interfaces are not known, auto-detection can
be used instead. To use auto-detection, please disconnect all
interfaces before pressing 'a' to begin the process.

Enter the WAN interface name or 'a' for auto-detection
(igb0 igb1 igb2 igb3 igb4 igb5 igb2.10 igb2.20 or a): igb1

Enter the LAN interface name or 'a' for auto-detection
NOTE: this enables full Firewalling/NAT mode.
(igb0 igb2 igb3 igb4 igb5 igb2.10 igb2.20 a or nothing if finished): igb0

Enter the Optional 1 interface name or 'a' for auto-detection
(igb2 igb3 igb4 igb5 igb2.10 igb2.20 a or nothing if finished): igb2.10

Enter the Optional 2 interface name or 'a' for auto-detection
(igb2 igb3 igb4 igb5 igb2.20 a or nothing if finished): igb2.20

Enter the Optional 3 interface name or 'a' for auto-detection
(igb2 igb3 igb4 igb5 a or nothing if finished):<enter>

The interfaces will be assigned as follows:

WAN  -> igb1
LAN  -> igb0
OPT1 -> igb2.10
OPT2 -> igb2.20

Do you want to proceed [y|n]? y

Writing configuration...done.
One moment while the settings are reloading... done!

After a few seconds, the firewall settings will reload and the console menu will reload.

Web interface VLAN configuration

In the system used for this example, WAN and LAN are assigned as igb1 and igb0 respectively. There is also an igb2 interface that will be used as the VLAN parent interface.

To configure VLANs in the firewall GUI:

  • Navigate to Interfaces > Assignments to view the interface list.

  • Click the VLANs tab.

  • Click fa-plus Add to add a new VLAN

  • Configure the VLAN as shown in Figure Edit VLAN.

    Parent Interface:

    The physical interface upon which this VLAN tag will be used. In this case, igb2

    VLAN tag:

    The VLAN ID number, in this case, 10

    VLAN Priority:

    Leave at the default value, blank

    Description:

    Some text to identify the purpose of the VLAN, such as DMZ

    ../_images/vlan-vlan10-edit.png

    Edit VLAN

  • Click Save to return to the VLAN list, which now includes the newly added VLAN 10.

  • Repeat the process to add additional VLANs, such as VLAN 20. These can be seen in Figure VLAN list

    ../_images/vlan-vlan-list.png

    VLAN list

To assign the VLANs to interfaces:

  • Navigate to Interfaces > Assignments

  • Click the Interface Assignments tab

  • Select the VLAN to add from the Available Network Ports list, such as VLAN 10 on igb2 (DMZ)

  • Click fa-plus Add to assign the network port

  • Repeat the last two steps to assign VLAN 20 on igb2 (Phones)

When finished, the interfaces will look like Figure Interfaces list with VLANs

../_images/vlan-interfaces-assign-finished.png

Interfaces list with VLANs

The VLAN-based OPT interfaces behave as any other OPT interfaces do, which means they must be enabled, configured, have firewall rules added, and services like the DHCP Server will need to be configured if needed. See Interface Configuration Basics for more information on configuring optional interfaces.