Setting Up a VLAN in pfSense


I got a reminder today of why my VLAN project will help me out. My 6 year old son had a play date with a friend, whom I’ll call Jake. I left them watching a movie in the attic while I worked around the house, and was very surprised when my wife found me and asked why I had let them surf the web. Here is what had happened:

My son has an old laptop that he uses to ‘write’ in Microsoft Word. Mostly, he writes the word ‘Ninjago’. His friend Jake, however, knows how to google. Jake, as it happens, is also a 6-year-old who is convinced that Bigfoot is real, and apparently took the available laptop and started to google videos about Bigfoot and other ‘cousins of Bigfoot’. I don’t know if there are content filters for cryptozoology, but there will be when this project is done.

The Design

As I said before, it’s key to make a good design. Here is what I’m planning, though this might be taking it a bit too far.

Image of proposed network design
Tentative Network design

As I experimented, I think I figured out how to best do this with UniFi and pfSense.

What We Will Need

A working VLAN will need the following:

  • An SSID mapped to the VLAN, so wireless clients land on it (simpler than assigning switch ports for now)
  • A tagged path for the VLAN through every switch port between pfSense and the access point
  • DHCP on the VLAN so clients get IP addresses
  • A firewall rule letting traffic out of the new interface, since pfSense blocks everything on a new interface by default
  • Routing (and outbound NAT) to the internet

pfSense Setup

We’re going to set up our IOT VLAN now. It will be VLAN 2.

Interfaces

First, we navigate to Interfaces-> Assignments -> VLANs

pfSense VLAN Screen

Click ‘Add’ and fill in the VLAN. Pick the parent interface (the physical NIC your LAN runs on), enter the VLAN tag (2, in my case) and a description; the priority field can stay at its default.

pfSense VLAN Setup Detail

Once you’ve done that, you’ll create a new interface on your LAN that combines your LAN adapter and the VLAN tag. This is basically like a new NIC on your server:

pfSense Interface Assignments

Just click the ‘Add’ button next to the new VLAN interface. Once it has been added, edit it: tick ‘Enable’, give it a name (IOTVLAN), set the IPv4 configuration type to Static and enter the address (192.168.2.1 in my case). The mask defaults to /32, but you’ll want /24.

Interface Details

Then you set up DHCP for the new interface. Go to Services -> DHCP Server; there is now a tab for IOTVLAN.

pfSense DHCP VLAN Setup

You’ll want a pretty standard DHCP setup here:

  1. Check the ‘Enable’ check box;
  2. Pick a range; I normally use .100 to .200, so 192.168.2.100 to 192.168.2.200;
  3. Set the DNS server and gateway to the interface IP address, in my case 192.168.2.1. The gateway field defaults to the interface address if left blank, but because I run BIND rather than the built-in resolver, the DNS server does need to be filled in (a blank DNS field falls back to the servers on the General Setup page);
  4. Click Save.

pfSense DHCP Settings

DNS

Now that you have a working DHCP server, you need to tell your DNS server to listen on that interface too, so head to Services -> BIND DNS Server, control-click to add IOTVLAN to the selected interfaces, and save. (If you use pfSense’s built-in resolver instead, the equivalent setting is Services -> DNS Resolver -> Network Interfaces, which defaults to all interfaces.)

pfSense DNS VLAN Setup

Firewall

The last thing to do on pfSense is to let traffic out of the new interface. pfSense blocks everything on a freshly created interface by default (only DHCP to the firewall itself is let through automatically once the DHCP server is enabled on it), so until you add a pass rule, clients on the VLAN will get an address but go nowhere. Go to Firewall -> Rules; you’ll see you now have a tab for IOTVLAN:

pfSense VLAN Firewall Rules

Your rule will need to look pretty basic: pass, any protocol, source ‘IOTVLAN net’, destination any:

pfSense Firewall Allow All Rule

At this point, we have an interface listening on VLAN 2, handing out IP addresses, and passing traffic. Note that a pass-any rule also routes between your VLANs: nothing yet stops an IOT client from reaching the LAN. Isolation comes from a block rule (source ‘IOTVLAN net’, destination ‘LAN net’) placed above the allow rule, because pfSense applies the first rule on the tab that matches.

I have found that the outbound NAT rules are not always populated for a new interface. If clients on the VLAN get an address but can’t reach the internet, check Firewall -> NAT -> Outbound for a rule that translates 192.168.2.0/24 out of WAN. Toggling the mode from Automatic to Manual and back regenerated it for me; in Manual mode you have to add the rule yourself.
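To make the ordering point concrete, here is the allow-all rule from the Firewall section beside an isolating rule set for the same interface. This is an added example, not code from the post: a small simulation of how pfSense evaluates the rules on an interface tab (top to bottom, first match wins, anything unmatched hits the default deny). The post only names 192.168.2.1 for the IOT interface, so the main LAN being 192.168.1.0/24 is an assumption, and `Rule`, `evaluate` and the sample packets are constructed for the example.

```python
"""Simulate pfSense per-interface rule evaluation: first match wins.

Added example, not code from the original post. Addresses other than
192.168.2.1 (the IOT interface address named in the post) are assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

IOT_NET = ipaddress.ip_network("192.168.2.0/24")   # "IOTVLAN net" (from the post)
LAN_NET = ipaddress.ip_network("192.168.1.0/24")   # assumed main LAN
FW_IOT = ipaddress.ip_network("192.168.2.1/32")    # pfSense address on the VLAN
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    action: str                  # "pass" or "block"
    proto: str                   # "any", "tcp", "udp" or "icmp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]         # None matches any destination port
    descr: str

    def matches(self, proto: str, src: ipaddress.IPv4Address,
                dst: ipaddress.IPv4Address, dport: Optional[int]) -> bool:
        if self.proto != "any" and self.proto != proto:
            return False
        if src not in self.src or dst not in self.dst:
            return False
        if self.dport is not None and self.dport != dport:
            return False
        return True


def evaluate(rules, proto: str, src: str, dst: str,
             dport: Optional[int] = None) -> Tuple[str, str]:
    """Return (action, description) of the first matching rule, else default deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if rule.matches(proto, s, d, dport):
            return rule.action, rule.descr
    return "block", "default deny (no rule matched)"


# The single rule the post creates: it works, but also lets IOT reach the LAN.
ALLOW_ALL = [
    Rule("pass", "any", IOT_NET, ANY, None, "IOTVLAN allow all"),
]

# An isolating rule set for the same interface. pfSense adds hidden pass rules
# for DHCP when the DHCP server is enabled on an interface, so DHCP is not
# listed. The GUI alias "This Firewall" matches every pfSense address; it is
# modelled here as the VLAN interface address only.
ISOLATED = [
    Rule("pass",  "udp", IOT_NET, FW_IOT,  53,   "DNS to pfSense (UDP)"),
    Rule("pass",  "tcp", IOT_NET, FW_IOT,  53,   "DNS to pfSense (TCP)"),
    Rule("block", "any", IOT_NET, FW_IOT,  None, "no GUI/SSH access to pfSense"),
    Rule("block", "any", IOT_NET, LAN_NET, None, "isolate IOT from LAN"),
    Rule("pass",  "any", IOT_NET, ANY,     None, "everything else (internet)"),
]


if __name__ == "__main__":
    # Constructed sample packets: (proto, src, dst, dport)
    probes = [
        ("tcp", "192.168.2.150", "192.168.1.10", 445),   # IOT -> LAN file share
        ("tcp", "192.168.2.150", "93.184.216.34", 443),  # IOT -> internet
        ("udp", "192.168.2.150", "192.168.2.1", 53),     # IOT -> pfSense DNS
        ("tcp", "192.168.2.150", "192.168.2.1", 443),    # IOT -> pfSense webGUI
    ]
    for name, rules in (("allow-all", ALLOW_ALL), ("isolated", ISOLATED)):
        for proto, src, dst, dport in probes:
            action, why = evaluate(rules, proto, src, dst, dport)
            print(f"{name:9} {proto} {src} -> {dst}:{dport}  {action:5} ({why})")
```

The order of the list is the whole point: move the ‘isolate IOT from LAN’ block below the trailing pass and it never fires, because the pass already matched. Rules on the IOTVLAN tab only govern traffic arriving on that interface; traffic from the LAN towards IOT is decided on the LAN tab. If you have more than one internal network, a single block to the RFC1918 ranges is easier to maintain than one block per LAN.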

UniFi

Setting up UniFi takes three steps: create the VLAN network, attach it to an SSID, and, if you use port profiles, make sure they carry it.

Add a VLAN

First, let’s add our VLAN 2.

  1. Go to Settings -> Networks and click ‘ + Create New Network’;
  2. Set it to ‘VLAN Only’ and enter your VLAN number (2);
  3. Click Save;
UniFi Add VLAN

Then, we just need to associate an SSID with the VLAN. In this case I have an SSID called ‘IOT’ (I assume you have one already), so edit your wireless network:

  1. In the ‘advanced settings’, check ‘Use VLAN’ and enter ‘2’.
  2. Click ‘Save’

UniFi Wireless Network VLAN Setup

Now you ought to be able to connect a client to that SSID and have it receive an address on VLAN 2 (192.168.2.100 to .200, with gateway and DNS 192.168.2.1). It should also be able to browse the internet and behave like a regular client. If it ends up with a self-assigned 169.254.x.x address instead, the tagged frames are not reaching pfSense, which usually means a switch port in between isn’t carrying the VLAN.

I had one other issue because I had set up port profiles: I had to add the VLAN explicitly to my profile so that all ports using that profile would pass it. Every switch port on the path from pfSense to the access point needs VLAN 2 as a tagged network, or the AP’s tagged frames are dropped before they reach the firewall.

UniFi Port Profiles VLANs

Conclusion

Now I think I have a good understanding of what it takes to set up a VLAN network that can isolate traffic from one set of clients. Ultimately, I’ll set up a SquidGuard content filter on the kids’ network.

What I’m listening to as I do this:

Professor Longhair’s Rock and Roll Gumbo. I heard this back in like 1999 when I heard the Big Easy Soundtrack, and had never heard New Orleans Blues before. I remember listening to it as I rode Amtrak north from DC to visit college friends. Great piano and uptempo blues songs, plus he has a great voice.