On pfSense, you can create VLANs to run several subnets over the same network link (the same physical network interface).
Important: to use the VLANs configured on pfSense, the physical switch to which your pfSense firewall and your servers and/or computers are connected must be configured correctly.
For this tutorial, we used the VMware ESXi hypervisor, which allows you to create switches where you can configure certain ports for a specific VLAN and other ports in trunk mode (= accept all VLAN IDs).
You will see how to configure this in this tutorial.
If you installed pfSense on a physical machine, you will need to configure the physical switch where you will use the VLANs.
But in the case of VMware ESXi, you will need to create a new Virtual Standard Switch (vSS) by going to: Networking -> Virtual switches.
Next, click: Add standard virtual switch.
Note: just for information, our pfSense virtual machine is connected to the 2 switches below via the port groups:
Name your new standard virtual switch: pfSense VLANs Switch.
The new pfSense VLANs vSwitch virtual switch has been created.
Now that your standard virtual switch has been created, you need to create ports on it.
To do this, in the "Port groups" tab, click on: Add port group.
For the 1st port group to create, configure these settings:
Note: in the case of installing pfSense on a physical machine, you will need to configure a port of your switch in trunk mode.
You will then connect the physical interface of your pfSense machine dedicated to VLANs to this port.
Source: VLAN Configuration - VMware Docs.
Your "pfSense VLANs Trunk" port group has been created.
Click again: Add port group.
In this tutorial, we will create 2 VLANs on pfSense: VLAN 10 and VLAN 20.
Create a port group for VLAN 10:
Note: in the case of a physical switch, you will need to configure the desired ports with the desired VLAN ID.
In this case, the VLAN ID: 10.
Warning: the VLAN ID must be between 1 and 4094 (inclusive).
Again, create a new port group for the other VLAN.
For this tutorial, we therefore have 3 groups of ports for managing VLANs on pfSense:
If you click on the name of the virtual standard switch (vSS) created, you will see that it has 3 port groups:
For VLAN management, we will add an additional network interface to our "pfSense-CE-2.6.0 x64" virtual machine.
Click: Add network adapter.
Connect this new network adapter to the "pfSense VLANs Trunk" port group and click: Save.
Next, start your pfSense machine.
When you create subnets using VLANs, they must not be part of a subnet that is already used by pfSense.
In our case, we were already using the subnets "192.168.1.x" (CIDR: 24) and "10.x.x.x" (CIDR: 8), as you can see on the pfSense console visible above.
However, for this tutorial, we want to create the "10.10.0.x" and "10.20.0.x" subnets, which would conflict with the "10.x.x.x" network used on our LAN interface.
So we will first modify our LAN interface to change its subnet.
To do this, go to: Interfaces -> LAN.
The "Interfaces / LAN" page appears.
As you can see, in our case the IP address of this LAN interface is set statically (IPv4 Configuration Type: Static IPv4), which should also be the case for you.
In the "Static IPv4 Configuration" section, you will see the pfSense IP address for this LAN interface, as well as the subnet mask used in CIDR format.
Currently, the subnet mask in CIDR format is "8", which corresponds to the subnet mask "255.0.0.0".
The subnet currently used is therefore: 10.x.x.x.
To avoid conflicts with the VLANs we will create later, we changed this subnet mask to "24", which corresponds to the subnet mask "255.255.255.0".
The subnet that will be used will therefore be: 10.0.0.x.
At the bottom of the page, click on: Save.
Then, at the top of the page, click: Apply Changes.
The changes have been applied.
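The subnet conflict described above can be checked on paper before changing any interface. The following is an added example, not part of the original tutorial: the interface name "WAN", the /24 prefix assumed for the two VLAN subnets and the function name check_plan are assumptions.

```python
import ipaddress

# Values taken from the tutorial. The name "WAN" and the /24 prefix of the
# two VLAN subnets are assumptions (the page writes them as 10.10.0.x / 10.20.0.x).
BEFORE = {"WAN": "192.168.1.0/24", "LAN": "10.0.0.0/8"}   # LAN with CIDR 8
AFTER = {"WAN": "192.168.1.0/24", "LAN": "10.0.0.0/24"}   # LAN changed to CIDR 24
PLANNED_VLANS = [(10, "10.10.0.0/24"), (20, "10.20.0.0/24")]


def check_plan(existing, vlans):
    """Return a list of problems; an empty list means the plan has no conflict."""
    problems = []
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in existing.items()}
    seen_ids = set()
    for vlan_id, cidr in vlans:
        # The tutorial states that a VLAN ID must be between 1 and 4094 inclusive.
        if not 1 <= vlan_id <= 4094:
            problems.append(f"VLAN ID {vlan_id} is outside 1-4094")
        if vlan_id in seen_ids:
            problems.append(f"VLAN ID {vlan_id} is used twice")
        seen_ids.add(vlan_id)
        net = ipaddress.ip_network(cidr)
        # Compare against every interface subnet and every VLAN accepted so far.
        for name, other in nets.items():
            if net.overlaps(other):
                problems.append(f"VLAN {vlan_id} ({net}) overlaps {name} ({other})")
        nets[f"VLAN{vlan_id}"] = net
    return problems


if __name__ == "__main__":
    for label, existing in (("LAN as /8", BEFORE), ("LAN as /24", AFTER)):
        issues = check_plan(existing, PLANNED_VLANS)
        print(label, "->", issues or "no conflict")
```

With the LAN left at CIDR 8, both planned VLAN subnets are reported as overlapping the LAN; after the change to CIDR 24 the list is empty.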
® InformatiWeb-Pro.net - InformatiWeb.net 2008-2022 - © Lionel Eppe - All rights reserved.