VLANs are fairly easy to set up in pfSense. But you need to configure the switch to support VLANs as well
I was having that issue with physical networks and switching to vlans. This helped me a lot!
Good to hear this was helpful. Thanks for the feedback
Not using VLAN 1 is great security advice, something I wish I had known before I was setting up my business network, fixing that mistake after the fact was a real pain.
It's from a Best Practice policy I picked up from Cisco
And no network is too small to follow Best Practices
Very competent, complete, and thorough information. Bravo! I also like that you take it slow and carefully explain each step for new users. I've been working in IT since 1993, and wish I would have had such a useful resource when I was getting started.
I came here looking for ideas on why my new vlan was nerfed, but it turns out I forgot to check one of the ports in my switch UI. Doh!
Thank you for the feedback, it is much appreciated
And I'm glad to hear you found the video helpful
But yes, even if you have lots of experience, it is still easy to overlook something
@@TechTutorialsDavidMcKone Did you ever play marbles with the thin-coax resistor caps during downtime in the office? We sure did!
Perfect for VMs. Thank you for sharing this video.
I'm really glad to hear you found it useful
@@TechTutorialsDavidMcKone I hope you don't mind helping me out a bit. I'm attempting to repeat your actions through VirtualBox instead of ESXi. I'm not sure if it would still give the same result? I was unable to successfully provide DHCP IPs to each VLAN.
@@silentbyte33 What is the network adapter in the VM attached to? Because if it's set to NAT, for instance, the default setting, that could be the problem.
@@TechTutorialsDavidMcKone I have it set to Internal Network Only.
@@silentbyte33 It doesn't look like VirtualBox supports VLANs so I would do something similar to what I did in the "How To Install And Configure pfSense Firewall" videos
In that situation I created multiple virtual switches in ESXi and gave the pfSense VM multiple network cards, each connected to a different network
From the firewall's perspective these are the same as physical interfaces so you don't create any VLANs
For VirtualBox these would be different Internal Networks
By default there will be an Internal Network called intnet but you can change that when you place the interface into a different network
So, pfSense could have Adapter 1 connected to one called WAN, Adapter 2 connected to LAN, Adapter 3 connected to IOT, etc
I guess the only problem is you're limited to having only 4 network adapters
But it's then a matter of assigning other VMs to the relevant Internal Network by selecting the name from the drop down menu
Rather than deleting the LAN interface when moving from an existing WAN/LAN setup to WAN/VLANs, I found it easier to set up the VLANs and then to move one of the VLANs over to the LAN interface just by reassigning the LAN interface. No changes had to be made to the DHCP server on the LAN side, including my many DHCP static mappings. Same goes for all of the firewall rules defined on my LAN.
That's a good way to resolve that. Thanks
Hi David, I am following your steps on OPNsense with the same target: move from a flat config to VLANs.
What I noticed is something similar to what you said: the firewall became so unresponsive the moment I touched it with VLANs
So maybe I will reinstall it, or rather reset to factory defaults and then configure with VLANs from the beginning.
However, I have a more complicated config: my OPNsense is on Proxmox. So I have 3 NICs: WAN, LAN and 1 extra - the last one I could use as a management interface.
Question: the "VLAN thingies": should they be configured in OPNsense only or on Proxmox as well? I am getting a bit lost here...
I find it easier to keep the VLAN work within Proxmox
You'll have to configure them there anyway to talk to the physical switch
So add NICs to the VM and give these the relevant VLAN ID there
OPNsense then just sees multiple NICs, same as it would in a physical computer
@@TechTutorialsDavidMcKone Thank you brother. I am going to try this. You can imagine: my only time when I can play with this is... before the family wakes up so I am recently waking up at 4am to play till 7am. ;-)
Can you/is it necessary to re-create the Anti-Lockout rule on VLAN10?
You can re-enable the rule by going to System/Advanced/Admin Access
Clear the option labelled Anti-Lockout and save the changes
But it will only be applied to your LAN interface i.e. the internal interface created when pfSense was built
For me it's too open and I prefer to have more control over access, so I create my own management rule so that I can pick the management interface and restrict access to specific devices
David, Thank you for sharing this video!
Thanks for the feedback. Glad to hear you found this useful
Hi David,
I am preparing to set up my very first pfSense box, it's an old PC box conversion with an Intel quad NIC.
This is the planned setup, on the interface side.
Igb0 - Firewall Admin & Management (Only)
Igb1 - WAN Port
Igb2 - LAN Port
Igb3 - currently unassigned.
What I want to know is: is it possible to configure all initial setup and firewall configuration (doing all admin management) of the pfSense box through my assigned management (admin) port, as opposed to doing it through the LAN port as pfSense mandates?
I know your video above showcases how this can be done by using VLANs. But I am new to all this, and VLANs look very complicated.
Is it possible to do on actual physical ports?
Cheers
If you watch my two part video "How To Install And Configure pfSense Firewall" it covers setting it up with multiple interfaces instead of using VLANs
I did use a virtual machine but the process is the same as for a physical machine
The only challenge is the initial set up because pfSense only allows access from what you pick as the LAN interface at the start
The default rules won't allow access through any other interface
So you could set Igb0 as the LAN interface and change the name afterwards, like I showed, but it is extra work
Or you could set Igb2 as the LAN interface, finish the set up through that interface, then allow access from Igb0 and take it away from Igb2 (LAN)
Personally I remove the anti-lockout rule as it's too open, so I always end up creating a specific management rule anyway, so I would go for that last option
@@TechTutorialsDavidMcKone
I did watch both of them, and am using them as a configuration guide.
I will rewatch them again before I start my setup.
Will share how it goes
VM networking is way above my head
Have you played with bridges on pfsense?
Cheers
Unfortunately not, as I've been involved in networking for such a long time that I avoid bridging. I'll look to post a video on VLANs on switches though in case it helps
Can you do one for multiple WANs?
I tried doing one WAN per VPN and adding a specific VLAN to use one of them, but I've got no idea where I went wrong.
Can you be more specific, as I'm not quite sure what you mean?
The firewall supports trunk links meaning a single interface can be configured to handle multiple VLANs, each represented by a VLAN interface
Each VLAN interface can then be connected to a different WAN e.g. via a router
But the firewall will need to be configured with routing to tell it what networks are available at the end of each WAN
@@TechTutorialsDavidMcKone
I want to add a VPN to each vlan
I've got 2 vlan working but can't figure out how to add VPN to each of them.
I wish they were on these things. I think I missed the access rules, but what was odd is the sporadic communication on one VLAN. Can't seem to figure out how to get it to communicate with a Cisco switch, and no one has posted anything on it, so I guess I'm on my own.
Check out my two part video on setting up VLANs as that might help
If you configure pfSense for instance with multiple VLANs on an interface, the switch port needs to be configured as a trunk
It varies depending on the vendor and even Cisco switches do it differently depending on which department brand you use
In part 1 (ua-cam.com/video/WIC7qExLYS0/v-deo.html) I go over the details and in part 2 (ua-cam.com/video/DAidgB9Vu1s/v-deo.html) I cover some different vendor configurations, beginning with a Cisco business switch which is managed via the GUI
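As an added illustration for the trunk-port replies in this thread and for the "don't use VLAN 1" advice earlier on (this is not code from the video, from pfSense, or from any switch vendor), the following Python models what a switch port does with a frame on ingress: tagged frames on a trunk are accepted only for VLANs allowed on that trunk, untagged frames on a trunk fall into the native VLAN (which on Cisco defaults to VLAN 1), and an access port carries exactly one VLAN. The MAC addresses, port definitions, VLAN IDs (10, 20, native 999) and port names are constructed for the example. It also shows why a VLAN that works in pfSense can still be dead end-to-end if the switch port was never told about it, which is the kind of mistake mentioned above.

```python
"""802.1Q tagging as a switch port sees it (constructed example, not the video's or pfSense's code)."""
import struct

TPID_8021Q = 0x8100      # EtherType value that announces an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800


def _mac(text):
    """'aa:bb:cc:dd:ee:ff' -> 6 raw bytes."""
    return bytes(int(part, 16) for part in text.split(":"))


def build_frame(dst, src, payload, vlan=None, pcp=0, ethertype=ETHERTYPE_IPV4):
    """Build an Ethernet frame; with vlan set, insert a 4-byte 802.1Q tag after the source MAC."""
    if vlan is not None and not 0 <= vlan <= 4094:
        raise ValueError("VLAN ID must be 0..4094")
    head = _mac(dst) + _mac(src)
    if vlan is not None:
        tci = ((pcp & 0x7) << 13) | (vlan & 0xFFF)     # PCP(3) | DEI(1)=0 | VID(12)
        head += struct.pack("!HH", TPID_8021Q, tci)
    return head + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return dst, src, vlan (None if untagged), pcp, ethertype and payload."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    ethertype, = struct.unpack("!H", frame[12:14])
    vlan = pcp = None
    offset = 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan, pcp = tci & 0xFFF, tci >> 13
        offset = 18
    return {"dst": frame[:6], "src": frame[6:12], "vlan": vlan, "pcp": pcp,
            "ethertype": ethertype, "payload": frame[offset:]}


def classify_ingress(frame, port):
    """VLAN a switch assigns to this frame on ingress at `port`, or None if it is dropped.

    port is {"mode": "access", "vlan": N} or
            {"mode": "trunk", "native": N, "allowed": set_of_ids}.
    """
    parsed = parse_frame(frame)
    if port["mode"] == "access":
        # An access port carries one VLAN and expects untagged frames; this model
        # drops tagged frames (the conservative reading of access-port behaviour).
        return port["vlan"] if parsed["vlan"] is None else None
    if port["mode"] == "trunk":
        if parsed["vlan"] is None:
            # Untagged on a trunk goes to the native VLAN (Cisco default: VLAN 1),
            # provided that VLAN is allowed on the trunk.
            native = port["native"]
            return native if native in port["allowed"] else None
        return parsed["vlan"] if parsed["vlan"] in port["allowed"] else None
    raise ValueError("unknown port mode %r" % port["mode"])


def audit_port(name, port):
    """Best-practice findings: VLAN 1 should be neither the native, access nor an allowed VLAN."""
    findings = []
    if port["mode"] == "access" and port["vlan"] == 1:
        findings.append("%s: access VLAN is 1" % name)
    if port["mode"] == "trunk":
        if port["native"] == 1:
            findings.append("%s: native VLAN is 1, so untagged frames land in VLAN 1" % name)
        if 1 in port["allowed"]:
            findings.append("%s: VLAN 1 is allowed on the trunk" % name)
    return findings


def demo():
    """Constructed scenario: pfSense igb0 on a trunk with LAN=10 and IOT=20, native 999."""
    firewall_trunk = {"mode": "trunk", "native": 999, "allowed": {10, 20, 999}}
    default_trunk = {"mode": "trunk", "native": 1, "allowed": set(range(1, 4095))}
    iot_access = {"mode": "access", "vlan": 20}
    pf_mac, host_mac = "00:11:22:33:44:55", "66:77:88:99:aa:bb"   # made-up addresses
    payload = b"\x45" + b"\x00" * 19           # placeholder bytes standing in for an IPv4 header
    tagged_10 = build_frame(host_mac, pf_mac, payload, vlan=10)
    tagged_30 = build_frame(host_mac, pf_mac, payload, vlan=30)   # VLAN the switch was never told about
    untagged = build_frame(host_mac, pf_mac, payload)
    return {
        "tagged_10_on_trunk": classify_ingress(tagged_10, firewall_trunk),       # 10
        "tagged_30_on_trunk": classify_ingress(tagged_30, firewall_trunk),       # None: not allowed
        "untagged_on_trunk": classify_ingress(untagged, firewall_trunk),         # 999: native
        "untagged_on_default_trunk": classify_ingress(untagged, default_trunk),  # 1
        "tagged_10_on_access": classify_ingress(tagged_10, iot_access),          # None
        "untagged_on_access": classify_ingress(untagged, iot_access),            # 20
        "findings_default": audit_port("Gi1/0/1", default_trunk),                # 2 findings
        "findings_firewall": audit_port("Gi1/0/2", firewall_trunk),              # []
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The `tagged_30_on_trunk` case is the one to keep in mind when a pfSense VLAN shows no traffic: the firewall tags the frames correctly, but a trunk that does not list that VLAN ID silently discards them. The `default_trunk` port shows the opposite problem: with native VLAN 1 and every VLAN allowed, anything untagged that reaches the trunk ends up in VLAN 1, which is why the thread's advice is to keep VLAN 1 out of the design entirely.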
Hi sir, I was using the pfSense firewall before with version 2.4.5. After updating to version 2.5.2, I created multiple VLANs and applied the firewall rules, but they cannot access the internet, while the old VLAN is working fine. Please, a solution?
Of course this guy has a donation link. Mark made better tutorials about pfSense on UA-cam and has no donate link because he isn't a dirt bag.
Thanks for the feedback
Could you point out any particular areas you think could be improved or where mistakes were made?
Because I really appreciate constructive criticism so that I can address these in future videos
My goal is to provide information that will help others but also to give me something to refer back to at a later date, so if something is wrong or could be done better, do please point that out
As for the donation links, let me try to clarify
I assume you'll realise that the videos are freely available via the UA-cam platform?
For this channel, I don't make part of a video available and then force a viewer to pay to see the rest of it. Doing so would defeat my main objective of providing free IT information and guidance
Now I do make videos in parts because
A) This channel is not a source of income e.g. at the moment there isn't even any funding from UA-cam and so it is not an occupation for me
B) My main source of income i.e. my day job takes up most of my time, so I have very limited amounts of time to make even a single video for this channel
C) My assumption is people are particularly interested in certain parts of a technology e.g. they might get stuck when trying to do something. So by breaking things down into parts, I hope to make it easier for them to find what they are looking for
D) Similarly, I want to help those just getting started, but a very long video is time consuming and harder to digest, which makes it harder to then understand how things work and can be configured
To be clear, every video I make for this channel will be available on the UA-cam platform for free viewing, but it depends on the time it takes for me to produce them, as well as my own direction of production, as to when they'll be available for viewing
Now whilst I do spend my own money on my own IT training, because it's my career, the goal of this channel is to make what I've been learning freely available to others
So unlike an IT training company for instance, there is no obligation to pay for any of the content or the work that goes into making these videos
Hopefully you'll understand when I say that somebody has to pay for the hardware, software, licensing, etc. which goes into the research, testing, recording and editing of these videos
If the only funding is coming from the content creator themselves, then not surprisingly the options for content coverage on a channel like this and the amount of videos produced are limited, hence the reason why donation links exist
And whilst funding would be beneficial to improve the channel, as long as I have a source of income from a job for instance to fund the channel myself, it should continue at this current rate of production