One point about the VLAN subnet. You said to use private addresses. While that's likely true for IPv4, with IPv6 you may very well have public addresses you can use. For example, I get a /56 prefix from my ISP. This gives me up to 256 /64 prefixes, any of which can be used for any LAN or VLAN interface. In addition, it's possible to use private addresses too. On IPv6, they're called Unique Local Addresses (ULA), which can be used in the same manner as RFC1918 addresses on IPv4. Also, there are some situations where you want to be able to access one subnet from another. For example, my main LAN can access anything on my guest WiFi VLAN, but not the other way around.
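Added example to go with the comment above (it is not code from the video or from pfSense): a short Python address-planning helper that carves a delegated /56 into the 256 /64 interface prefixes the comment counts, assigns one per VLAN id, and labels candidate addresses as RFC 1918, IPv6 ULA, link-local or global. The prefix 2001:db8:abcd::/56 is the IPv6 documentation range standing in for whatever an ISP really delegates, and the 192.168.<id>.0/24 IPv4 convention is an assumption made for the example.

```python
"""VLAN address planning for IPv4 and IPv6 (added example, not from the video).

Carves a delegated IPv6 prefix into /64 interface prefixes (256 of them
for a /56), picks one per VLAN id, and labels candidate addresses as
RFC 1918, IPv6 ULA, link-local or global unicast. 2001:db8:abcd::/56 is
the documentation range, a stand-in for a real ISP delegation.
"""
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ULA = ipaddress.ip_network("fc00::/7")   # Unique Local Addresses, RFC 4193


def interface_prefixes(delegated, new_prefix=64):
    """All /new_prefix networks inside the delegated prefix (256 for /56 -> /64)."""
    net = ipaddress.ip_network(delegated, strict=True)
    if net.version != 6 or new_prefix < net.prefixlen:
        raise ValueError(f"cannot split {delegated} into /{new_prefix}")
    return list(net.subnets(new_prefix=new_prefix))


def vlan_prefix(delegated, vlan_id, new_prefix=64):
    """Map a VLAN id to a /64 by index, so VLAN 50 gets the 50th (0x32) subnet.

    Raises if the id does not fit; a /56 only has room for ids 0-255.
    """
    subnets = interface_prefixes(delegated, new_prefix)
    if not 0 <= vlan_id < len(subnets):
        raise ValueError(f"VLAN {vlan_id} does not fit in {delegated}")
    return subnets[vlan_id]


def classify(addr):
    """Label an address the way the comment contrasts them."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        return "rfc1918" if any(ip in n for n in RFC1918) else "public"
    if ip in ULA:
        return "ula"
    if ip.is_link_local:
        return "link-local"
    return "gua"   # globally routable IPv6, e.g. out of the ISP's /56


def plan(delegated, vlans):
    """Dual-stack layout {vlan_id: (ipv4_subnet, ipv6_prefix)}.

    Uses 192.168.<id>.0/24 for IPv4; that numbering is an assumption made
    for this example, not something the comment or the video prescribes.
    """
    return {
        vid: (ipaddress.ip_network(f"192.168.{vid}.0/24"),
              vlan_prefix(delegated, vid))
        for vid in vlans
    }


if __name__ == "__main__":
    for vid, (v4, v6) in plan("2001:db8:abcd::/56", [10, 50]).items():
        print(f"VLAN {vid}: {v4} ({classify(str(v4[1]))}) / {v6} ({classify(str(v6[1]))})")
```

The guest VLAN in the video can therefore have a ULA or RFC 1918 prefix, or a GUA /64 out of the delegated block; the firewall rule that isolates it has to cover whichever of those you actually use.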
How do I put my Linux machine in a VLAN? Please, I need to know, I have to present work in college on Monday.
Perfect explanation of VLANs! I use aliases on my server and IoT VLANs so that I have to provide an IP in the alias to allow it to have access to anything. That way, if anything happens and someone gets access to my Proxmox server or anything on it, just any DHCP address cannot get out to the internet. I also use Pi-hole for all of my VLANs except the server VLAN, so that a lot of traffic is blocked on the other networks, and especially the IoT VLAN.
I just bought a managed switch for my setup. Thanks for the well timed tutorial!
Thanks for the videos! You're one of the few YouTubers in this space that has a personality, and you're very entertaining to watch. Even if I've seen some LSU stuff in some of your videos, you're not that bad ;)
Haha thanks! Geaux tigers 😜
This VLAN walk-through is awesome. I appreciate all the insight and your teaching method.
Very good tutorial. Concise, no fluff, straight to the point. Well done.
Thanks for the walkthrough, wonderfully explained!
Am I correct in assuming that without a managed switch, this setup is not feasible?
My current setup involves pfSense and a primitive, ISP-provided wireless AP, among other things. This AP probably cannot differentiate between one or more VLANs...
Took me a while to figure out VLANs, but this one video ticks all the boxes for me. Thank you!
Many thanks. Exactly what I needed to create a separate network for noisy IoT devices.
How do we take this setup and assign guests on a specific Wi-Fi SSID to the VLAN you set up that does not have access to all private networks? Assume the Wi-Fi is on APs plugged into a managed layer 2 switch port that also has the pfSense device on one of the switch ports. Thanks! @RaidOwl
I have the same question! Were you able to figure it out?
I'm still working on it using PPSK. @MegaNatebreezy
Clear, concise, and very helpful. Thank you so much!
Just curious if you're still using pfSense, or did you switch to OPNsense, or are you using the UniFi firewall? I can't figure it out. I set up the VLANs and subnets on my network with Proxmox, but some of the cluster nodes and VMs can't reach the internet.
I’m using Unifi now
Thank you for the tutorial, very well done and laid out. Great job as always.
How do you determine what device is on the VLAN? I didn't understand that part.
Thank you - I have VLANs implemented and they are correct, as proved in your video. They do what the firewall is letting them. The problem I have with active VLANs, and could not find any solution for, is adding Zenarmor to pfSense. As soon as I activate in Zenarmor the interface where I have the VLANs, I can't reach any device on the VLANs. The other interfaces give no problems. I had the same problem before, when I was trying to implement dual WAN with failover in pfSense. Any hint?
Great intro to pfSense VLANs. I want to set up an isolated VLAN (IoT) that I can access from my LAN network. I've got it set up where I can ping the IoT from LAN, but can't connect to an HTTP service on the IoT. What am I missing?
Thanks for the tutorial, it helps a lot to understand VLANs a little better in pfSense. I do have a question. I have two interfaces, LAN and WAN, and I set up my Asus wireless router as an access point with its own VLAN on the LAN interface for my wireless devices. I enabled DHCP on the VLAN and added the DNS rule. But now, for some reason, my wireless devices are being handed DHCP addresses from the DHCP server on the LAN interface instead of the VLAN I created. What am I doing wrong? Thanks.
Man, you helped me A LOT.
I was blocked for around 30 days on a problem. I'm using pfSense too and my VLAN cannot reach my LAN, and with your video I understand why now!
Thanks a lot bro!
Thank you for such a great walkthrough... Some of the fields are now named differently because of updates to pfSense. Can you put some text updates on top of the video to account for the mismatch in selection settings?
12:50 what does the testVLAN address mean? You didn't have to specify the IP address?
I've come back to this video a couple times. Great resource. thanks!
Thanks for the video. I want to use an old PC with a dual-port network card, one WAN and one LAN, with pfSense installed on an SSD. I do have the house wired with Cat 6, with at least one Ethernet outlet per room. The LAN port configured on the pfSense box goes directly to a 24-port managed switch that connects all the wired network. I do not know how to set up VLANs, as in, do I configure the VLAN on pfSense or do I use the VLAN setup on the 24-port managed switch? Any help?
Oh man this is super well explained. Thanks so much.
Can you explain how to set up Nginx Proxy Manager in a DMZ with pfSense? I'm running a virtualized pfSense in Proxmox with two dedicated NICs. I want to use Nginx Proxy Manager in an LXC on the same host to make some services available to the public, but with proper security.
I couldn't get DNS to work on the VLAN until I added an Access List under the DNS Resolver for the new VLAN network. Under Services / DNS Resolver / Access Lists, add a new one for the VLAN.
What is the difference between configuring VLANs on pfSense vs. VLANs on the switch, and do we need both?
Nicely done video & Very Informative. Thank You!
Wouldn't you only want to set an alias like that on a guest network? Because not only is that going to block being able to ping devices on another VLAN, but also on the same VLAN, as well as access to the firewall itself.
It's basically a complete black hole.
Video helped me a lot to achieve setup what I wanted. Keep it going!
Nice presentation of the procedure. I have the problem that the machine connected to the newly created VLAN is being assigned an IP address from the VLAN's segment, but it has no internet access, can't ping its gateway and of course can't ping the LAN. At the last part, where you create a rule for the DNS, I suppose it would also work with destination any rather than UDP 53. Still doesn't work though. It might have something to do with outbound NAT, which you didn't show in the video. There are 4 options for the outbound NAT. It would be more complete if you had shown that as well (what rules you created or had been created by default). Of course I still can't figure out why it doesn't work (my outbound NAT is set as Manual Outbound, the third of the four options).
Any thoughts?
PS: I used a specific port of the pfSense device (it is a Qotom one with 4 ports). What I mean by that is igb0 is the WAN coming from the modem, igb1 is for the LAN connected to a Mikrotik switch, and igb2 carries VLAN 20 only (since I didn't use igb1, which also has the LAN). Via a physical cable it ends up in the last port of the switch, where it is passed untagged to port 23. So if I connect port 23 to a laptop, for instance, it takes an IP of that segment (so everything is good up until now) but has no internet access. The properties of the laptop's network card show 192.168.20.1 for all services (DHCP/DNS/GATEWAY).
New edit: Found the issue and it was on the switch side (Mikrotik one).
If we add all private network subnets to the alias, won't it also block the VLAN interface's own private IP addresses as well? What if I need to place a few web servers on the VLAN and want them to connect internally via private IPs?
Traffic within a LAN (or a VLAN) never goes to the firewall. It goes through only the switch, thus it doesn't matter if you are allowing or not allowing any traffic within the subnet itself.
If you want to reach the other VLANs, you simply add the allow rule above the invert rule he mentioned.
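Added example, not from the video and not pfSense code: a small Python model of how pfSense walks the rules on an interface (top to bottom, first match wins, anything unmatched is blocked). It shows the two things the comments above describe: a "block to PrivateNetworks" rule followed by allow-any also cuts the VLAN off from its own gateway, so DNS to 192.168.50.1 dies, while an allow rule placed above the inverted rule opens exactly one cross-VLAN path. The addresses, the camera VLAN, the port numbers and the rule descriptions are all constructed for the example.

```python
"""First-match rule walk for an isolated VLAN (added example, not from the video).

pfSense evaluates the rules on an interface top to bottom; the first
match decides and unmatched traffic is blocked. This model reproduces
that to show why "block to PrivateNetworks, then allow any" also blocks
the VLAN's own gateway, and how an allow rule above the inverted rule
restores a single cross-VLAN path. Every address, port and description
below is constructed for the example.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Union

Net = ipaddress.IPv4Network

# The "PrivateNetworks" alias from the video: the three RFC 1918 ranges.
PRIVATE_NETWORKS = [ipaddress.ip_network(n) for n in
                    ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

VLAN50_GATEWAY = "192.168.50.1"   # VLAN interface address on pfSense (constructed)
LAN_HOST = "192.168.1.10"         # a host on the main LAN (constructed)
CAMERA_NET = "192.168.30.0/24"    # another VLAN, to be reachable for RTSP only


@dataclass
class Rule:
    action: str                      # "pass" or "block"
    dst: Union[str, List[Net]]       # "any" or a list of networks (an alias)
    invert_dst: bool = False         # pfSense "Invert match" on the destination
    proto: str = "any"               # "any", "tcp" or "udp"
    port: Optional[int] = None       # destination port, None means any
    desc: str = ""

    def matches(self, ip, proto, port):
        if self.dst != "any":
            in_dst = any(ip in n for n in self.dst)
            # A normal rule needs a hit, an inverted rule needs a miss.
            if in_dst == self.invert_dst:
                return False
        if self.proto != "any" and self.proto != proto:
            return False
        if self.port is not None and self.port != port:
            return False
        return True


def evaluate(rules, dst, proto="tcp", port=443):
    """Return (action, description) of the first matching rule, else default deny."""
    ip = ipaddress.ip_address(dst)
    for rule in rules:
        if rule.matches(ip, proto, port):
            return rule.action, rule.desc
    return "block", "default deny"


# The black hole the comments warn about: anything private is blocked,
# including the VLAN's own gateway, so DNS and the web GUI stop working.
NAIVE_RULES = [
    Rule("block", PRIVATE_NETWORKS, desc="block to PrivateNetworks"),
    Rule("pass", "any", desc="allow anything else"),
]

# What the video does instead: allow DNS to the interface address first,
# then pass only traffic whose destination is NOT in the private alias.
ISOLATED_RULES = [
    Rule("pass", [ipaddress.ip_network(VLAN50_GATEWAY + "/32")],
         proto="udp", port=53, desc="allow DNS to VLAN gateway"),
    Rule("pass", PRIVATE_NETWORKS, invert_dst=True,
         desc="allow to !PrivateNetworks"),
]

# Reaching one other VLAN: put its allow rule above the inverted rule.
RTSP_TO_CAMERAS = Rule("pass", [ipaddress.ip_network(CAMERA_NET)],
                       proto="tcp", port=554, desc="allow RTSP to cameras")
WITH_CAMERA_ACCESS = [RTSP_TO_CAMERAS] + ISOLATED_RULES


def demo():
    probes = ((VLAN50_GATEWAY, "udp", 53), ("1.1.1.1", "tcp", 443),
              (LAN_HOST, "tcp", 22), ("192.168.30.5", "tcp", 554))
    for name, rules in (("naive", NAIVE_RULES), ("isolated", ISOLATED_RULES),
                        ("with cameras", WITH_CAMERA_ACCESS)):
        print(f"[{name}]")
        for dst, proto, port in probes:
            action, why = evaluate(rules, dst, proto, port)
            print(f"  {proto}/{port} -> {dst:<14} {action:<5} ({why})")


if __name__ == "__main__":
    demo()
```

Note that the model only covers traffic that actually reaches pfSense; as the comment says, two hosts in the same VLAN talk through the switch and never hit these rules, so none of the rule sets above affects intra-VLAN traffic.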
I would like to set up 3 VLANs... 1 for Wi-Fi/devices, 2 for my Unraid server, and 3 for my cameras... However, I need a Docker container on Unraid to receive RTSP from the cameras, but I don't want the cameras hitting the WAN, and I want any PC I choose to access the Unraid server (for backup purposes), but keep my server or PC safe so that if one got attacked the other would be safe.... Does that make sense? Like, could I make a rule where VLAN 3 (cameras) only talks to VLAN:8991 to give RTSP data?
Is it possible to send the VLAN name in syslog? I see the VLAN ID, but not the VLAN name.
Great video! Thank you for the explanation
Do you have a video explaining how you run certain devices on your network through a VPN? Not sure if you have a video on this already; if you do, please send me the link. This video was super helpful, by the way, as someone who's totally new to pfSense.
I don’t currently have one but Tom Lawrence has a solid video on exactly that. ua-cam.com/video/TglViu6ctWE/v-deo.html
@RaidOwl I appreciate the referral.
I'm late to this party, but MAN!! I thank you. This was the slow breakdown I needed.
Why can't pfSense create VLAN tagging on USB interfaces?
Not sure. I assume the USB device in question supports tagging?
I tried this once before, but I couldn't get my UniFi access point to use the new VLAN. Is there a trick to adding Wi-Fi devices?
Did you go into the Unifi UI and set up the VLAN on that side too?
@RaidOwl I tried, but it's very possible I missed something. Do I need a managed switch? Right now I'm using a basic TP-Link switch.
@1ryanlc Yes, most 'dumb' switches will kill any tagged packets that come in.
@1ryanlc That's what "VLAN only" stands for when creating a new network within UniFi. If your setup is all UniFi, then you create a network, give it a VLAN tag and you're good to go. If you're mixing up your environment with pfSense/UniFi and pfSense is in charge of your network creation, UniFi still needs to "know" that there's a VLAN passing through its switches. You need to create the same network as in pfSense but set it to "VLAN only", and it should work as planned.
@cirniman Thanks so much!! I'll be giving that a try!
I have created a vlan that I cannot access the internet with. I think after I get through my coffee this morning I can use this video to help me solve this issue. Thanks!
Many thanks for the outstanding explanation. This video helped me a lot.
Just cant figure out how you are able to ping from 192.168.1.100 to 192.168.50.10
This is giving me: "Network is unreachable"
Can you throw some light on this, please? Many thanks in advance.
Good video, explained a lot. Thanks
I created my whole network set of rules thanks to this video. Something that is still blasting my head off is when I want to isolate my IoT network to prevent the devices from seeing each other :/
I blocked traffic from LAN -> VLAN25 and from VLAN25 -> LAN, and allowed VLAN25 -> Internet. But from LAN, I can SSH to a host in VLAN25 (should not happen).
this guide doesn't show how to determine which IPs are your private IPs, so I won't be able to make any use of it until I figure that out
Private IPs are up to you; you can pick just about anything as long as it falls within one of the private IP ranges, like shown in this video at 2:30.
Please make a tutorial on making pfSense intercept all traffic behind it with my own SSL cert.
You mean HAProxy with a wildcard cert for your own domain?
Awesome tutorial 😊
Great video, thanks!
Thank you for this video.
great video, cheers
Thank you.
great vid!
very good video thank you :)
Thank you
perfect
❤❤❤
Poor audio volume.
Great start but you totally lost me at 4:35 when you jump into another machine with no explanation of what you are doing: using the tag 50, already attached to the Vlan you have just created: how can that be? What did you do to connect that other machine using tag 50? What does that even mean? You assume that your audience already knows what you are teaching them. If I knew that, I wouldn't need your tutorial. When pros talk to pros they skip steps, use a shorthand language and assume the other pro knows what they are talking about. You are not teaching, you are just talking to hear yourself speak, bragging about your knowledge, fine, but what does that do for the audience? Also the screens are so blurry they are practically useless. Sh!tty job, thumbs down.
Thanks for the thumbs up!
@RaidOwl The title should be, "If you already know VLANs, here are the screens on pfSense." And at the beginning, get rid of the intro, "Add these things called VLANs," and say if you don't already know VLANs, please see x, y, z. You make a joke out of it, but if you intend to teach, rather than just show off your knowledge, you should put yourself in the place of the audience, not make them jump through your illogical hoops. Thumbs down, not up.
Glad you enjoyed the video!
@RaidOwl I didn't enjoy it. Don't worry, I found a better one. You obviously know networking, which is expected from a pro, but your teaching needs improvement. You need to think through what you say before you say it.
thank you