pfSense VLANs - Virtual Local Area Networks

A VLAN (Virtual Local Area Network) is a technology that logically partitions a physical network into isolated broadcast domains at the data link layer of the OSI model. pfSense implements the IEEE 802.1Q standard, which inserts a 4-byte tag into the Ethernet frame header: a 16-bit Tag Protocol Identifier (0x8100) followed by a 16-bit Tag Control Information field whose low 12 bits carry the VLAN ID (IDs 1 through 4094 are usable; 0 and 4095 are reserved). The tag identifies which virtual network a frame belongs to. Each VLAN operates as an independent network segment: devices in different VLANs cannot communicate directly at the data link layer, even when connected to the same physical switch. Traffic between VLANs must pass through a Layer 3 device such as pfSense, where it is subject to the firewall rules of the interface it arrives on.
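The tag layout described above, as an added example that is not part of the original page or of pfSense itself. The script builds Ethernet frames with zero or more 802.1Q tags, parses the tag stack back out, and applies a small trunk-acceptance check. The frames, MAC addresses and allowed-VID set are constructed inline for illustration; `build_frame`, `parse_frame` and `trunk_check` are names chosen here, not pfSense or FreeBSD APIs.

```python
"""Build and parse 802.1Q-tagged Ethernet frames (added example, not pfSense code).

Tag layout: 2-byte TPID (0x8100) + 2-byte TCI = 3-bit PCP | 1-bit DEI | 12-bit VID.
A frame may carry more than one tag (802.1ad/QinQ), so the parser walks a stack.
"""
import struct

TPID_8021Q = 0x8100    # standard 802.1Q customer tag
TPID_8021AD = 0x88A8   # 802.1ad service tag (outer tag in QinQ)
TAG_TPIDS = {TPID_8021Q, TPID_8021AD}
ETHERTYPE_IPV4 = 0x0800


def build_frame(dst: bytes, src: bytes, vids, ethertype: int = ETHERTYPE_IPV4,
                payload: bytes = b"", pcp: int = 0) -> bytes:
    """Build an Ethernet frame with the given tags (outermost VID first)."""
    frame = dst + src
    for vid in vids:
        if not 0 <= vid <= 4095:
            raise ValueError(f"VID {vid} outside the 12-bit range")
        tci = (pcp << 13) | vid          # DEI bit left clear
        frame += struct.pack("!HH", TPID_8021Q, tci)
    return frame + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes) -> dict:
    """Return dst/src, the list of tags (outermost first), inner EtherType, payload."""
    if len(frame) < 14:
        raise ValueError("frame shorter than a minimal Ethernet header")
    dst, src = frame[:6], frame[6:12]
    offset, tags = 12, []
    while True:
        if len(frame) < offset + 2:
            raise ValueError("truncated EtherType")
        (etype,) = struct.unpack_from("!H", frame, offset)
        if etype not in TAG_TPIDS:
            break                       # reached the real EtherType
        if len(frame) < offset + 4:
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        tags.append({"tpid": etype, "pcp": tci >> 13,
                     "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF})
        offset += 4                     # step over this 4-byte tag
    return {"dst": dst.hex(":"), "src": src.hex(":"), "tags": tags,
            "ethertype": etype, "payload": frame[offset + 2:]}


def trunk_check(parsed: dict, allowed_vids) -> str:
    """Classify a frame seen on a trunk that should only carry allowed_vids.

    Returns "ok" or a short reason. The rules are plain 802.1Q facts, not a
    pfSense setting: untagged frames belong to the parent interface rather
    than any VLAN, VID 0 is priority-tagged (no VLAN), VID 4095 is reserved,
    and a frame with stacked tags is not a plain member of its outer VLAN.
    """
    tags = parsed["tags"]
    if not tags:
        return "untagged"
    if len(tags) > 1:
        return "stacked tags"
    vid = tags[0]["vid"]
    if vid == 0:
        return "priority-tagged (VID 0)"
    if vid == 4095:
        return "reserved VID 4095"
    if vid not in allowed_vids:
        return f"VID {vid} not allowed on trunk"
    return "ok"


if __name__ == "__main__":
    # Constructed sample frames: broadcast destination, locally administered source.
    dst, src = b"\xff" * 6, b"\x02\x00\x00\x00\x00\x01"
    allowed = {10, 20}
    for vids in ([10], [30], [], [1, 20]):
        frame = build_frame(dst, src, vids, payload=b"\x45")
        parsed = parse_frame(frame)
        print(vids, [t["vid"] for t in parsed["tags"]], trunk_check(parsed, allowed))
```

The parser stops at the first EtherType that is not a tag TPID, so an IPv4 or ARP payload behind one or more tags is located correctly regardless of how many tags precede it; the check then reports anything a single-VLAN interface would not treat as ordinary member traffic.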

In pfSense, each VLAN is created as a child interface of a parent physical network adapter. A single physical port can serve multiple VLANs simultaneously through the tagging mechanism. Once a VLAN interface is created, it must be assigned as a separate logical system interface (OPTn), after which it receives its own IP address, firewall ruleset, DHCP server, and other network services - functioning identically to a dedicated physical interface.

VLAN operation requires a managed switch with 802.1Q support. Unmanaged switches cannot process tagged frames and are not suitable for VLAN infrastructure. The switch port connecting to pfSense must be configured as a trunk port that passes the VLANs in use; limit the trunk to those VLANs rather than allowing all of them. Frames that arrive untagged on the trunk (the port's native VLAN) are not delivered to any VLAN interface but to the parent interface itself, so do not rely on the native VLAN to carry a pfSense network.

In This Section

  • VLAN Setup - creating VLANs, assigning interfaces, switch trunk configuration, DHCP, firewall rules, and inter-VLAN routing