pfSense VLAN Setup - Creating and Managing 802.1Q
Network segmentation through VLANs enables logical partitioning of physical infrastructure into isolated zones without additional hardware. pfSense operates as an inter-VLAN router (router-on-a-stick), receiving tagged traffic from a switch through a single physical port and providing routed access between segments with firewall-level access control. Common deployment scenarios include separating a corporate network into staff workstations, guest Wi-Fi, server farms, IoT devices, and a dedicated management plane.
Terminology
Before proceeding with configuration, it is essential to establish the key terms used in VLAN operations.
VLAN ID (Tag)
A numeric identifier for the virtual network, ranging from 1 to 4094. VLAN 1 is typically reserved as the default native VLAN on most switches. VLAN 0 and 4095 are reserved by the standard and are not available for user traffic. In practice, it is advisable to assign IDs with logical grouping: for example, 10-19 for user segments, 20-29 for servers, 30-39 for management, and 100+ for guest and IoT networks.
Trunk Port
A switch port configured to carry tagged traffic from multiple VLANs simultaneously. Every Ethernet frame traversing a trunk contains an 802.1Q tag with the VLAN identifier. Trunk ports are used to connect switches to pfSense and for cascading connections between switches.
Access Port
A switch port assigned to a single specific VLAN. Traffic on an access port is transmitted without tags - the endpoint device is unaware of VLAN existence. The switch adds a tag when receiving a frame from the device and strips the tag when delivering a frame to the device.
Native VLAN
The VLAN whose traffic traverses a trunk port without tagging. By default, the native VLAN is ID 1 on most platforms. A native VLAN mismatch between two sides of a trunk link causes traffic leakage between VLANs and constitutes a serious vulnerability (VLAN hopping). It is recommended to change the native VLAN to an unused identifier or enable native VLAN tagging on the switch.
802.1Q Tag
A four-byte field inserted into the Ethernet frame header after the source MAC address. It contains the TPID (Tag Protocol Identifier, 0x8100 for standard C-Tag), 802.1p priority (3 bits, values 0-7), the DEI flag (Drop Eligible Indicator), and the VLAN ID itself (12 bits). Adding the tag increases the maximum frame size from 1518 to 1522 bytes, which must be considered when configuring MTU values.
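The tag layout above is easiest to internalise by decoding it. The following Python parser is an added example, not part of the original guide: it walks an Ethernet header, peels off every 802.1Q (0x8100) or 802.1ad/QinQ (0x88a8) tag it finds, splits the TCI into PCP, DEI and VID, and then flags the three situations the troubleshooting section later describes: an untagged frame that pfSense would attribute to the parent interface (native VLAN), a double-tagged frame, and a 1519-1522-byte frame that a NIC without long-frame support would drop. The sample frames, MAC addresses and the 999 native VLAN are constructed for the example; frames are built without the 4-byte FCS, so the wire-length check adds it back.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

# TPID values from the 802.1Q / 802.1ad standards.
TPID_CTAG = 0x8100  # customer tag (what pfSense VLAN interfaces send and receive)
TPID_STAG = 0x88A8  # service tag, the outer tag of a QinQ (double-tagged) frame
MAX_UNTAGGED_WIRE = 1518  # largest untagged Ethernet frame on the wire, FCS included
FCS_LEN = 4               # constructed frames below omit the FCS; add it for length checks

@dataclass
class VlanTag:
    tpid: int
    pcp: int    # 802.1p priority, 3 bits (0-7)
    dei: bool   # Drop Eligible Indicator, 1 bit
    vid: int    # VLAN ID, 12 bits

@dataclass
class ParsedFrame:
    dst_mac: str
    src_mac: str
    tags: List[VlanTag]  # outermost tag first; empty list for an untagged frame
    ethertype: int       # EtherType of the payload (0x0800 = IPv4, 0x0806 = ARP)
    payload_len: int

def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def parse_frame(frame: bytes) -> ParsedFrame:
    """Walk the Ethernet header and peel off every 802.1Q/802.1ad tag it carries."""
    if len(frame) < 14:
        raise ValueError("shorter than a minimal Ethernet header")
    offset = 12  # tags (if any) and the EtherType follow the two MAC addresses
    tags: List[VlanTag] = []
    while True:
        if offset + 2 > len(frame):
            raise ValueError("truncated header")
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        offset += 2
        if ethertype not in (TPID_CTAG, TPID_STAG):
            break
        if offset + 2 > len(frame):
            raise ValueError("truncated 802.1Q tag")
        (tci,) = struct.unpack_from("!H", frame, offset)  # Tag Control Information: PCP|DEI|VID
        offset += 2
        tags.append(VlanTag(tpid=ethertype, pcp=tci >> 13, dei=bool((tci >> 12) & 1), vid=tci & 0x0FFF))
    return ParsedFrame(_mac(frame[0:6]), _mac(frame[6:12]), tags, ethertype, len(frame) - offset)

def build_frame(dst: str, src: str, tags: Sequence[Tuple[int, int, bool, int]],
                ethertype: int, payload: bytes) -> bytes:
    """Construct a test frame without FCS. tags = [(tpid, pcp, dei, vid), ...], outermost first."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    for tpid, pcp, dei, vid in tags:
        hdr += struct.pack("!HH", tpid, (pcp << 13) | (int(dei) << 12) | (vid & 0x0FFF))
    return hdr + struct.pack("!H", ethertype) + payload

def classify(frame: bytes, native_vid: int = 1, expected_vids: Optional[set] = None) -> dict:
    """Which VLAN pfSense would attribute the frame to, plus the trouble cases worth alerting on."""
    p = parse_frame(frame)
    vid = p.tags[0].vid if p.tags else native_vid
    wire_len = len(frame) + FCS_LEN
    return {
        "vid": vid,
        "untagged": not p.tags,                             # lands on the parent interface, not a VLAN interface
        "double_tagged": len(p.tags) > 1,                   # QinQ on an access edge is a hopping indicator
        "needs_long_frames": wire_len > MAX_UNTAGGED_WIRE,  # 1519-1522 bytes: dropped by NICs limited to 1518
        "unexpected_vid": bool(expected_vids) and vid not in expected_vids,
    }

# Constructed sample frames (addresses and payloads made up for the example).
SAMPLES = {
    "staff_voice": build_frame("00:11:22:33:44:55", "66:77:88:99:aa:bb",
                               [(TPID_CTAG, 5, False, 10)], 0x0800, bytes(46)),
    "untagged_arp": build_frame("ff:ff:ff:ff:ff:ff", "66:77:88:99:aa:bb", [], 0x0806, bytes(28)),
    "qinq": build_frame("00:11:22:33:44:55", "66:77:88:99:aa:bb",
                        [(TPID_STAG, 0, False, 999), (TPID_CTAG, 0, False, 20)], 0x0800, bytes(46)),
    "full_size_tagged": build_frame("00:11:22:33:44:55", "66:77:88:99:aa:bb",
                                    [(TPID_CTAG, 0, False, 10)], 0x0800, bytes(1500)),
}

if __name__ == "__main__":
    for name, frame in SAMPLES.items():
        print(name, parse_frame(frame).tags,
              classify(frame, native_vid=999, expected_vids={10, 20, 30, 40, 50}))
```

Run against a capture taken on the parent interface (Diagnostics > Packet Capture, or tcpdump on the console), `classify` shows in one glance whether frames arrive tagged with the expected IDs, which is the question behind most "VLAN not passing traffic" tickets.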
Switch Preparation
Proper VLAN operation in pfSense requires prior switch configuration. The port connecting the switch to pfSense must be configured as a trunk that permits all required VLANs. Endpoint ports are configured as access ports with assignment to the appropriate VLAN.
VLAN Planning
Before configuration, prepare an addressing and VLAN distribution plan.
| VLAN ID | Purpose | Subnet | Gateway (pfSense) |
|---|---|---|---|
| 10 | Staff | 192.168.10.0/24 | 192.168.10.1 |
| 20 | Servers | 192.168.20.0/24 | 192.168.20.1 |
| 30 | Management | 192.168.30.0/24 | 192.168.30.1 |
| 40 | Guest Network | 192.168.40.0/24 | 192.168.40.1 |
| 50 | IoT Devices | 192.168.50.0/24 | 192.168.50.1 |
Cisco IOS
```
! Configure trunk port to pfSense
interface GigabitEthernet0/1
 description Trunk to pfSense
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30,40,50
 switchport trunk native vlan 999
 spanning-tree portfast trunk
 no shutdown
! Access port for workstation in VLAN 10
interface GigabitEthernet0/2
 description Workstation - Staff VLAN
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
 no shutdown
! Access port for server in VLAN 20
interface GigabitEthernet0/10
 description Server - Server VLAN
 switchport mode access
 switchport access vlan 20
 spanning-tree portfast
 no shutdown
```
The `switchport trunk encapsulation dot1q` command is required on platforms supporting multiple encapsulation protocols (ISL and 802.1Q); on those platforms it must be entered before `switchport mode trunk`, otherwise the mode command is rejected while the encapsulation is still set to auto-negotiate. On modern Catalyst switches with 802.1Q-only support, this command may not be available.
HP/Aruba ProCurve
```
# Create VLANs
vlan 10
   name "Staff"
   untagged 2-9
   tagged 1
   exit
vlan 20
   name "Servers"
   untagged 10-16
   tagged 1
   exit
vlan 30
   name "Management"
   tagged 1
   exit
vlan 40
   name "Guest"
   tagged 1
   exit
vlan 50
   name "IoT"
   tagged 1
   exit
# Port 1 - trunk to pfSense (tagged for all VLANs)
# Ports 2-9 - access for staff (untagged VLAN 10)
# Ports 10-16 - access for servers (untagged VLAN 20)
```
In HP/Aruba terminology, tagged corresponds to trunk (tagged frames), while untagged corresponds to access (untagged frames). A port can simultaneously be tagged in multiple VLANs and untagged in one.
MikroTik RouterOS
```
# Create bridge
/interface bridge add name=bridge1
# Add physical ports to bridge (ether1 is the trunk to pfSense, ether2-4 are access ports)
/interface bridge port add bridge=bridge1 interface=ether1
/interface bridge port add bridge=bridge1 interface=ether2
/interface bridge port add bridge=bridge1 interface=ether3
/interface bridge port add bridge=bridge1 interface=ether4
# Define VLANs on bridge: ether1 carries every VLAN tagged, access ports are untagged members
/interface bridge vlan
add bridge=bridge1 tagged=ether1 untagged=ether2,ether3 vlan-ids=10
add bridge=bridge1 tagged=ether1 untagged=ether4 vlan-ids=20
add bridge=bridge1 tagged=ether1 vlan-ids=30
add bridge=bridge1 tagged=ether1 vlan-ids=40
add bridge=bridge1 tagged=ether1 vlan-ids=50
# Set PVID on access ports (ingress untagged frames are assigned this VLAN)
/interface bridge port
set [find interface=ether2] pvid=10
set [find interface=ether3] pvid=10
set [find interface=ether4] pvid=20
# Enable VLAN filtering last, once ports, VLAN table and PVIDs are in place
/interface bridge set bridge1 vlan-filtering=yes
```
Warning:
Enabling `vlan-filtering=yes` on a bridge in MikroTik RouterOS may result in loss of remote access to the device if the management interface is not configured correctly. It is recommended to perform this operation with physical console access available or through Safe Mode, and to enable filtering only after the VLAN table and PVIDs have been entered, as in the sequence above.
Creating VLANs in pfSense
After switch preparation, VLAN interfaces must be created in pfSense.
Step 1. Navigate to VLAN Configuration
Open the pfSense web interface and navigate to Interfaces > Assignments. Select the VLANs tab.
Step 2. Create a VLAN
Click the Add button to create a new VLAN. Complete the following fields:
- Parent Interface - the physical interface connected to the switch trunk port. This is typically a dedicated LAN interface or an additional network adapter (e.g., `igb1`, `em1`, `ix0`). Using the WAN interface as a VLAN parent is not recommended.
- VLAN Tag - the numeric VLAN identifier (1-4094), matching the switch configuration.
- VLAN Priority - the 802.1p priority (0-7, optional field). The default value of 0 represents best effort. Higher values are used for voice traffic prioritization (typically 5-6) or network management (7).
- Description - a VLAN description for easy identification (e.g., “Staff Network”, “Guest WiFi”, “Server Farm”).
Click Save to confirm.
Step 3. Repeat for Each VLAN
Repeat the creation process for all planned VLANs. After completion, the VLANs tab should display the full list of virtual networks with their parent interface and tag number.
Warning:
All VLANs using the same physical port must reference the same parent interface. Creating VLANs with identical tags on different parent interfaces is permitted but results in two independent segments.
Interface Assignment
After creation, VLAN interfaces must be assigned as pfSense logical interfaces and configured with IP addressing.
Step 1. Add the Interface
Navigate to Interfaces > Assignments on the Interface Assignments tab. In the Available network ports dropdown, select the created VLAN (displayed as VLAN 10 on igb1 - Staff Network) and click Add.
The new interface appears in the list as OPTn (e.g., OPT1, OPT2). Repeat for each VLAN.
Step 2. Configure the Interface
Click on the assigned interface name (e.g., OPT1) to access its settings. Apply the following configuration:
- Enable - check the box to activate the interface.
- Description - set an informative name (e.g., STAFF, SERVERS, GUEST). This name will appear in firewall rules and interface navigation.
- IPv4 Configuration Type - select Static IPv4.
- IPv4 Address - enter the gateway address for this VLAN (e.g., 192.168.10.1) with the subnet mask (/24).
- IPv6 Configuration Type - configure as needed or leave as None.
Click Save, then Apply Changes.
Step 3. Rename Interfaces
It is advisable to assign meaningful names instead of the default OPTn labels. Interface names in pfSense are limited to letters, numbers, and underscores, with no spaces. Acceptable examples: STAFF, SERVERS, GUEST_WIFI, IOT, MGMT.
DHCP for VLANs
Each VLAN interface can operate its own DHCP server with individual address pools and parameters.
DHCP Server Configuration
Navigate to Services > DHCP Server and select the tab for the VLAN interface (e.g., STAFF).
Key configuration parameters:
- Enable - activate the DHCP server on this interface.
- Range - the address pool for dynamic leases. It is recommended to reserve the beginning of the subnet range for static assignments. For example, for subnet 192.168.10.0/24, set the range to 192.168.10.100 - 192.168.10.250.
- DNS Servers - DNS servers for clients. Specify the pfSense address (192.168.10.1 when using the built-in DNS Resolver) or external servers.
- Gateway - the default gateway. Automatically set to the pfSense interface address.
- Domain Name - the domain name for clients (e.g., `staff.local`).
- Lease Time - the address lease duration in seconds. The default is 7200 (2 hours). For guest networks, consider reducing to 3600 (1 hour); for server segments, increase to 86400 (24 hours).
DHCP Configuration Example for Multiple VLANs
| Parameter | STAFF (VLAN 10) | SERVERS (VLAN 20) | GUEST (VLAN 40) |
|---|---|---|---|
| Range | .100 - .250 | .100 - .200 | .10 - .250 |
| DNS | 192.168.10.1 | 192.168.20.1 | 8.8.8.8, 8.8.4.4 |
| Lease time | 7200 | 86400 | 3600 |
| Domain | staff.local | servers.local | guest.local |
For the server segment, static addressing is often preferred. In this case, the DHCP server on VLAN 20 can be left disabled or configured only for reservations (static mappings).
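Most VLAN outages traced in the troubleshooting section come from the plan, the switch trunk and the DHCP scopes drifting apart. The following Python check is an added example, not part of the original guide or of pfSense: it takes the VLAN planning table, the trunk port's allowed/native settings and the DHCP ranges, and reports IDs outside 1-4094, overlapping subnets, gateways that are not host addresses, VLANs missing from the trunk's allowed list, a VLAN that collides with the native VLAN, pools outside their subnet or containing the gateway, and VLANs allowed on the trunk with no pfSense interface. `VlanPlan`, `TrunkPort` and `validate_plan` are names invented here; the IoT pool and the deliberately broken second plan are constructed (the guide's DHCP table stops at GUEST).

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

@dataclass
class VlanPlan:
    vid: int
    purpose: str
    subnet: str                                   # e.g. "192.168.10.0/24"
    gateway: str                                  # pfSense interface address on this VLAN
    dhcp_range: Optional[Tuple[str, str]] = None  # None: DHCP disabled, static addressing only

@dataclass
class TrunkPort:
    allowed: Set[int]   # "switchport trunk allowed vlan ..." / tagged memberships of the pfSense port
    native: int         # "switchport trunk native vlan ..." / the port's untagged VLAN

def validate_plan(plans: List[VlanPlan], trunk: TrunkPort) -> List[str]:
    """Return human-readable problems; an empty list means plan, trunk and DHCP agree."""
    issues: List[str] = []
    nets = {}  # vid -> ip_network, for duplicate and overlap checks
    for p in plans:
        tag = f"VLAN {p.vid} ({p.purpose})"
        if not 1 <= p.vid <= 4094:
            issues.append(f"{tag}: ID outside the usable range 1-4094")
        if p.vid in nets:
            issues.append(f"{tag}: duplicate VLAN ID")
        net = ipaddress.ip_network(p.subnet, strict=True)
        gw = ipaddress.ip_address(p.gateway)
        for other_vid, other in nets.items():
            if net.overlaps(other):
                issues.append(f"{tag}: subnet {net} overlaps VLAN {other_vid} ({other})")
        nets[p.vid] = net
        if gw not in net or gw in (net.network_address, net.broadcast_address):
            issues.append(f"{tag}: gateway {gw} is not a host address inside {net}")
        if p.vid not in trunk.allowed:
            issues.append(f"{tag}: not in the trunk's allowed list, the switch will drop its tagged frames")
        if p.vid == trunk.native:
            issues.append(f"{tag}: is the trunk's native VLAN, its frames reach the pfSense parent interface untagged")
        if p.dhcp_range is not None:
            lo, hi = (ipaddress.ip_address(a) for a in p.dhcp_range)
            if lo not in net or hi not in net:
                issues.append(f"{tag}: DHCP pool {lo}-{hi} lies outside {net}")
            elif lo > hi:
                issues.append(f"{tag}: DHCP pool start {lo} is above its end {hi}")
            elif lo <= gw <= hi:
                issues.append(f"{tag}: DHCP pool {lo}-{hi} contains the gateway {gw}")
    if trunk.native == 1:
        issues.append("Trunk: native VLAN left at the default 1; move it to an unused ID such as 999")
    for vid in sorted(trunk.allowed - {p.vid for p in plans}):
        issues.append(f"Trunk: VLAN {vid} is allowed on the trunk but has no pfSense interface planned")
    return issues

# The guide's plan. The VLAN 50 pool is constructed; SERVERS and MGMT stay static (no DHCP).
PLAN = [
    VlanPlan(10, "Staff", "192.168.10.0/24", "192.168.10.1", ("192.168.10.100", "192.168.10.250")),
    VlanPlan(20, "Servers", "192.168.20.0/24", "192.168.20.1", None),
    VlanPlan(30, "Management", "192.168.30.0/24", "192.168.30.1", None),
    VlanPlan(40, "Guest", "192.168.40.0/24", "192.168.40.1", ("192.168.40.10", "192.168.40.250")),
    VlanPlan(50, "IoT", "192.168.50.0/24", "192.168.50.1", ("192.168.50.100", "192.168.50.250")),
]
TRUNK = TrunkPort(allowed={10, 20, 30, 40, 50}, native=999)

# Deliberately broken variant: native VLAN reused, pool typed into the wrong subnet,
# VLAN 40 missing from the trunk, VLAN 20 allowed but never planned.
BROKEN_PLAN = [
    VlanPlan(10, "Staff", "192.168.10.0/24", "192.168.10.1", ("192.168.11.100", "192.168.11.250")),
    VlanPlan(40, "Guest", "192.168.40.0/24", "192.168.40.1", ("192.168.40.10", "192.168.40.250")),
]
BROKEN_TRUNK = TrunkPort(allowed={10, 20}, native=10)

if __name__ == "__main__":
    print("plan:", validate_plan(PLAN, TRUNK) or "consistent")
    for line in validate_plan(BROKEN_PLAN, BROKEN_TRUNK):
        print("broken:", line)
```

The native-VLAN check is the one that matters most for security: a VLAN whose ID equals the trunk's native VLAN arrives untagged on the parent interface, which is exactly the mismatch described under "Double Tagging" in the troubleshooting section.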
Firewall Rules
By default, pfSense blocks all inbound traffic on newly created interfaces (OPT). To provide network access, firewall rules must be created on each VLAN interface.
Basic Ruleset
Navigate to Firewall > Rules and select the tab for the VLAN interface.
Internet Access Rule
To provide a VLAN with internet access while preventing access to other local segments, create the following rule sequence:
- Block RFC1918 access - blocks traffic to private subnets (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), preventing inter-segment communication.
- Allow internet access - permits all remaining traffic.
RFC1918 block rule configuration:
- Action: Block
- Interface: GUEST (or the VLAN interface name)
- Address Family: IPv4
- Protocol: Any
- Source: GUEST net
- Destination: select Network and create an alias named RFC1918 with values 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16
- Description: Block access to private networks
Internet access rule configuration:
- Action: Pass
- Interface: GUEST
- Protocol: Any
- Source: GUEST net
- Destination: Any
- Description: Allow internet access
Warning:
Rule ordering is critical. The RFC1918 block rule must be placed above the internet access rule. pfSense processes rules top-to-bottom using first match wins - the first matching rule determines the packet’s fate.
DNS Rules
When blocking inter-segment traffic, DNS queries to pfSense must be explicitly permitted if it serves as the DNS server for the VLAN:
- Action: Pass
- Interface: GUEST
- Protocol: TCP/UDP
- Source: GUEST net
- Destination: GUEST address (pfSense address on this interface)
- Destination Port: 53
- Description: Allow DNS to pfSense
This rule must be placed above the RFC1918 block rule.
Recommended Rule Order for an Isolated VLAN
| Order | Action | Source | Destination | Port | Description |
|---|---|---|---|---|---|
| 1 | Pass | VLAN net | VLAN address | 53 | DNS to pfSense |
| 2 | Block | VLAN net | RFC1918 alias | Any | Block private networks |
| 3 | Pass | VLAN net | Any | Any | Allow internet |
Inter-VLAN Routing
Once firewall rules permit inter-segment traffic, pfSense routes packets between VLANs through its interfaces without any further configuration. Access control between VLANs is managed exclusively through firewall rules; no separate routing configuration is required, because pfSense is the directly connected gateway for each VLAN.
Allowing Specific Traffic Between VLANs
To grant access from the staff VLAN (VLAN 10) to servers (VLAN 20), create a rule on the STAFF interface:
- Action: Pass
- Interface: STAFF
- Protocol: TCP
- Source: STAFF net
- Destination: SERVERS net
- Destination Port: select the required ports (e.g., 80, 443, 3389, 22)
- Description: Allow staff access to servers
This rule must be placed above the RFC1918 block rule on the STAFF interface.
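The "first match wins" behaviour behind the rule-order warnings in this section and in the isolated-VLAN table above is easy to get wrong in a web form and hard to see without a test. The following Python simulator is an added example, not part of the original guide and not pfSense code: it models an interface's rule tab as an ordered list, evaluates a packet top to bottom, falls through to the default deny, and contrasts the guide's GUEST and STAFF tabs with a misordered GUEST tab where the internet rule sits above the RFC1918 block. The alias table mirrors the guide's addressing plan; `ALIASES`, `Rule`, `Packet` and `evaluate` are names invented here, and 203.0.113.10 is a documentation address standing in for an internet host.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed alias table mirroring the guide's plan. "<IF> net" / "<IF> address" stand in
# for the interface-derived selections pfSense offers in the rule editor.
ALIASES: Dict[str, List[ipaddress.IPv4Network]] = {
    "RFC1918": [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")],
    "STAFF net": [ipaddress.ip_network("192.168.10.0/24")],
    "STAFF address": [ipaddress.ip_network("192.168.10.1/32")],
    "SERVERS net": [ipaddress.ip_network("192.168.20.0/24")],
    "MGMT net": [ipaddress.ip_network("192.168.30.0/24")],
    "GUEST net": [ipaddress.ip_network("192.168.40.0/24")],
    "GUEST address": [ipaddress.ip_network("192.168.40.1/32")],
}

@dataclass
class Rule:
    action: str                 # "pass" or "block"
    proto: str                  # "any", "tcp", "udp" or "tcp/udp"
    src: str                    # alias name or "any"
    dst: str                    # alias name or "any"
    dport: Optional[Set[int]]   # None = any destination port
    descr: str

@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None

def _addr_match(spec: str, ip: ipaddress.IPv4Address) -> bool:
    return spec == "any" or any(ip in net for net in ALIASES[spec])

def _proto_match(spec: str, proto: str) -> bool:
    return spec == "any" or proto in spec.split("/")

def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """First match wins, as pfSense walks an interface tab top to bottom; a packet no
    rule matches hits the implicit default deny."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for r in rules:
        if (_proto_match(r.proto, pkt.proto) and _addr_match(r.src, src)
                and _addr_match(r.dst, dst) and (r.dport is None or pkt.dport in r.dport)):
            return r.action, r.descr
    return "block", "default deny (no rule matched)"

# Rule tabs in the order the guide prescribes (DNS on top, RFC1918 block above internet).
GUEST_RULES = [
    Rule("pass", "tcp/udp", "GUEST net", "GUEST address", {53}, "DNS to pfSense"),
    Rule("block", "any", "GUEST net", "RFC1918", None, "Block private networks"),
    Rule("pass", "any", "GUEST net", "any", None, "Allow internet"),
]
STAFF_RULES = [
    Rule("pass", "tcp/udp", "STAFF net", "STAFF address", {53}, "DNS to pfSense"),
    Rule("block", "any", "STAFF net", "MGMT net", None, "Deny access to management segment"),
    Rule("pass", "tcp", "STAFF net", "SERVERS net", {22, 80, 443, 3389}, "Allow staff access to servers"),
    Rule("block", "any", "STAFF net", "RFC1918", None, "Block private networks"),
    Rule("pass", "any", "STAFF net", "any", None, "Allow internet"),
]
# The ordering mistake the guide warns about: internet rule above the RFC1918 block.
GUEST_RULES_MISORDERED = [GUEST_RULES[0], GUEST_RULES[2], GUEST_RULES[1]]

if __name__ == "__main__":
    for pkt in (Packet("udp", "192.168.40.20", "192.168.40.1", 53),
                Packet("tcp", "192.168.40.20", "192.168.20.5", 443),
                Packet("tcp", "192.168.40.20", "203.0.113.10", 443)):
        print(pkt, "ordered ->", evaluate(GUEST_RULES, pkt),
              "misordered ->", evaluate(GUEST_RULES_MISORDERED, pkt))
```

The simulator only models the ingress tab of the interface a packet enters on; pfSense's state table then passes the reply traffic automatically, which is why the SERVERS tab needs no rule for responses to staff connections.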
Common Inter-Segment Access Patterns
| Source | Destination | Ports | Justification |
|---|---|---|---|
| STAFF | SERVERS | 80, 443, 3389, 22 | Web service access and administration |
| MGMT | All VLANs | Any | Full access for administrators |
| SERVERS | STAFF | - | Denied (servers do not initiate connections to workstations) |
| GUEST | All VLANs | - | Denied (complete isolation) |
| IOT | All VLANs | - | Denied (complete isolation) |
| IOT | Internet | 443, 8883 | HTTPS and MQTT over TLS only |
Management VLAN
For the management VLAN (MGMT, VLAN 30), full access to all segments is typically permitted. This allows administrators to reach devices in any VLAN. Rules on the MGMT interface:
- Pass - MGMT net -> Any -> Any (full access)
Access from other VLANs into MGMT must be blocked. On each other interface, add a rule:
- Block - VLAN net -> MGMT net -> Any (deny access to management segment)
Common Scenarios
Office Segmentation
The most common scenario involves dividing a corporate network into functional zones.
```
┌─────────────┐
│  Internet   │
└──────┬──────┘
       │ WAN
┌──────┴──────┐
│   pfSense   │
└──────┬──────┘
       │ Trunk (802.1Q)
┌──────┴──────┐
│   Switch    │
└┬──┬──┬──┬──┬┘
 │  │  │  │  │
 │  │  │  │  └─ VLAN 50  IoT
 │  │  │  └──── VLAN 40  Guest
 │  │  └─────── VLAN 30  Management
 │  └────────── VLAN 20  Servers
 └───────────── VLAN 10  Staff
```
Access policy:
- Staff members receive access to servers and the internet
- Servers have internet access for updates
- Guest network - internet only, complete isolation from corporate resources
- IoT devices - restricted internet access (HTTPS/MQTT only)
- Management - full access to all segments
Multi-Tenant Environment
In multi-tenant scenarios (e.g., coworking spaces, office buildings), each tenant receives a dedicated VLAN with complete isolation:
| VLAN ID | Tenant | Subnet |
|---|---|---|
| 100 | Company A | 10.100.0.0/24 |
| 101 | Company B | 10.101.0.0/24 |
| 102 | Company C | 10.102.0.0/24 |
| 200 | Shared Resources | 10.200.0.0/24 |
Each tenant VLAN maintains complete isolation from others. Access to shared resources (printers, conference equipment) is controlled through firewall rules that permit only the required protocols.
Migration from Other Platforms
Migration from Cisco L3 Switch
When transferring inter-VLAN routing from a Cisco L3 switch to pfSense, architectural differences must be considered. On an L3 switch, routing is performed in hardware between SVIs (Switch Virtual Interfaces) at line rate. Migrating to pfSense shifts routing to software via router-on-a-stick, which may reduce throughput under heavy inter-segment traffic loads.
Migration procedure:
- Document the current SVI configuration, ACLs, and routes on the L3 switch.
- Create corresponding VLANs in pfSense with identical tags.
- Assign interfaces and configure gateway IP addresses (these must match the former SVI addresses).
- Replicate ACLs as pfSense firewall rules.
- Configure DHCP servers for each VLAN with matching parameters.
- Switch the L3 switch to L2 mode (`no ip routing`) and configure a trunk to pfSense.
- Update the default gateway for clients to pfSense (via DHCP or statically).
Warning:
When using the same gateway IP addresses on pfSense as on the former L3 switch, clients require no configuration changes. However, ensure that client ARP caches have refreshed - reboot client devices if necessary or execute `arp -d` on critical systems.
Migration from MikroTik
MikroTik RouterOS uses a bridge with VLAN filtering for L2 segmentation and IP addresses on VLAN interfaces for routing. When migrating to pfSense:
- Export the MikroTik configuration: `/export file=backup`.
- Transfer VLAN IDs - they must match across both platforms.
- Configure the MikroTik bridge exclusively in L2 mode with a trunk to pfSense.
- Transfer gateway IP addresses and firewall filter rules.
- Note that MikroTik firewall chains (input/forward/output) have no direct equivalent in pfSense. Rules must be restructured for pfSense’s per-interface model.
Migration from FortiGate
FortiGate uses VLAN interfaces (subinterfaces) bound to physical ports. Architecturally, this is the closest model to pfSense. During migration:
- Export the FortiGate configuration via `execute backup config`.
- FortiGate VLAN interfaces correspond directly to pfSense VLANs.
- Transfer security policies to pfSense firewall rules, noting that FortiGate uses a zone-based model while pfSense uses an interface-based model.
- FortiGate address objects correspond to pfSense aliases.
- If SD-WAN is configured on FortiGate, refer to the Multi-WAN section for equivalent functionality.
Troubleshooting
VLAN Not Passing Traffic
Symptom: Clients in the VLAN do not receive a DHCP address or have no network access.
Diagnostics:
- Check the interface status in Status > Interfaces - the VLAN interface must be in UP state with an assigned IP address.
- Verify that the interface is enabled (Enable checkbox) in the interface settings.
- Confirm the trunk port configuration on the switch - the VLAN ID must be in the allowed list.
- Perform a packet capture in Diagnostics > Packet Capture on the VLAN interface to verify that tagged traffic is arriving.
- Check for firewall rules on the VLAN interface - by default, all traffic is blocked.
Double Tagging
Symptom: VLAN traffic does not reach pfSense or is directed to the wrong segment.
Cause: A native VLAN mismatch between the switch trunk port and the pfSense parent interface. If the switch’s native VLAN matches one of the working VLANs, frames for that VLAN are transmitted without a tag. pfSense receives the untagged frame and processes it on the parent interface instead of the VLAN interface.
Resolution:
- Set the native VLAN on the switch trunk port to an unused VLAN (e.g., 999).
- Ensure the pfSense parent interface is not used for user traffic.
- On Cisco: `switchport trunk native vlan 999`.
- On HP/Aruba: remove the trunk port from untagged members of VLAN 1.
MTU Issues
Symptom: Connections establish, but large packets are lost. Web pages load partially or TCP connections stall during data transfer.
Cause: The 802.1Q tag adds 4 bytes to the Ethernet frame size (from 1518 to 1522 bytes). Some network adapters (particularly Realtek rl(4)-based cards) do not support jumbo/long frames and drop frames exceeding 1518 bytes.
Resolution:
- Reduce the MTU on the pfSense VLAN interface to 1496 bytes (1500 - 4 bytes for the tag). This setting is found in Interfaces > [VLAN interface] > MTU.
- Alternatively, replace the network adapter with a model supporting hardware VLAN tagging (Intel igb, ixgbe).
- Verify MTU on intermediate devices - all links in the chain must support the increased frame size.
DHCP Not Issuing Addresses in VLAN
Symptom: Clients in the VLAN receive addresses in the 169.254.x.x range (APIPA).
Diagnostics:
- Confirm that the DHCP server is enabled on the VLAN interface in Services > DHCP Server.
- Verify that the address pool falls within the same subnet as the pfSense interface.
- Ensure that firewall rules are not blocking DHCP traffic (UDP 67/68). If the anti-lockout rule is active, it automatically passes DHCP - but only on the interface where anti-lockout is enabled.
- Check the DHCP log in Status > System Logs > DHCP for errors.
Asymmetric Routing
Symptom: Traffic between VLANs works in one direction but not the other, or connections establish but no data is transmitted.
Cause: An alternative route exists in the network (e.g., a legacy L3 switch), and return traffic takes a different path that bypasses pfSense. The pfSense stateful firewall drops packets that do not match a known connection state.
Resolution:
- Ensure pfSense is the sole gateway for all VLANs.
- Disable routing on L3 switches if they no longer perform this function.
- As a temporary measure, enable the option at System > Advanced > Firewall & NAT > Bypass firewall rules for traffic on the same interface, but this reduces security.
Related Sections
- Firewall Rules - creating and managing filtering rules for controlling traffic between VLANs
- Aliases - grouping subnets and ports for simplified inter-segment access rules
- Routing - configuring routes when additional subnets exist behind VLAN interfaces