pfSense and VLANs. They may seem daunting or a little confusing at first, but VLANs are really simple once you look at them from this perspective. The physical layer of the network is the LAN you're probably used to if you started with basic home networking. Once you get into commercial-class networking you're going to see VLANs, and what they are is a logical grouping of networks regardless of the physical setup. This connection here represents all traffic, VLAN and LAN, coming out of the pfSense box. It's one physical network cable, and it plugs into what the switch calls a trunk port: all the VLANs travel over that one link, each VLAN's frames encapsulated (tagged) inside the same stream of traffic. We also have other VLANs, and I'm going to use VLAN 69 as the example here. It already exists on my network, and I'm going to walk step by step through how you create another one and how you separate it from the rest of your network in pfSense. So when the traffic comes in here in yellow, with the port set to All, the switch can push all the VLANs back out of its ports. This port is the example of everything coming in, and the filtering part is when you set a specific VLAN on a port: the switch strips the tags and only that one network comes through on that port. So all VLAN traffic comes in here, and we segregate out VLAN 69 to this port, which means this computer ends up on the 172 network. There's a default LAN, and everything else underneath it is a VLAN. We'll get to exactly how this works inside pfSense; this is just the overview, and we'll come back to it, because it should make more sense once we've also set up an SSID for the Internet of Insecure Things.
That's a common reason people want to do this on their network: have the wireless IoT devices on a separate network from everything else, because those devices can be a little scary and often don't get updated. So you tag each port and decide what you want to have on it. You can have lots of different VLANs; we have two in this example and we'll show you how to create one more. And like I said, we'll come back to the diagram. So let's get into actually creating them. In the interface list here we have WAN, LAN, LAN2, OPT and VLAN69. Under Interfaces > Assignments > VLANs you can see VLAN69, and we're going to create another one the same way. Click Add and give it a VLAN ID of 50. Just so you know, VLAN tags go up to 4094; the number you pick doesn't matter as long as you keep it consistent everywhere (pfSense, switch and access point). We're not going to worry about VLAN priority right now. Give it a description: this is our IoT VLAN, or, as we actually call it, the Internet of Insecure Things, because we want it to be a separate network. So there's the description and the VLAN tag 50. Hit Save. Now we have the VLAN tag, but we haven't assigned it to an interface yet. Step two: assign an interface to it. Go to Interfaces > Assignments, pull down the list, choose the new one we created, "VLAN 50 on LAN", click Add, and then Save. Please note it now says "VLAN 69 on LAN" and "VLAN 50 on LAN": LAN is one physical port, but we now have three networks on it. The LAN network is the first, then VLAN 69, then the Internet of Insecure Things VLAN. If you go back to the VLANs tab, notice that when I created it I could choose which parent port it lives on; I have multiple network cards in this box.
You can create VLANs on any of them, but we want these on LAN because that's the port physically plugged into the switch, and inside LAN is where we carve out the logical networks, the VLANs. The new interface got the default name OPT4. Go to Interfaces > Assignments, click on OPT4, and rename it IOT to keep it simple. Enable the interface, set the IPv4 configuration type to Static, and give it 192.168.50.1 with a /24 subnet mask. You can pick other subnet sizes; I'm keeping it straightforward and simple with 192.168.50.1/24. This address becomes the default gateway for the network. Hit Save, then Apply Changes. So now we have our LAN and we've created the IOT network on 192.168.50.0/24, all done right inside pfSense. Next, go to Services > DHCP Server. You'll notice there are multiple DHCP server tabs: for each interface you add you get another listing. The ones that were already there are still there, and pfSense added the IOT tab automatically when we created the interface. Enable DHCP and set a pool range, say 100 addresses. You can override options in here and create specific settings if you want your IoT devices to behave differently, but we're going to leave everything at the default, assuming they just need to get out to the internet. Now that VLAN has its own DHCP server. Things plugged into the untagged LAN don't get addresses from it, because they're served by the LAN DHCP server.
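The steps above boil down to picking a VLAN ID, a gateway address with a subnet, and a DHCP pool for each network. The two mistakes that quietly break this are a new VLAN subnet that overlaps an existing one and a DHCP pool that does not fit the interface subnet (or swallows the gateway address). The following is an added sanity check for that layout, written for this page and not part of pfSense or the video; the LAN subnet 192.168.3.0/24 and the pool ranges are assumptions (the video only shows 192.168.3.9 on LAN and 172.16.69.12 on VLAN 69).

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class VlanNet:
    name: str
    vlan_id: Optional[int]   # None for the untagged parent LAN
    gateway: str             # pfSense interface address with prefix length, e.g. "192.168.50.1/24"
    pool_start: str          # DHCP pool range handed out on that interface
    pool_end: str


def check_networks(nets: List[VlanNet]) -> List[str]:
    """Return the problems found in the layout; an empty list means it is consistent."""
    problems: List[str] = []
    seen_ids = set()
    subnets = []
    for n in nets:
        iface = ipaddress.ip_interface(n.gateway)
        subnets.append((n.name, iface.network))
        if n.vlan_id is not None:
            if not 1 <= n.vlan_id <= 4094:
                problems.append(f"{n.name}: VLAN ID {n.vlan_id} is outside 1..4094")
            elif n.vlan_id in seen_ids:
                problems.append(f"{n.name}: VLAN ID {n.vlan_id} is already used")
            seen_ids.add(n.vlan_id)
        start = ipaddress.ip_address(n.pool_start)
        end = ipaddress.ip_address(n.pool_end)
        if start > end:
            problems.append(f"{n.name}: DHCP pool start {start} is after end {end}")
        elif start not in iface.network or end not in iface.network:
            problems.append(f"{n.name}: DHCP pool {start}-{end} is not inside {iface.network}")
        elif start <= iface.ip <= end:
            problems.append(f"{n.name}: gateway {iface.ip} sits inside the DHCP pool")
    # Every pair of interface subnets must be disjoint, or routing between them is ambiguous.
    for i, (name_a, net_a) in enumerate(subnets):
        for name_b, net_b in subnets[i + 1:]:
            if net_a.overlaps(net_b):
                problems.append(f"{name_a} and {name_b} overlap: {net_a} vs {net_b}")
    return problems


# Constructed layout matching the video. The LAN subnet is an assumption taken from
# the 192.168.3.9 ping target; the pools are sample values, not the video's.
GOOD = [
    VlanNet("LAN", None, "192.168.3.1/24", "192.168.3.100", "192.168.3.199"),
    VlanNet("VLAN69", 69, "172.16.69.1/24", "172.16.69.100", "172.16.69.199"),
    VlanNet("IOT", 50, "192.168.50.1/24", "192.168.50.100", "192.168.50.199"),
]

# The same layout with two typical slips: the IoT gateway typed into LAN's subnet,
# and a VLAN 69 pool that starts at the gateway address.
BAD = [
    VlanNet("LAN", None, "192.168.3.1/24", "192.168.3.100", "192.168.3.199"),
    VlanNet("VLAN69", 69, "172.16.69.1/24", "172.16.69.1", "172.16.69.199"),
    VlanNet("IOT", 50, "192.168.3.50/24", "192.168.50.100", "192.168.50.199"),
]

if __name__ == "__main__":
    print("good:", check_networks(GOOD))
    for problem in check_networks(BAD):
        print("bad:", problem)
```

Run it against the addresses you actually typed into Interfaces and Services > DHCP Server before you apply; the overlap check is the one that catches a mistyped third octet.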
So by default, if you plug something into a plain LAN port, it pulls whatever comes out of the LAN side over here, not from the IOT VLAN we just created or from VLAN 69. VLANs are separate broadcast domains: a broadcast on LAN does not reach VLAN 69 or IOT, and that is what keeps each of them a logical network of its own. It doesn't broadcast to all of them; it only broadcasts within each individual VLAN or the LAN, keeping it all separate. Now let's talk about the firewall. This is the easy part really, because pfSense is pretty straightforward and it only takes a few clicks. We've created the interface; the only other thing we need is firewall rules. The way the firewall works in pfSense, each interface you add gets its own rule tab, the rules are read top down, and the first match wins; with no rules at all, nothing is allowed in. So first we need a rule to allow traffic: right now devices can get on the VLAN but they can't route anywhere because there's nothing in here. Go to Firewall > Rules > IOT and add a rule: protocol any, source IOT net, destination any, action Pass. Save, Apply. We've got a wide open rule that allows anything on this network to get out. Pretty straightforward, but you don't want it to reach everything; you want some things blocked. So we add another rule: action Block, protocol any (make sure you change it from the default TCP to any so all the protocols are blocked), source IOT net, destination LAN net, and put it above the allow rule. I have more than one network here, so I do the same for LAN2, then apply changes. This blocks access to LAN, and everything that doesn't match a block rule falls through to the allow underneath. That's the way the rule set reads. It's easier to demo on a machine I already have tied to VLAN69 rather than IOT, so I'll show you how that works real quick. This machine down here is at 172.16.69.12, on the VLAN69 network. On its rules tab you can see a few rules: this is our allow-all rule, this is our block traffic to LAN rule, and this is our block traffic to LAN2 rule.
So I'm going to turn those two block rules off first. When you click them and apply, you see how they're grayed out; that's the rules disabled, which lets me ping different devices. If I ping 192.168.3.9, which is my computer, no problem, I can ping it. I can also ping 192.168.2.5, and I can get out to the internet: I can ping Google. The network is wide open. Now re-enable the two rules. I can still ping Google, but the ping to the 192.168.2.x network fails, and I can't ping my computer on the 192.168.3.x network anymore. So that's as simple as it needs to be for blocking. The two rules up at the top are for blocking outside DNS. This is something you may want to do. What I did here was add a rule that blocks protocol UDP, destination port 53, destination any, so it is not allowed to go anywhere for DNS. Above that block there is one rule that says destination VLAN69 address (the pfSense interface) on port 53 can pass. Because the specific allow sits above the block, DNS to pfSense works and DNS to any outside server is dropped. This forces the clients to use pfSense for DNS, because pfSense has its DNS resolver turned on by default, the gateway address answers as a DNS server, and that gateway is also the default DNS server handed out by DHCP; unless you've overridden those options, that's what you get. Note that the rule as shown only covers UDP 53; add a matching TCP 53 block if you want that path closed as well. So this locks them down from using external DNS servers, and it's another test you can run to make sure things are where they belong. Now, this covers the basic network setup. This rule here blocks the traffic to LAN, and we duplicate it for LAN2. So LAN net is blocked, LAN2 net is blocked, and IoT is otherwise wide open: as long as the destination isn't one of those two, it can get out to the internet. Pretty straightforward for keeping things locked down. I have IPv6 turned off on mine, so that's not an issue for me, but you can create the same rules for IPv6.
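The rule set above only works because of its order: pfSense reads an interface's rules top down and the first match wins, so the specific blocks (and the DNS allow to the gateway) have to sit above the catch-all allow. Here is an added first-match model of that IoT rule set, written for this page and not the video's or pfSense's own code, run against constructed packets. The LAN and LAN2 subnets (192.168.3.0/24 and 192.168.2.0/24) are assumptions taken from the ping targets in the video, and 8.8.8.8 stands in for "somewhere on the internet".

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Networks used in the video. LAN/LAN2 are inferred from the ping targets (assumption).
LAN_NET = ipaddress.ip_network("192.168.3.0/24")
LAN2_NET = ipaddress.ip_network("192.168.2.0/24")
IOT_NET = ipaddress.ip_network("192.168.50.0/24")
IOT_GW = ipaddress.ip_network("192.168.50.1/32")   # pfSense address on VLAN 50, also its DNS resolver


@dataclass
class Rule:
    action: str                                   # "pass" or "block"
    proto: str = "any"                            # "any", "tcp", "udp", "icmp"
    src: Optional[ipaddress.IPv4Network] = None   # None means any
    dst: Optional[ipaddress.IPv4Network] = None
    dport: Optional[int] = None                   # None means any port
    descr: str = ""


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    if rule.src is not None and ipaddress.ip_address(pkt.src) not in rule.src:
        return False
    if rule.dst is not None and ipaddress.ip_address(pkt.dst) not in rule.dst:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return True


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """First matching rule wins, as pfSense does for interface rules; no match is an implicit deny."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule.descr
    return "block", "implicit default deny"


# Rules on the IOT interface in the order the video ends up with: the DNS allow to
# pfSense above the outside-DNS block, then the LAN/LAN2 blocks, then allow all.
IOT_RULES = [
    Rule("pass",  "udp", IOT_NET, IOT_GW,   53,   "allow DNS to pfSense on this VLAN"),
    Rule("block", "udp", IOT_NET, None,     53,   "block outside DNS"),
    Rule("block", "any", IOT_NET, LAN_NET,  None, "block IoT net to LAN net"),
    Rule("block", "any", IOT_NET, LAN2_NET, None, "block IoT net to LAN2 net"),
    Rule("pass",  "any", IOT_NET, None,     None, "allow all: IoT net to anywhere"),
]

# The common mistake: the same rules with allow-all on top, so the blocks never fire.
MISORDERED_RULES = [IOT_RULES[-1]] + IOT_RULES[:-1]


def demo() -> dict:
    """Constructed packets from an IoT device, checked against the ordered rule set."""
    pkts = {
        "ping_lan": Packet("icmp", "192.168.50.20", "192.168.3.9"),
        "ping_internet": Packet("icmp", "192.168.50.20", "8.8.8.8"),
        "outside_dns": Packet("udp", "192.168.50.20", "8.8.8.8", 53),
        "gateway_dns": Packet("udp", "192.168.50.20", "192.168.50.1", 53),
    }
    return {name: evaluate(IOT_RULES, p) for name, p in pkts.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:14s} -> {verdict}")
    print("misordered ping_lan ->", evaluate(MISORDERED_RULES, Packet("icmp", "192.168.50.20", "192.168.3.9")))
```

Two things the model makes visible: with the allow-all moved to the top, a ping from IoT to LAN passes even though the block rule exists, and because the outside-DNS rule is UDP only, a TCP query to port 53 still falls through to the allow-all.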
Now that that's taken care of, we need to talk about how we configure the switches themselves. I happen to have a UniFi switch, so that's what this demo uses, but the concept works the same everywhere; you'll just have to learn it for each individual switch. So here we are inside the network settings in the UniFi controller, and I like the way UniFi handles this. They make it easy: when you create a new network, choose VLAN as the type and give it a name, IoT Insecure. Here's where we have to match the VLAN ID. Go back over to pfSense, Interfaces > Assignments > VLANs, look at VLAN 50, and see that the tag is 50. So we put 50 here. UniFi likes a friendly name, so you can use the name and description fields, but the tag ID is the important part to get right. Leave everything else at default, set the VLAN tag to 50, hit Save, and that's it: now we have VLAN 50. The way UniFi works, all the switches on the network (I only have one) get provisioned with that VLAN. Now open the switch; I like to pop it out to make it easier to see. Let's talk about how these ports work. Here's the uplink port, which mirrors the diagram: one physical cable from pfSense, but now three logical networks, and its port profile is set to All. This other one over here is set to VLAN 69; it actually goes to the studio, and nothing's plugged into it at the moment. So here's your All uplink to pfSense, here's VLAN 69 traffic, and here are the other ports marked All. To change what a port carries, select the port, choose the IoT Insecure network we just created from the profile list, and click Apply. Now everything out of that port is part of IoT Insecure.
This particular physical port, port 2 on the switch, is now locked down to only that network. You can also set a port to LAN, which is the default network: only LAN comes through, with the VLANs stripped out. Or you can set it to All, which we said is needed for the uplink. Jump back over to the diagram: if we wanted to go on to another switch (I only have one, but this is the diagram for the demo), All comes in here and All goes out there, and the next switch can carry on and do the same thing on its own ports. Cisco has VLAN Trunking Protocol (VTP) for distributing VLAN definitions, which is slightly different, but the concept is the same. Once you tag VLAN IDs, we have VLAN tag 69 and VLAN tag 50, and push them out across the trunk, the ports you assign become that VLAN only. It all came in on the trunk, but it was filtered down to a single VLAN on this port. When we switched it to VLAN 50, the port becomes the 192.168.50.0/24 network, because the switch only passes that VLAN's traffic to it. And you can't escape the VLAN from the device, because the switch enforces it: you can't just change the IP address on this computer and force yourself onto different VLAN traffic, because the port only passes the one untagged network and strips everything else. That's why VLANs work for security, and ideally you can do it all on one physical switch. That holds as long as the ports facing untrusted devices are pinned to a single VLAN; a port left on All is a trunk, and a device on it can tag its own frames into any VLAN. The other advantage of VLANs: we deal with a school district with a whole bunch of switches. They have a VLAN just for cameras, so any port on any switch in the building can be a camera port; we just group off a set of ports and those become the camera network. The camera traffic runs encapsulated along with all the other traffic, but it keeps the cameras separate from the other networks.
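The trunk-versus-access behaviour described in the overview and again here (tagged frames on the All uplink, tags stripped on a port pinned to one VLAN, a host unable to tag its way out) is small enough to model with real 802.1Q bytes. The following is an added example, written for this page and not taken from UniFi, pfSense or the video: a toy switch that floods a frame to every other port in its VLAN. It assumes single 802.1Q tagging (TPID 0x8100), that the untagged LAN on the trunk is VLAN 1, and that an access port discards any frame the host tagged itself (real switches differ in that detail; some accept a tag equal to the port's own VLAN). Port names, MACs and the payload are constructed.

```python
import struct

TPID_8021Q = 0x8100
BCAST = b"\xff" * 6


def build_frame(dst_mac, src_mac, ethertype, payload, vlan_id=None, pcp=0):
    """Ethernet frame; a 4-byte 802.1Q tag (TPID + PCP/DEI/VID) is inserted after the MACs when vlan_id is set."""
    if vlan_id is None:
        tag = b""
    else:
        if not 1 <= vlan_id <= 4094:
            raise ValueError("802.1Q VLAN ID must be 1..4094")
        tag = struct.pack("!HH", TPID_8021Q, (pcp << 13) | vlan_id)
    return dst_mac + src_mac + tag + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return (vlan_id or None, inner ethertype, payload); the tag, if any, is removed."""
    ethertype, = struct.unpack("!H", frame[12:14])
    if ethertype != TPID_8021Q:
        return None, ethertype, frame[14:]
    tci, inner = struct.unpack("!HH", frame[14:18])
    return tci & 0x0FFF, inner, frame[18:]


def retag(frame, vlan_id):
    """Same MACs and payload, re-emitted with the given tag (None = untagged)."""
    _, ethertype, payload = parse_frame(frame)
    return build_frame(frame[:6], frame[6:12], ethertype, payload, vlan_id)


class Port:
    def __init__(self, name, vlan=None, trunk=False, native=1):
        self.name, self.vlan, self.trunk, self.native = name, vlan, trunk, native

    def ingress_vlan(self, frame):
        """Which VLAN a received frame belongs to, or None if the port drops it."""
        tag, _, _ = parse_frame(frame)
        if self.trunk:                       # "All" profile: honour the tag, untagged = native LAN
            return self.native if tag is None else tag
        return self.vlan if tag is None else None   # access port: the switch decides, not the host

    def egress(self, vlan, frame):
        """Frame as sent out this port for the given VLAN, or None if this port is not in it."""
        if self.trunk:
            return retag(frame, None if vlan == self.native else vlan)
        return retag(frame, None) if vlan == self.vlan else None


class Switch:
    def __init__(self, ports):
        self.ports = {p.name: p for p in ports}

    def flood(self, in_port, frame):
        """Broadcast-style forwarding (no MAC learning): every other port in the ingress VLAN."""
        vlan = self.ports[in_port].ingress_vlan(frame)
        if vlan is None:
            return {}
        out = {}
        for name, port in self.ports.items():
            if name != in_port:
                sent = port.egress(vlan, frame)
                if sent is not None:
                    out[name] = sent
        return out


# Constructed topology mirroring the video: pfSense on the All uplink, VLAN 69 to the
# studio, port 2 pinned to VLAN 50 (IoT), a LAN-only port, and a second IoT port.
SWITCH = Switch([
    Port("uplink_pfsense", trunk=True),
    Port("port1_studio", vlan=69),
    Port("port2_iot", vlan=50),
    Port("port3_lan", vlan=1),
    Port("port4_iot", vlan=50),
])
PFSENSE_MAC = bytes.fromhex("0200000000aa")
HOST_MAC = bytes.fromhex("0200000000bb")
PAYLOAD = b"constructed broadcast payload"


def demo():
    results = {}
    # pfSense sends a VLAN 50 broadcast down the trunk: only the two IoT ports see it, untagged.
    results["from_trunk_vlan50"] = SWITCH.flood(
        "uplink_pfsense", build_frame(BCAST, PFSENSE_MAC, 0x0806, PAYLOAD, vlan_id=50))
    # An IoT host sends untagged on its access port: the switch tags it 50 toward pfSense.
    results["from_iot_untagged"] = SWITCH.flood(
        "port2_iot", build_frame(BCAST, HOST_MAC, 0x0806, PAYLOAD))
    # A host on the VLAN 69 port tags its own frame as VLAN 50: the access port drops it.
    results["hop_attempt"] = SWITCH.flood(
        "port1_studio", build_frame(BCAST, HOST_MAC, 0x0806, PAYLOAD, vlan_id=50))
    return results


if __name__ == "__main__":
    for name, egress in demo().items():
        print(name, {p: parse_frame(f)[0] for p, f in egress.items()})
```

The third case is the one the text is making: the VLAN membership is a property of the port, so changing an address or inserting a tag on the client side changes nothing, as long as that port is not on All.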
Now let's talk a little about how Wi-Fi gets pushed, because this is usually where you're doing it, and I'm going to use UniFi as the example because we have it in here. Same concept. Go over to the ports again: "LTS hallway Wi-Fi" is a UniFi access point plugged into port 8. Yes, I know it's only 100 megabit, it's an older access point (that's why it shows orange), but it works for our purposes. It has all the traffic trunked to it, the same as the uplink. We also have All on a couple of other ports because I run VLANs inside my XenServer hosts, which you can see in detail in my lab video (link below). So how do you push the IoT network to just this SSID? It's really easy with UniFi and pfSense. We have VLAN tag 50. Go to Settings > Wireless Networks; I already created this one, so just edit it. Under Advanced, there's a box to use a VLAN; check it, enter 50, and hit Save. That's it. With nothing in that field the SSID rides the untagged LAN; this one is tagged 50, so all of its client traffic lands on the IoT VLAN. Jumping back to the diagram: all the VLANs come through the trunk, all of them are allowed out of the access point's port, they arrive at the AP, and the AP separates them out per SSID. Not every wireless device supports that. If yours doesn't but you still want to do this, you'll need two of them, one access point per network.
But as long as you have a managed switch that can filter VLAN traffic, you can push the filtering down to the switch. If you have a really basic router/Wi-Fi unit or access point without VLAN support but a switch that has it, pin its switch port to VLAN 69, and the dumb device behind it only ever sees that one network, because the port has already filtered it. That creates the locked down network. So hopefully this was helpful for figuring out VLANs on pfSense. They're pretty straightforward to create, and not too difficult once you have the concept that it's just a breakup of a physical network into logical networks underneath it, which is why you choose which interface that encapsulation occurs on. If I didn't explain it well enough, or if there's something I missed, message me on our message board or leave a comment below and I'll try my best to answer all your questions. Hopefully this gets you started with VLANs on pfSense. Thanks for watching. Like and subscribe.