2 Separate Networks on pfsense

Networking & Firewalls
1

This is probably simple, but I have not successfully configured a Netgate SG3100 with two separate networks.

Requirements. A Company is subletting a room in their office and they want to share their internet connection and completely separate the networks.

Current Situation

Netgate SG3100 Connected to tp-link switch and 2 Unifi Access Points
Network: 10.21.53.0 for computer (default VLAN)
Network: 172.20.10.0 for mobile phones (VLAN 101)

This is all working fine.

The new tenant provided a Switch HP 1820.

Merc Network.drawio
Merc Network.drawio1060Ă—674 85.2 KB

tplink switch port 24 is connected to SG3100 LAN1
HPE Switch port 24 is connected to SG3100 LAN2

My idea was to enable 802.1q on the netgate and assign VLAN 10 tagged to port 4. Tag VLAN 10 on the HPE and all the other ports on the HPE untagged, but until now, there has been no success.

Is this the wrong approach or what other configuration should I apply?

Also I want to add the VLAN 10 to the Unifi AP’s for their Wifi

2

Yes, you can setup VLAN10 for the tenant and have it both on the HP switch and your switches and access points. I would make sure you have rules for their network set so they can not access your networks.

Configure each port on the HP (except the uplink port) to use VLAN 10, you’re essentially creating a “VLAN-tagged” network where all traffic on those ports is tagged with VLAN 10. This means that any device connected to those ports will only see VLAN 10 and won’t be able to access other VLANs.

The uplink port, which connects to your firewall would typically remain an untagged (or “native”) VLAN 10 port.

1 Like
3

Thank you, if you don’t mind, I want to make sure that I configure the pfsense correctly

Enable 802.1Q and set the VLANs (not tagged)

image
image3088Ă—1200 244 KB

Create VLAN in the assignments

image
image3082Ă—1242 258 KB

Set interface for VLAN 10

image
image2670Ă—1364 426 KB

Enable DHCP and set firewall rules.

Then follow procedure as you mentioned

Blockquote Configure each port on the HP (except the uplink port) to use VLAN 10, you’re essentially creating a “VLAN-tagged” network where all traffic on those ports is tagged with VLAN 10. This means that any device connected to those ports will only see VLAN 10 and won’t be able to access other VLANs.

4

You are close. You also need to tag VLAN 5 on your switch port in pfsense.

So it should read:
4,t5

1 Like
5

Thank you, but confused. I don’t have VLAN 5

Or do you mean I need to tag member 5 on VLAN tag 10

image
image1920Ă—746 56.3 KB

6

Correct. You need to tag member 5. I used the wrong terminology, my fault.

7

all good thank you :grinning:

8

I followed the suggestions to configure each port on the HP (except the uplink port) to use VLAN 10 and also realised that I needed to set VLAN 10 on the pfsense Port VID 1 beside LAN4

But I was unsuccessful; I misconfigured the HP 1820-24G Switch J9980A Switch, or something was still missing on the pfsene.

Any trouble shooting suggestions?

9

To follow up on this configuration, I finally got to work, and used a Cisco Switch as an access switch. That was easier to test the client connectivity and I got this to work by leaving the switch default.

When I removed VLAN 10 from the ports, I could ping the gateway and DHCP Started working.

image
image1032Ă—696 121 KB