Confused about configuring a Management VLAN in pfSense?

I understand why it’s a good idea to have a management VLAN and I want to set one up. My plan was to give it a tag of 10 and use the subnet 10.1.1.x.
But when I add this VLAN in pfSense and go to configure the interface, if I choose Static IP for the IPv4 Configuration type, then under Static IPv4 Configuration, I need to use an IPv4 address of 10.1.1.1 (don’t I? or can I use something like 10.1.1.42?) I’m new to setting up VLANs and I’m stumbling through all this with the help of online tutorials and YouTube videos - so choosing Static IP is the only way I know to do this…
But my LAN interface is set to 10.1.1.x because my router’s IP is set to 10.1.1.1.
Am I mistaken that whatever IPv4 address I choose for my LAN interface - that’s going to be my router’s IP address? Or am I misunderstanding that any VLAN needs to use a subnet that’s different from my LAN interface? And if both of those are true, how the heck are you supposed to get your router onto a management VLAN?

In moving on to setting up other VLANs, it occurred to me that if every non-management device on my network is assigned to one VLAN or another, then 10.1.1.x kind of becomes a management VLAN by default. I mean, it’s not actually a VLAN but rather my LAN - but if everything else is on some VLAN, then 10.1.1.x becomes isolated anyway. Right?

Which brings up the question… if everything else is on one VLAN or another, how does any device connect to the router, switch, or APs to configure them? VPN? Bastion+SSH?

A VLAN is the same as any other network on pfSense except that it shares the physical interface with another network. So you still assign the IP in pfSense the same way and you set up DHCP for that interface the same way.

I have a tutorial here on how to do it with UniFi as the switch, but the concept is the same as any other switch.


Thank you, Tom! I’ll go watch that now.

My understanding is as follows: I tend to add my switches, APs etc. onto the management VLAN (because I can). However, in theory, if you were to access a switch you wouldn’t be able to connect to the management VLAN. That’s because none of the ports are on the VLAN but the switch is.

When you set up VLANs in pfSense, you can access the pfSense GUI via that interface. That is:
vlan_mangt - 192.168.10.1 the pfsense GUI will be 192.168.10.1
vlan_guest - 192.168.20.1 the pfsense GUI will be 192.168.20.1

However, if you do not want guests to access your router but want to give them internet access, there is a handy rule to prevent just this:

You then use rules to isolate or allow access between VLANs. Personally I pass all VLANs to my switches; I suppose you can also just pass the VLANs you want the switch to access along with the management VLAN.

There is a gotcha: if you don’t have a port on the same VLAN / subnet as the switch, and for some reason the switch needs to be accessed directly but you don’t have network access, you won’t be able to access the switch!

I apologize for being so dense but I’m still very confused about several things (even after watching Tom’s video)…

  1. Am I correct that whatever IP address I use for LAN automatically sets my router to that IP address?
  2. If the ONLY nodes on my LAN interface are my network infrastructure devices - all other hosts are assigned to one VLAN or another and have no access to the LAN segment - doesn’t that kinda/sorta already (effectively) give me (the equivalent of) a Mgmt VLAN by virtue of having all my network infrastructure devices on an isolated segment?
  3. Do I actually NEED a “LAN” interface? Or is it acceptable to just have 6 VLANs - one of which is a management VLAN - and no LAN interface? (Again, the only devices connected to the LAN interface are my network infrastructure devices; all other devices are assigned to one of my 5 existing VLANs.)

When you set up VLANs in pfSense, you can access the pfSense GUI via that interface. That is:
vlan_mangt - 192.168.10.1 the pfsense GUI will be 192.168.10.1

If I setup VLAN_MGMT as 10.1.1.1, I’d obviously have to change the static IP assignment for LAN (or simply delete it if it’s not mandatory to have it)… say I change it to 10.1.10.1 - how does my pfSense router know which IP address to use for the web GUI? Does it just take the first non-WAN interface in the list? Or is there a particular naming convention I’m supposed to use for my Mgmt VLAN that tells pfSense, “use this one”?

There is a gotcha: if you don’t have a port on the same VLAN / subnet as the switch, and for some reason the switch needs to be accessed directly but you don’t have network access, you won’t be able to access the switch!

By “access the switch”, do you mean its mgmt interface/web GUI? And if I “don’t have a port on the same vlan / subnet as the switch”… a port where? On the router? Are we talking about a physical port (as opposed to an interface)? I have 2 additional/unused ports on my router that I could configure to meet this requirement, but I already have an interface (LAN - which I may delete/replace with a Mgmt VLAN) set to 10.1.1.1 — and the switch is set to 10.1.1.2 so… I’m covered? (If so, I don’t understand how.) Doesn’t plugging (Ethernet) my laptop into an unmanaged port on the switch - and assigning it (my laptop) an IP address in the same segment as the switch — doesn’t that pretty much guarantee I’ll always be able to access the switch?

I really don’t want to be unable to access my switch, but I do have a backup of the configuration, so I’m sure I could do a full reset and then restore that; I’d rather it didn’t come to that, though.

Currently, all my management devices consist of: pfSense router at 10.1.1.1 connected to port 24 on my switch, the switch at 10.1.1.2, access points at 10.1.1.3 & 4 connected to ports 7 and 8 on the switch, and I think I want to move (the Proxmox VM host for) my TP-Link Cloud Controller to 10.1.1.5 - but my Proxmox server (connected to port 2 on my switch) is on my Business VLAN (IP address 10.1.2.2) so I’m not sure how I’m going to (or if I even can) accomplish that.

  1. Would it be prudent (when I create my Management VLAN) to pick a port on my switch and configure it as tagged for the Mgmt VLAN such that, if I ever need to, I could just connect my laptop to that port and assign it a static IP in the 10.1.1.x/29 range?

  2. Currently I’m accessing the pfSense web GUI exactly as described above - I gave my laptop a static IP of 10.1.1.6 and boom! I can access the webConfigurator. That doesn’t seem very secure. Couldn’t anyone just connect to the Guest WiFi then set their IP to 10.1.1.x then wreak havoc with my router settings?

  3. Even though there’s already a rule preventing lockout (to the router/pfSense - but looking at that rule, I don’t really understand how it does that) I set up a rule to always allow access to the router from 10.1.1.6. Should I put a rule above (below?) that to disallow access from any other IP address? Can/should I create a rule that only allows access from a wired connection? Or a rule that only allows access from one specific port on the switch? Or maybe just one of the 2 unused ports on my router? If I do set up rules that require a physical connection, I’ll never be able to access the router remotely - and I might need to someday, so I probably need to use some other way to secure the web GUI - although the instant I set up any way to connect remotely, I’m creating the possibility of a hacker connecting and wreaking havoc. What’s the right way to do this?

Sorry for the novella post. I’ve watched numerous YouTube videos and scoured the Netgate docs, but all the above is still unclear to me.

I think during install you provide this, or it defaults to 192.168.1.1.

Yes

I suppose it depends. It’s the physical network of the first port, if you only had one and wanted more networks you can create virtual networks or use more hardware to create the additional network. Personally, I just use the LAN to access the router if I mess something up, I have vlans for everything else.

You add it in the Interfaces >> Static IPv4 Configuration.

Yes. If for some reason your switch loses connection to the router, and say its IP address is on the management VLAN and all your ports on the switch are on the ISP VLAN, when you plug into the switch you won’t be able to access the switch GUI. Therefore it’s handy to keep a port on the management VLAN.

I would.

Correct, you can use rules that prevent access to the pfSense GUI but allow WAN access for, say, the Guest VLAN.

I use rules to prevent access to pfSense on those VLANs that don’t need it. If you need to access pfSense remotely, I’d suggest you VPN in and access it that way.

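The rule-ordering point raised in this thread (block the Guest VLAN from reaching pfSense itself, but still let it out to the internet, and allow only the admin laptop on the management side), as an added example that is not part of the thread or of pfSense's own code: a small first-match model of how the rules on one interface tab are evaluated. The subnets, the "This Firewall" target, the admin ports and the 10.1.1.6 laptop address are constructed assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed values for the example: pfSense's own addresses on the
# management and guest VLANs, and the ports the GUI/SSH listen on (assumed).
FIREWALL_ADDRS = {ip_address("10.1.1.1"), ip_address("10.1.20.1")}
ADMIN_PORTS = {22, 443}


def rule(action, src, dst, ports=None):
    """Build one rule; dst is a network, 'any', or 'This Firewall' (pfSense alias)."""
    return {"action": action, "src": ip_network(src), "dst": dst, "ports": ports}


def matches(r, src, dst, port):
    """True when the packet's source, destination and port all fit the rule."""
    if src not in r["src"]:
        return False
    if r["dst"] == "This Firewall":
        if dst not in FIREWALL_ADDRS:
            return False
    elif r["dst"] != "any" and dst not in ip_network(r["dst"]):
        return False
    return r["ports"] is None or port in r["ports"]


def evaluate(rules, src, dst, port):
    """Top-down, first match wins; an unmatched packet hits the implicit deny."""
    src, dst = ip_address(src), ip_address(dst)
    for r in rules:
        if matches(r, src, dst, port):
            return r["action"]
    return "block"


# GUEST tab, ordered correctly: deny the GUI/SSH first, then allow the rest.
GUEST_RULES = [
    rule("block", "10.1.20.0/24", "This Firewall", ADMIN_PORTS),
    rule("pass", "10.1.20.0/24", "any"),
]
# Same two rules, wrong order: the pass rule matches first and the block never runs.
GUEST_RULES_MISORDERED = list(reversed(GUEST_RULES))

# MGMT tab: only the admin laptop may reach the GUI; everything else is implicitly denied.
# (The built-in LAN anti-lockout rule is not modelled here.)
MGMT_RULES = [rule("pass", "10.1.1.6/32", "This Firewall", ADMIN_PORTS)]
```

Note that DNS or DHCP from guests to the firewall's guest-side address still passes under the correct ordering, because only the admin ports are blocked.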