pfSense | 2 NICs and want to create subnet OR VLAN

The hardware
I have an mITX mobo which has run pfSense for 6 months now. The mobo has only 2 NICs, one is used for WAN and the other for LAN. It has a free PCIe 2x in an 8x slot.

I have an Intel 4-NIC card that lies on the shelf. As I understand, it would require 4 PCIe lanes to run the 4 ports (1 Mb per lane in PCIe V2). I don't know what would happen if I connected the card: 1 port working at 1 Gb, 4 ports sharing the 1 Gb, or just not working. Anyway, to connect this and have 4 OPTs, I would have to make some compromises for the chassis, which is the last resort (apart from buying a new Netgate or Protectli appliance).

I have a smart switch (TP-Link SG-1016DE) that is VLAN capable (MTU, port based, 802.1Q) that is actually set as “dumb” or unmanaged.

The problem
Because I have a teenager at home, I would like to subdivide my network. I was thinking of VLANs but someone suggested I go the virtual IP route instead.

I read and watched some YT videos, including LTS, but the VIP is always used for ISP IP pools.

Any thoughts on VLAN vs VIP and if VIP, any help on how to accomplish that?

Thanks

I’ve never heard of virtual IP in the context of network segmentation. Don’t know how it would do any good here. If you’re after different subnets (e.g. home, office, cameras, kids, …), you should use VLANs.

Concerning the network card. 2 lanes of PCIe 2 should have a combined throughput performance of around 1 GB/s or 8 GBit/s. That should be enough throughput for four GBE NICs. So if you want to have a dedicated physical NIC for each subnet you could. The alternative would be to aggregate ports using LACP and use VLAN trunking on that logical interface. That way, you can get away with fewer ports and you also get some redundancy. Your switch probably supports this.

Btw: even if the PCIe card is connected with a slower link than it was designed for, it would most likely still work (meaning all four ports would work and they would share the bandwidth to the CPU).

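To make the "VLAN trunking" part of the answer above concrete, here is an added example (written for this page, not code from the thread or from pfSense) that builds and parses 802.1Q-tagged Ethernet frames and models what an access port and a trunk port on the switch should do with them. The MAC addresses, the PVID of 20 and the allowed-VLAN set are constructed values for illustration.

```python
import struct

TPID_8021Q = 0x8100      # EtherType value that marks an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800


def _mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def build_frame(dst: str, src: str, ethertype: int, payload: bytes,
                vlan_id=None, pcp: int = 0) -> bytes:
    """Ethernet II frame; insert the 4-byte 802.1Q tag after the MACs when vlan_id is set."""
    hdr = _mac(dst) + _mac(src)
    if vlan_id is not None:
        if not 1 <= vlan_id <= 4094:           # VID 0 and 4095 are reserved
            raise ValueError("VLAN ID out of range")
        tci = ((pcp & 0x7) << 13) | (vlan_id & 0x0FFF)   # PCP(3) DEI(1) VID(12)
        hdr += struct.pack("!HH", TPID_8021Q, tci)
    return hdr + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes):
    """Return (dst, src, vlan_id_or_None, ethertype, payload)."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst = ":".join(f"{b:02x}" for b in frame[0:6])
    src = ":".join(f"{b:02x}" for b in frame[6:12])
    (ethertype,) = struct.unpack("!H", frame[12:14])
    off, vlan_id = 14, None
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan_id, off = tci & 0x0FFF, 18
    return dst, src, vlan_id, ethertype, frame[off:]


def access_port_ingress(frame: bytes, pvid: int):
    """Model of an access (untagged) port, e.g. the kid's desktop port: tag
    incoming frames with the port's PVID and drop frames that arrive already
    tagged, so a host cannot choose its own VLAN. Returns the tagged frame or
    None when dropped. (Assumed switch behaviour; check your switch does this.)"""
    dst, src, vid, ethertype, payload = parse_frame(frame)
    if vid is not None:
        return None
    return build_frame(dst, src, ethertype, payload, vlan_id=pvid)


def trunk_port_ingress(frame: bytes, allowed_vids):
    """Model of the trunk toward pfSense: only tagged frames for VLANs that are
    explicitly allowed on the trunk are accepted. Returns the VID or None."""
    _, _, vid, _, _ = parse_frame(frame)
    if vid is None or vid not in allowed_vids:
        return None
    return vid


if __name__ == "__main__":
    # Constructed sample: a minimal IPv4 payload (20 zero bytes) from the kid's desktop.
    untagged = build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55", ETHERTYPE_IPV4, b"\x00" * 20)
    tagged = access_port_ingress(untagged, pvid=20)
    print("VID on trunk:", trunk_port_ingress(tagged, {10, 20}))
```

The four extra bytes are the whole difference between the "dumb" setup and a VLAN-aware one: the TP-Link adds them on the kid's access port, pfSense reads them on the trunk and hands the frame to the matching VLAN interface.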

That was fast!

Thanks

I’ll try the VLAN way then using this guide.

What I want to protect the most is my TrueNAS server. In this scenario, it would go to subnet 1.

It is running some jails and VMs that all have their own IPs, but we'll come back to that later as those single VMs fall in various categories I guess.

My Desktop vs Kid's desktop
If I understand threats correctly, my desktop and the kid's desktop could be on the same subnet since there is no absolute guarantee I will never open a fraudulent email or click on a phishing address?

Is the fact that he is gaming and installing stuff I don't have control over a reason to put it on a specific subnet?

Should a Kobo eReader be in an IoT subnet?
What about my IP phone AT box?

Pretty much what @paolo says.

I'd say going with vlans is what you need. As you are using pfSense you can just stick your child on their own vlan. This will give you the most control over their activities. Set up rules so that your vlan can access theirs but not vice versa. Use a different DNS provider on that vlan, some are good at blocking porn etc. Obviously you can also use pfBlocker on that vlan too.

I would stick the IP Phone on its own vlan, then you are able to use the traffic shaper to prioritise that traffic above all others. You might be able to do it via protocol too.

No harm in setting up an IoT vlan, no idea if the ereader is a problem.

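The rule design in the answer above ("your vlan can access theirs but not vice versa", plus a forced DNS provider on the kid's vlan) depends on two pfSense behaviours: rules are evaluated top to bottom on the interface where a packet enters, first match wins, and reply packets of an allowed flow pass via the state table rather than the rules. The following added example (written for this page, not code from the thread or from pfSense) is a small model of that evaluation. The interface names LAN/KID, the subnets 192.168.10.0/24 and 192.168.20.0/24, and the filtering resolver 192.0.2.53 (a documentation address standing in for whatever provider you choose) are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Assumed addressing for the example.
LAN_NET = ipaddress.ip_network("192.168.10.0/24")    # parents + TrueNAS
KID_NET = ipaddress.ip_network("192.168.20.0/24")    # kid's VLAN
ANY = ipaddress.ip_network("0.0.0.0/0")
FILTER_DNS = ipaddress.ip_network("192.0.2.53/32")   # placeholder filtering resolver


@dataclass(frozen=True)
class Flow:
    iface: str      # interface the first packet enters on
    proto: str      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Rule:
    action: str                              # "pass" or "block"
    proto: str = "any"
    src: ipaddress.IPv4Network = ANY
    dst: ipaddress.IPv4Network = ANY
    dport: Optional[int] = None              # None = any destination port
    note: str = ""

    def matches(self, f: Flow) -> bool:
        return ((self.proto == "any" or self.proto == f.proto)
                and ipaddress.ip_address(f.src) in self.src
                and ipaddress.ip_address(f.dst) in self.dst
                and (self.dport is None or self.dport == f.dport))


# Per-interface rulesets, ordered as they would appear in the pfSense GUI.
RULESETS = {
    "LAN": [Rule("pass", note="default allow LAN to any")],
    "KID": [
        Rule("pass", "udp", KID_NET, FILTER_DNS, 53, "DNS only to the filtering resolver"),
        Rule("block", "udp", KID_NET, ANY, 53, "no other DNS (UDP)"),
        Rule("block", "tcp", KID_NET, ANY, 53, "no other DNS (TCP)"),
        Rule("block", "any", KID_NET, LAN_NET, None, "kid VLAN may not reach LAN"),
        Rule("pass", "any", KID_NET, ANY, None, "everything else, i.e. the internet"),
    ],
}


class Firewall:
    def __init__(self, rulesets):
        self.rulesets = rulesets
        self.states = set()   # (proto, src, sport, dst, dport) of allowed flows

    def check(self, f: Flow) -> Tuple[str, str]:
        """First packet of a flow: walk the ingress interface's rules, first match wins.
        A new interface with no matching rule drops the packet (pfSense default deny)."""
        for rule in self.rulesets.get(f.iface, []):
            if rule.matches(f):
                if rule.action == "pass":
                    self.states.add((f.proto, f.src, f.sport, f.dst, f.dport))
                return rule.action, rule.note
        return "block", "no rule matched: default deny"

    def reply_allowed(self, f: Flow) -> bool:
        """Reply packets are matched against the state table, not the rules, which is
        why LAN -> KID works without any pass rule on the KID interface."""
        return (f.proto, f.dst, f.dport, f.src, f.sport) in self.states


if __name__ == "__main__":
    fw = Firewall(RULESETS)
    print(fw.check(Flow("KID", "tcp", "192.168.20.10", 50000, "192.168.10.5", 445)))
    print(fw.check(Flow("LAN", "tcp", "192.168.10.2", 50004, "192.168.20.10", 3389)))
```

The order matters: if the "everything else" pass rule were placed above the block rules, the kid's desktop could reach the TrueNAS box and any DNS server, because first match wins. Also note that the block rule uses the whole LAN subnet as destination; if you later add more VLANs, each one needs its own block entry on the KID interface (or a single alias covering all private ranges).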

I’ll start another thread for subnet granularity.