pfSense and VLANs

First, I want to thank you for your videos on YouTube concerning networking. I have been using pfSense for several years but have only been using the tip of the iceberg on its capabilities. I will be moving to a new house (so a residential user, not a commercial user) and wish to beef up my system for the move. In my move, I am intentionally leaving much of my physical infrastructure in place in the house I’m leaving and buying new-to-me hardware for the new house. Primarily, this is because my little sister and family will be moving into my old house and I will still be managing the network for them.

Hardware-wise, I have a small Jetway Celeron N2930 with four gigabit NICs, 8GB RAM and a 16 GB mSATA SSD with pfSense 2.4.5 installed (I just upgraded). In my new house, I plan on using three Aruba S3500-24P network switches and 10GBase-SR interlinking all three of the switches. Each of these switches will be in different physical locations; one accessible from the front attic space of the house, one accessible from the rear attic space of the house and one in my detached garage/computer center. In my computer center, I will have a 42U four-post rack. I have a 2U Dell R710 running XCP-ng and a 4U home-built server running FreeNAS (soon to be renamed TrueNAS I hear). My FreeNAS currently has four volumes with four drives per volume in a RAIDZ1 configuration (I’d do it differently if I were to start over from scratch, but I’ve upgraded it several times). The FreeNAS has Plex Media Server, Sonarr, SABNZBd+ and a few other jails installed. My Dell R710 has several VMs operating with the largest VM running ZoneMinder. I also have some smaller VMs running UniFi Controller, IceCast, Home Assistant, and a couple other machines for just testing stuff.

Despite my three Aruba switches, there are things that must work on WiFi, such as cellphones, tablets and many IoT devices. For this reason, I got a deal on three UAP-AC-Pro access points. Using the UniFi Controller interface, I have virtually placed these devices to provide great coverage of my new house; each will be plugged into one of the ports on each of the Aruba switches.

Now for just a couple other little things in my network, I have also built a Pi-hole system for my DNS needs and I built a Stratum 1 Network Time Server. My primary subnetwork is 172.18.0.0/20 and I have given my Pi-hole an IP address of 172.18.0.53 and my NTP server an IP address of 172.18.0.123.
In pfSense, under my DHCP server, I have told it to make the default DNS server 172.18.0.53 and the default NTP server to be 172.18.0.123.

NOW, I have been watching some of your older videos where you are talking about creating several VLANs to isolate traffic. I have created several VLANs, one for Guests, one for IoT devices and one for IP cameras. I followed the instructions to give each of these VLANs Internet access but not access to my primary LAN, the 172.18.0.0/20 network. I just want to be able to pass through my Pi-hole and NTP server, so they can be accessed by devices on these VLANs. Is this done by creating rules on each of these Interfaces, such as Cameras, allowing any device on Cameras Net to access 172.18.0.53 with either TCP or UDP traffic on port 53?

I have been planning this for months but it has all been theoretical work as I don’t move until April 15. At that time, I will be spending several days physically installing the rack, servers, switches, cameras and everything else.


Nice setup! As far as your rules, yes for each VLAN/network that needs access to DNS and NTP, you will need to create a rule on that interface to allow that flow. Also, make sure your ports that the APs plug into are set up as trunks.

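As an added illustration (not from either poster), here is what the rule set for one of those VLAN tabs looks like in pf syntax, written roughly the way pfSense compiles the GUI rules it is given. The only addresses taken from the thread are the primary LAN 172.18.0.0/20, the Pi-hole 172.18.0.53 and the NTP server 172.18.0.123; the interface name igb1.30, VLAN tag 30 and the Cameras subnet 172.18.30.0/24 are assumptions. Rule order is the point: pfSense adds "quick" to every rule it generates, so evaluation is first-match from the top, and the two narrow allow rules have to sit above the broad block.

```pf
# Assumed names (not from the original post): the Cameras VLAN is tag 30 on
# igb1, so pfSense sees it as igb1.30 with the subnet 172.18.30.0/24.
CAMERAS     = "igb1.30"
cameras_net = "172.18.30.0/24"     # what the pfSense GUI calls "Cameras net"
lan_net     = "172.18.0.0/20"      # the primary LAN from the post ("LAN net")
pihole      = "172.18.0.53"        # Pi-hole, from the post
ntp         = "172.18.0.123"       # Stratum 1 NTP server, from the post

# pfSense puts "quick" on every GUI rule: first match wins, top to bottom.

# 1. DNS to the Pi-hole only, TCP and UDP 53 (TCP is needed for large answers
#    and zone-style queries, so allow both as the poster suggests).
pass in quick on $CAMERAS inet proto { tcp udp } from $cameras_net to $pihole port 53 keep state

# 2. NTP to the Stratum 1 server only, UDP 123.
pass in quick on $CAMERAS inet proto udp from $cameras_net to $ntp port 123 keep state

# 3. Everything else aimed at the primary LAN is dropped. This MUST come after
#    rules 1 and 2; placed above them it would also swallow the DNS/NTP flows.
block in quick on $CAMERAS inet from $cameras_net to $lan_net

# 4. What is left is Internet traffic; pfSense blocks by default, so without
#    this pass rule the VLAN would have no Internet at all.
pass in quick on $CAMERAS inet from $cameras_net to any keep state
```

The same four rules, with "Cameras net" swapped for "Guests net" or "IoT net", go on each VLAN tab. Two things worth checking afterwards: the DHCP server on each VLAN has to hand out 172.18.0.53 and 172.18.0.123 as well, because pfSense otherwise gives clients its own interface address as the DNS server and the allow rule for the Pi-hole is never exercised; and if the VLANs should not reach each other either (Guests talking to Cameras, for example), rule 3 should block an alias covering all RFC1918 space rather than just the /20, since "LAN net" only covers the primary LAN.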

I used Pi-hole before I set up pfSense, seemed like a good idea to continue to use after. However, if the Raspberry Pi fails, then you will have issues surfing.
Instead of Pi-hole, take a look at pfBlockerNG, you can use the same block list as Pi-hole along with any others you like.

I went to pfBlockerNG. I get similar results, although blocked sites sometimes react differently. It still primarily blocks ads and hopefully bad traffic.