Setting up MAC Based VLAN for pfsense router and netgear switch


I am having trouble setting up a simple MAC-based VLAN (or any VLAN at all) and I'm looking for some help. This is my first attempt to do such a thing, so I'm still pretty fresh with VLANs.

Router/FW - virtualized pfSense within ESXi 7 - two adapters are passed through from the hypervisor to the VM. The NIC is Intel i350 based, so it should support tagged packets.
Switch - S350 Series 8-Port Gigabit Ethernet Smart Managed Pro Switch / GS308T - L2 managed switch that understands VLANs

I have watched the following videos to better understand the topic and plan my network: (See comments)

I set up a test VLAN on my pfSense labeled Work with ID 96. I have a DHCP server leasing IPs as well. I followed the pfSense setup step by step from the videos mentioned above.

On the switch, I created a VLAN with the same ID and description. I then included the Ethernet MAC address of the device which I want to put in that VLAN. The device is a Windows-based laptop and upon releasing the IP, the machine is not getting a new IP. Upon removing the MAC-based rule from the switch, things work again, but of course the laptop is now in the LAN network, not in the VLAN. I then went and put the “untagged” tag on the port which is connected to the laptop and “tagged” on the port which is connected to pfSense. Nothing happens.

I am looking for help on where I should start to troubleshoot this, since this is the first time I'm facing this technology. Is it possible that ESXi might not be forwarding the VLAN tags to the pfSense VM?


Videos (forum rules do not allow me to paste so many links in my first post):

Second part:

I use pfSense with Netgear switches myself but I haven't used MAC-based VLANs.

However, it looks pretty straightforward if you have your VLANs correctly configured.

I would suggest just setting up your VLANs on pfSense and then the switch first. If that works OK, then you only need to add the MAC to the MAC Based VLAN Group Configuration table with the VLAN ID.

You also have to remember to take the port off VLAN 1 membership.

If it doesn’t work after that then the problem is likely at the virtualisation level.

Which port should I take out of VLAN 1 membership and why? I haven't done this before. Currently, I have port 8 (this is the port to pfSense) as tagged. I tried applying “tagged”, “untagged” and “empty” tags on the port which is connected to the laptop but nothing happens.

Assuming your setup basically goes pfSense → switch → laptop I would do the following:

  • Create VLAN 99 on pfSense (and the rest of it)
  • On the switch create VLAN 99
  • Under VLAN 99 enter “U” for the port; in fact it ought to work for all the other ports too if you untag them.
  • In Port PVID Configuration enter 99 for the concerned port
  • Now go back to VLAN 1 and remove the U from the port.
  • Connect your laptop to the port and you should now be on VLAN 99

That's all you need to do to set up the VLANs on the switch.

However, you also need to set up a trunk port between pfSense and the switch. I use a LAGG between pfSense and my switches.

For MAC-based VLANs you just need to enter the MAC address and VLAN 99 into MAC Based VLAN Group Configuration.

At least on physical kit it's pretty straightforward.
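As an added example (not from this thread), a quick way to verify both the trunk port setup above and the earlier question of whether ESXi is passing tags to the VM is to capture on the pfSense parent interface with `tcpdump -e -nn` and look for 802.1Q tags carrying the expected VLAN ID. The Python parser below does that check offline on raw Ethernet frames, peeling single and double (QinQ) tags; the MAC addresses and frames are constructed for the example.

```python
import struct
# Tag EtherTypes: 0x8100 is a single 802.1Q tag, 0x88A8 the outer tag of a double-tagged (QinQ) frame
TAG_ETHERTYPES = (0x8100, 0x88A8)

def parse_frame(frame):
    """Return dst/src MACs, the VLAN IDs found (outermost first) and the payload EtherType."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[:6].hex(":"), frame[6:12].hex(":")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    offset, vids = 14, []
    # Peel off every tag; each is 4 bytes: TCI (PCP:3, DEI:1, VID:12) followed by the inner EtherType
    while ethertype in TAG_ETHERTYPES:
        if len(frame) < offset + 4:
            raise ValueError("truncated VLAN tag")
        tci, ethertype = struct.unpack("!HH", frame[offset:offset + 4])
        vids.append(tci & 0x0FFF)
        offset += 4
    return {"dst": dst, "src": src, "vids": vids, "ethertype": ethertype}

def vlan_report(frames, expected_vid):
    """Count frames carrying the expected tag, a different tag, or no tag at all."""
    report = {"expected": 0, "other_vid": 0, "untagged": 0}
    for frame in frames:
        vids = parse_frame(frame)["vids"]
        if not vids:
            report["untagged"] += 1
        elif vids[0] == expected_vid:
            report["expected"] += 1
        else:
            report["other_vid"] += 1
    return report

def build_frame(dst, src, ethertype, payload=b"", vid=None, pcp=0):
    """Build a test frame, optionally with one 802.1Q tag (constructed data, not a real capture)."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    if vid is None:
        return hdr + struct.pack("!H", ethertype) + payload
    tci = (pcp << 13) | (vid & 0x0FFF)
    return hdr + struct.pack("!HHH", 0x8100, tci, ethertype) + payload

# Constructed sample: laptop -> pfSense on VLAN 96, an untagged ARP broadcast, and a stray VLAN 1 frame
LAPTOP, PFSENSE, BCAST = "02:00:00:00:00:01", "02:00:00:00:00:02", "ff:ff:ff:ff:ff:ff"
SAMPLE = [
    build_frame(PFSENSE, LAPTOP, 0x0800, b"\x45" + b"\x00" * 19, vid=96),
    build_frame(BCAST, LAPTOP, 0x0806, b"\x00" * 28),
    build_frame(PFSENSE, LAPTOP, 0x0800, b"\x45" + b"\x00" * 19, vid=1),
]
print(vlan_report(SAMPLE, 96))  # {'expected': 1, 'other_vid': 1, 'untagged': 1}
```

If the real capture on the pfSense side shows no frames tagged with the expected ID, check that the ESXi port group passes tags through to the guest (VLAN ID 4095, virtual guest tagging); with a fixed port group VLAN ID the hypervisor strips and re-adds the tag itself.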

This is what I am trying to do, since it looks like the most straightforward variant. However, I fail on this very first step. I am currently looking into whether ESXi might not forward the VLAN traffic to the VM adapter. I don't think there's much configuration in pfSense or the switch which I might have misconfigured.

Then it's most likely VMware; there are probably specific steps you need to follow, and I'm sure those are documented on the internet.