When I built my home lab my main reason for selecting the PfSense router was to be able to create separate networks for my home network and public facing servers that couldn’t talk to each other. This is important for protecting the devices on my home network from possible bad actors that might try to attack my public facing web servers. The downside to this is that I use my desktop as my development machine. Since it is on my home network it, by default, doesn’t have access to the server network. To be able to test services from the home network I forward only the specific ports I need to get access to said services. (This is apart from setting up a VPN from one network to the other to get full access which is a different topic.)
What Are VLANs and Why Are They Important?
VLAN stands for “virtual local area network”. In short a VLAN is a subset of the devices attached to a router that are grouped by a set of firewall rules. There are more technical explanations than this but, for sake of this post, this will do. The main importance of VLANs for me is to have all of my infrastructure here at the house but keep things separate that should be separate. The three separate networks I’ve created are:
- Home network containing all of our personal devices.
- Web network containing the servers that serve websites
- Minecraft network containing the game servers
How Do I Create VLANs With PfSense?
VLAN creation with PfSense is relatively easy and their documentation on the process if good. Since you’re already here I’ll walk you through it here as well. The first step to creating a VLAN is to select “Assignments” from the Interface menu. That will bring you to the Interface Assignment page (which isn’t your first stop but you’ll come back to in a minute):
One thing to notice on this page before moving forward; This is the page where we will assign pfSense “interfaces” to physical network ports. Or, as in the case of the VLANs I have setup, you’ll see that they specify that they are “on ix2” which is one of the physical network ports on my router. From here we’ll click on the VLANs “tab” to get a new VLAN setup and assigned to a physical port.
From here, we click on Add to add a new VLAN.
For parent interface select the item that represents the network port that will handle the traffic for this VLAN. The VLAN “tag” is the identifying mark that separates this VLAN from all other VLANs. Make sure that you’ve selected a number for this tag that is different from other VLANs. Lastly, always make sure you give the VLAN a good name under the description field. After adding your new VLAN return to the interface assignment screen and line up the interface and port correctly.
How Do I Allow Certain Services Across VLAN Boundaries With PfSense?
Now we come to the crux of this post. Firewall rules are the primary way to control access to any network in PfSense and this applies to VLANs as well. To set these select Firewall -> Rules. On the resulting page you’ll find that your new VLAN will show up as a “tab” to choose and create rules for.
Clicking on my Minecraft VLAN you can see the selected rule at the bottom blocks traffic from any source within the VLAN to any 192.168.0.0 address. I’ve kept my home network using that IP range for ease of use. I could also have used the “HOMENETWORK net” alias in this case as well (and probably should for sake of consistency across the rules).
You’ll also notice that there are other rules here that allow traffic to go through from sources on the Minecraft network to the HOMENETWORK. This is the solution to the problem I mentioned at the beginning of the post; i.e. that I want to use my desktop on the home network as my development machine for things I’m doing on the server network. Among these items that I have covered are rules for:
- A VPN connection between home network and minecraft network
- Several minecraft ports for servers so I don’t have to be connected to VPN to play
Now we’ll look at the firewall rules for the home network:
Here, you’ll notice the reciprocal rules for what was in the Minecraft VLAN rules. There are a couple extra going to my Web VLAN to handle a couple extra specific items related to hosting the Pterodactyl panel. These handle the development tasks that I was speaking to earlier. Their corollary rules are on the WEB VLAN.
VLANs are a great way to separate devices into their own sandboxes. Firewall rules help determine who can come play in said sandbox and what the devices inside the sandbox are allowed to access from outside. I’ve had to learn a ton about networking as I’ve setup my home lab and am glad I learned about VLANs. If there are items that I’ve gotten wrong here please let me know!