Remaining considerations
Once you have configured VLANs within pfSense, there are two more steps you must complete before VLANs are fully functional:
- If you do not have floating rules allowing outbound traffic from all interfaces, you must add rules for each VLAN interface that allow outbound traffic from it; otherwise, all outbound traffic from that VLAN will be blocked by default. pfSense creates two Allow LAN to any rules for the LAN interface when it is created (one for IPv4 and one for IPv6). To see these rules, navigate to Firewall | Rules within the web GUI and click on the LAN tab. You can copy these rules by clicking on the Copy icon in the rule's row (it looks like two sheets of paper on top of each other) and changing the Interface (in the drop-down box) from LAN to the VLAN interface name. You might also want to change the Description accordingly. There will be a more detailed treatment of firewall rules in Chapter 6, Firewall and NAT.
- You must configure one or more managed switches for use with your VLAN. It is not the objective of this book to explain how to accomplish this. There are many manufacturers and models of managed switches (Cisco is currently considered the industry standard-bearer, but there are many others), and all of them have their own specific directions on how they must be configured. To get you started, however, here are some factors to consider:
  - The switch must be a managed switch. Unmanaged switches are essentially dumb devices that simply allow traffic to pass between ports. Managed switches support advanced features such as VLANs.
  - You will have to designate at least one port as a trunk port (these are ports that provide a connection between the managed switch and other switches and routers), and one or more ports as switch ports (these ports are assigned to the VLANs).
  - The trunk ports will be designated as tagged ports (traffic leaving them will have 802.1Q tags attached), while the switch ports will be designated as untagged ports (traffic leaving them will be stripped of its 802.1Q tags).
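Both remaining steps can be checked offline before touching the firewall or the switch. The following is an added example, not code from the book or from pfSense: it copies the LAN rules to a VLAN interface the way the Copy procedure above does, reports VLAN interfaces still lacking an outbound pass rule, and validates a managed-switch port plan against the tagged-trunk / untagged-switch-port rule. The rule and port records are constructed here to mirror the Interface, Action and Address Family fields of the pfSense rule editor and a switch's trunk/access port modes; none of it is pfSense's own data format.

```python
# Added example (not from the book or pfSense). Rule dicts and port dicts are
# constructed to mirror the pfSense rule editor fields and a managed switch's
# port modes; "access" below is what the book calls a switch port.

def clone_lan_rules(lan_rules, vlan_iface):
    """Mimic the Copy icon: duplicate each LAN rule for a VLAN interface,
    rewriting the Interface and the 'LAN' part of the Description."""
    return [dict(r, interface=vlan_iface,
                 description=r["description"].replace("LAN", vlan_iface, 1))
            for r in lan_rules]

def missing_outbound_rules(vlan_ifaces, rules, floating_allow_all=False):
    """Return (interface, family) pairs that have no pass rule. Without one,
    pfSense blocks all outbound traffic from that VLAN by default."""
    if floating_allow_all:          # a floating allow-all rule covers every interface
        return []
    return [(i, fam) for i in vlan_ifaces for fam in ("inet", "inet6")
            if not any(r["interface"] == i and r["action"] == "pass"
                       and r["ipprotocol"] == fam for r in rules)]

def switch_port_problems(ports, vlan_ids):
    """Check a port plan: every VLAN must leave a trunk port 802.1Q-tagged, and
    an access (switch) port carries exactly one untagged VLAN and no tagged ones."""
    problems, tagged_on_trunks = [], set()
    for name, p in ports.items():
        if p["mode"] == "trunk":
            tagged_on_trunks |= set(p["tagged"])
        elif p["mode"] == "access":
            if p["tagged"]:
                problems.append(f"{name}: access port carries tagged VLANs")
            if p["untagged"] not in vlan_ids:
                problems.append(f"{name}: access port not assigned to a known VLAN")
    for vid in sorted(vlan_ids):
        if vid not in tagged_on_trunks:
            problems.append(f"VLAN {vid}: not tagged on any trunk, unreachable from pfSense")
    return problems

if __name__ == "__main__":
    # Constructed sample: the two default LAN rules, copied only for VLAN10.
    lan = [{"interface": "LAN", "action": "pass", "ipprotocol": "inet",
            "description": "Default allow LAN to any rule"},
           {"interface": "LAN", "action": "pass", "ipprotocol": "inet6",
            "description": "Default allow LAN IPv6 to any rule"}]
    rules = lan + clone_lan_rules(lan, "VLAN10")
    print(missing_outbound_rules(["VLAN10", "VLAN20"], rules))  # VLAN20 still blocked
    # Constructed port plan: VLAN 20 exists on an access port but no trunk tags it.
    ports = {"gi1": {"mode": "trunk", "tagged": {10}, "untagged": None},
             "gi2": {"mode": "access", "tagged": set(), "untagged": 10},
             "gi3": {"mode": "access", "tagged": set(), "untagged": 20}}
    print(switch_port_problems(ports, {10, 20}))
```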