Old topic, I know… It took a while, waiting for some new cables (red for the VLAN) and for a good time to potentially break things. But I did eventually do it, and so far so good!
It actually went pretty smoothly. The hardest part was configuring the switch. I assumed that a trunk would just pass VLANs around no problem, which Mike, my Cisco dude, confirmed, but my switch wasn't playing nice until I joined the required ports to the specific VLAN.
The only issue that remains is that when I tried to implement the firewall rules to keep traffic from going over the WAN when the VPN is down, it all just died. I'm not so worried about this, since the VPN rarely goes down, and when it does it's more of a bounce than anything. I will go back and take a look at some point though, at least for the education of how pfSense (and I guess pftables) handles things. Sometimes you just need to step back and come back later to get a fresh look, especially when following a guide to implement something. I'm sure it will all make a bit more sense when I go over it later.
Right now I have to VPN on the specific client that I want to protect. I don't always browse on a VPN, but sometimes it really comes in handy. So I had a crazy idea: maybe I could have my router connect to the VPN, and then when a device is on a certain VLAN, all of its traffic will go through the VPN.
So here is the plan: I have a server running pfSense as my router; it has a 4 gig trunk to my switch, and one of its remaining 2 ports is the WAN connection to my cable modem. I figure I can just use the remaining port to VLAN into the switch. pfSense doesn't appear to have a way of separating a physical interface into virtual ones, so I can't simply use the 4 gig trunk. I think I can then just have all my switch ports basically trunk all VLANs, since the default VLAN will just remain as if I'm not using VLANs at all, and anything tagged will do its thing.
This is mostly a way to learn a bit more about VLANs and routing in general. I have a basic understanding of these things, and as far as I know what I am planning is totally doable. I am not completely sure how to set up pfSense to route a VLAN to another interface. Like, I don't know if it's done with a routing rule or with firewall rules. Another thing I'm not sure about is how to configure pfSense to serve separate DHCP and DNS on the VLAN. I also don't know if just setting all the ports on the switch as trunks will work.
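Since pfSense builds its ruleset on top of pf, the "route the VLAN into the VPN and don't leak when the tunnel is down" part of the plan can be sketched as a pf.conf fragment. This is an added illustration, not the author's configuration or anything generated by pfSense; the interface names, VLAN id, subnet and tunnel gateway address are all assumed values for the example.

```pf
# Macros: interface names and addresses are assumptions for this example
wan_if   = "igb0"            # cable modem uplink
vlan_if  = "igb1.20"         # VLAN 20 sub-interface on the spare port
vpn_if   = "ovpnc1"          # VPN client tunnel interface
vpn_gw   = "10.8.0.1"        # constructed tunnel gateway address
vlan_net = "192.168.20.0/24" # constructed VLAN subnet

# Translation: VLAN traffic leaving through the tunnel is NATed to the tunnel address
nat on $vpn_if from $vlan_net to any -> ($vpn_if)

# Default deny, logged, so anything not matched below shows up in the firewall log
block log all

# VLAN clients may reach the router's own DHCP and DNS on the VLAN interface
pass in quick on $vlan_if proto udp from any port 68 to any port 67
pass in quick on $vlan_if proto { tcp udp } from $vlan_net to ($vlan_if) port 53

# Policy routing: everything else from the VLAN is forced into the tunnel and tagged
pass in quick on $vlan_if route-to ($vpn_if $vpn_gw) from $vlan_net to any \
    tag VLANVPN keep state

# Kill switch: the tag survives NAT, so if tunnel-bound traffic ever falls back to
# the default route it is dropped on WAN instead of leaking out to the cable modem
block out log quick on $wan_if tagged VLANVPN

# Remaining outbound traffic on the tunnel and on WAN
pass out quick on $vpn_if keep state
pass out quick on $wan_if keep state
```

In the pfSense GUI the same shape is a VLAN rule with the VPN gateway selected and a tag set under its advanced options, plus a floating block rule on WAN matching that tag; pfSense's "Skip rules when gateway is down" setting decides whether the pass rule disappears or falls back to the default route when the tunnel drops, which is exactly when the tagged block on WAN matters.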
A follow-up project would be trying to set up the Docker host so I can put a container on the VPN network. For example, I run a Pi-hole container right now, but with this new VLAN I wouldn't want to use that same one; it might be nice to put another one on there just for that VLAN.