Overview

Using a VPN while browsing the internet is a great way to protect your identity and prevent your ISP from using your personal data and habits for their own benefits. However, setting up VPN clients all of your devices can be very tedious and even impossible with devices such as a Chromecast / Firestick. Also, some traffic might not be necessary to route over the VPN (gaming and other latency critical programs).

A way to create a flexible VPNed network environment is to use VLANs to segment different network traffic. Properly configured VLANs will allow for outbound traffic of different segments to be routed to different VPN endpoints while allowing (or disallowing) normal internal routing between network segments.

Hardware

This guide is based on the following equipment:

Qotom's performance with VPNs was reviewed in a previous post: PFSense Dedicated Micro Router

*To use VLANs, a managed switch is required.

Requirements

LAN shall provide a naked connection to the internet through the ISP gateway.

VLAN 10 (LAB / MAN) will provide a management / LAB network WAN-bound traffic will be routed through a VPN endpoint hosted on a Digital Ocean Droplet. Traffic will be tagged with NO_WAN_EGRESS and be prevented from from leaving the default gateway. VLAN 10 traffic will be able to traverse all other network segments.

VLAN 20 (VPN) will provide VPN network WAN-bound traffic will be routed through a VPN endpoint by a 3rd Par. This network segment will be for general devices and Wifi users. Can only access VLAN 20 and LAN devices. Internet gateway will be a VPN high availability gateway group.



Setup

Create VPN client connections

Create VLANs

Configure DHCP servers for VLANS

Create Interfaces

Add outbound mapping rules

Setup VPN High Availability Gateway

Add routing rules

Create VPN client connections

Navigate to VPN -> OpenVPN -> Clients

Click the green '+' button to open the client configuration page.

Follow the instructions provided by your VPN provider to add a node.

(Optional) Repeat the last step with as many nodes as you like if you plan on using a Gateway group for high availability.

Create VLANs

pfsense Setup

Navigate to Interfaces -> VLANs

Click the green '+' button to open the VLAN configuration page.

Set a unique VLAN tag

The Parent Interface should be the LAN port.

In this set up there will be 2 different VLANs:

VLAN 10 (Lab/Management): Can access all other network segments. Internet gateway will be a privately hosted VPN on Digital Ocean.

VLAN 20 (VPN): This network segment will be for general devices and Wifi users. Can only access VLAN 20 and LAN devices. Internet gateway will be a VPN high availability gateway group.



Managed Switch Setup

Refer to your switches configuration instructions for VLAN configuration.

This configuration uses a TP-Link (TL-SG108E). They can be found for $30 and are fully manageable from a web interface.

Choose a port on the switch to be the trunk. It will connect all of the VLAN traffic back to the router.

Select 'Tagged' for that port on each VLAN you will be using.

Select 'Untagged' for each port that will be connected to a device with traffic on the selected VLAN.

Create Interfaces

Navigate to Interfaces -> Interface Assignments

Create new interfaces using the VLANs that were created earlier by selecting them from the drop down and clicking the green '+' button.

Click on the name of the newly create interface or select it from the interface drop down on the top ribbon.

Enable the Interface.

Add a unique description.

Leave the IPv4 Configuration Type set to DHCP. The IPv4 address will be set by the VPN server.

Create new interfaces using the VPN clients that were setup earlier by selecting them from the drop down and clicking the green '+' button.

Click on the name of the newly create interface or select it from the interface drop down on the top ribbon.

Enable the Interface.

Add a unique description.

Set the IPv4 Configuration Type to Static.

Set an IPv4 Address segment. This segment will be used by all the devices on the VLAN.

Configure DHCP servers for VLANs

Navigate to Services -> DHCP Server

Select a tab matching one of the VLAN interfaces.

Enable DHCP server.

Set the DHCP Lease Range for the devices on the network segment.

If desired, Unique DNS servers can be set to under the server section.

If left blank, It will use the default DNS servers pfSense is assigned.

Repeat these steps for all of the VLANs created.

Setup VPN High Availability Gateway

If multiple VPN clients have been created, they can be assigned to a gateway group. By doing this, if one VPN client stops working, traffic assigned to the gateway group will fail over to a different client.

Navigate to System -> Routing -> Gateway Groups

Click the green '+' button to open the Gateway Group configuration page.

- Give the Group a name.

Set the Tiers of the VPN gateways to be used in the group to Tier 1 (this will create a round robin usage). If one is set to Tier 1 and another is set to Tier 2, The Tier 2 gateway will only be used when The Tier 1 Gateway fails.

Add Outbound Mapping Rules

Navigate to Firewall -> NAT -> Outbound

Set the Outbound NAT Mode to Manual

Add a set of outbound mapping for each VPN Interface created with the source being the network segment of the associated VLAN.

Add Routing Rules

Navigate to Firewall -> Rules

Along the top are tabs for each interface that has been created.

For each interface assigned to a VPN client, create a rule that passes all traffic.

For each interface assigned to a VLAN, groups of rules will need to be created to direct the flow of traffic.

If there is a VLAN or other network segment that should not be accessible from another, add a blocking rule with the prohibited segment as the destination

To allow traffic to be able to access other segments, a passing rule must be created to direct the traffic to use the routers default gateway or else it will try and use the VPN for local address.

Create a rule that passes traffic from the VLAN to the Gateway Group. (The Gate way option is found under advanced Options)

For any traffic matching a rule that you do not want accessing the internet unless it is through a VPN, add a NO_WAN_EGRESS tag to the rule. (Tag can be found under advanced settings)

This will tag the packet that matches the rule and can be filtered out with a floating rule.

To add a floating rule:

Select the "Floating" Tab at the top of the Rules page.

Select action -> Blocking

For interfaces, select any interface you do not want the tagged traffic going over (useful if it is a multiple WAN configuration)

Add the NO_WAN_EGRESS tag under Tagged. (Can be found under advanced settings)

Conclusion

With this configuration in place, there are now 3 effective network segments:

LAN

LAB / Management (VLAN 10)

VPN

Any device attached to a port assigned to VPN will use the VPN Gateway Group to access the internet.

Attaching a Wifi Access Point to a port assigned to the VPN VLAN will serve all of the connected devices from the VPN Gateway.

Using VLANs to segment networks and traffic is a great way to implement different routing rules and traffic needs, especially when using a router that has limited physical ports.