pfSense VLAN Configuration: Segment IoT, Guest, and Trusted Networks
How to create and enforce VLANs on pfSense to isolate IoT devices, guest Wi-Fi, and your trusted LAN — with firewall rules that block inter-VLAN traffic by default.
Proper network segmentation prevents your smart TV from talking to your NAS. This guide covers creating VLANs in pfSense and the firewall rules that make segmentation actually work.
Design: Three-VLAN baseline
| VLAN ID | Name | Subnet | Purpose |
|---|---|---|---|
| 10 | TRUSTED | 192.168.10.0/24 | Workstations, servers, phones you control |
| 20 | IOT | 192.168.20.0/24 | Smart home devices, printers, cameras |
| 30 | GUEST | 192.168.30.0/24 | Guest Wi-Fi — internet only |
Step 1: Create VLANs
Interfaces → Assignments → VLANs tab → Add:
- Parent interface: your LAN NIC (e.g., igb1)
- VLAN tag: 10
- Description: TRUSTED
Repeat for VLAN 20 (IOT) and VLAN 30 (GUEST).
Step 2: Assign interfaces
Interfaces → Assignments → select each new VLAN from the drop-down → Add. Then:
- Click each new interface (OPT1, OPT2, OPT3)
- Enable interface ✓
- Set IPv4 Configuration Type: Static IPv4
- Assign IPv4 address: e.g., 192.168.10.1/24 for TRUSTED
- Save & Apply Changes
Enable DHCP server for each: Services → DHCP Server → select interface → Enable → set range.
Step 3: Firewall rules
IoT VLAN — block all inter-VLAN, allow internet
On the IOT interface (Firewall → Rules → IOT):
Rule 1 — Block IoT → RFC1918:
Action: Block
Protocol: Any
Source: IOT subnets
Destination: 192.168.0.0/16 (or an alias holding all RFC1918 ranges: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16)
Description: Block IoT to private ranges
Rule 2 — Allow IoT → internet:
Action: Pass
Protocol: Any
Source: IOT subnets
Destination: Any
Description: Allow IoT internet access
Rules are evaluated top-down and the first match wins, so the block rule must come first. Note that the block also covers the IOT gateway address (192.168.20.1): if pfSense serves DNS to IoT devices, add a pass rule for DNS to the IOT address above the block rule.
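As an added example (not from this guide or from pfSense itself), a small Python model of the IOT interface's top-down, first-match evaluation: it checks the two rules above against sample flows and flags the ordering mistake where a pass rule shadows a later block. It assumes an RFC1918 alias holding all three private ranges and uses 203.0.113.10 as a constructed public address.

```python
from ipaddress import ip_address, ip_network

# Networks from the guide's table plus the three RFC1918 blocks that the
# "Block IoT to private ranges" rule is meant to cover (constructed alias).
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IOT_NET = [ip_network("192.168.20.0/24")]
ANY = [ip_network("0.0.0.0/0")]

# Each rule: (action, source nets, destination nets, description).
# List order is evaluation order, exactly as in Firewall -> Rules -> IOT.
IOT_RULES = [
    ("block", IOT_NET, RFC1918, "Block IoT to private ranges"),
    ("pass", IOT_NET, ANY, "Allow IoT internet access"),
]


def _in_any(nets, addr):
    return any(addr in net for net in nets)


def _covers(inner, outer):
    """True if every network in `inner` lies inside some network in `outer`."""
    return all(any(n.subnet_of(m) for m in outer) for n in inner)


def evaluate(rules, src, dst):
    """First match wins; with no match pfSense's implicit default is deny."""
    s, d = ip_address(src), ip_address(dst)
    for action, srcs, dsts, desc in rules:
        if _in_any(srcs, s) and _in_any(dsts, d):
            return action, desc
    return "block", "implicit default deny"


def shadowed_blocks(rules):
    """Indices of block rules that an earlier pass rule fully covers, i.e.
    the ordering mistake the guide warns about (block must come first)."""
    shadowed = []
    for j, (action, srcs, dsts, _) in enumerate(rules):
        if action != "block":
            continue
        for p_action, p_srcs, p_dsts, _ in rules[:j]:
            if p_action == "pass" and _covers(srcs, p_srcs) and _covers(dsts, p_dsts):
                shadowed.append(j)
                break
    return shadowed


if __name__ == "__main__":
    for dst in ("192.168.10.1", "10.0.0.5", "203.0.113.10"):
        print(dst, evaluate(IOT_RULES, "192.168.20.50", dst))
    print("shadowed block rules if reversed:", shadowed_blocks(list(reversed(IOT_RULES))))
```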
Guest VLAN — internet only, block RFC1918
Same pattern as IoT, applied to the GUEST interface.
Trusted VLAN — full access
Allow all by default (or lock down as needed for your threat model).
Step 4: Test segmentation
From an IoT device, confirm:
```sh
ping 192.168.10.1        # should fail (blocked by firewall rule)
curl https://example.com # should succeed
```
Managed switch tagging
If your switch is VLAN-aware (e.g., a UniFi switch), configure trunk ports carrying all VLANs to pfSense and access ports assigning devices to the correct VLAN. The pfSense VLAN sub-interfaces receive tagged traffic and route accordingly.
Running UniFi APs? See UniFiGuide for SSID-to-VLAN mapping in the Network Application.