I have come to really appreciate the pfSense firewall, as you can tell by these posts:
However, this past weekend I have grown to appreciate it even more. At The New School we implemented segmented switching using 6 VLANs. A VLAN, or Virtual Local Area Network, allows the same switch to carry multiple broadcast domains. Without getting into too much detail, a broadcast domain is the set of devices that see each other's broadcast traffic, so keeping the domains separate lets devices plugged into the same switch live on different IP networks. For instance, 10.0.0.1 and 192.168.1.1 could both be plugged into the same switch, each in its own VLAN, and their traffic would pass without ever running into each other. This technology has been around for a long time, but it is particularly useful at The New School, where there are many devices on the network but not all of them need the same access to resources.
Using the Ubiquiti UniFi wireless access points we are able to distribute these VLANs wirelessly over different SSIDs (wireless network names). This means Guests, Students, and Staff each have their own wireless network with specific resources, all on the same physical hardware. Big cost savings.
There are occasions where a device on one VLAN may need access to a device on another VLAN (file shares and printing, to name a couple). In this situation a router is needed. A router can ‘route’ traffic from one domain to another. This is what your home router does, since your Local Area Network is a different domain from that of your Internet Service Provider.
Since pfSense supports VLANs, we applied the same VLAN structure to it as we did to the switches. A single port can carry multiple VLANs (through 802.1Q VLAN tagging at the switch and within pfSense), so we are able to connect all New School VLANs to the pfSense firewall with one Cat5e cable. pfSense then treats each VLAN as a separate interface. As such, it can provide DHCP, DNS, firewall rules, gateway routing, etc. to each VLAN. At a primitive level, this allows each VLAN to access the internet. In the case of inter-VLAN resource sharing (VLAN routing) it allows us to control the routing using each interface's firewall rules. This is nice because the pfSense web-based configuration is easy to understand and yet very powerful.
We have the ability to allow entire VLANs or specific IP addresses to talk across VLANs. We can also get very granular and allow only specific ports and protocols if we prefer (say, TCP port 80 to an internal web server, accessible from one IP address on the Student network).
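To make the per-interface rule ordering concrete, here is a pf.conf written in the shape pfSense generates for its VLAN interfaces (pfSense is built on FreeBSD's pf and evaluates its rules first-match). This is an added example, not the school's configuration or pfSense's own output; the interface names, address plan, web server address and the single Student host are assumptions.

```pf
# Constructed example: one 802.1Q sub-interface per VLAN on the trunk port.
# Interface names and the address plan below are assumed, not from the post.
WAN      = "em0"
STAFF    = "vlan10"
STUDENTS = "vlan20"
GUESTS   = "vlan30"

staff_net    = "10.10.0.0/24"
students_net = "10.20.0.0/24"
guests_net   = "10.30.0.0/24"
internal     = "{ 10.10.0.0/24, 10.20.0.0/24, 10.30.0.0/24 }"

web_server = "10.10.0.50"   # assumed internal web server on the Staff VLAN
kiosk      = "10.20.0.25"   # assumed single Student host allowed to reach it

set skip on lo0
nat on $WAN inet from $internal to any -> ($WAN)   # all VLANs share the WAN address

# Default deny. Every rule below is "quick" (first match wins), which is the
# order the pfSense GUI shows for each interface tab.
block log all

# Services pfSense itself offers on every VLAN: DHCP, and DNS to the interface address
pass in quick on { $STAFF, $STUDENTS, $GUESTS } inet proto udp from any port 68 to any port 67
pass in quick on $STAFF    inet proto { tcp, udp } from $staff_net    to ($STAFF)    port 53
pass in quick on $STUDENTS inet proto { tcp, udp } from $students_net to ($STUDENTS) port 53
pass in quick on $GUESTS   inet proto { tcp, udp } from $guests_net   to ($GUESTS)   port 53

# Staff: full access to the other internal networks and the Internet
pass in quick on $STAFF inet from $staff_net to any keep state

# Students: exactly one host may reach the web server on TCP 80. The specific
# allow must sit above the block that keeps the rest of the VLAN off internal nets.
pass in quick on $STUDENTS inet proto tcp from $kiosk to $web_server port 80 keep state
block return in quick on $STUDENTS inet from $students_net to $internal
pass in quick on $STUDENTS inet from $students_net to any keep state

# Guests: Internet only
block return in quick on $GUESTS inet from $guests_net to $internal
pass in quick on $GUESTS inet from $guests_net to any keep state

# Filtering is done on the inbound side of each VLAN interface; the outbound leg
# across the WAN or another VLAN, and all return traffic, ride on state.
pass out quick all keep state
```

Load it with `pfctl -nf /etc/pf.conf` to syntax-check before `pfctl -f`; on a real pfSense box the GUI writes this file for you, so the listing is only meant to show what the interface-by-interface rule order amounts to underneath.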