🚀 Configure VLANs on pfSense for UniFi Network (Beginner Guide)

Segmenting your network using VLANs is a fundamental practice in modern IT systems. It improves security, performance, and manageability—especially when deploying wireless networks like UniFi.

In this guide, you will learn how to configure VLANs on pfSense and integrate them with UniFi to create a dedicated guest network. This is a practical, beginner-friendly setup that reflects real-world deployments.

🧪 Lab Overview

In this lab:

• No Layer 3 switch is used

• A separate VLAN is created specifically for UniFi guests

• Both pfSense and UniFi are connected to a Layer 2 switch

• UniFi initially broadcasts Wi-Fi using subnet: 192.168.16.0/24

• A new Guest VLAN is created: 10.10.10.0/24

💡 If you have:

• Layer 3 switch, or

• Multiple network interfaces

➡️ You can extend this design to multiple VLANs for departments (HR, IT, Guest, etc.)

📡 1. Configure on UniFi Controller

🔹 Step 1: Create VLAN Network

On UniFi Controller:

• Create a new network

• VLAN ID: Choose any value (example: 10)

• Name: Set a meaningful virtual network name

This VLAN ID must match the configuration on pfSense.

🔹 Step 2: Create Wi-Fi for VLAN

• Create a new SSID (Wi-Fi name)

• Assign it to the VLAN created above

➡️ This allows client devices to connect to the correct VLAN via Wi-Fi.

🔥 2. Configure VLANs on pfSense

🔹 Step 1: Create VLAN

On pfSense:

• Create a VLAN

• VLAN Tag: Must match VLAN ID on UniFi Controller (10)

This ensures proper tagging between UniFi and pfSense.

🔹 Step 2: Assign VLAN to Interface

• Assign the newly created VLAN to an interface

➡️ This creates a logical interface for VLAN traffic.

🔹 Step 3: Configure DHCP Server

• Enable DHCP on the VLAN interface

• Configure IP range for clients

Example:

• Network: 10.10.10.0/24

➡️ Devices connected to Guest Wi-Fi will receive IP from this subnet.

🔹 Step 4: Configure Firewall Rules for Internet Access

• Create firewall rules to allow VLAN clients to access the internet

👉 Verify:

• Connect a device to Guest Wi-Fi

• Check if it receives an IP from 10.10.10.0/24

🔹 Step 5: Block Local Network Access (Optional)

If this VLAN is used for guests, it is recommended to restrict access to internal networks.

• Block access to LAN or local subnets

• Allow only internet access

💡 You can also combine this with bandwidth limiting for better control.

⚠️ Rule Design Note

• Rule 1: Block local network

• Rule 2: Allow internet (any)

➡️ Rule order is very important to ensure correct behavior.

🎯 Best Practices for VLAN Deployment

When configuring VLANs on pfSense, consider the following:

• Always match VLAN ID between UniFi and pfSense

• Use separate subnets for each VLAN

• Apply strict firewall rules for guest networks

• Avoid mixing guest and internal traffic

• Test connectivity after each step

🔍 Verification Checklist

After completing the setup:

✔ Client connects to correct Wi-Fi SSID
✔ Receives IP in 10.10.10.0/24 range
✔ Can access the internet
✔ Cannot access internal LAN (if blocked)

🎯 Final Thoughts

Configuring VLANs on pfSense with UniFi is a powerful way to segment your network and enhance security. Even with a simple Layer 2 switch, you can build a professional network design suitable for both home labs and business environments.

By following this guide, you can:

• Isolate guest traffic

• Improve network security

• Build scalable VLAN architecture

This setup is a solid foundation for expanding into more advanced networking scenarios such as multi-VLAN routing, inter-VLAN firewall policies, and enterprise Wi-Fi deployments.