Add firewall rules for VLANs

There are some additional steps needed before your VLANs are fully functional. At this point, your VLANs have been created and configured, but they will not be able to access the internet or other subnets, because the default in pfSense is to block all network traffic. The next chapter will have a detailed treatment of firewall rule creation, and you can reference it if you need more detailed information about firewall rules.

If you just want to create rules to allow your VLANs to access all other networks, however, there is an easy way to do this:

  1. Navigate to Firewall | Rules and click on the LAN tab. There should be two rules that were created automatically when the LAN interface was created: the Default allow LAN to any rule and the Default allow LAN IPv6 to any rule.
  2. Click on the copy icon for whichever rule you want to copy (the copy icon should be under the Actions column and is represented by two sheets, one on top of the other). This will take you to the Edit page for that rule.
  3. Under the Edit Firewall Rule section, change the interface in the Interface drop-down box to one of the VLANs you created earlier.
  4. In the Source section, change the source in the drop-down box to match the VLAN in the Interface drop-down box (be sure to select the network and not just a single address: for example, if you want to create a rule for VLAN2, you need to select VLAN2 net here, not VLAN2 address).
  5. Then, click on the Save button at the bottom of the page, which will take you to the Rules page for the VLAN that has just been configured.
  6. On this page, click on the Apply Changes button, at the top right. Repeat this process for as many VLANs as you want to grant access to.

If you have a standard pfSense configuration, creating these rules should be enough to give the VLANs access to the internet. If you have enabled Manual Outbound NAT rule generation, however, you will have to add NAT rules in order for your VLANs to be able to reach the internet.

You may have enabled this mode in order to add rules needed to connect to an external VPN server or for other reasons. If so, follow these steps:

  1. Navigate to Firewall | NAT and click on the Outbound tab.
  2. You need to create two NAT rules for each VLAN: a rule to enable NAT between the VLAN and the WAN on port 500 with a static port configuration (this is for Internet Security Association and Key Management Protocol (ISAKMP)), and a rule to enable NAT between the VLAN and WAN on all ports with a non-static port configuration.

Fortunately, your outbound NAT rule set probably has similar rules for at least one interface (for example, the LAN interface), so you can easily copy these rules by clicking on the copy icon under the Actions column for the entry you want to copy, and then just changing the IP address listed in Source to correspond to the VLAN for which you want to create a NAT rule. You probably want to modify the Description as well. Click on the Save button when you are done.

There is an even easier way, however, to generate these rules:

  1. From the Outbound tab, click on the Automatic outbound NAT rule generation radio button. Then click on the Save button, and when the page reloads, click on the Apply Changes button at the top right.
  2. If you scroll down to the Automatic Rules: section of the page, you should see the VLAN subnets listed under the Source column for each rule. Now, click back on the Manual Outbound NAT rule generation radio button at the top and click on the Save button and then click on the Apply Changes button again when the page reloads.

The NAT rule listing on the page will now include rules for the VLANs. Furthermore, any rules that were manually created earlier will also be there. If you want your VLANs to be able to access the internet through your VPN server, you will still have to add NAT rules for the VPN, but you can do that easily by following the rule-copying procedure described previously.
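As an added check that is not part of the book, the following script audits a saved pfSense config.xml for VLAN interfaces that still lack the pass rule from the first procedure or, when Manual Outbound NAT rule generation is enabled, the outbound NAT rule from the second. The config.xml element layout it reads and the sample configuration are assumptions made for the example.

```python
"""Audit a pfSense config.xml for VLAN interfaces that still lack the firewall
pass rule or, in manual outbound NAT mode, the outbound NAT rule (added
example; the config.xml layout used here is an assumption)."""
import ipaddress
import xml.etree.ElementTree as ET
# Constructed sample: VLAN2 (opt1) has both rules, VLAN3 (opt2) has neither.
SAMPLE_CONFIG = """<pfsense>
  <interfaces>
    <lan><if>igb1</if><ipaddr>192.168.1.1</ipaddr><subnet>24</subnet></lan>
    <opt1><if>igb1.2</if><descr>VLAN2</descr><ipaddr>192.168.2.1</ipaddr><subnet>24</subnet></opt1>
    <opt2><if>igb1.3</if><descr>VLAN3</descr><ipaddr>192.168.3.1</ipaddr><subnet>24</subnet></opt2>
  </interfaces>
  <vlans>
    <vlan><if>igb1</if><tag>2</tag><vlanif>igb1.2</vlanif></vlan>
    <vlan><if>igb1</if><tag>3</tag><vlanif>igb1.3</vlanif></vlan>
  </vlans>
  <filter>
    <rule><type>pass</type><interface>lan</interface><source><network>lan</network></source><destination><any/></destination></rule>
    <rule><type>pass</type><interface>opt1</interface><source><network>opt1</network></source><destination><any/></destination></rule>
  </filter>
  <nat><outbound><mode>advanced</mode>
    <rule><interface>wan</interface><source><network>192.168.1.0/24</network></source></rule>
    <rule><interface>wan</interface><source><network>192.168.2.0/24</network></source></rule>
  </outbound></nat>
</pfsense>"""
def audit_vlans(config_xml):
    """Return {interface: [missing items]} for every VLAN-backed interface."""
    root = ET.fromstring(config_xml)
    vlan_ifs = {v.findtext("vlanif") for v in root.findall("vlans/vlan")}
    pass_ifs = {r.findtext("interface") for r in root.findall("filter/rule")
                if r.findtext("type") == "pass"}  # interfaces with a pass rule
    nat = root.find("nat/outbound")
    manual = nat is not None and nat.findtext("mode") == "advanced"  # assumed: manual mode
    nat_nets = {r.findtext("source/network") for r in nat.findall("rule")} if manual else set()
    findings = {}
    for iface in root.find("interfaces"):
        if iface.findtext("if") not in vlan_ifs:
            continue  # physical interface, not one of the VLANs
        missing = []
        if iface.tag not in pass_ifs:
            missing.append("firewall pass rule")
        try:  # assumes static addressing; skip the NAT check otherwise
            net = ipaddress.ip_network(f"{iface.findtext('ipaddr')}/{iface.findtext('subnet')}", strict=False)
        except ValueError:
            net = None
        if manual and net is not None and str(net) not in nat_nets:
            missing.append("outbound NAT rule")
        findings[iface.tag] = missing
    return findings
```

Run it against a config.xml exported from Diagnostics | Backup & Restore to see which VLANs still need attention; an empty list for an interface means both rules are present.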

Finally, you will have to configure any services you want to run on the VLANs. If you are using DHCP on your other interfaces, you will probably want to enable the DHCP server on the VLAN interfaces. Since we provided a detailed description of how to configure the DHCP server in the previous chapter, we will not repeat it here, but at a minimum, you will want to do the following:

  1. Enable the DHCP server on the interface
  2. Specify the IP address range for this interface
  3. Add any static DHCP mappings that are needed

If you need to enable any other services on the VLAN interfaces, such as Captive Portal or DHCP Relay, you will want to do that as well.
