VLAN configuration in OPNsense

If your firewall has only two network ports but you need more than two subnets, you can use an L2 managed switch together with OPNsense's VLAN support to manage the additional subnets.

First, create a new VLAN interface

Navigate to "Interfaces > Other Types > VLAN". Click "Add" to add a new VLAN. First, choose a parent interface, which is the physical port the VLAN applies to. If you want to use multiple WAN lines, choose the interface where the WAN is; if you want to create multiple internal subnets, choose the interface where the LAN is. Before this, you should have defined the correct VLANs on the network switch and aggregated the different VLANs onto a single port. Enter the VLAN tag that matches the one configured on the switch (note that it cannot be the number 1), select the VLAN priority, and then enter a brief description of the VLAN. Click "Save" to create the new VLAN.

Second, assign the VLAN as a new logical interface

The parent physical interface was already chosen when the VLAN was created. Under "New interface:", select the VLAN we just created, and then click the "+" button. Click "Save" to save your changes.

The list of interfaces now shows the newly assigned interface, in this case "OPT8". It is shown as OPTX, where X depends on the number of interfaces already defined.

It will also appear in the "Interface" section of the navigation panel.

Third, enable the VLAN interface

After clicking "OPT8", you can enable the interface and give it a suitable name. It is recommended to give the interface the same name as the VLAN so that it is easy to remember. If it is used for an internal subnet, you would normally select "Static IPv4" for the VLAN and enter the IP address of the interface.

Fourth, enable DHCP on the VLAN interface

With the VLAN interface enabled, we can enable the DHCP service on it so that devices on the VLAN automatically obtain an IP address. Go to "Services > DHCPv4 > DMZ" and tick the "Enable DHCP server on the DMZ interface" checkbox. Then enter the IP address range that clients in the VLAN should use. If you wish to use other DNS servers or gateways, enter their IP addresses in the appropriate fields.

Fifth, add firewall rules

We have created and enabled the new VLAN; now firewall rules are needed to allow traffic from the VLAN. By default, all network traffic on a newly created interface is blocked. For convenience, we can clone the basic rules created on the LAN interface. These are the anti-lockout rule (which prevents you from locking yourself out of the web administration page), the allow-all IPv4 rule and the allow-all IPv6 rule. In the LAN interface's rule list, click the clone icon at the right of the rule.

Change the interface from LAN to the VLAN interface, in this case the DMZ interface. The source also needs to be changed to "DMZ net". This allows access to the Internet and to devices on the other networks; of course, you can also set rules according to the purpose of your own VLAN.
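
The effect of the cloned allow-all rule from step five, as an added example that is not part of the original article: a small first-match rule evaluator comparing the cloned rule with a variant that keeps the DMZ out of the LAN. The subnets, sample flows and the `RESTRICTED_RULES` set are constructed assumptions, and the evaluator is a simplified model of rule ordering, not OPNsense code.

```python
import ipaddress

# Constructed sample subnets (assumptions, not taken from the article).
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
DMZ_NET = ipaddress.ip_network("192.168.8.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")

# Rules on the DMZ interface as (action, source, destination), evaluated top-down.
# The LAN "allow all" rule cloned to DMZ with the source changed to "DMZ net":
CLONED_RULES = [("pass", DMZ_NET, ANY)]

# Hypothetical tighter variant for a VLAN that should not reach the LAN:
RESTRICTED_RULES = [
    ("block", DMZ_NET, LAN_NET),  # keep DMZ hosts out of the LAN
    ("pass", DMZ_NET, ANY),       # everything else, e.g. the Internet
]

def evaluate(rules, src, dst):
    """Return the action of the first matching rule.

    Traffic matching no rule is blocked, mirroring the default for a
    newly created interface described in step five.
    """
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in rules:
        if src_ip in src_net and dst_ip in dst_net:
            return action
    return "block"

# Constructed sample flows arriving on the DMZ interface.
FLOWS = {
    "dmz_to_internet": ("192.168.8.50", "93.184.216.34"),
    "dmz_to_lan": ("192.168.8.50", "192.168.1.10"),
    "non_dmz_source": ("10.9.9.9", "192.168.1.10"),
}

def audit(rules, flows=FLOWS):
    """Map each named flow to the decision the rule set reaches for it."""
    return {name: evaluate(rules, s, d) for name, (s, d) in flows.items()}

if __name__ == "__main__":
    for label, rules in (("cloned", CLONED_RULES), ("restricted", RESTRICTED_RULES)):
        print(label, audit(rules))
```

With the cloned rule alone, `dmz_to_lan` is passed; with the block rule placed above it, only that flow changes to blocked.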


Origin blog.51cto.com/fxn2025/2451696