VLAN configuration can be done at the console; in fact, it can even be done on the initial setup, although many of the more esoteric features of VLANs (such as QinQ tagging) are not available from the console menu. Another disadvantage is that there does not seem to be a way of renaming the optional interfaces, although you could do so from the web GUI later.

To begin VLAN configuration from the console, use the Assign Interfaces option in the console (it should be option 1). A list of available interfaces will be provided by pfSense, including the interface device name, the MAC address, link status (up or down), and a description of the interface. Execute the following steps for configuring VLAN at the console:

1. When you select the Assign Interfaces option, the first prompt will be, Do you want to set up VLANs now [y|n]?
2. At this prompt, type y and press Enter to begin VLAN configuration.
3. A confirmation prompt is presented next: WARNING: All existing VLANs will be cleared if you proceed! Do you want to proceed [y|n]?
4. Type y and press Enter to proceed.
5. Next, pfSense will provide a list of VLAN-capable interfaces and another prompt: Enter the parent interface name for the new VLAN (or nothing if finished).

6. Enter the parent interface name (the device name in the table) and press Enter. The next prompt is for the VLAN tag: Enter the VLAN tag (1-4094).
7. Enter a VLAN tag other than 1 and press Enter.
8. After you enter the VLAN tag, you will be returned to the Enter the parent interface prompt, where you can repeat the process for as many VLANs you wish to set up, and then enter nothing when finished. When you are finished creating VLANs, you will be prompted to assign interfaces, starting with the WAN interface. If you have at least one interface that has not been partitioned into VLANs, you should probably assign one of these interfaces to the WAN. If you do assign a VLAN to the WAN, you will want to make sure the WAN is on a separate switch, for the reasons outlined in the previous section.
9. The next prompt will be for the LAN interface, and you can assign a VLAN to the LAN, although you should be aware of any security issues this creates. Enter the LAN interface and press Enter.
10. Once you have assigned the WAN and LAN interfaces, you can assign optional interfaces (OPT1, OPT2, and so on) to the newly-created VLANs. The convention for VLAN interface names is parent_interface.vlan_number. For example, if the VLAN20 parent interface is m3, the interface name for VLAN20 would be em3.20.
11. When you are done assigning interfaces, press Enter at the prompt and you will be presented with a list of interfaces and their assignments.
12. After the list, you will see a confirmation prompt: Do you want to proceed [y|n]?
13. Type y and press Enter. pfSense will write and reload the configuration. Interface assignment is now complete.
14. You still need to assign an IP address to the VLANs, which you can do by selecting the second option from the console menu, selecting the number corresponding to the desired VLAN interface, and typing in the IPv4 and/or IPv6 addresses, following the procedure outlined in Chapter 2, Installing pfSense. You can also configure the DHCP server to work with VLANs using this menu option. Repeat this step for every VLAN you wish to configure.

If you have followed all of these steps, the pfSense portion of VLAN setup will be almost complete. You must still add firewall rules to give the VLANs access to other networks and configure one or more managed switches for the VLANs to work.