VLAN over a Bridged Wifi Router?
-
Does that Linksys even support VLANs? Most of those routers don't. You need proper access points that support VLANs and multiple SSIDs.
-
I guess I'll go with option C and reset the wifi router to the default mode (doubled nat'd) and use its built-in 'Guest' mode for this. Hopefully I can restrict that traffic to only Internet and block it from all other internal networks and devices.
Thanks -
@leishen said in VLAN over a Bridged Wifi Router?:
that traffic to only Internet and block it from all other internal networks and devices.
Can kind of work, but you wouldn't stop devices on the wifi router guest network from accessing stuff on that routers wan..
example..
So while guest mode normally would block access to the normal wifi network (192.168.4/24) in my drawing.
It wouldn't block access to the wifi routers wan network, 192.168.2/24. And while you could stop guest or normal lan/wifi on your wifi router from talking to other pfsense networks 192.168.1 in the example.
You wouldn't be able to say allow 192.168.4 to talk to 192.168.1.x but block 192.168.3 devices because to pfsense they would all be from the 192.168.2 network (wifi routers wan IP that wifi router is natting too).
If you want a isolated network you can control via pfsense, your best option is to get an AP that understands vlans (and switch(es)) or use a specific wifi router that only provides your guest network attached to pfsense. And other AP (wifi routers in bridge mode) for other networks.
If your wifi router your wanting to use say supports ddwrt or openwrt - then it should be possible to setup actual vlans on it.
-
@johnpoz : Thank you sir! Explained very well. I will look for a VLAN switch and into OpenWRT/ddwrt to see which works best for me.
Thanks again! -
@leishen openwrt or ddwrt should also be able to function as vlan capable switch. But there are some limitation on vlans based on your hardware running on. If I recall correctly there are some routers that can run open or dd but do not actually support vlans even though open and dd do.
so depending on your switch port needs you might be able to actually get away with just using your wifi routers switch ports, all depends on how many you need, and you could always run downstream dumb switch - if all the devices on that dumb switch will be in the same network/vlan
Another option, with dd or open - is I do believe you can do some firewalling it as well. So you might be able to limit say your "guest" vlan from talking to 192.168.1/24 network, etc. But allow your 192.168.4 network..
open or dd do allow for way more features than native firmware. That can actually make the soho hardware actually do what the hardware can do - but the native firmware is normally so limited in features and functions.. With 3rd party firmware is quite possible to get some use out of such hardware - just that the makers of the hardware don't want to allow their users to do such things, or don't think their users have need, or most likely just don't want to support the 1000s of questions such functions and features would bring from their user base ;) if they would enable such features.
-
That's why I prefer proper access points, instead of trying to use a router as one. Most APs support VLANs and multiple SSIDs.
BTW, are VLANs created in hardware or software? Given the only significant difference with VLANs is the tag with a different Ethertype value, I'd say software.
-
@jknott agreed vlans are created in software, but there are some hardware used in soho that hardware doesn't support doing tags, even when dd or open allow for creation of them.
What I know from past is that some hardware that will run dd or open doesn't always support doing vlans (atleast with dd or openwrt). More than likely whatever device he is using does - but not a bad idea to actually check, etc. Just in case the off chance his is one of those few devices that doesn't - before he goes chasing his tail about something might not be working
https://wiki.dd-wrt.com/wiki/index.php/VLAN_Support
snip
An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 24.11 | Lab VMs 2.7.2, 24.11 -
I have a ThinkPad E520. In Linux I can configure VLANs. In Windows I can't. This indicates software, at least the drivers for the interface are the issue. In that Linksys device, is there firmware that can't be modified that blocks VLANs?
Regardless, VLANs is one reason I prefer using proper APs. Another is PoE.
-
@jknott said in VLAN over a Bridged Wifi Router?:
Regardless, VLANs is one reason I prefer using proper APs. Another is PoE.
Agree - just trying to point out, that is might not be a 100% sure thing that if he runs open or dd that vlans will work - the actual reason behind this not 100% sure.. But I have seen threads where users complaining they couldn't get vlans to work, and turned out to be the hardware they were running the 3rd party firmware on..
I haven't run either in quite some time, but all the hardware I ever ran it on they worked as you would expect. I don't see where the OP actually stated what soho router he was using.. Other than linksys.. There are for sure some linksys wifi router models where vlan may not actually work.
-
BTW, I see that BCM53115 chip is used both in devices that support VLANs and "?". Does that question mark mean VLANs are not supported? Or just unknown.
-
@jknott ? to me would mean not known ;)
In all likely hood they will just work - but since he has not stated what exact hardware he is using, and I can not validate that they do work.
Just pointing out the possibility that they might not.. Cuz I don't want coming back, saying you said they would work, and they don't ;)
An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 24.11 | Lab VMs 2.7.2, 24.11 -
As I've mentioned before, I'm probably the only guy here who has actually hand wired an Ethernet controller and worked with an engineer when I did that. So I have a better understanding of network interfaces than most.
If a device doesn't support VLANs, then it's because someone has decided it won't. My ThinkPad experience demonstrates that.
I also have a couple of "travel routers" that have multiple modes, including plain AP. They don't support VLANs, but given intended use I wouldn't expect them to. However, if someone were to hack into them, I wouldn't be surprised if they could get VLANs going.
-
@johnpoz : Linksys EA7300 - You said it would work, but it doesn't!!!
Not listed as supported on the DD-WRT web site.
But it is supported on OpenWRT with vLan! Yay!
So, cool beans! I can (probably) take it from here.
Thanks for your, and everyone's, help!!!
