Pre-installation pre-planning
-
Hello pfSense gurus! First time poster here. I pulled the trigger on a netgate 2100 last month which should arrive in 30-45 days and I'm getting excited about learning and setting it up. I have a little networking experience but consider myself a novice. I have a fairly simple home setup with an Arris cable modem feeding an Airport Extreme for wired, wifi and guest wifi, with two Airport Expresses extending the wireless networks. I'd like to keep the Airports since they have been so reliable.
I have a local freeswitch server for a local VOIP phone and an X10 (power line) home automation server. I like to login to check in on things when traveling so am port forwarding but the goal after getting things working with pfSense is to setup a VPN.
I've sketched out my plan while waiting for the 2100. Does this look reasonable? I've gone through The pfSense Book and threads here so hopefully the transition will be as painless as possible.
Everything on the wired LAN has a static IP. The switch is an unmanaged Netgear.
Things that I think could be complicated:
- Allow GuestWifi devices to AirPlay to AppleTV/Speakers
- Allow GuestWifi devices to access printer
- Airport in bridge mode and its guest VLAN 1003
- Freeswitch VOIP server
All tips, pointers and links welcomed!
-
Non of that seems unreasonable.
You will need to configure the switch in the 2100 to pass the guest wifi VLAN so you filter traffic to/from it.
You're right, using services like airplay and printer between subnets will likely give some issues. You'll probably need to use the Avahi package to make that work.
Steve
-
@stephenw10
Thanks Steve! I'll start reading up on the Avahi package. For configuring the 2100 switch for the guest wifi VLAN, this is a good reference, right? https://docs.netgate.com/pfsense/en/latest/solutions/netgate-2100/switch-overview.html -
Yup, exactly that. You need three internal subnets/interfaces so you need to configure two VLANs in pfSense. One for guest wifi that will be passed out tagged to the AP and one for private wifi that will be untagged at the port to separate it from LAN.
Steve
-
@stephenw10
I finally had a window where I could take down the network to get the 2100 installed and configured. I have the wired LAN access working but I can't get the Airport working AT ALL and I feel like a dummy. I'm sure I've overlooked something simple but I've spent several hours without success. I've rebooted pfSense and the Airport several times.pfSense WAN --> Modem ARRIS Surfboard
pfSense Port1 --> unmanaged Netgear switch
pfSense Port2 --> Airport WANAirport is set to Bridge mode and configured to Create a wireless network and Guest Network is enabled. I've tried setting the Airport to connect via DHCP and also Static but when in DHCP, it doesn't get an IP and clients don't get IPs. When in static, clients don't get IPs.
Hopefully screenshots are the quickest and easiest way to help everyone spot my mistake(s). Thanks for any help!
-
In Interfaces > Switch > VLANs VLAN 10 must be tagged on port 5 so it arrives as a VLAN on mvneta1.
Port 2 should be removed from the VLAN1 list so it is never included in LAN.
In Interfaces > Switch > PORTs port 2 PVID must be set to 10 so that untagged traffic arriving from the airport (private WIFI) will be tagged onto VLAN 10.
Steve
-
@stephenw10
Thank you Steve! Late last night I realized that VLAN10 needed to be tagged on port 5 but completely missed removing port 2 from VLAN1. This got Wifi sort of working. The Airport would get an IP and DHCP clients would get IPs but this would hold for about 20 seconds and then it would lose its IP for 20 seconds, then get another for 20 seconds, endlessly cycling. I kept thinking I must have the DHCP service misconfigured somehow. Once port 2 was removed from the VLAN1 list everything started working properly.Thanks again Steve. As you can see I have the VLAN10 and VLAN1003 firewall rules set wide open while trying to figure this out, so the next step will be to lock them down more.
