Help with guest network on access point
-
Do you have a port available on pfSense?
If you do, connect the WAN port of the Huawei AX3 to that port on pfSense. pfSense will need to define the port with some other subnet (e.g. 10.10.10.0/24).
From your description, normal WiFi will continue to get addresses from pfSense and route that way. Guests will get addresses from the Huawei AX3 and route that traffic to its WAN port, which will be pfSense, which in turn will route to the internet. That is the easiest and cheapest way I can see to move forward.
-
@fernando_om said in Help with guest network on access point:
I'm having a hard time trying to find the proper way to search for a solution to a problem I'm facing with my Huawei AX3 (7200) Access Point / Router.
Maybe you can consider a proper access point. I have one here, which supports VLANs and multiple SSIDs. Another advantage is it uses Power over Ethernet (PoE), so that I don't have to worry about having AC nearby.
-
@AndyRH
Thanks for your quick reply!
Unfortunately I have no more ports on pfSense, only WAN (re0) and LAN (re1). I could buy another NIC with two or more ports to address this, but I'm giving priority to using the AX3 as my main access point because it has a good range and supports lots of devices (I use Home Assistant with many ESPs and other devices scattered around the house).
I was looking for a way to configure firewall to allow 192.168.155.x devices to reach the internet, but I don't know if it is possible.
As I understand, this is happening: devices are connecting to guest network and receiving 192.168.1.155 IPs. As they are receiving this IP from Huawei AX3, they can't leave this router.
I think I have no way to solve that with firewall rules because they are not even reaching the pfSense.
-
@JKnott
Thanks for your contribution!
I guess this is the way to go. Do you recommend any model? I saw a UniFi AC-Lite in your signature, is it the one you talked about?
-
Unifi APs are good, I also use them. Just be aware you will need a managed switch to do VLANs on the AP.
Because you indicated you have not worked with VLANs, 1 trick I figured out after making an oops, is to use visually different subnets. For instance my VPN subnets start with 172.16. Everyone has their own tricks.
-
@fernando_om As another option, eero has a "guest" network option that works even when the eero is in "bridge" mode and not their default "router" mode. Wireless clients on the eero guest SSID can get to the Internet but not the LAN.
If the AX3 is a router and you plug its WAN port into your network, wireless clients can get out to the Internet but can also get to your LAN, because the AX3 will provide NAT for that. The guest network on the AX3 is most likely assuming it will connect out the AX3 WAN.
-
@SteveITS
Got it, makes sense.
Even if I can configure it to let pfSense take care of DHCP for guest, there is no way for pfSense to know which clients are from one SSID or another.
I'm realizing that there will be no magic to solve this by using only the resources I have right now.
I have a mini PCI-e slot on the motherboard and many old wifi cards stored, I'll try to add one and configure an SSID directly on pfSense for Guests, they don't need the same network quality and resources I use daily. In the near future I plan to improve my landscape by adding a managed switch (for VLANs to enable UPnP for two Xboxes) and a better manageable access point. My goal is to separate everything: game consoles in a subnet, guests and suspicious devices in another, IoT devices in another and general appliances and computers in another one. That would be great.
-
Sounds similar to my journey. 1 suggestion, add 1 thing at a time. Such as change to a managed switch. Make sure it all works. Then add a VLAN and move things and so on. This method is slower, but you always have 1 step back to a working config.
More than once I broke everything or locked myself out of pfSense.
Good backups in a place that is accessible when things go wrong is key to keeping your hair...
-
@AndyRH
Sure thing!
Walk before you run, they say... I'm still reading and learning about VLANs. When I feel confident I'll buy another switch and make lots of tests before implementing. For now, Xbox will keep saying "Strict NAT" and guests will have no Wifi, they must use their 3G, 4G or 5G if they have it, else they must talk to each other.
-
@fernando_om Crazy idea, but I cannot think of why it would not work. Plug the WAN of the AX3 into your LAN switch. The AX3 WAN would get an address from pfSense. The Guests would get an address from the AX3, route through the WAN port to a LAN port, then out through pfSense.
Worst case it does not work and loops the network.
Security wise, the guest would need to know your LAN subnet to connect to your LAN. Not 100% secure, but at least above beginner level because without looking they would not see the transit of your LAN. (traceroute will reveal all)
-
@fernando_om said in Help with guest network on access point:
I saw a UniFi AC-Lite on your signature, is it the one you talked about?
Yes, but there are many other models that will work too.
-
@AndyRH said in Help with guest network on access point:
Just be aware you will need a managed switch to do VLANs on the AP.
Actually, you can get away without that, but they're recommended. I ran a VLAN to an AP for years, before I got around to getting a managed switch.
-
@JKnott said in Help with guest network on access point:
you can get away without that, but they're recommended. I ran a VLAN to an AP for years, before I got around to getting a managed switch
This is true, but note that it works much better with wireless clients. The wireless device connects to the AP which assigns the VLAN tag. They can't connect to a different VLAN without using a different SSID.
If wired clients are also in use, they can often set their own VLAN tag in the driver settings. A managed switch can/would block that. Typically the wired network would not need/want to connect to the guest wireless though.
-
@SteveITS said in Help with guest network on access point:
The wireless device connects to the AP which assigns the VLAN tag.
This part works the same either way. The difference is without a managed switch, the VLAN is available elsewhere. That may or may not be desirable.
-
Thanks for your replies!
I was searching for the mini PCI-express WLAN adapters I have lying around here but they are too old. The newer ones I found are all full height, and the pfSense motherboard I'm using only accepts half height. I'm almost sure I have a half height Ralink, but it is missing...
While searching, I found a Raspberry Pi model 3B v1.2. I turned it into a RaspAP yesterday, now I'm checking what kind of settings it has to see if it can address my needs. Even if the GUI doesn't have an option to configure it, in theory it can support VLANs on an OS basis by using the command line to create a link on the ethernet (eth0) interface.
Let's see... if I make any progress, I'll be right back here to report.
-
So as promised, I'm back to report my progress...
I didn't buy any new devices yet, so no VLANs at this point. But the RPi that was lying around was of such great help. RaspAP looks very good so far and, by command line on the underlying Raspbian, I could create a rule in iptables so all the packets directed to internal networks are dropped right there. Right after, I made it permanent with persistent iptables and it is working like a charm: guests do have internet but they don't see my local network.
I appreciate every single answer given here and I'll be implementing some of them as soon as I get the new gear. RaspAP is good but it is a temporary solution for me.
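The post above describes the isolation rule in words only. The script below is an added example, not the poster's actual ruleset or anything shipped by RaspAP: it builds an iptables ruleset that lets a guest SSID reach the Internet while dropping anything aimed at private address space or at the Pi's own services (apart from DHCP and DNS). The interface names (wlan0 for the guest SSID, eth0 for the uplink into the pfSense LAN) are assumptions, and it assumes RaspAP's own NAT and forwarding rules on eth0 are left in place; setting IPT=echo prints the rules instead of applying them, which is a handy way to review them before committing with netfilter-persistent.

```shell
#!/bin/sh
# Added example (not code from the thread or from RaspAP): isolate a RaspAP
# guest SSID from the home LAN while still allowing Internet access.
# Assumptions: wlan0 is the guest SSID (hostapd), eth0 is the uplink into the
# pfSense LAN, and RaspAP's own MASQUERADE/forward rules on eth0 stay in place.
GUEST_IF="${GUEST_IF:-wlan0}"
UPLINK_IF="${UPLINK_IF:-eth0}"
IPT="${IPT:-iptables}"   # IPT=echo prints the rules instead of applying them

guest_isolation_rules() {
    # Dedicated chains: a re-run flushes and rebuilds them without touching
    # the rest of the filter table.
    for chain in GUEST_FWD GUEST_IN; do
        $IPT -N "$chain" 2>/dev/null || $IPT -F "$chain"
    done

    # --- traffic forwarded from the guest SSID ---
    # packets belonging to sessions the guest already opened
    $IPT -A GUEST_FWD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # no guest -> private address space (covers the LAN whatever its real prefix)
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        $IPT -A GUEST_FWD -d "$net" -j DROP
    done
    # anything else (the Internet) may leave via the uplink; nothing else is forwarded
    $IPT -A GUEST_FWD -o "$UPLINK_IF" -j ACCEPT
    $IPT -A GUEST_FWD -j DROP

    # --- traffic aimed at the Pi itself ---
    # guests only need DHCP and DNS from the Pi; the RaspAP web UI and SSH stay out of reach
    $IPT -A GUEST_IN -p udp --dport 67 -j ACCEPT
    $IPT -A GUEST_IN -p udp --dport 53 -j ACCEPT
    $IPT -A GUEST_IN -p tcp --dport 53 -j ACCEPT
    $IPT -A GUEST_IN -j DROP

    # Hook both chains in at position 1 so they run before RaspAP's own rules.
    # Delete any earlier jump first so a re-run does not leave duplicates.
    $IPT -D FORWARD -i "$GUEST_IF" -j GUEST_FWD 2>/dev/null || true
    $IPT -I FORWARD 1 -i "$GUEST_IF" -j GUEST_FWD
    $IPT -D INPUT -i "$GUEST_IF" -j GUEST_IN 2>/dev/null || true
    $IPT -I INPUT 1 -i "$GUEST_IF" -j GUEST_IN
}

# usage:  sudo sh guest-rules.sh apply        (then: sudo netfilter-persistent save)
#         IPT=echo sh guest-rules.sh apply    (dry run: prints the rules)
if [ "${1:-}" = "apply" ]; then
    guest_isolation_rules
fi
```

Matching on the three RFC 1918 blocks rather than on the one LAN prefix in use means the rule keeps working when the LAN is later split into several VLAN subnets; the final DROP in GUEST_FWD makes the chain default-deny, so anything not explicitly allowed (for example a second wired interface added later) is blocked rather than silently forwarded. A quick check from a guest client is a traceroute to a LAN host, which should get no further than the Pi.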
-
I'm also VLAN challenged due to dumb switches, but I don't really need anything more. But I have a spare port in my FW device and an ancient access point running DD-WRT and plan on following this cookbook when the time comes, just substituting my AP's RealLAN for the VLAN.
Guest Net Setup
-
If you want a guest WiFi, you don't need a managed switch. I did that for years before I got a managed switch. The only issue is, with a dumb switch, the VLAN will be available everywhere on your network. However, for this to be a problem, the users would have to tamper with the network settings on their computers. Those computers are locked down, right?
On the other hand, I recommend getting a managed switch anyway.
-
@JKnott I wouldn't be using a VLAN at all, just another OPTn interface connecting the AP directly to the FW, like in a DMZ (only outbound), and deny that LAN access to the internal net.
On another tangent, I wonder if a wireless net bypassing pfB would help with my cell's Wi-Fi calling feature.
-
I forgot to mention the links I used to make my temporary solution:
https://unix.stackexchange.com/questions/46104/how-to-provide-a-guest-lan-on-one-ethernet-device
https://github.com/RaspAP/raspap-webgui/issues/275
https://askubuntu.com/questions/270693/how-can-set-these-iptables-rules-to-run-at-startup
https://linuxconfig.org/how-to-make-iptables-rules-persistent-after-reboot-on-linux