Netgate Discussion Forum
    Help with guest network on access point

    Firewalling
    24 Posts 5 Posters 2.5k Views
      fernando_om @AndyRH

      @AndyRH
      Sure thing!
      Walk before run, they say... I'm still reading and learning about VLANs. When I feel confident I'll buy another switch and run lots of tests before implementing. For now, the Xbox will keep saying "Strict NAT" and guests will have no Wi-Fi; they must use their 3G, 4G or 5G if they have it, otherwise they must talk to each other.

        AndyRH @fernando_om

        @fernando_om Crazy idea, but I cannot think of why it would not work. Plug the WAN of the AX3 into your LAN switch. The AX3 WAN would get an address from pfSense. The guests would get an address from the AX3, route through the WAN port to a LAN port, then out through pfSense.
        Worst case, it does not work and loops the network.
        Security-wise, the guest would need to know your LAN subnet to connect to your LAN. Not 100% secure, but at least above beginner level, because without looking they would not see the transit of your LAN. (Traceroute will reveal all.)

        o||||o
        7100-1u

          JKnott @fernando_om

          @fernando_om said in Help with guest network on access point:

          I saw a UniFi AC-Lite on your signature, is it the one you talked about?

          Yes, but there are many other models that will work too.

          PfSense running on Qotom mini PC
          i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
          UniFi AC-Lite access point

          I haven't lost my mind. It's around here...somewhere...

            JKnott @AndyRH

            @AndyRH said in Help with guest network on access point:

            Just be aware you will need a managed switch to do VLANs on the AP.

            Actually, you can get away without that, but they're recommended. I ran a VLAN to an AP for years, before I got around to getting a managed switch.

              SteveITS Galactic Empire @JKnott

              @JKnott said in Help with guest network on access point:

              you can get away without that, but they're recommended. I ran a VLAN to an AP for years, before I got around to getting a managed switch

              This is true, but note that it works much better with wireless clients. The wireless device connects to the AP which assigns the VLAN tag. They can't connect to a different VLAN without using a different SSID.

              If wired clients are also in use, they can often set their own VLAN tag in the driver settings. A managed switch can/would block that. Typically the wired network would not need/want to connect to the guest wireless though.

              Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
              When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
              Upvote 👍 helpful posts!

                JKnott @SteveITS

                @SteveITS said in Help with guest network on access point:

                The wireless device connects to the AP which assigns the VLAN tag.

                This part works the same either way. The difference is without a managed switch, the VLAN is available elsewhere. That may or may not be desirable.

                  fernando_om

                  Thanks for your replies!
                  I was searching for the mini PCI-express WLAN adapters I have lying around here, but they are too old. The newer ones I found are all full height; the pfSense motherboard I'm using only accepts half height. I'm almost sure I have a half-height Ralink, but it is missing...
                  While searching, I found a Raspberry Pi model 3B v1.2. I turned it into a RaspAP yesterday; now I'm checking what kind of settings it has to see if it can address my needs. Even if the GUI doesn't have an option to configure it, in theory it can support VLANs at the OS level by using the command line to create a link on the ethernet (eth0) interface.
                  Let's see... if I make any progress, I'll be right back here to let you know.

                    fernando_om

                    So as promised, I'm back to report my progress...

                    I didn't buy any new devices yet, so no VLANs at this point. But the RPi that was lying around was of such great help. RaspAP looks very good so far and, from the command line on the underlying Raspbian, I could create a rule in iptables so all the packets (or frames) directed to internal networks are dropped right there. Right after, I made it permanent with iptables-persistent and it is working like a charm: guests do have internet, but they don't see my local network.

                    I appreciate every single answer given here and I'll be implementing some of them as soon as I get the new gear. RaspAP is good but it is a temporary solution for me.

                      provels

                      I'm also VLAN challenged due to dumb switches, but I don't really need anything more. However, I have a spare port in my FW device and an ancient access point running DD-WRT, and I plan on following this cookbook when the time comes, just substituting my AP's RealLAN for the VLAN.
                      Guest Net Setup

                      Peder

                      MAIN - pfSense+ 24.11-RELEASE - Adlink MXE-5401, i7, 16 GB RAM, 64 GB SSD. 500 GB HDD for SyslogNG
                      BACKUP - pfSense+ 23.01-RELEASE - Hyper-V Virtual Machine, Gen 1, 2 v-CPUs, 3 GB RAM, 8GB VHDX (Dynamic)

                        JKnott @provels

                        @provels

                        If you want a guest WiFi, you don't need a managed switch. I did that for years before I got a managed switch. The only issue is, with a dumb switch, the VLAN will be available everywhere on your network. However, for this to be a problem, the users would have to tamper with the network settings on their computers. Those computers are locked down, right?

                        On the other hand, I recommend getting a managed switch anyway.

                          provels @JKnott

                          @JKnott I wouldn't be using a VLAN at all, just another OPTn interface connecting the AP directly to the FW, like in a DMZ (only outbound), and deny that LAN access to the internal net.
                          On another tangent, I wonder if a wireless net bypassing pfB would help with my cell's Wi-Fi calling feature.

                            fernando_om

                            I forgot to mention the links I used to make my temporary solution:

                            https://unix.stackexchange.com/questions/46104/how-to-provide-a-guest-lan-on-one-ethernet-device
                            https://github.com/RaspAP/raspap-webgui/issues/275
                            https://askubuntu.com/questions/270693/how-can-set-these-iptables-rules-to-run-at-startup
                            https://linuxconfig.org/how-to-make-iptables-rules-persistent-after-reboot-on-linux

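
An added example, not code from the thread or from RaspAP, of the iptables approach fernando_om describes in the two posts above: FORWARD rules on the Pi that drop (and log) anything a guest sends towards private address ranges, plus the iptables-persistent step. Assumed names: wlan0 is the guest WLAN, eth0 the uplink into the home LAN; DRY_RUN=1 prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example, not RaspAP's own code. Assumptions: guests attach on wlan0,
# eth0 is the uplink into the home LAN (pfSense side). With DRY_RUN=1 the
# commands are printed instead of executed; with APPLY=1 they are applied.
GUEST_IF="${GUEST_IF:-wlan0}"
# Private ranges a guest must never be forwarded to (RFC 1918 plus link-local).
PRIVATE_NETS="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 169.254.0.0/16"

# Run iptables, or echo the command line when DRY_RUN=1.
ipt() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Insert at the head of FORWARD (-I) so these rules win over RaspAP's own
# ACCEPT rules. For each range the LOG rule is inserted after the DROP rule,
# so it ends up in front of it: a probe is logged (rate-limited), then dropped.
# Note: this only covers routed traffic. Guests can still reach services on
# the Pi itself (e.g. the RaspAP web GUI); that needs INPUT rules.
guest_isolation_rules() {
    for net in $PRIVATE_NETS; do
        ipt -I FORWARD -i "$GUEST_IF" -d "$net" -j DROP
        ipt -I FORWARD -i "$GUEST_IF" -d "$net" \
            -m limit --limit 5/min -j LOG --log-prefix "GUEST-BLOCK: "
    done
}

# Make the rules survive a reboot the way the thread did: iptables-persistent
# reloads /etc/iptables/rules.v4 at boot.
persist_rules() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "iptables-save > /etc/iptables/rules.v4"
    else
        iptables-save > /etc/iptables/rules.v4
    fi
}

# Count the DROP rules the generated set contains (sanity check before applying).
count_drop_rules() {
    DRY_RUN=1 guest_isolation_rules | grep -c -- '-j DROP'
}

if [ "${APPLY:-0}" = "1" ]; then
    guest_isolation_rules
    persist_rules
fi
```

Review the output of `DRY_RUN=1 sh guest.sh` first; guests still get DHCP and DNS from the Pi because those are INPUT, not FORWARD, traffic.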
                              fernando_om @JKnott

                              @JKnott
                              I'm really interested in VLANs for the near future; I just need to choose the gear wisely, as I'll need to replace some of what I already own. I built my setup on a J1800 processor in a fully integrated motherboard. It is a strange setup I bought second hand almost for free, but it lacks expansion slots: it features one mini PCI-express slot (which I filled with that old wireless card, but the range is not useful for a guest WLAN) and one 1x (one lane) PCI-express, in which I installed the Gigabit ethernet port; also there is just one memory slot, with 4GB DDR3 (it supports a maximum of 8GB). It is a weird ECS-BAT-I (brand?) motherboard that even features an HDMI port and an LVDS connector (for LCD screens); I think it's a hybrid between a desktop and a laptop motherboard, with pieces of SBCs here and there. What I like is that it is a 10W TDP processor that runs pfSense quite well with an average processor usage of 7%, so it is very efficient in power usage (it is consuming an average of only 19W/hour according to my Home Assistant measurements using a PZEM-004T; I guess most of the energy is lost in conversion by the old cheap ATX power supply. I have one TFX FSP300-60SGV which is 80Plus Gold labelled, but I don't know if I can just swap an ATX for a TFX power supply; never tried).
                              Probably for my next shot, I'll replace this motherboard with a normal desktop one with more PCI-e slots, so I can put in more interfaces and create several OPTn-s to work with the VLANs. If the consumption is not that much of a difference, of course.
                              A single PCI-e card with more than one port is not cost-effective according to my searches (in my country, at least). For example, one adapter with 2 Gigabit ports costs much more than 2x single-port Gigabit boards.

                              For now, the guest WLAN is working without exposing my network to unknown or infected devices right away (I guess).
                              And I really appreciate every one of you who shared your knowledge and time to help me out; you guys are the best!

                                JKnott @fernando_om

                                @fernando_om said in Help with guest network on access point:

                                Probably for my next shot, I'll replace this motherboard with a normal Desktop one with more PCI-e slots so I can put more interfaces and create several OPTn-s to work with the VLANs.

                                You might consider a mini PC, like the one in my sig. It has 4 Ethernet ports. In fact, one of my friends bought one last week and his has 2.5 Gb Ethernet ports but mine has only 1 Gb. 😢 <sniff>

                                You can put VLANs on the same interface as your LAN. For example, my guest WiFi VLAN is on my main LAN, so that the access point has both available.

                                  provels @fernando_om

                                  @fernando_om Thanks for the links. If you do decide to pursue a mini-PCIE card, I recommend one based on the Atheros AR9280 chip. And you can get bigger antennas. I use both AR9280- and 9380-based cards (not half-sized), but the 9280 seems to work particularly well; the 9380 should have 3 antennas and I'm one short there. Good luck.

                                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.