Multiple lan subnets (NO VLANS)

viragomann

@Khoomn
Yes, VLAN is the only option to separate multiple SSIDs.

The best would be to get a VLAN capable switch to separate the IoT network from your LAN cleanly, however it should also be doable with dumb switches.
Just configure the switches as AP with multiple SSIDs, where the IoT is bound to a VLAN. On pfSense add the same VLAN on the interface, where the APs are connected to (or even the switch in between). Assign an interface to this VLAN and configure it.
Then you have an IoT interface plus the other without VLAN, your home LAN.

stephenw10

Unmanaged switches like that should just pass all tagged traffic so I'd expect it to work fine using VLAN tagged traffic for guest, IoT etc. However some switches may not YMMV!

Obviously that doesn't provide full isolation so broadcast on any VLAN would be sent to all clients. Any wired client could set their own VLAN tag and join that subnet. But wireless clients would still be isolated.

Steve

johnpoz

@Khoomn as mentioned while its possible to pass tags across a unmanaged (dumb) switch. It is not true isolation.

Do you not have another nic in your pfsense box? Can you not add one - if you had another nic, you could connect your AP to that and run a completely isolated network without any tagging.

Or you could if you want run an untagged network and tagged and or all tagged networks on your AP. Which would be completely isolated from your "lan" network.

If you do not have another nic it would be best to get at least 1 small smart (vlan capable) switch - now you can add your dumb switches to ports and all devices on that dumb switch would be on the vlan you put them in on the upstream smart switch. And you can connect your vlan capable AP to a port on this switch and put wifi devices on any network you want.

You can pick up like a 8 port gig smart switch for $40.. Or even just a 5 port smart switch would work.. Adding a smart switch to your network would still allow you to leverage the ports on your dumb switches and even put your dumb switches on a specific network be it your normal lan or another vlan, and allow your AP to put clients on any network you want while providing complete isolation..

JKnott

@johnpoz said in Multiple lan subnets (NO VLANS):

get at least 1 small smart (vlan capable) switch

Be careful with TP-Link. Some models don't handle VLANs properly.

Khoomn

@JKnott

I was looking at TP-Link’s TL-SG105E managed switch. Is that a bad choice? I don’t need many ports so all I need is a 5 or 8 port managed switch

johnpoz

@Khoomn the tplinks in the past had issues with vlans - they wouldn't let you remove vlan 1 from ports you wanted in another vlan..

They did fix it, and I would think if your model is current, and not off the shelf from a couple years back you should be fine. But yeah I would look to something else other than tplink.. That whole fiasco kind of showed they don't really understand how vlans are suppose to work.

I would think you could find another brand in the same price point as the tplinks.. But if you can't - I would sure hope the current models do allow you to remove vlan 1 when you want a port in another vlan, etc.

Khoomn

@johnpoz

Yeah all the 5 port ones I’m seeing online either have vlans not working or, even though they are $50 for 5 ports, you can only do vlan 1-5 which is dumb

johnpoz

@Khoomn I see a Zyxel GS1200-5 on amazon for $20 right now.. I have no experience with that brand - but from a quick look it should work, and its cheaper than the tplink one by like 3 bucks ;)

Bob.Dig

@johnpoz said in Multiple lan subnets (NO VLANS):

I see a Zyxel GS1200-5 on amazon for $20 right now.. I have no experience with that brand -

Get the 8 port version (GS1200-8). I have them both and do like them (you can have max 32 VLANs).

viragomann

@Khoomn
I have also a Zyxel GS1200-8 with VLANs configured on it and a trunk to pfSense. Works pretty well and is easy to set up.

Khoomn

@Bob-Dig

I only plan to have 2 but can you select the vlan ids or is it only vlan ids 1-32? Also who is that company? Ive never heard of them.

I’m gonna just go with the 5 port as thats all i need.

Also is the web based panel local or online? Any subscriptions?

Bob.Dig

@Khoomn said in Multiple lan subnets (NO VLANS):

I only plan to have 2 but can you select the vlan ids

Sure you can, also it is the easiest understandable vlan interface I am aware of because they put everything in one page.

Khoomn

@Bob-Dig

I’m gonna just go with the 5 port as thats all i need.

Also is the web based panel local or online? Any subscriptions?

Bob.Dig

@Khoomn Good old local.

johnpoz

@Khoomn said in Multiple lan subnets (NO VLANS):

I’m gonna just go with the 5 port as thats all i need.

Currently - but what about tmrw, or next month ;)

if the extra 15 isn't going to break you budget - I would go with the extra ports.. Maybe you want to add an extra AP in the future, or 2 etc..

Khoomn

@johnpoz

I already have 3 APs that will cover my whole house. No security cameras (i really dont know why we dont), and the only hardwired PC is mine. Everything else is wifi

johnpoz

@Khoomn oh so you won't be using the dumb switches then?