Netgate Discussion Forum

    pfSense How to Guide: Guest WiFi + Secure WiFi on a SG2100-MAX

    • JonathanLeeJ
      JonathanLee
      last edited by JonathanLee

      This was a great solution I wanted to share with others.

      First off note: I am a happy pfSense user. I do not work for Netgate.

      I have a SG2100-MAX firewall with filtering etc set up on an external AP. I also installed a Compex WLE200NX card.

      Screenshot 2023-11-13 at 8.59.37 AM.png
      (set up card as AP)

      Screenshot 2023-11-13 at 9.03.37 AM.png
      (assign to OPT)

      Screenshot 2023-11-13 at 9.05.16 AM.png
      (configure your new interface)

      Create a new private address block. I use 10.0.0.1/24 for this example.

      Screenshot 2023-11-13 at 9.07.10 AM.png
      (opt config)

      I use 802.11na with ht/40- enable wpa2

      Screenshot 2023-11-13 at 9.08.41 AM.png
      (now dhcp server will have a new tab)

      Configure your DHCP server on opt
      Screenshot 2023-11-13 at 9.12.03 AM.png
      (dhcp)

      Screenshot 2023-11-13 at 9.12.56 AM.png
      (now make sure your dns knows about the new interface)

      Screenshot 2023-11-13 at 9.14.54 AM.png
      (now create your ACLs for guest wifi)

      My example says let guests access anything but my WLAN (secure side)

      Screenshot 2023-11-13 at 9.16.52 AM.png
      (I also created a rule in WLAN that blocks communication to opt)

      Screenshot 2023-11-13 at 9.18.51 AM.png
      You can also make ethernet rules if you wanted

      WARNING: Block out firewall GUI PORT!!
      Screenshot 2023-11-13 at 10.46.24 AM.jpg

      Screenshot 2023-11-13 at 10.42.46 AM.png
      (Web GUI)
      Make sure you also add a block for your firewall's GUI port on the guest wifi, because it will be accessible on the new private address block also. Or your guest wifi can access the firewall GUI port at the gateway address.

      Now I have a guest wifi and a secure wifi on different private networks. No VLAN tagging used. Some external APs do not support VLAN tagging. So this is a quick solution.

      My external AP is secure with my NAS and work stuff, and my Compex card is for unfiltered unrestricted guest use, or Nintendo Switch use.

      Let me know what you think of this for a home network..

      Make sure to upvote

      NollipfSenseN 1 Reply Last reply Reply Quote 2
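      The warning in the post above, worked through as an added example (not part of the original post and not pfSense code): a simplified first-match model of the guest interface rules, showing that "pass anything but WLAN" also passes traffic to the firewall's own guest-side address, and that a block rule placed above it closes the GUI port. The WLAN subnet and GUI port below are constructed placeholders; only 10.0.0.1/24 comes from the post.

```python
import ipaddress
from typing import NamedTuple, Optional

GUEST_GW = ipaddress.ip_network("10.0.0.1/32")      # firewall address on the guest interface (from the post)
WLAN_NET = ipaddress.ip_network("192.168.1.0/24")   # constructed placeholder for the secure side
GUI_PORT = 443                                      # constructed placeholder for the web GUI port


class Rule(NamedTuple):
    action: str                      # "pass" or "block"
    dst: ipaddress.IPv4Network       # destination network
    negate: bool = False             # True means "destination NOT in dst"
    port: Optional[int] = None       # None means any destination port


def evaluate(rules, dst_ip, dst_port):
    """Return the action of the first matching rule (top-down, first match wins)."""
    dst = ipaddress.ip_address(dst_ip)
    for rule in rules:
        if (dst in rule.dst) == rule.negate:
            continue                 # destination does not match this rule
        if rule.port is not None and rule.port != dst_port:
            continue                 # port does not match this rule
        return rule.action
    return "block"                   # nothing matched: default deny


# Guest rule as described: let guests reach anything except the WLAN network.
ORIGINAL = [Rule("pass", WLAN_NET, negate=True)]

# Same rule with a GUI-port block above it. The firewall's WLAN-side address
# is already unreachable because it falls inside WLAN_NET.
HARDENED = [Rule("block", GUEST_GW, port=GUI_PORT)] + ORIGINAL


def audit(rules):
    """Probe the destinations that matter for a guest network."""
    return {
        "gui_at_gateway": evaluate(rules, "10.0.0.1", GUI_PORT),
        "dns_at_gateway": evaluate(rules, "10.0.0.1", 53),
        "secure_wlan_host": evaluate(rules, "192.168.1.10", 445),
        "internet": evaluate(rules, "93.184.216.34", 443),
    }


if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL), ("hardened", HARDENED)):
        print(name, audit(rules))
```

      10.0.0.1 is not inside the WLAN network, so the negated pass rule matches it; that is why the GUI block has to sit above the pass rule on the guest interface.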
      • NollipfSenseN
        NollipfSense @JonathanLee
        last edited by

        @JonathanLee I use a Mikrotik RB450x2-ARM for similar implementation and to separate guest from our home network, with the guest doing its own DNS. However, I am thinking of disabling the guest, since most guests have their phone to tether off, etc., in this era of unlimited data.

        pfSense+ 23.09 Lenovo Thinkcentre M93P SFF Quadcore i7 dual Raid-ZFS 128GB-SSD 32GB-RAM PCI-Intel i350-t4 NIC, -Intel QAT 8950.
        pfSense+ 23.09 VM-Proxmox, Dell Precision Xeon-W2155 Nvme 500GB-ZFS 128GB-RAM PCIe-Intel i350-t4, Intel QAT-8950, P-cloud.

        JonathanLeeJ 2 Replies Last reply Reply Quote 1
        • JonathanLeeJ
          JonathanLee @NollipfSense
          last edited by

          @NollipfSense My son has a Nintendo Switch; a few games don't work with proxy use, 90 percent do. The Nintendo Switch keeps running CuRL all the time also under AppID. So it's now outside my secure LAN.

          Make sure to upvote

          1 Reply Last reply Reply Quote 0
          • JonathanLeeJ
            JonathanLee @NollipfSense
            last edited by

            @NollipfSense I bet in the future we will dock only our smartphones to a KDM at work and will no longer use WiFi. A VM for work boots like Windows 11 and undock and it shuts down. If you go to a different company they delete the VM.

            Make sure to upvote

            1 Reply Last reply Reply Quote 0
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.