Netgate Discussion Forum

    Separate LAN from other LAN and Wireless

    Category: Routing and Multi WAN
    7 Posts 2 Posters 2.0k Views
    Starker3:

      Hi,

      This is my first post on the forum, so please forgive me if I don't format this post correctly or follow all the rules (I tried to find and read all the relevant ones).

      I'd like to build a pfSense router with 2 Gigabit LAN NICs and a wireless card.

      The way I'd like to set up the network is like this:

      Wired: _____
      Wireless: .......

      WAN ---- pfSense
                 |
                 |_____ LAN Switch & Wireless AP 1
                 |            |_____ PC 1
                 |            |_____ Network Camera System
                 |            |_____ Upstairs Wireless AP
                 |            |            |........ Wireless clients
                 |            |........ Wireless clients
                 |
                 |_____ Wireless Card ........ Wireless clients
                 |
                 |_____ Wireless AP 2
                              |........ Wireless clients

      What I would like to know is if I can separate all the clients connected to the wireless AP (Wireless AP 2) that is connected directly to the pfSense router from the other LAN users and from the wireless users connected to both the wireless card's network and the wireless networks connected via the switch.

      Thanks in advance!

      Edit: Spelling  :-X

      johnpoz (LAYER 8 Global Moderator):

        I would stay away from the wireless card.. just use APs

        Do your AP support vlans?  Does your switch support vlans?

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 25.07 | Lab VMs 2.8, 25.07

        Starker3:

          @johnpoz:

          I would stay away from the wireless card.. just use APs

          Do your AP support vlans?  Does your switch support vlans?

          Thanks for the advice. I'll stay away from the Wireless cards :P

          The one AP supports VLANs - it's currently functioning as the switch, AP and router at the moment. It's a consumer grade all-in-one without a modem, basically. But it doesn't have gigabit ethernet and it does a pretty crappy job of routing the traffic. I honestly think it's being overwhelmed by the sheer number of devices connected. I did have a VLAN set up on this router (it's an Edimax something - can't remember the name offhand) and after working for about a month something weird happened and it refused to let anything connected on that specific VLAN access the internet. Even after a hard reset and setup, any device that got the IP that was originally set up for the VLAN can't access the internet, and the easiest solution was to shift the range of the DHCP so nothing ever got assigned that IP.

          The other AP is a standard D-Link wireless AP without any fancy features so it doesn't support VLANs.

          As for an actual dedicated switch - I'll be buying a gigabit switch brand new and using that once I've got the pfSense router set up.

          What I basically have is a home network and a guest network. At the moment the guest network is running through a DD-WRT router, so it's easier to give it a different subnet, which plugs into the main router, which is plugged into the modem. It works on a different subnet, so most people can't access anything on the home network, but there are some smart folks now and then who manage to snoop around and find my media server and NAS (fortunately the NAS is write-protected except when connecting from specific MAC addresses).
          Hence why I would like to have the pfSense box separate the two networks. So I am hoping that having two physically separate NICs in the pfSense box will make it easier to do this.

          johnpoz:

            Just get the hardware you need to properly secure your network.. You have made the first step using pfSense ;)  Now you just need the other infrastructure to support what you want to do.. Smart switches that do VLANs these days are CHEAP.. you can get a simple smart switch that does VLANs, gig with 8 ports, for like $30..  And an AP that does VLANs.. The UniFi Lite models are like $90..  Pro is $130, very doable on a home budget..  These are AC APs with a gig interface.. Lite is 2x2, while Pro is 3x3.. They support up to 4 VLANs per radio.. So you could in theory do 8, with 4 on the 2.4 and 4 different ones on the 5 GHz, etc.  This should be more than enough for any home network.

            I currently run 4 SSIDs.. mine, guest, PSK (IoT devices) and then, just because I can, another for my Roku sticks, etc.

              Starker3:

              Thanks for the advice John,

              For the time being I don't have the budget to get all new hardware. So I'll just get the NICs for the pfSense router for now and see if I can set up the VLANs properly to separate the networks.

                johnpoz:

                If you're going to use different physical switches and a different AP/wifi router as AP that only does 1 network.. Then there is nothing to do with VLANs.. All of your traffic would be untagged..  And just different networks on each interface..

                So if you have this, where your different networks are plugged into different interfaces on pfSense, say LAN and OPT1.. There are no VLANs in the sense of tagged VLANs..  You need to tag VLANs, or actually have VLANs, when you run multiple layer 2 networks (a wire) over the same switch..  As long as your wire, or the wifi bridged to that wire, is only 1 network then there is no VLAN or tagging that has to be done..

                Now in this example, if you want an AP to provide more than 1 network, i.e. your LAN and your guest, then that AP needs to be able to support VLAN tagging of these different networks.  So sure, running say dd-wrt on an AP might be able to tag different SSIDs so you could run multiple networks over the same wire via tags, etc.  VLAN support on dd-wrt is still a requirement on the hardware it runs on, so while dd-wrt supports VLANs, depending on its hardware it might not work.

                And many wifi routers that state they support a "guest" network only do so when you use it as your NAT router to the internet.. And don't support actual tagging - they just limit the guest VLAN to the internet and don't bridge it to the LAN network on its switch ports.  While the normal wifi is bridged to the LAN ports, etc.  This is pretty useless without a double NAT behind pfSense.. And then how do you allow your non-guests to access stuff, since you won't know what traffic is guest and what is non-guest once it leaves the wifi router's WAN port, etc.

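The post above draws the line between an untagged wire (one network per cable, no VLAN needed) and a tagged one (several layer 2 networks sharing one switch or AP uplink). The following is an added example, not from the thread and not pfSense or dd-wrt code: it builds a plain Ethernet II frame the way a single-network AP would emit it, then inserts and strips the 4-byte 802.1Q tag a VLAN-aware switch or AP uses to mark which network a frame belongs to. The MAC addresses, the payload and the choice of VLAN ID 20 for the guest SSID are constructed sample data.

```python
"""802.1Q tagging on raw Ethernet frames (added illustration, sample data only)."""
import struct

TPID_8021Q = 0x8100     # EtherType value that announces a VLAN tag follows
ETHERTYPE_IPV4 = 0x0800


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Untagged Ethernet II frame: dst(6) src(6) type(2) payload."""
    if len(dst) != 6 or len(src) != 6:
        raise ValueError("MAC addresses must be 6 bytes")
    return dst + src + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes) -> dict:
    """Decode the header; vid is None when the frame carries no 802.1Q tag."""
    if len(frame) < 14:
        raise ValueError("frame too short")
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    vid = pcp = None
    offset = 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q header")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        pcp, vid = tci >> 13, tci & 0x0FFF      # TCI = PCP(3) DEI(1) VID(12)
        offset = 18
    return {"dst": dst, "src": src, "vid": vid, "pcp": pcp,
            "ethertype": ethertype, "payload": frame[offset:]}


def add_vlan_tag(frame: bytes, vid: int, pcp: int = 0, dei: int = 0) -> bytes:
    """Insert a tag after the source MAC, as a trunk port does on egress."""
    if not 1 <= vid <= 4094:
        raise ValueError("VID must be 1..4094 (0 and 4095 are reserved)")
    if not 0 <= pcp <= 7 or dei not in (0, 1):
        raise ValueError("bad PCP/DEI")
    if parse_frame(frame)["vid"] is not None:
        raise ValueError("frame already tagged (QinQ not modelled here)")
    tci = (pcp << 13) | (dei << 12) | vid
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def strip_vlan_tag(frame: bytes) -> bytes:
    """Remove the tag, as an access (untagged) port does before delivering to a host."""
    if parse_frame(frame)["vid"] is None:
        return frame
    return frame[:12] + frame[16:]


def demo():
    # Constructed sample addresses and a dummy 20-byte payload.
    guest_client = bytes.fromhex("02aabbccdd01")
    gateway = bytes.fromhex("02aabbccdd02")
    untagged = build_frame(gateway, guest_client, ETHERTYPE_IPV4, b"\x45" + b"\x00" * 19)
    tagged = add_vlan_tag(untagged, vid=20)   # assumed: guest SSID mapped to VLAN 20
    return untagged, tagged


if __name__ == "__main__":
    untagged, tagged = demo()
    print(parse_frame(untagged))
    print(parse_frame(tagged))
```

The only difference between the two frames is the 4 bytes inserted after the source MAC; a switch or AP that does not understand them (the D-Link AP in the thread) will either drop the frame or treat 0x8100 as an unknown EtherType, which is why every device on a shared wire has to be VLAN-aware before tagging buys you any separation.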
                  Starker3:

                  Yeah, the VLANs on the consumer stuff failed hardcore with what I wanted.

                  So basically what I'm trying to do is this: the different networks are physically separated. In other words, the AP for the home network runs just that network, and the AP for the guest network runs only that network.

                  So let's say the home network would be LAN1 - all the APs and switches connected to this are only for the home network, which means full access to everything on this network as well as to WAN -
                  and OPT1, which is connected to the guest AP that runs only 1 SSID for the guest network and has no other physical connections; it also needs to connect to WAN.

                  But I don't want LAN1 to be able to talk to OPT1 at all.

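The layout the last post asks for (LAN1 and OPT1 on separate NICs, both reaching WAN, neither reaching the other) is enforced on pfSense with per-interface firewall rules, which are evaluated top-down with the first match winning and an implicit deny at the end. The following is an added example, not from the thread and not pfSense's own code: it models that evaluation so the rule order can be checked offline. The subnets, the interface addresses, the rule descriptions and the 203.0.113.x / 198.51.100.x destinations are assumptions and documentation-range sample data.

```python
"""First-match model of pfSense-style interface rules for guest/LAN isolation.

Added illustration; subnets and addresses are assumptions, not from the thread.
"""
import ipaddress
from dataclasses import dataclass

LAN1 = ipaddress.ip_network("192.168.1.0/24")    # assumed: home network on LAN
OPT1 = ipaddress.ip_network("192.168.50.0/24")   # assumed: guest AP on OPT1
OPT1_GATEWAY = [ipaddress.ip_network("192.168.50.1/32")]   # pfSense's own OPT1 address
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Rule:
    action: str          # "pass" or "block"
    src: list            # list of ip_network, or None for any
    dst: list            # list of ip_network, or None for any
    proto: str = "any"   # "any", "tcp" or "udp"
    dports: tuple = ()   # empty tuple = any destination port
    descr: str = ""


def _match_addr(nets, addr) -> bool:
    return nets is None or any(addr in n for n in nets)


def evaluate(rules, src, dst, proto="tcp", dport=0):
    """Return (action, description) of the first matching rule; default deny."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r.proto not in ("any", proto):
            continue
        if r.dports and dport not in r.dports:
            continue
        if _match_addr(r.src, src) and _match_addr(r.dst, dst):
            return r.action, r.descr
    return "block", "implicit default deny"


# OPT1 (guest) tab. Order matters: the block must sit above the catch-all pass,
# otherwise the usual "allow OPT1 net to any" rule lets guests reach LAN1.
OPT1_RULES = [
    Rule("pass", [OPT1], OPT1_GATEWAY, "udp", (53, 67), "guests may use pfSense for DNS/DHCP"),
    Rule("block", [OPT1], RFC1918, descr="guests may not reach any private network"),
    Rule("pass", [OPT1], None, descr="guests to internet"),
]

# Same three rules with the block moved last: the catch-all pass now matches first.
OPT1_RULES_WRONG_ORDER = [OPT1_RULES[0], OPT1_RULES[2], OPT1_RULES[1]]

# LAN1 (home) tab: everything except the guest network.
LAN1_RULES = [
    Rule("block", [LAN1], [OPT1], descr="home network stays out of the guest network"),
    Rule("pass", [LAN1], None, descr="home network to anywhere else"),
]


if __name__ == "__main__":
    for name, rules in (("correct", OPT1_RULES), ("wrong order", OPT1_RULES_WRONG_ORDER)):
        print(name, evaluate(rules, "192.168.50.20", "192.168.1.10", "tcp", 445))
```

Because the block rule uses the whole RFC1918 space rather than just LAN1, it also covers any network added later and pfSense's own OPT1 address (the webGUI), which is what you want for a guest segment; the one explicit exception above it is UDP 53/67 to the gateway so guests can still get DHCP leases and resolve names. Running the wrong-order list shows the failure mode the thread is really about: the rule set looks complete, but guests get "pass" to the home network.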
                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.