I need expert help with VLANs/DNS/routing A$AP
-
HELP! I need a pfSense/VLAN expert A$AP
I hope it’s OK to post this here - I’m not advertising or selling anything - I just need to hire someone to either walk me through it over the phone or remote in. I’ve worked on this literally for weeks; I’m giving up. I’ve done a lot of the work so it probably won’t take you long. If you have the expertise to get this done and you want to make some easy money, please message me with your hourly rate and any questions you have. I need this done ASAP; today if possible.
Hardware:
- pfSense running on an old Sophos XG 125
- TP-Link TL-SG1024DE 24 port managed switch
- Two TP-Link EAP225 wireless access points
- Proxmox server
Network Configuration:
I’ve setup VLANs in pfSense for:- BIZ - VLAN 10 - 10.1.10.0/27
Only 7 or 8 devices on this subnet and future growth is very unlikely. (Thus the /27 CIDR.) - POS (Point Of Sale) - VLAN 20 - 10.1.20.0/28
For future expansion; for now, the two credit card processing terminals
that would belong on this subnet will live on the BIZ subnet until we
have a few more ethernet runs. - SECURITY - VLAN 40 - 10.1.40.0/27
Also for future expansion; we have a modest video surveillance system
that’s working via a WiFi repeater which is configured for its own SSID so we’re probably
not going to mess with it for now. - GUEST_WIFI - VLAN 50 - 192.168.50.0/24
Needs to have ccess to the internet but nothing else - including other devices on the subnet.
The only devices that aren’t on a VLAN are the management devices. Those are all on the 10.1.1.0/28 subnet which was originally the LAN interface; I renamed it to MGMT because the only devices on it are the router, switch, APs, and the Omada controller (Docker container). They’re not on a VLAN (i.e. not one that’s setup in pfSense) but I’d like them to be. I tried this once, though and got locked out of my router and had to reset it. I learned a lesson about backing up the router settings but I’m still afraid to try it again.
I need to setup 3 SSIDs - one for business devices, one for the security cameras/system, and one for guest WiFi. Trying to configure the switch ports for tagged/untagged and the necessary firewall rules to make this happen has been the bane of my existence for the past week.
The APs and the Omada controller need to be on the MGMT subnet but the Proxmox server/LXC that hosts the docker container needs to be on the BIZ subnet. Until I can achieve that, the controller can’t adopt the APs. Due to that issue, I’m currently running the WAPs without a controller but that’s just an attempt at a crappy workaround. I need to be using a controller. In the current configuration (with no controller), I can connect to the SSIDs with my phone but when I do, I can’t even ping the AP, let alone the gateway or get to the internet.
I setup a BIZ_WIFI VLAN because I couldn’t figure out how to get WiFi devices connected to the Business SSID to be on the BIZ VLAN. I figured if they were on their own VLAN (without having to share a port with Guest WiFi) then I could use untagged ports which I’ve at least had some success with). I also figured it would be reasonably easy to setup firewall rules to allow the two VLANs to talk to each other… but nope. Rather than fix that though, I’d much rather just do it right and get the WiFi devices that connect to the Business SSID to be on the BIZ VLAN. It shouldn’t be that hard but I can’t figure it out.
I need the POS VLAN completely isolated - WAN access only
I’d like one port on the switch configured for admin access; whatever machine gets connected to this port can access any device on any VLAN.
I think that covers everything. I’d strongly prefer to have someone walk me through this over the phone (because I’d like to learn) but if no one is willing to do that, you’re going to have to at least walk me through whatever it takes to give you remote access (and revoke it after it’s done).
-
@ErniePantuso While I would be happy to help you.. Don't think you would want to pay my going rate - hehe
But there is old pfsense tac guy that is looking for stuff to do that I am sure could help you over the phone or remote in, etc.
-
@johnpoz Thanks, John. I’ll contact him.
-
@ErniePantuso I texted him here, and that tag should let him know to look here.
If he is unable to help - come back and try to walk you through just here on the forum. But sounds like your wanting a bit more hand holding than I would normally do ;)
-
@johnpoz He has already contacted me; hopefully things will work out. Thank you so much for your help, John - not just on this but on several things on this forum in the past. I really appreciate you!
-
@ErniePantuso let me know how it works out, I more than confident that Ryan can help you out.
-
Yup, pretty sure he could do that in his sleep!
