Hardware help need for pfSense
-
Good morning,
I am new to VLANs. I am trying to use pfSense to separate out a guest network and an IoT network from my main LAN. I have pfSense set up and running and it seems to be working fine. I have created two VLANs - one for IoT and one for guests. I am using 10.xxx.30.xxx for the main LAN, 10.xxx.10.xxx for the Guest network and 10.xxx.20.xxx for the IoT network.
Since most of the IoT devices are wireless, I have retained my original router, which is a Netgear Orbi RBR750 (AX4200). Netgear recently updated the firmware for this device to add "VLAN" support, but they do not provide any specifications on what that really means. However, according to a Netgear forum user, the Orbi does not actually tag the VLAN traffic.
So what is happening is that I can log into any of the 3 networks wirelessly from my smartphone. But no matter which network I log into, pfSense is still assigning the IP address to be 10.xxx.30.xxx. I have tried setting the Orbi as an access point, and as a router with no DHCP. Neither way seems to solve the problem. When I set it up as a router with no DHCP, I did assign a static IP of 10.xxx.30.2 and a subnet of 255.255.255.0.
I have just purchased a tp-link TL-SG108E which supposedly supports VLAN tagging and 802.1Q. However I have not yet inserted it into the system. Before doing so I wanted to figure out if that will solve the issue. Or if there is nothing I can do as long as I have the Orbi.
I am a novice in networking and brand new to pfSense. I am retired and am just a hobbyist that enjoys playing with my smart home setup. So I appreciate any help that anyone can offer.
Thanks,
Mike
-
Ok so you have 3 SSIDs on the Netgear device? And they are configured to use the 3 VLANs?
I would expect that traffic to be tagged leaving the device. If it's not, it would need to use 3 different ports in order to separate it.
If all clients get a lease from the LAN subnet that implies it is untagged though.
There's nothing pfSense can do about that. It only sees traffic arriving on an interface. The coupling of SSIDs to VLANs or Ports must happen in the Netgear device.
Steve
-
@stephenw10 so IF it IS untagged, and I insert a managed switch between it and pfSense, will that switch be able to do the tagging? Or if it comes into the switch untagged, then there is nothing that can be done, i.e., do I need a different router?
-
@AE8U said in Hardware help need for pfSense:
a managed switch between it and pfSense, will that switch be able to do the tagging?
No because there would be no way for it to know which VLAN any particular packet should be on. It can only be done in the access point.
-
@stephenw10 according to the Netgear forum, this is what I have.
Port 1 is Untagged for PVID10.
Port 2 is Untagged for PVID20.
Port 3 is Untagged for PVID30.
WAN Port and NAT Router are also Untagged for PVID30.
I am playing with connecting those parts to various ports on the managed switch to see if I can find a combination that will work.
If not then I guess I have a high-end mesh router and wifi unit that is of no use.
Is there a recommended list of equipment to accomplish what I am trying to do?
-
Hmm, well that sounds like the Netgear is internally untagging the VLANs from the SSIDs to its own ports? Which implies it is somehow separating the traffic from the SSIDs at least.
Is it really not possible to have it just pass the tagged traffic?
You could use your switch to put them back onto a single tagged link, but that seems like it should be unnecessary.
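To make the point from this thread concrete, here is a small Python model of how a port-based 802.1Q switch like the TL-SG108E classifies frames and how pfSense sorts them into interfaces. It is an added illustration, not code from the thread, from Netgate or from TP-Link. The topology is constructed: switch ports 1-3 take the Orbi's untagged ports with PVID 10/20/30, port 8 is assumed to be a tagged trunk up to pfSense, and the mapping of VLAN 10/20/30 to the Guest/IoT/LAN interfaces is an assumption matching the subnets described above.

```python
"""Toy model of port-based VLAN handling on a managed switch and of how pfSense
places frames from a parent interface. Topology, port numbers and interface
names are constructed for illustration (not from the thread or any manual)."""
from dataclasses import dataclass, field
from typing import Optional, Tuple


@dataclass
class Port:
    """One switch port: PVID for untagged ingress plus egress membership."""
    pvid: int
    tagged: set = field(default_factory=set)    # VIDs sent out with an 802.1Q tag
    untagged: set = field(default_factory=set)  # VIDs sent out with the tag removed


@dataclass
class Frame:
    """A frame as it arrives on the wire; vid=None means no 802.1Q tag."""
    ingress_port: int
    vid: Optional[int] = None


def classify(switch: dict, frame: Frame) -> Optional[int]:
    """Ingress: an untagged frame can only be placed by the port's PVID; a tagged
    frame carries its own VID (dropped if the port is not a member of it)."""
    port = switch[frame.ingress_port]
    if frame.vid is None:
        return port.pvid
    if frame.vid in port.tagged or frame.vid in port.untagged:
        return frame.vid
    return None


def forward(switch: dict, frame: Frame, out_port: int) -> Optional[Tuple[str, int]]:
    """Egress: how the frame leaves out_port, or None if it is not forwarded."""
    vid = classify(switch, frame)
    if vid is None:
        return None
    port = switch[out_port]
    if vid in port.tagged:
        return ("tagged", vid)
    if vid in port.untagged:
        return ("untagged", vid)
    return None  # out_port is not a member of this VLAN: isolation holds


# Assumed pfSense VLAN interfaces on the parent interface (names are constructed).
PFSENSE_VLANS = {10: "GUEST", 20: "IOT", 30: "LAN"}


def pfsense_interface(wire: Optional[Tuple[str, int]]) -> Optional[str]:
    """Untagged frames land on the parent interface (the 10.x.30.x LAN here, which
    is why every client got a LAN lease); tagged frames land on the VLAN
    interface for their VID, if one is defined."""
    if wire is None:
        return None
    kind, vid = wire
    if kind == "untagged":
        return "LAN"
    return PFSENSE_VLANS.get(vid)


TRUNK = 8  # constructed: switch port 8 uplinks to pfSense as a tagged trunk
SWITCH = {
    1: Port(pvid=10, untagged={10}),   # Orbi port 1, untagged PVID 10
    2: Port(pvid=20, untagged={20}),   # Orbi port 2, untagged PVID 20
    3: Port(pvid=30, untagged={30}),   # Orbi port 3, untagged PVID 30
    TRUNK: Port(pvid=1, tagged={10, 20, 30}),
}


def three_cable_setup() -> dict:
    """One cable per Orbi port: the switch re-tags by PVID and pfSense can tell
    the three networks apart."""
    return {p: pfsense_interface(forward(SWITCH, Frame(p), TRUNK)) for p in (1, 2, 3)}


def single_cable_setup() -> dict:
    """All SSIDs emerging untagged on one Orbi port: the switch sees one PVID for
    all of them, so nothing downstream can separate guest from IoT traffic."""
    return {ssid: pfsense_interface(forward(SWITCH, Frame(3), TRUNK))
            for ssid in ("main", "guest", "iot")}


if __name__ == "__main__":
    print(three_cable_setup())            # {1: 'GUEST', 2: 'IOT', 3: 'LAN'}
    print(single_cable_setup())           # every SSID lands on LAN
    print(forward(SWITCH, Frame(1), 2))   # None: guest frames never reach the IoT port
```

The model shows why the switch can only help when the access point already separates the SSIDs onto different physical ports: classification of an untagged frame is by ingress port alone, so three cables from the Orbi into three PVID-assigned switch ports can be re-tagged onto one trunk, while a single untagged cable carries no information the switch could use.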