-
Not sure exactly how a Vlan works if I am honest, but wonder if this could be done…
Ideally I would have installed two network cards into my machine (giving me three), using two NICs for two LANs: one for one building's WiFi and one for another building's. I would then use one of the pfSense PHP functions (can't recall the name) to get the interface name and use this to display a different captive portal page (logo/CSS) for each of the two buildings.
I did not fit two network cards, just the one, and have both buildings' access points on one network.
Is there any way I could use a VLAN to achieve this? Or is there any way to determine which access point a client uses?
Thanks.
-
Yes, you can do that with VLANs but you would need some other VLAN hardware. That could be a switch that separates the tagged traffic to different ports connected to each AP. Alternatively the wifi APs may support VLAN tagging directly such that traffic from each arrives already tagged.
Steve
-
In pfSense 2.1 snapshot builds you can enable captive portal on multiple interfaces. I suspect (haven't tried this) that each "zone" could have its own captive portal page.
-
Thanks.
The APs in use in one building are 3COM 7760, and it appears they have VLAN support.
Never used VLANs, so will have to look into this.
If I set a VLAN tag on the AP, and not in pfSense, would pfSense still allow the AP to access the usual NIC as normal, even with the VLAN set on the AP? Thinking from a debugging perspective initially. I am not near the AP to look at the moment.
I also cannot access the AP remotely, as for some reason I cannot access it via the PPTP VPN. I can ping the AP, and if I port scan it, port 23 is open, but port 80 is closed over the VPN, but open if I am local to the LAN. Not sure why this is? Different issue, I know! If I could gain access remotely to it, I could have a play remotely.
Can I add a VLAN tag to just the APs in one building, leaving the others untagged like normal? Do I need to then change IPs? Can the VLAN share the same DHCP range as the untagged?
Sorry, really new to VLANs...
-
If I set a VLAN tag on the AP, and not in pfSense, would pfSense still allow the AP to access the usual NIC as normal, even with the VLAN set on the AP?
No. You will have to have tagging set correctly on both ends. It's easy to get locked out. ;)
Can I add a VLAN tag to just the APs in one building, leaving the others untagged like normal? Do I need to then change IPs? Can the VLAN share the same DHCP range as the untagged?
Yes you can have one AP tagged connecting to a VLAN interface in pfSense and the other untagged connecting to the normal interface. You would probably want them on different subnets so one or other would change their IP. If you wanted the tagged and untagged networks on the same subnet you would need to bridge the normal and VLAN interfaces in pfSense.
However the above setup is not recommended because some NICs/drivers do not handle tagged and untagged traffic simultaneously very well. You probably won't have any problems; it's a rare case. It is better to set both APs to tag traffic to two different VLANs and then have two VLAN interfaces in pfSense. That way you will have all traffic arriving at that NIC tagged.
Steve
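To make the tagged/untagged distinction in the reply above concrete, here is an added example (not code from the thread, pfSense, or 3COM): it builds raw Ethernet frames with and without an 802.1Q tag, parses the tag back out, and models how a trunk port classifies each frame. It goes beyond the thread in one respect: the last case shows the classic double-tagging trick that is the usual reason vendors tell you not to carry an untagged (native) VLAN on a trunk, which is what the later post about "dropping from a tagged VLAN into the untagged VLAN" refers to. The frames, MAC addresses, VIDs and the simplified switch model are all constructed for illustration.

```python
"""Added example: 802.1Q tagging, parsing and trunk-port classification.

Not pfSense or AP vendor code. The switch model is deliberately simple:
a trunk accepts tagged frames for allowed VIDs, puts untagged frames into
the native VLAN if one is configured, and strips the tag on egress for
frames that belong to the native VLAN.
"""
import struct

ETHERTYPE_VLAN = 0x8100   # 802.1Q tag protocol identifier
ETHERTYPE_IPV4 = 0x0800


def build_frame(dst_mac, src_mac, ethertype, payload, vid=None, pcp=0):
    """Return raw frame bytes; insert a 4-byte 802.1Q tag when vid is given."""
    hdr = bytes.fromhex(dst_mac) + bytes.fromhex(src_mac)
    if vid is not None:
        if not 0 < vid < 4095:
            raise ValueError("VID must be in 1..4094")
        tci = (pcp << 13) | vid           # priority bits, DEI=0, 12-bit VID
        hdr += struct.pack("!HH", ETHERTYPE_VLAN, tci)
    return hdr + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return (vid or None, payload ethertype, payload) for a raw frame."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == ETHERTYPE_VLAN:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q header")
        tci, inner_type = struct.unpack("!HH", frame[14:18])
        return tci & 0x0FFF, inner_type, frame[18:]
    return None, ethertype, frame[14:]


def classify_on_trunk(frame, allowed_vids, native_vid=None):
    """VLAN a frame lands in when it arrives on a trunk port; None means dropped."""
    vid, _, _ = parse_frame(frame)
    if vid is None:                       # untagged: native VLAN or nothing
        return native_vid
    return vid if vid in allowed_vids else None


def egress_on_trunk(frame, native_vid):
    """Model a switch forwarding out a trunk: native-VLAN frames leave untagged."""
    vid, _, _ = parse_frame(frame)
    if vid == native_vid:
        return frame[:12] + frame[16:]    # drop the 4-byte tag
    return frame


def demo():
    """Constructed frames showing each classification outcome."""
    dst, src = "ffffffffffff", "001122334455"     # constructed MACs
    payload = b"\x45" + b"\x00" * 19              # minimal IPv4-looking stub
    untagged = build_frame(dst, src, ETHERTYPE_IPV4, payload)
    vlan10 = build_frame(dst, src, ETHERTYPE_IPV4, payload, vid=10)
    vlan30 = build_frame(dst, src, ETHERTYPE_IPV4, payload, vid=30)
    # Double-tagged: outer tag = native VLAN 1, inner tag = VLAN 20.
    inner = build_frame(dst, src, ETHERTYPE_IPV4, payload, vid=20)
    double = inner[:12] + struct.pack("!HH", ETHERTYPE_VLAN, 1) + inner[12:]
    allowed = {10, 20}
    return {
        "untagged_with_native": classify_on_trunk(untagged, allowed, native_vid=1),
        "untagged_no_native": classify_on_trunk(untagged, allowed),
        "vlan10": classify_on_trunk(vlan10, allowed, native_vid=1),
        "vlan30_not_allowed": classify_on_trunk(vlan30, allowed, native_vid=1),
        # first switch sees outer tag 1 (its native VLAN) and accepts it...
        "double_first_hop": classify_on_trunk(double, allowed | {1}, native_vid=1),
        # ...strips that tag on the trunk, and the next switch sees VLAN 20
        "double_second_hop": classify_on_trunk(
            egress_on_trunk(double, native_vid=1), allowed, native_vid=1),
    }


if __name__ == "__main__":
    for case, vid in demo().items():
        print(f"{case:22s} -> {'dropped' if vid is None else f'VLAN {vid}'}")
```

The last two cases are why "tag everything on the NIC and leave no native VLAN on the trunk" is the safer layout: with no native VLAN there is no untagged path for the outer tag to be silently removed on.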
-
Thanks. Thinking about my pfSense box actually, I put two NICs in it and disabled the onboard NIC. I may re-enable the onboard and use that as the WAN, using the two PCI NICs as two LANs. I guess these have to be on two separate subnets? They can't share a DHCP pool?
Thanks a lot.
-
Not directly. What you would do is create a bridge interface, add the two NICs to it and then run a single DHCP instance on the bridge interface. Depending on how you have the bridge set up you can still apply firewall rules to each interface, or just on the bridge interface, or in both places.
Steve
-
In pfSense 2.1 snapshot builds you can enable captive portal on multiple interfaces. I suspect (haven't tried this) that each "zone" could have its own captive portal page.
pfSense 2.0.3 should already be capable of enabling captive portal (CP) on multiple devices:
http://doc.pfsense.org/index.php/2.0_New_Features_and_Changes
Did you already try this feature? I've come across this point because I'm just thinking about enabling CP for both one internal (cloned) WLAN interface and one SSID of my external access point (AP). My external OpenWRT AP is cloned with each of the two SSIDs serving one VLAN. However, I do not have any idea if 2.0.3 can have its own portal page for each interface.
Peter
-
I use 2.0.1, and there seems no way to have multiple portal pages. I don't really want to upgrade as I have made some changes to the captive portal script for my own needs, and don't want to have to tweak them to fit at this point!
It seems sensible to have different portal options available for different interfaces though.
There is an option for "bridges" on my interfaces page, so I assume I can 'merge' two NICs together then?
Thanks.
-
There are a few ways to arrange the bridge but the 'correct' way is to have the bridge interface assigned as LAN and the two existing interfaces added as members of the bridge. They will then be OPT1 and OPT2. Set them up as type 'none' and do all the IP configuration on the bridge interface. It's very easy to get locked out of the box while doing this, I have done, repeatedly! ::) You should allow access from the WAN temporarily if you don't have it already so that you can still access the box. See my post here for a more detailed explanation of setting up a bridge: http://forum.pfsense.org/index.php/topic,48947.msg269592.html#msg269592
Steve
-
Great, thanks.
I have https access through the router to the GUI interface, so as long as the WAN interface is left well alone, I should be able to access and make any changes with ease. I will need to change the WAN interface first though (from PCI NIC to onboard), and make sure this comes back up, and remote GUI access is still possible before I change the other interfaces.
Not sure when I will be able to get around to this, but will report back with a smiley or a frown ;D
Thanks.
-
Actually, thinking about this.
The reason I wanted to separate the two LANs was so I could determine which one was in use in the captive portal PHP script. If I bridge the two, I don't think I can determine which is being used? Using two separate interfaces on the captive portal, I can see which is being used in the PHP script and do things accordingly. I can use the function portal_ip_from_client_ip($clientip) to determine which interface was being used, but would need different subnets on the interfaces.
I think when you add another interface and want to use it as another LAN, you need to setup some firewall rules to allow traffic, as the default LAN automatically adds rules?
Starting to confuse myself now!
-
I think when you add another interface and want to use it as another LAN, you need to setup some firewall rules to allow traffic, as the default LAN automatically adds rules?
Yes. When you add a new interface it will initially have no rules and hence will block everything. As you say only LAN has default rules to allow traffic.
Steve
-
Thanks.
Looking at the default LAN rule, I would set the new rule identical. I wonder if perhaps I should set the 'destination' to "WAN Subnet" instead of "all", so the AP clients only have access to the internet, and nothing else?
-
Thanks.
Looking at the default LAN rule, I would set the new rule identical. I wonder if perhaps I should set the 'destination' to "WAN Subnet" instead of "all", so the AP clients only have access to the internet, and nothing else?
That's probably not what you want. "All" is most likely what you want ;). With "WAN Subnet" you are restricted to the IP range that is dynamically attributed to your WAN interface. I remember that I once made the same error during my numerous attempts with firewall rules :) So, I hope I didn't get you wrong.
Peter
-
Can I add a VLAN tag to just the APs in one building, leaving the others untagged like normal? Do I need to then change IPs? Can the VLAN share the same DHCP range as the untagged?
Yes you can have one AP tagged connecting to a VLAN interface in pfSense and the other untagged connecting to the normal interface. You would probably want them on different subnets so one or other would change their IP. If you wanted the tagged and untagged networks on the same subnet you would need to bridge the normal and VLAN interfaces in pfSense.
However the above setup is not recommended because some NICs/drivers do not handle tagged and untagged traffic simultaneously very well. You probably won't have any problems; it's a rare case. It is better to set both APs to tag traffic to two different VLANs and then have two VLAN interfaces in pfSense. That way you will have all traffic arriving at that NIC tagged.
Steve
How often do issues occur with putting tagged and untagged through a NIC? If there were issues, would they appear immediately and consistently, or is it one of those random and spasmodic type problems? I may opt for using a couple of VLANs for the APs, and then use the LAN untagged still for a couple of devices which sit directly on the network, and won't be able to put the tagging frame onto the packets sent.
Cheers for the support, it's greatly received!
-
Thanks.
Looking at the default LAN rule, I would set the new rule identical. I wonder if perhaps I should set the 'destination' to "WAN Subnet" instead of "all", so the AP clients only have access to the internet, and nothing else?
That's probably not what you want. "All" is most likely what you want ;). With "WAN Subnet" you are restricted to the IP range that is dynamically attributed to your WAN interface. I remember that I once made the same error during my numerous attempts with firewall rules :) So, I hope I didn't get you wrong.
Peter
Ha!
No, that makes perfect sense when I think about it! Thanks for the pointer!
-
Thanks.
Looking at the default LAN rule, I would set the new rule identical. I wonder if perhaps I should set the 'destination' to "WAN Subnet" instead of "all", so the AP clients only have access to the internet, and nothing else?
That's probably not what you want.
I think that is almost certainly not what you want. For example, I suspect it is unlikely that www.google.com is on your WAN subnet.
A destination of "not LAN subnet" is probably closer to what you want but that is unlikely to be adequate if you add interfaces and subnets to your configuration.
-
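Two points from the thread are easiest to see side by side in code: the original poster's plan to pick a portal page from the interface a client came in on (which only works when each interface has its own subnet), and the firewall-rule discussion about "WAN Subnet" versus "not LAN subnet" versus "all". The following is an added example, not pfSense code and not the poster's modified captive portal script: a small rule evaluator over constructed subnets. The interface names, subnets and the "not any local subnet" option are assumptions for illustration; `portal_ip_from_client_ip()` is only referred to, not reimplemented.

```python
"""Added example: choose a captive-portal theme from the client's interface
subnet, and compare the destination choices discussed for the guest rule.

Not pfSense code. Subnets are constructed (RFC 1918 and TEST-NET-3 ranges).
"""
import ipaddress

# Hypothetical layout: each AP VLAN (or NIC) is its own interface and subnet,
# which is what makes per-interface branding possible at all.
INTERFACES = {
    "LAN":  ipaddress.ip_network("192.168.1.0/24"),   # office devices, untagged
    "OPT1": ipaddress.ip_network("10.10.1.0/24"),     # building A APs (VLAN)
    "OPT2": ipaddress.ip_network("10.10.2.0/24"),     # building B APs (VLAN)
    "WAN":  ipaddress.ip_network("203.0.113.0/29"),   # ISP-assigned range
}
PORTAL_THEMES = {"OPT1": "building-a", "OPT2": "building-b"}   # hypothetical names
CHOICES = ("any", "WAN subnet", "not LAN subnet", "not any local subnet")


def interface_for_client(client_ip):
    """Which interface subnet a client address falls in (None if unknown).

    This is the lookup the portal script would do with the result of
    portal_ip_from_client_ip(); it only works if the subnets do not overlap."""
    addr = ipaddress.ip_address(client_ip)
    for name, net in INTERFACES.items():
        if addr in net:
            return name
    return None


def portal_theme_for_client(client_ip):
    """Theme to serve; None means the client is not on a portal interface."""
    return PORTAL_THEMES.get(interface_for_client(client_ip))


def rule_permits(destination_choice, dst_ip):
    """Would a pass rule with this destination setting match a packet to dst_ip?"""
    dst = ipaddress.ip_address(dst_ip)
    if destination_choice == "any":
        return True
    if destination_choice == "WAN subnet":
        # Only the ISP-assigned range itself: the Internet is not in it.
        return dst in INTERFACES["WAN"]
    if destination_choice == "not LAN subnet":
        # Internet plus every OTHER internal subnet, e.g. the other building.
        return dst not in INTERFACES["LAN"]
    if destination_choice == "not any local subnet":
        # Internet only: exclude every non-WAN interface subnet. In pfSense the
        # practical way is an alias of the internal networks with "not" (invert
        # match) set on the destination; that is an assumption about approach,
        # not a specific UI path from the thread.
        return not any(dst in net for name, net in INTERFACES.items() if name != "WAN")
    raise ValueError(f"unknown destination choice: {destination_choice}")


def permitted_destinations(dst_ips):
    """Map each destination choice to the subset of dst_ips it would allow."""
    return {choice: [d for d in dst_ips if rule_permits(choice, d)] for choice in CHOICES}


if __name__ == "__main__":
    print(portal_theme_for_client("10.10.1.57"), portal_theme_for_client("192.168.1.20"))
    targets = ["8.8.8.8", "203.0.113.2", "192.168.1.10", "10.10.2.5"]
    for choice, allowed in permitted_destinations(targets).items():
        print(f"{choice:22s} -> {allowed}")
```

Run as-is, the "WAN subnet" row allows only 203.0.113.2 and blocks 8.8.8.8 (the www.google.com point above), "not LAN subnet" still lets building A reach building B's subnet, and only the last choice gives the "Internet and nothing else" behaviour the original poster was after. Bridging the two NICs into one subnet would make `interface_for_client()` return the same answer for both buildings, which is the problem the poster noticed.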
How often do issues occur with putting tagged and untagged through?
Not often. It's a glitch that shouldn't happen and I've never seen it. As I understand it some combinations of NIC and driver will use hardware VLAN tagging to off-load work from the CPU and incorrectly discard untagged packets. I would expect the consequence of this to be traffic from the non-VLAN network is blocked with no obvious cause. I only mention it because if you're unaware of it it could be very frustrating!
Steve
-
I've never seen a problem mixing untagged and tagged on a single port. Problems aren't why it's not a recommended practice. It can be possible to drop from a tagged VLAN into the untagged VLAN, which is why most switch vendors specifically recommend not using the untagged VLAN on trunk ports (amongst other possible reasons, none of which are related to functionality problems caused by doing so).