New to PFSense…couple of questions
-
You want both wireless networks on all three APs? You can do that using VLANs. The Unifi APs can host multiple SSIDs and tag them to different VLANs, then the pfSense box can de-tag them and assign each to different interfaces. You'll need a VLAN compatible switch to connect these or a standard switch that doesn't strip tags.
On the guest network you can use the captive portal to create a sign in system and then use Squid to proxy the traffic and log it.
On the main wifi network you can also run Squid and SquidGuard to filter traffic. Add exceptions for whatever IPs you don't want filtered, or configure it the other way around so only the iPads are filtered. You'll have to add static DHCP mappings for the iPads and obviously that's not great security, but at 5 and 6 it should be good enough, for now. ;)
There are some good walkthroughs for a load of stuff here: http://pfsensesetup.com/ (not connected to the project AFAIK) but the best source of information, by far, will be the new pfSense book when it's released imminently.
Steve
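Added example, not code from pfSense, UniFi or anyone in this thread: the tag/de-tag step Steve describes, modelled in plain Python. An AP tags each SSID's frames with its VLAN ID, the switch carries them on a trunk port, and pfSense strips the tag and hands the frame to the VLAN interface configured for that ID. The VID-to-interface mapping (10/20/30) and the sample frame are constructed for the example; nothing in the thread fixes those numbers.

```python
"""802.1Q tag/de-tag and pfSense-style dispatch of a frame to a VLAN interface.
Added example; the VLAN IDs, interface names and sample frame are assumptions."""
import struct

TPID_8021Q = 0x8100       # EtherType value that announces a VLAN tag follows
ETHERTYPE_IPV4 = 0x0800

# Assumed mapping of VLAN IDs to pfSense interface names (not from the thread)
VLAN_IFACES = {10: "MAIN_WIFI", 20: "GUEST_WIFI", 30: "WIRED"}

# Constructed sample frame: dst MAC, src MAC, IPv4 EtherType, dummy payload
SAMPLE_FRAME = (bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
                + struct.pack("!H", ETHERTYPE_IPV4) + b"\x45" + b"\x00" * 19)


def tag_frame(frame, vid, pcp=0, dei=0):
    """Insert an 802.1Q tag between the source MAC and the EtherType.
    VID 0 means 'priority tag only' and 4095 is reserved, so both are
    rejected. VID 1 is valid on the wire; the advice to avoid it is about
    switch defaults (management VLAN), not about the protocol."""
    if not 1 <= vid <= 4094:
        raise ValueError("VID must be in 1..4094")
    tci = ((pcp & 0x7) << 13) | ((dei & 0x1) << 12) | (vid & 0xFFF)
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def untag_frame(frame):
    """Return (vid, pcp, frame_without_tag); vid is None if the frame is untagged."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    (tpid,) = struct.unpack("!H", frame[12:14])
    if tpid != TPID_8021Q:
        return None, None, frame
    (tci,) = struct.unpack("!H", frame[14:16])
    return tci & 0xFFF, tci >> 13, frame[:12] + frame[16:]


def dispatch(frame, vlan_ifaces=VLAN_IFACES, parent_iface=None):
    """Model which pfSense interface receives a frame arriving on the parent NIC.
    Tagged frames go to the VLAN interface for their VID (None if no such VLAN
    is configured); untagged frames go to the parent interface only when it is
    itself assigned, which is the tagged/untagged mix the thread advises against."""
    vid, _, inner = untag_frame(frame)
    if vid is None:
        return parent_iface, inner
    return vlan_ifaces.get(vid), inner


if __name__ == "__main__":
    for vid in (10, 20, 30, 99):
        iface, _ = dispatch(tag_frame(SAMPLE_FRAME, vid))
        print(f"VID {vid:>3} -> {iface}")
    print("untagged ->", dispatch(SAMPLE_FRAME)[0])
```

Running it shows VIDs 10, 20 and 30 landing on their interfaces, an unconfigured VID 99 going nowhere, and an untagged frame going nowhere unless the parent NIC is assigned.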
-
I use a Dell PowerConnect switch…I'm pretty sure it supports VLANs.
-
So, I just double checked and it would appear my switch does support VLANs, and it also has some options you can check that pertain to tagging.
I am unfamiliar with that.
Do you care to go into a little more detail on exactly what my first steps would be when the Unifi units arrive on Tuesday?
-
Ok, so how many NICs do you have in your pfSense box? Do you need a separate wired LAN?
Steve
-
Thanks Steve!
I have two NICs in my pfSense box. It's a SuperMicro 1U rackmounted PC.
One NIC is WAN (Comcast modem) the other is LAN and connects to the Dell PowerConnect switch.
Currently I'm using a Linksys WRVS4400N as a WAP, and it's just connected to the Dell switch as well. I may only use one of the Unifi boxes here, depends on the range. I got a good deal on the 3 pack, so 2 may get resold or used in other places. My plan at this point, is to simply connect the Unifi to the Dell switch, but I can get a 3rd NIC if necessary.
I appreciate your help!
-
Ok so if you are going to be using VLANs, which you'll have to if you want multiple SSIDs on each access point, then there's no point getting extra NICs. You can just use extra VLAN interfaces and switch ports. However you might find that having each wireless network on a dedicated access point gives sufficient coverage. In that case you can avoid VLANs, which will make setting up the network much easier. You would need an extra NIC if you want wired traffic separated though.
Setting up VLANs should be relatively straightforward, and it is if you're already familiar with the terminology and user interface used by your switch. If not, be prepared to read the manual, repeatedly!
Does this sound like something you're up for? What is the exact switch model you have?
Steve
-
I am somewhat familiar with VLANs; I've used them before. I was using the WRVS4400N as my router, and I had another Linksys router connected to it on a VLAN to provide isolated guest Wi-Fi that could only see the internet.
I have a Dell PowerConnect 2724.
I'll need help setting up the captive portal portion of this as well.
Also, I'm going to try and just use one WAP. I got a good deal on a 3 pack, but hoping I only need one. The house is about a 5,000 square foot footprint, but is fairly square and the WAP is centrally located.
Thanks again.
-
Ah Ok, well that should make things a lot easier. The range on those Unifi APs is supposed to be quite good though I've never used one myself.
Some things to consider:
Never use VLAN 1 (packets tagged with VLAN number 1) because that is usually used for the switch GUI internally and can be treated differently.
You should try to avoid having tagged and untagged traffic on the same pfSense interface, as this can cause problems. That means that your LAN-side NIC will probably have 3 VLANs on it but not be assigned itself. The 3 VLANs will be: main wireless, guest wireless and wired.
The biggest issue here will be configuring the switch. It's easy to end up locking yourself out of the switch webgui during configuration. If you can do it via a serial console you can't get locked out, but it's usually more difficult and requires special incantations!
I'm not familiar with that particular switch, let me read the manual.
Steve
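Added example, not pfSense configuration or code from anyone in the thread: the guest-VLAN policy the thread is working toward ("Internet only, nothing on the other VLANs") modelled as pfSense-style first-match interface rules, so the rule ordering can be checked against sample traffic. The subnets are assumptions for the example: 192.168.10.0/24 main wireless, 192.168.20.0/24 guest wireless with pfSense at .1, 192.168.30.0/24 wired. The captive portal's own login redirect on the guest interface is handled by pfSense separately and is not modelled here.

```python
"""Guest-VLAN isolation policy as first-match rules, with a checker that
shows why 'pass any' must sit below the private-network block.
Added example; subnets, gateway address and test traffic are constructed."""
import ipaddress

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
GUEST_GW = ipaddress.ip_address("192.168.20.1")   # assumed guest gateway on pfSense


def in_any(addr, nets):
    return any(addr in net for net in nets)


# Each rule is (action, predicate(dst_ip, dst_port, proto)). pfSense evaluates
# the rules on an interface top to bottom and the first match wins; anything
# unmatched is dropped by the implicit default deny.
GUEST_RULES = [
    ("pass",  lambda d, p, pr: d == GUEST_GW and p == 53),   # DNS via pfSense only
    ("block", lambda d, p, pr: in_any(d, RFC1918)),          # every private net, firewall included
    ("pass",  lambda d, p, pr: True),                        # everything else is the Internet
]

# The common mistake: 'pass any' first, so the block below it never fires.
GUEST_RULES_WRONG_ORDER = [
    ("pass",  lambda d, p, pr: True),
    ("block", lambda d, p, pr: in_any(d, RFC1918)),
]


def evaluate(rules, dst, port, proto="tcp"):
    """Return 'pass' or 'block' for a packet leaving the guest VLAN."""
    dst = ipaddress.ip_address(dst)
    for action, match in rules:
        if match(dst, port, proto):
            return action
    return "block"   # default deny


# Constructed test traffic: (description, dst, port, proto, expected verdict)
GUEST_CASES = [
    ("DNS to guest gateway",        "192.168.20.1",  53,  "udp", "pass"),
    ("pfSense web GUI from guest",  "192.168.20.1",  443, "tcp", "block"),
    ("main wireless host (SMB)",    "192.168.10.50", 445, "tcp", "block"),
    ("wired host (SSH)",            "192.168.30.10", 22,  "tcp", "block"),
    ("some other private net",      "10.0.0.5",      80,  "tcp", "block"),
    ("Internet (HTTPS)",            "93.184.216.34", 443, "tcp", "pass"),
]


def check_guest_isolation(rules, cases=GUEST_CASES):
    """Return [(description, expected, got)] for every case the rules get wrong."""
    failures = []
    for desc, dst, port, proto, expected in cases:
        got = evaluate(rules, dst, port, proto)
        if got != expected:
            failures.append((desc, expected, got))
    return failures


if __name__ == "__main__":
    for name, rules in (("correct order", GUEST_RULES),
                        ("wrong order", GUEST_RULES_WRONG_ORDER)):
        print(name, "->", check_guest_isolation(rules) or "guest isolation OK")
```

Blocking the whole RFC1918 alias rather than just the main-wireless subnet is what keeps the wired VLAN and the firewall's own GUI out of reach of guests; only the DNS exception above it lets the guest subnet use pfSense as a resolver.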
-
Hmm, just Googling this switch it appears there is potentially some complication before we even really get started. ::)
Do you have access to the switch management web interface? If not it seems it may present some difficulty but I'm sure it can be overcome.
http://blogmal.42.org/tidbits/no-dell-2724.story
It seems like you need to use an old browser or you'll not be able to log in.
Steve
-
I use Chrome browser primarily, and I can log in to the switch's web-based interface no problem.
-
I just noticed this post. I'm fine to configure as many VLANs as I need to, but I do want to make sure that MY wireless devices, the ones connected to the "main wireless", do have access to all the devices on the network. I'm sure you realized that, but just clarifying.
I've got very limited experience in working via serial console, but do follow instructions well assuming they are available somewhere and break it down to an elementary level for my simple mind =)
-
I should add…I really appreciate your help with all this!
I have an extensive Control4 installation in my home (home automation system) and I know that a lot of C4 technicians that have advanced networking knowledge will put their Control4 installations on a separate VLAN because the devices are "quite chatty". I don't really understand what the benefit to that would be, but while we're talking VLANs I figured I would throw that out.
Thanks again.
-
"I will not broadcast this SSID"
I want to point out that is not best practice and will do nothing but make your network more complex, with lots of complications that can come of it. There is not one valid reason not to broadcast your SSIDs, be it they are guest or provide access to your normal network or not. The broadcasting of the SSID has nothing to do with security.
Just properly secure it, and broadcast it. Call them something like ssid and then ssid-guest so that you're clear which one is guest, etc.
-
I know that a lot of C4 technicians that have advanced networking knowledge will put their Control4 installations on a separate VLAN because the devices are "quite chatty".
Interesting, is that something you are in a position to do? Are your Control4 devices wired in such a way that they can be connected to separate ports?
If you have your wired and wireless devices on separate VLANs and separate subnets then you can still access one from the other as long as you have firewall rules in place to allow that. However there are some services which do not play nicely across subnets, mostly UPnP-type media servers/clients. If you need a single subnet then you can always bridge the two VLANs at the pfSense box, but that will never be as fast as just one VLAN where traffic just goes through the switch. If you often transfer very large files between wired and wireless devices it might be worth not bothering with a separate VLAN for wired devices.
The 2724 does not have a serial console from what I can see so no worries there. ;)
Steve
-
… a lot of C4 technicians ... put their Control4 installations on a separate VLAN because the devices are "quite chatty". I don't really understand what the benefit to that ...
This means that they separate the C4 gear from the rest of your LAN. They don't use a separate switch for this but divide off a portion from your existing one.
I'm a Crestron guy, so I know these kinds of installs.
Assuming you have wireless touchpanels with access to your C4 gear, where are they routed between your subnets?
(That's where I regularly use a pfSense in my Crestron installs! ;-)
-
Is this done for security? reliability? manageability? all three? ;)
Steve
-
Is this done for security? reliability? manageability? all three?
This gear tends to generate quite some traffic, sometimes even broadcasts.
You don't want that in your LAN and you don't want your media devices to slow down action triggers from a touchpanel.
(Just read about a client complaining about 9s to flip to the AM/FM page. This delay had other reasons, though.)
-
In talking to others, I don't think I'm needing to put the Control4 gear on separate VLAN.
Let's stick to the initial questions/needs for now I guess.
Again, those are setting up the two wifi networks on Unifi. One for me that accesses everything, and one for guests that ONLY accesses the internet.
I also want to leave the guest one unsecured, and use a captive portal to allow people on and monitor what they do while they're on. I want their authentication to be good for 6 hours, and then have to re-authenticate. In an ideal world, there would just be one password for every user and that password would change every 24 hours (and be emailed to my wife and I every day).
I really appreciate the help from everyone! The Unifi will be here tomorrow, and I'm excited to get things back up and running.
-
In talking to others, I don't think I'm needing to put the Control4 gear on separate VLAN.
I thought you had your C4 gear on a VLAN already. Leave it like it is.
My intention was more: if there's a VLAN already, then take care with the ID in use and the routing between subnets.
-
UniFi units just showed up. I'll have some time to play with this tonight. Any pointers I can get between now and then on getting this setup would be great.
I'm mostly needing help on getting the Guest Wifi and Captive portal setup as described in my previous post.
Thanks so much!
Dan