New to PFSense…couple of questions
-
Ah Ok, well that should make things a lot easier. The range on those Unifi APs is supposed to be quite good though I've never used one myself.
Some things to consider:
Never use VLAN_1 (packets tagged with VLAN number 1) because that is usually used for the switch gui internally and can be treated differently.
You should try to avoid having tagged and untagged traffic on the same pfSense interface; this can cause problems. That means that your LAN side NIC will probably have 3 VLANs on it but not be assigned itself. The 3 VLANs will be: main wireless, guest wireless and wired. The biggest issue here will be configuring the switch. It's easy to end up locking yourself out of the switch webgui during configuration. If you can do it via a serial console you can't get locked out but it's usually more difficult, requires special incantations!
I'm not familiar with that particular switch, let me read the manual.
Steve
-
Hmm, just Googling this switch it appears there is potentially some complication before we even really get started. ::)
Do you have access to the switch management web interface? If not it seems it may present some difficulty but I'm sure it can be overcome.
http://blogmal.42.org/tidbits/no-dell-2724.story
It seems like you need to use an old browser or you'll not be able to login.
Steve
-
I use Chrome browser primarily, and I can login in to the switches web based interface no problem.
-
I just noticed this post. I'm fine to configure as many VLANs as I need to, but I do want to make sure that MY wireless devices, the ones connected to the "main wireless", do have access to all the devices on the network. I'm sure you realized that, but just clarifying.
I've got very limited experience in working via serial console, but do follow instructions well assuming they are available somewhere and break it down to an elementary level for my simple mind =)
-
I should add…I really appreciate your help with all this!
I have an extensive Control4 installation in my home (home automation system) and I know that a lot of C4 technicians that have advanced networking knowledge will put their Control4 installations on a separate VLAN because the devices are "quite chatty". I don't really understand what the benefit to that would be, but while we're talking VLANs I figured I would throw that out.
Thanks again.
-
"I will not broadcast this SSID"
I want to point out that is not best practice and will do nothing but make your network more complex with lots of complications that can come of it. There is not one valid reason not to broadcast your SSIDs - be it they are guest or provide access to your normal network or not. The broadcasting of the ssid has nothing to do with security.
Just properly secure it, and broadcast it. Call them something like ssid and then ssid-guest so that you're clear which one is guest, etc.
-
I know that a lot of C4 technicians that have advanced networking knowledge will put their Control4 installations on a separate VLAN because the devices are "quite chatty".
Interesting, is that something you are in a position to do? Are your Control4 devices wired in such a way that they can be connected to separate ports?
If you have your wired and wireless devices on separate VLANs and separate subnets then you can still access one from the other as long as you have firewall rules in place to allow that. However there are some services which do not play nicely across subnets, mostly upnp type media servers/clients. If you need a single subnet then you can always bridge the two VLANs at the pfSense box but that will never be as fast as just one VLAN where traffic just goes through the switch. If you often transfer very large files between wired and wireless devices it might be worth not bothering with a separate VLAN for wired devices.
The 2724 does not have a serial console from what I can see so no worries there. ;)
Steve
-
… a lot of C4 technicians ... put their Control4 installations on a separate VLAN because the devices are "quite chatty". I don't really understand what the benefit to that ...
This means that they separate the C4 gear from the rest of your LAN. They don't use a separate switch for this but divide-off a portion from your existing one.
I'm a Crestron guy so I know these kinds of installs.
Assuming you have wireless touchpanels with access to your C4 gear, where are they routed between your subnets?
(That's where I regularly use a pfSense in my Crestron installs! ;-)
-
Is this done for security? reliability? manageability? all three? ;)
Steve
-
Is this done for security? reliability? manageability? all three?
This gear tends to generate quite some traffic, sometimes even broadcasts.
You don't want that in your LAN and you don't want your media devices to slow down action triggers from a touchpanel.
(Just read about a client complaining about 9s to flip to the AM/FM page. This delay had other reasons, though.)
-
In talking to others, I don't think I'm needing to put the Control4 gear on separate VLAN.
Let's stick to the initial questions/needs for now I guess.
Again, those are setting up the two wifi networks on Unifi. One for me that accesses everything, and one for guests that ONLY accesses the internet.
I also want to leave the guest one unsecured, and use a captive portal to allow people on and monitor what they do while they're on. I want their authentication to be good for 6 hours, and then have to re-authenticate. In an ideal world, there would just be one password for every user and that password would change every 24 hours (and be emailed to my wife and me every day).
I really appreciate the help from everyone! The Unifi will be here tomorrow, and I'm excited to get things back up and running.
-
In talking to others, I don't think I'm needing to put the Control4 gear on separate VLAN.
I thought you had your C4 gear on a VLAN already. Leave it like it is.
My intention was more: If there's a VLAN already then take care about the ID in use and the routing between subnets.
-
UniFi units just showed up. I'll have some time to play with this tonight. Any pointers I can get between now and then on getting this setup would be great.
I'm mostly needing help on getting the Guest Wifi and Captive portal setup as described in my previous post.
Thanks so much!
Dan
-
Ok, as I'm sure you'll be aware the secret to doing anything like this is to do it one step at a time and test at each stage.
The problem you are going to have here is that as you configure the VLAN ports on the switch and the interfaces on the pfSense box you could easily end up losing connectivity to the webgui of both. Although I said earlier you should avoid having tagged and untagged traffic on the same NIC, I'm now thinking it will be much easier to configure that way. If you do have problems you can always switch to a two VLAN setup.
So your network will remain the same but you will add a VLAN that connects your guest wireless network to a new interface in the pfSense box.
I will assume your pfSense box is connected to port 1 on your switch. Connect the Unifi AP to a spare port on the switch, say port 24. This should be all that is necessary to start setting up the AP. I'm not familiar with the Unifi setup so refer to the manual. If it is set to receive an IP via DHCP by default you can check the pfSense DHCP leases to find it and connect right away, otherwise you will have to manually configure a machine to connect to whatever IP it's using. Either way go ahead and set it up, set a password, set an SSID etc, check that you can connect to it and that wireless clients can connect to it and receive a DHCP lease from pfSense. Check they have internet access and can see other machines on the LAN. You may want to disable 'wireless client separation' in the AP. Once you have that all confirmed move on.
Now you can start at either end setting up the VLAN. In pfSense go to Interfaces: (assign): and go to the VLANs tab. Click the + to add a VLAN. Select your LAN interface as the parent. Choose a VLAN number other than 1, say 100. Enter a description.
Now go back to Interfaces: (assign): you will see a + has appeared, click it. You should now have a new interface, OPT1, that has 'VLAN 100 on ***' assigned to it. Go to Interfaces: OPT1: and enable the new interface, set its IP (maybe use 192.168.100.1) and remember to change the subnet to /24. Now go to Services: DHCP server: and enable DHCP server on OPT1. At this point anything connecting to the LAN NIC with VLAN 100 tagged packets should receive an IP. You still need to add firewall rules to OPT1 to allow any traffic. In the Unifi AP configure a secondary SSID and set it to use VLAN_100. I'm not sure of the specifics here so refer to the manual!
In the switch configuration add ports 1 and 24 to VLAN 100.
Done. :) Clients connecting to the guest SSID should now receive an IP from pfSense in the OPT1 DHCP server range.
That last step I can easily see giving headaches though.
Steve
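The tag/untag question that comes up right after this procedure (whether the switch port facing pfSense should send VLAN 100 frames tagged or untagged) is easiest to see with a small model of what the pfSense kernel does with a frame arriving on the parent NIC: an 802.1Q tag selects the VLAN sub-interface (OPT1), while an untagged frame belongs to the parent interface (LAN). The following is an added example, not code from the thread or from pfSense; the port numbers and VLAN id are the ones used in Steve's walkthrough, the MAC addresses and the DHCP payload are constructed, and the `SwitchPort` model of a Dell-style tagged/untagged membership is an assumption, not the 2724's actual configuration format.

```python
"""Model of 802.1Q tagging between a switch port and a pfSense VLAN
sub-interface.  Added example; port 1 (pfSense), port 24 (AP) and VLAN 100
follow the thread, everything else is constructed."""
import struct
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

ETHERTYPE_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800


@dataclass
class SwitchPort:
    number: int
    pvid: int = 1                                   # VLAN applied to untagged ingress
    tagged: Set[int] = field(default_factory=set)   # VLANs sent out with an 802.1Q tag
    untagged: Set[int] = field(default_factory=set) # VLANs sent out with the tag stripped


def egress_frame(port: SwitchPort, vlan_id: int, ethertype: int, payload: bytes) -> Optional[bytes]:
    """Build the Ethernet frame as it leaves `port` for traffic belonging to `vlan_id`.
    Returns None when the port is not a member of that VLAN at all."""
    dst = b"\xff" * 6                       # broadcast, e.g. a DHCP DISCOVER (constructed)
    src = bytes.fromhex("02aabbccdd24")     # constructed client MAC
    if vlan_id in port.tagged:
        tci = vlan_id & 0x0FFF              # priority 0, DEI 0, 12-bit VLAN id
        return dst + src + struct.pack("!HHH", ETHERTYPE_8021Q, tci, ethertype) + payload
    if vlan_id in port.untagged:
        return dst + src + struct.pack("!H", ethertype) + payload
    return None


def pfsense_ingress(frame: bytes, vlans_on_parent: Dict[int, str]) -> str:
    """Dispatch a frame arriving on the parent NIC: a tag selects the matching
    vlan sub-interface, no tag means the parent interface itself (LAN)."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == ETHERTYPE_8021Q:
        tci = struct.unpack("!H", frame[14:16])[0]
        vid = tci & 0x0FFF
        return vlans_on_parent.get(vid, "dropped (no interface for VLAN %d)" % vid)
    return "LAN"


def guest_dhcp_path(uplink_port: SwitchPort) -> str:
    """Where does a guest client's DHCP DISCOVER (VLAN 100) end up on pfSense?"""
    frame = egress_frame(uplink_port, 100, ETHERTYPE_IPV4, b"DHCPDISCOVER")
    if frame is None:
        return "dropped (port 1 not in VLAN 100)"
    return pfsense_ingress(frame, {100: "OPT1"})


if __name__ == "__main__":
    # Port 1 sends VLAN 100 untagged: pfSense sees a plain LAN frame, OPT1 never does.
    print(guest_dhcp_path(SwitchPort(1, untagged={1, 100})))   # LAN
    # Port 1 sends VLAN 100 tagged: the frame lands on OPT1 and its DHCP server.
    print(guest_dhcp_path(SwitchPort(1, untagged={1}, tagged={100})))  # OPT1
```

The model explains the behaviour reported later in the thread: with the pfSense-facing port set to untag VLAN 100, the guest DHCP server on OPT1 never sees the request, and what the client gets instead depends on the switch; with the port tagged, the request reaches OPT1 and the 192.168.x.x guest lease is issued.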
-
In the Dell switch interface for VLAN 2 (the new one I just made) do I want to TAG or UNTAG egress packets?
Setup was easy, but it may not be correct as devices trying to connect to the guest network never get assigned an IP address…
Under interfaces I have enabled the new interface (VLAN2GuestWireless) and under IPv4 configuration type I put DHCP.
I left everything else blank, except under DHCP client configuration, in the Alias IPv4 address field I put 192.168.2.1/24
-
One thing that is interesting is when I go to Services, and select DHCP Server I only see a tab for LAN, I don't see a tab for VLAN2GuestWireless like I would expect…I wonder why?
EDIT: So I changed the IPv4 Configuration type to Static IPv4. Now, when I go to Services: DHCP server there is a tab for VLAN2GUESTWIRELESS. I checked the box to "Enable DHCP server on VLANGUESTWIRELESS interface".
The subnet is listed as 192.168.2.0, the subnet mask is 255.255.255.0 and the available range is 192.168.2.1 - 192.168.2.254.
I set the range to 192.168.2.1 to 192.168.2.254.
However, when I try to connect, the device is never issued an IP address. I have the Dell switch setup to UNTAG the egress packets. I'll change that to TAG and see if it affects things.
-
Okay…so I changed the switch to TAG, and now devices are able to connect and are issued IP addresses in the 192.168.2.x range.
The only problem...they're not able to access the internet.
I did setup a rule in the firewall under VLAN2GUESTWIRELESS. In the rule I have Action set to Pass. The Interface is VLAN2GUESTWIRELESS. TCP/IP version is IPv4. Protocol is TCP (also tried ANY). I don't have any source, destination or port range selected.
I'm guessing my problem is here somewhere?
-
To just get internet access for guest clients you can copy the default LAN rule, just change the source from LAN net to VLAN2GUESTWIRELESS net. That should allow out all traffic, you can always tighten up the rules later. Are you seeing anything in the firewall logs to suggest traffic is being blocked?
The default dhcp range for LAN starts at 192.168.1.10 leaving some addresses at the low end free for adding static leases for servers, switches etc. You have started your DHCP range for VLAN2GUESTWIRELESS at 192.168.2.1. There are two potential problems with that. The interface address itself is 192.168.2.1. The default address of the switch webgui is 192.168.2.1.
I suggest you change the subnet of VLAN2GUESTWIRELESS to something other than 192.168.2.X. You could change the switch address but if you have to reset it ever you'll have problems again.
Steve
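The DHCP pool problem Steve describes (a range starting at the interface's own address, which also happens to be the switch's default management address) is the kind of thing a quick sanity check catches before handing the config to clients. The function below is an added example, not part of the thread or of pfSense; the addresses are the ones from the thread and the "reserved" list is whatever fixed addresses you know live in the subnet (switch GUI, NAS, static leases).

```python
"""Sanity-check a DHCP pool against its interface and known fixed addresses.
Added example; addresses follow the thread (192.168.2.0/24 guest subnet)."""
import ipaddress
from typing import Iterable, List


def dhcp_pool_problems(interface_cidr: str, pool_start: str, pool_end: str,
                       reserved: Iterable[str] = ()) -> List[str]:
    """Return human-readable problems with a pool; an empty list means it is clean.

    interface_cidr: the pfSense interface address with prefix, e.g. '192.168.2.1/24'
    reserved:       other fixed addresses in that subnet that must not be leased out
    """
    iface = ipaddress.ip_interface(interface_cidr)
    net = iface.network
    start = ipaddress.ip_address(pool_start)
    end = ipaddress.ip_address(pool_end)
    problems: List[str] = []

    if start > end:
        return [f"pool start {start} is after pool end {end}"]
    for label, addr in (("pool start", start), ("pool end", end)):
        if addr not in net:
            problems.append(f"{label} {addr} lies outside {net}")

    def in_pool(addr: ipaddress.IPv4Address) -> bool:
        return start <= addr <= end

    # The interface address, network and broadcast addresses must never be leased.
    if in_pool(iface.ip):
        problems.append(f"interface address {iface.ip} is inside the pool")
    if in_pool(net.network_address):
        problems.append(f"network address {net.network_address} is inside the pool")
    if in_pool(net.broadcast_address):
        problems.append(f"broadcast address {net.broadcast_address} is inside the pool")
    # Anything else with a fixed address (switch GUI, NAS, static leases) is a conflict.
    for r in reserved:
        addr = ipaddress.ip_address(r)
        if addr != iface.ip and in_pool(addr):
            problems.append(f"reserved address {addr} is inside the pool")
    return problems


if __name__ == "__main__":
    switch_gui = "192.168.2.1"      # Dell default management address, per the thread
    # The pool as first configured in the thread: .1 - .254
    for p in dhcp_pool_problems("192.168.2.1/24", "192.168.2.1", "192.168.2.254", [switch_gui]):
        print("problem:", p)
    # After moving the start to .100 the pool is clean.
    print(dhcp_pool_problems("192.168.2.1/24", "192.168.2.100", "192.168.2.254", [switch_gui]))
```

Note that the check only flags the overlap inside the pool; it cannot tell you that the switch still answers on 192.168.2.1 and will fight the pfSense interface for that address, which is why Steve's advice is to move the guest subnet off 192.168.2.x altogether.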
-
Thanks Steve. I changed the DHCP range to start at .100.
I had to change it from VLAN address to VLAN subnet and now it works.
-
Okay…so I setup a guest user and got the captive portal figured out...IT WORKS! I modified/personalized the HTML files for login and login error. I may tweak them more later, but they work well for now.
I just noticed though...I am now able to access all the stuff I don't want guests to be able to access. For example, I pinged one of my NAS drives that is at IP 192.168.1.210 and was prompted for the NAS credentials, and was able to pull it up.
I verified the device connected IP is 192.168.2.100.
So...I wonder why it's now able to see the 192.168.1.xxx network?
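The reason the guest client can reach the NAS follows from how pfSense evaluates an interface's rules: top down, first match wins, and anything matching no rule is dropped by the implicit default deny. The only rule on VLAN2GUESTWIRELESS is the copied LAN rule with source "VLAN2GUESTWIRELESS net" and destination "any", so guest-to-LAN traffic matches it and is passed. The evaluator below is an added example, not pfSense code and not something from the thread; it models only source/destination matching (no protocol or port), uses the 192.168.1.0/24 and 192.168.2.0/24 subnets from the thread, and the "hardened" rule set is my suggested ordering, with the pass to the OPT1 address itself (for DNS and the portal) being an assumption about what the guests still need.

```python
"""First-match rule evaluation, the way pfSense orders rules on an interface.
Added example; subnets follow the thread, the rule sets are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

Net = ipaddress.IPv4Network
LAN_NET = ipaddress.ip_network("192.168.1.0/24")    # LAN net in the thread
GUEST_NET = ipaddress.ip_network("192.168.2.0/24")  # VLAN2GUESTWIRELESS net
GUEST_GW = ipaddress.ip_network("192.168.2.1/32")   # the OPT1 interface address


@dataclass
class Rule:
    action: str                 # "pass" or "block"
    source: Optional[Net]       # None means "any"
    dest: Optional[Net]         # None means "any"
    description: str = ""


def evaluate(rules: List[Rule], src: str, dst: str) -> Tuple[str, str]:
    """Walk the rules top down; the first rule whose source and destination both
    match decides.  No match at all is the implicit default deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if (r.source is None or s in r.source) and (r.dest is None or d in r.dest):
            return r.action, r.description
    return "block", "default deny"


# The single rule from the thread: a copy of the LAN rule with the source changed.
permissive = [Rule("pass", GUEST_NET, None, "guest net to any")]

# Suggested ordering (assumption): let guests talk to the OPT1 address for DNS and
# the captive portal, block everything towards the LAN, then pass the rest (internet).
hardened = [
    Rule("pass", GUEST_NET, GUEST_GW, "guest net to OPT1 address (DNS, portal)"),
    Rule("block", GUEST_NET, LAN_NET, "guest net may not reach LAN net"),
    Rule("pass", GUEST_NET, None, "guest net to internet"),
]


def nas_reachable(rules: List[Rule]) -> bool:
    """The exact case from the thread: guest 192.168.2.100 -> NAS 192.168.1.210."""
    return evaluate(rules, "192.168.2.100", "192.168.1.210")[0] == "pass"


if __name__ == "__main__":
    for name, rules in (("permissive", permissive), ("hardened", hardened)):
        print(name, "NAS reachable:", nas_reachable(rules),
              "| internet:", evaluate(rules, "192.168.2.100", "203.0.113.10"))
```

Because evaluation stops at the first match, the block rule only works if it sits above the pass-any rule; placed below it, it is never reached. If there are other private subnets behind pfSense, the same block rule with an alias covering all RFC 1918 ranges as the destination is the usual generalisation.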