Netgate Discussion Forum
    Dynamic VLANs in PFSense for DHCP Client Isolation

      tcarcur

      Hi,

      I've been searching online and on this forum on how to achieve this.

      We used to have a "GuestGate" (http://www.guestgate.com/) router at our business. It does, what it calls, Layer 3 VLAN Isolation, as well as separates our office LAN from the public LAN, and adds a Captive Portal to the public LAN (which is distributed over 6 APs and 4 24-port switches).

      Unfortunately, the device is not powerful enough to handle our 30 Mbps connection with more than 20 clients logged in. We're averaging 30-40 users at any given time. This causes the device to slow down or crash.

      I'm looking to replicate the features of the Guestgate with pfSense, but I have no idea where to start.

      I've installed pfSense on an old computer and installed the FreeRadius2 package. I was able to make a "guest" user and login through the captive portal, but I can't seem to be able to find an option to have it assign a VLAN to each device to separate it from everyone, like the Guestgate router.

      I'm thinking that maybe the DHCP server can assign a VLAN to each device it gives an IP address.

      Since it's for public Internet access, we cannot have 1 password per user/device.

      What do you guys think?

        Harvy66

        I know high end managed switches support dynamic vlans with authentication via 802.1X

          tcarcur

          The current equipment we have is 4 unmanaged 24-port switches, 2 managed PoE 8-port switches (which do VLANs per port), and 8 APs.

          The GuestGate works with the current setup by itself with only 1 port being connected to one of the switches.

          I was looking for something that would work similarly.

          The other thing I can think of is to give each client a different subnet.

          The idea is to work with existing hardware since it seems that software might make it work.

            razzfazz

            Are you sure the devices actually end up in different VLANs (vs. just different IP subnets) in your current setup? I don't see how you would be able to actually get isolation with dumb switches.

              tcarcur

              Each device gets a different subnet and IP address. Even when you manually change the IP address to match another device on the network, they cannot "see" each other, even when connected to the same router.

              Even if I only get each device on a different subnet to "isolate" them from each other, that would work too.

                razzfazz

                @tcarcur:

                Each device gets a different subnet and IP address. Even when you manually change the IP address to match another device on the network, they cannot "see" each other, even when connected to the same router.

                So are your dumb switches not really dumb? If they support per-port VLAN assignment, I don't think they'd qualify as dumb; if they don't, I don't see where you think the isolation would happen.

                  cmb

                  What that "feature" of GuestGate does is assign clients different IP subnets, one client per IP subnet. "Layer 3 isolation" they call it. That's a complete joke. Just don't. You should be providing service that actually secures clients from each other, not one that pretends to do so while leaving customers open to many, many kinds of attacks and vulnerable to all of a wide range of layer 2 malware on other guests' computers.

                  Managed switches aren't expensive, relatively speaking. Any half-decent AP can provide client isolation on the wireless side. Why anyone would implement a feature like this "Layer 3 isolation" is beyond me; it's mind-blowingly stupid to even suggest that's a worthwhile thing to be doing.

                  One VLAN per room for Ethernet with traffic between not permitted by the firewall, and client isolation on wireless is the way to actually provide the kind of security most such establishments do.

                    doktornotor

                    Erm… So, this "client isolation" basically means they produce /30 per client? ROFL.

                      mikeisfly

                      cmb took the words out of my mouth.

                      1. Create different VLANs for your Internal LAN and your Public LAN
                      2. Create a firewall rule so the Public VLAN can't access the Private LAN
                      3. Turn on Client Isolation on your Access Point for the SSID (VLAN) you want
                      4. Get managed switches that allow you to create tagged VLAN ports

                      Hopefully your Access Point supports VLAN tagging, which you will need too if you have multiple wireless VLANs. If it doesn't, see if you can put dd-wrt on it and then you should be good to go.

                        tcarcur
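                      The firewall half of the design cmb and mikeisfly describe (one guest VLAN per room, no traffic between rooms or to the office LAN, Internet only), written out as pf rules. This is an added example, not from the thread or from pfSense itself; the interface names, VLAN IDs and the office subnet are made-up assumptions.

```pf
# Added example (not from the thread): "VLAN per room, nothing between them,
# guests reach only the Internet" expressed as pf rules. Interface names,
# VLAN numbers and the office subnet are constructed for illustration;
# pfSense normally generates rules like these from Firewall > Rules rather
# than from a hand-edited file.
office      = "vlan10"                       # internal/office LAN
guest_rooms = "{ vlan101 vlan102 vlan103 }"  # one guest VLAN per room
office_net  = "10.10.0.0/24"
rfc1918     = "{ 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 }"

set skip on lo0
block log all                  # default deny; logged drops show what guests try

# Guests need DHCP and DNS from pfSense itself and nothing else on the box
pass in quick on $guest_rooms inet proto udp from any port 68 to any port 67
pass in quick on $guest_rooms inet proto { tcp, udp } from any to self port 53
block in quick on $guest_rooms from any to self        # no webConfigurator/SSH

# No guest-to-office and no room-to-room traffic: every internal network is
# RFC 1918 here, so one block covers the office LAN and all other rooms
block in quick on $guest_rooms from any to $rfc1918

# Whatever is left from a guest VLAN is Internet-bound; let it out
pass in quick on $guest_rooms inet from any to any

# Office LAN may go anywhere (tighten to taste)
pass in quick on $office inet from $office_net to any
```

                      Rule order matters because of `quick`: the DHCP and DNS passes must precede the `to self` block, and both blocks must precede the final pass. These rules only see traffic that crosses the gateway, so steps 3 and 4 (AP client isolation and managed switches putting each room in its own VLAN) are still what stops two guests on the same segment from talking directly.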

                        I've turned on Client Isolation on all but 3 APs (they do not support it, already ordered replacements that support it).

                        I'm using 2 8-port smart switches that do per-port VLANs to isolate some wired clients/APs.

                        I'll look into replacing the 24-port unmanaged switches for managed ones.

                        Thank you for the suggestions/comments.

                          jimp (Netgate developer)

                          The only way you might be able to get away with a slightly simpler configuration is if your new switches support "private VLANs", the actual name varies by brand/implementation. Basically you define one upstream port (the gateway, pfSense) and define the other ports as client ports, and then the client ports may only talk to the upstream port. It's similar to AP client isolation, but for wired clients.

                          Using separate VLANs is a more secure practice, but also significantly more to manage.
