Netgate Discussion Forum
    Dynamic VLANs in PFSense for DHCP Client Isolation

    General pfSense Questions

    Harvy66

      I know high-end managed switches support dynamic VLANs with authentication via 802.1X.

    tcarcur

        The current equipment we have is 4 unmanaged 24-port switches, 2 managed PoE 8-port switches (which do VLANs per port), and 8 APs.

        The GuestGate works with the current setup by itself with only 1 port being connected to one of the switches.

        I was looking for something that would work similarly.

        The other thing I can think of is to give each client a different subnet.

        The idea is to work with existing hardware since it seems that software might make it work.

    razzfazz

          Are you sure the devices actually end up in different VLANs (vs. just different IP subnets) in your current setup? I don't see how you would be able to actually get isolation with dumb switches.

    tcarcur

            Each device gets a different subnet and IP address. Even when you manually change the IP address to match another device on the network, they cannot "see" each other, even when connected to the same router.

            Even if I only get each device on a different subnet to "isolate" them from each other, that would work too.

    razzfazz

              @tcarcur:

              Each device gets a different subnet and IP address. Even when you manually change the IP address to match another device on the network, they cannot "see" each other, even when connected to the same router.

              So are your dumb switches not really dumb? If they support per-port VLAN assignment, I don't think they'd qualify as dumb; if they don't, I don't see where you think the isolation would happen.

    cmb

                What that "feature" of GuestGate does is assign clients different IP subnets, one client per IP subnet. "Layer 3 isolation" they call it. That's a complete joke. Just don't. You should be providing service that actually secures clients from each other, not one that pretends to do so while leaving customers open to many, many kinds of attacks and vulnerable to all of a wide range of layer 2 malware on other guests' computers.

                Managed switches aren't expensive relatively-speaking. Any half-decent AP can provide client isolation on the wireless side. Why anyone would implement a feature like this "Layer 3 isolation" is beyond me, it's mind-blowingly stupid to even suggest that's a worthwhile thing to be doing.

                One VLAN per room for Ethernet with traffic between not permitted by the firewall, and client isolation on wireless is the way to actually provide the kind of security most such establishments do.

    doktornotor

                  Erm… So, this "client isolation" basically means they produce /30 per client? ROFL.

    mikeisfly

                    cmb took the words out of my mouth.

                    1. Create different VLANs for your internal LAN and your public LAN.
                    2. Create a firewall rule so the public VLAN can't access the private LAN.
                    3. Turn on client isolation on your access point for the SSID (VLAN) you want.
                    4. Get managed switches that allow you to create tagged VLAN ports.

                    Hopefully your access point supports VLAN tagging, which you will need too if you have multiple wireless VLANs. If it doesn't, see if you can put dd-wrt on it and then you should be good to go.

    tcarcur

                      I've turned on Client Isolation on all but 3 APs (they do not support it, already ordered replacements that support it).

                      I'm using 2 8-port smart switches that do per-port VLANs to isolate some wired clients/APs.

                      I'll look into replacing the 24-port unmanaged switches for managed ones.

                      Thank you for the suggestions/comments.

    jimp (Netgate)

                        The only way you might be able to get away with a slightly simpler configuration is if your new switches support "private VLANs", the actual name varies by brand/implementation. Basically you define one upstream port (the gateway, pfSense) and define the other ports as client ports, and then the client ports may only talk to the upstream port. It's similar to AP client isolation, but for wired clients.

                        Using separate VLANs is a more secure practice, but also significantly more to manage.

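A small reachability model, added here as an illustration and not code from any of the posters or from pfSense itself, of the three schemes discussed in this thread: cmb's point that handing each client its own IP subnet on a shared unmanaged switch is not isolation, mikeisfly's VLAN-per-segment plus firewall-rule approach (pfSense evaluates rules top-down, first match wins, and anything unmatched is denied), and jimp's "private VLAN" / protected client ports. All host names, VLAN ids, addresses and rules are constructed sample data; `Host`, `Rule`, `can_reach` and `reachable_pairs` are this example's own names, and the rule model is a deliberate simplification (it ignores interface binding, states and pfSense's default-allow LAN rule except where written in explicitly).

```python
"""Reachability model for the isolation schemes discussed in this thread.

Constructed example: three small topologies and a first-match rule set,
used to show which hosts can reach which under each scheme.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Host:
    name: str
    vlan: int                # 802.1Q VLAN id of the switch port the host sits on
    ip: str                  # address handed out by DHCP
    prefix: int              # prefix length handed out by DHCP (30 = one /30 per client)
    protected: bool = False  # True if the switch port is a "private VLAN" client port


@dataclass(frozen=True)
class Rule:
    action: str              # "pass" or "block"
    src: str                 # source network (CIDR)
    dst: str                 # destination network (CIDR)

    def matches(self, src_ip: str, dst_ip: str) -> bool:
        return (ip_address(src_ip) in ip_network(self.src)
                and ip_address(dst_ip) in ip_network(self.dst))


def first_match(rules: List[Rule], src_ip: str, dst_ip: str) -> Optional[Rule]:
    """pfSense evaluates rules top-down and the first match wins."""
    for rule in rules:
        if rule.matches(src_ip, dst_ip):
            return rule
    return None


def can_reach(a: Host, b: Host, rules: List[Rule]) -> bool:
    """Can host a send traffic to host b?

    Same VLAN: the two share a broadcast domain. The subnet DHCP handed out
    is only a setting on the client and does not stop a host on the same
    segment from reaching the other at layer 2, so the answer is True unless
    the switch itself enforces port isolation (private VLAN / protected ports).
    Different VLAN: traffic must transit pfSense and the firewall rules decide;
    no matching rule means the default deny applies.
    """
    if a.vlan == b.vlan:
        if a.protected or b.protected:
            return False     # protected client ports may only talk to the uplink
        return True          # shared layer 2 segment; subnets do not isolate
    rule = first_match(rules, a.ip, b.ip)
    return rule is not None and rule.action == "pass"


def reachable_pairs(hosts: List[Host], rules: List[Rule]) -> List[Tuple[str, str]]:
    """Every ordered pair (a, b) of distinct hosts where a can reach b."""
    return [(a.name, b.name) for a in hosts for b in hosts
            if a is not b and can_reach(a, b, rules)]


# --- constructed sample topologies ------------------------------------------

# 1) GuestGate-style "layer 3 isolation": every client gets its own /30, but
#    all of them hang off the same unmanaged switch, i.e. one VLAN.
GUESTGATE_HOSTS = [
    Host("guest-a", vlan=1, ip="10.0.0.1", prefix=30),
    Host("guest-b", vlan=1, ip="10.0.0.5", prefix=30),
    Host("guest-c", vlan=1, ip="10.0.0.9", prefix=30),
]

# 2) One VLAN per room plus rules on each guest VLAN interface: block anything
#    to the private range first, then pass everything else (the Internet).
VLAN_HOSTS = [
    Host("room101", vlan=101, ip="10.101.0.10", prefix=24),
    Host("room102", vlan=102, ip="10.102.0.10", prefix=24),
    Host("office",  vlan=10,  ip="10.10.0.5",   prefix=24),
]
INTERNET = Host("internet", vlan=0, ip="203.0.113.10", prefix=32)  # documentation range
VLAN_RULES = [
    Rule("block", "10.101.0.0/24", "10.0.0.0/8"),
    Rule("pass",  "10.101.0.0/24", "0.0.0.0/0"),
    Rule("block", "10.102.0.0/24", "10.0.0.0/8"),
    Rule("pass",  "10.102.0.0/24", "0.0.0.0/0"),
    Rule("pass",  "10.10.0.0/24",  "0.0.0.0/0"),   # office LAN: allow anything out
]

# 3) "Private VLAN" / protected ports: both client ports share VLAN 20 but the
#    switch only lets them talk to the uplink port (pfSense).
PVLAN_HOSTS = [
    Host("wired-a", vlan=20, ip="10.20.0.11", prefix=24, protected=True),
    Host("wired-b", vlan=20, ip="10.20.0.12", prefix=24, protected=True),
]

if __name__ == "__main__":
    print("one /30 per client, shared switch:", reachable_pairs(GUESTGATE_HOSTS, []))
    print("one VLAN per room + rules:        ", reachable_pairs(VLAN_HOSTS, VLAN_RULES))
    print("room101 -> internet:              ", can_reach(VLAN_HOSTS[0], INTERNET, VLAN_RULES))
    print("protected ports on one VLAN:      ", reachable_pairs(PVLAN_HOSTS, []))
```

Run as-is, the /30-per-client scheme reports every pair of guests as mutually reachable, the VLAN-per-room scheme reports only office to room traffic (the guest VLANs are cut off from everything in 10.0.0.0/8 while still reaching the Internet address), and the protected-port scheme reports no pair at all. The same-VLAN branch is intentionally conservative: it treats shared layer 2 adjacency as "reachable" regardless of what subnet the client was given, which is exactly the gap cmb describes.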