Segmenting Wireless Traffic from Internal LAN traffic
-
My apologies up front if this has been answered already (it most certainly has, but I couldn't seem to find anything about it myself). I currently have a PFSense box setup like so:
Cable Modem <--> PFSense Box <--> Unmanaged switch <--> Internal Network
                                         |
                                         |--> Wireless AP

The wireless AP is a UniFi AP (from Ubiquiti Networks, 802.11n). Everything is working just as it should. However, I do not feel comfortable with all the wireless traffic bypassing the PFSense box, and was thinking about adding a 3rd Intel NIC to connect the Wireless AP into so it would look more like this:
Cable Modem <--> PFSense Box <--> Unmanaged switch <--> Internal Network
                      |
                      |--> Wireless AP

My question is, would I have any issues that would prop themselves up, versus the setup that I currently have? The only thing that I worry about is being able to access certain internal resources from my wireless devices. Since I would most likely put the wireless devices on their own separate VLAN (and by extension their own IP address range), would there be something I would need to implement to ensure security (maybe having RADIUS set up on the PFSense box itself, etc.)? Any assistance and suggestions you could bring to the table would be welcomed and appreciated. Thanks again in advance.
-
RADIUS auth vs. PSK would be up to you - I don't see it as something a home or SMB would need. A strong PSK is more than secure enough - where enterprise comes in handy is the ability to allow specific users on or off. Say when they quit or get fired you don't have to change the global PSK that everyone has to know, etc.
In a home setup this is rarely the case, so just WPA2 with a good-strength PSK and a unique SSID should be sufficient.
I run my wireless on its own network segment, 192.168.2.0/24, while my wired LAN is 192.168.1.0/24 - one thing you might have an issue with is anything that is multicast or broadcast based not working as easily as before. For example, wired devices will not see your Chromecast if it is on your wireless segment. Printing with, say, AirPrint (mDNS) will not work if the devices are on different segments. This is why I run my printer on my wireless segment via a wire (hate wireless-connected printers).
If you use Windows Network Neighborhood browsing to access your shares, this will not work across segments without WINS, etc. It comes down to running a segmented network vs. wireless on its own having anything to do with wireless. The nice thing is you will now be able to firewall between your segments. And think of it this way: all the broadcast/multicast traffic that wired devices were creating will not be mucking up your wireless bandwidth ;)
I also run a UniFi AP, the AC model, and I put the controller on the wireless segment just for ease of adoption of the AP, etc. The controller is running in a VM, and 99% of the time the only traffic to it is between it and the AP, so I saw really no reason to have to create firewall rules to allow that traffic between the wired and wireless segments, and also why route that traffic.
So you will prob want to add a switch and NIC to pfSense so you can put wired devices on that segment as well. Or move up to a managed switch so you can isolate the traffic that way.
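The "firewall between your segments" point above is where the security gain of the third NIC actually comes from, so here is an added example of what that policy looks like, expressed in pf syntax (pfSense generates pf rules from its GUI; this ruleset is not from the thread, from pfSense, or from John's setup). It uses the addressing John describes (wired 192.168.1.0/24, wireless 192.168.2.0/24); the interface names em0/em1/em2, the printer address 192.168.1.50, the pfSense wireless-side address 192.168.2.1 and the allowed ports are assumptions. The policy is default deny from wireless into the wired LAN, with each wired resource the wireless clients need (here, one printer) opened by its own rule, which is exactly the "access certain internal resources from my wireless devices" requirement in the original question.

```pf
# Added example ruleset (not from the thread or from pfSense): default-deny
# from the wireless segment into the wired LAN, with explicit exceptions.
# Interface names, printer address and gateway address are assumptions.
wan_if  = "em0"
lan_if  = "em1"
wifi_if = "em2"             # the added third NIC the original post proposes

lan_net  = "192.168.1.0/24"
wifi_net = "192.168.2.0/24"
printer  = "192.168.1.50"   # assumed address of the wired printer
wifi_gw  = "192.168.2.1"    # assumed pfSense address on the wireless segment

set skip on lo0

# Default deny in every direction; "quick" rules below take precedence
# because pf otherwise applies the last matching rule.
block log all

# Outbound is allowed everywhere; filtering is done on the inbound side.
# (NAT on $wan_if is handled separately by pfSense and is not shown here.)
pass out quick all

# Wireless clients may use pfSense itself for DHCP and DNS only.
# DHCP requests arrive from 0.0.0.0 to broadcast, so match on ports, not addresses.
pass in quick on $wifi_if inet proto udp from any port 68 to any port 67
pass in quick on $wifi_if inet proto { tcp, udp } from $wifi_net to $wifi_gw port 53

# Explicitly permitted wireless -> wired resources, one rule per service
# (IPP and raw JetDirect printing to the assumed printer).
pass in quick on $wifi_if inet proto tcp from $wifi_net to $printer port { 631, 9100 }

# Everything else from wireless into the wired LAN is dropped and logged.
block in log quick on $wifi_if from $wifi_net to $lan_net

# Wireless to the Internet; the block above has already caught LAN-bound traffic.
pass in quick on $wifi_if from $wifi_net to any

# The wired LAN is trusted toward everything, including the wireless segment.
pass in quick on $lan_if from $lan_net to any
```

Rule order matters here: the block into $lan_net must sit above the "to any" pass, otherwise the wider rule would match first. The rules are stateful (pf keeps state on pass rules by default), so replies from the printer come back without a matching rule on $lan_if. Note that this ruleset does nothing for the mDNS/AirPrint limitation John mentions: mDNS is link-local multicast and will not cross a routed boundary no matter what the firewall permits, which is why his printer sits on the wireless segment.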
-
If you add an extra NIC you won't have to set up a VLAN; the AP will already be on a separate network segment.
It's also probably possible to set up a VLAN directly from the access point to pfSense to segregate it without having to add an extra NIC.
Steve
-
Thanks John for the information. I just had one (I think) more question. I was/am planning on upgrading to the UniFi AC Access Point. I was going to have that device plugged into my PFSense box, as previously described. I wanted to know, however, if it would be possible to put the existing UAP (802.11n, 2.4 GHz only) Access Point I have in another part of the house for wireless coverage. Or would that not work? Basically, I was thinking of having the AC AP do 802.11n (5 GHz and 2.4 GHz) and 802.11ac, and the UAP do 802.11n (2.4 GHz only band supported) and 802.11g (for supporting devices such as the Nintendo 3DS that my son uses). Would there be a way for the UAP to connect back over a wireless connection to the UAP-AC? Thoughts? Suggestions? Or am I barking up the wrong tree and should just sell the UAP?
-
You mean run it as a wireless repeater or have it appear as a different wifi network?
Steve
-
These are really questions for Ubiquiti.
Does the UAP support "Mesh" mode? Commonly known as wireless extending?
Note that when you do that, you are reducing your available WiFi bandwidth because everything has to go over the radio at least twice.
If you want to put the UAP in a different part of the house and your home is wired for cable, you might look at a couple MoCA bridges.
I'd run away from the powerline "solutions." I don't know anyone who has been happy with them. MoCA works great.
-
Just to present another view: I know a few people who have swapped in Ethernet-over-powerline equipment to replace marginal WiFi with very good results. That's in the UK, so conditions may not be identical.
Steve
-
I know the people I have suggested them to have been very happy and get great speeds; the ones I have tested have been more than capable of solid 100 Mbps connections.