Netgate Discussion Forum

    Can I have another subnet for a guest WiFi network?

      WilsonL

      My home network in a nutshell is as follows:

      I'm not even sure if my unmanaged switch is passing through VLAN tags. Now I question if it's even possible. Security isn't a big deal for me but I do want the two virtual networks being broadcast to be in their own subnet.

        Derelict LAYER 8 Netgate

        A quick look at a packet sniffer (Wireshark) on the backend of the unmanaged switch can tell you if the tags are passing. If they are, then yes, it can work.

        As long as you are CERTAIN that bad actors aren't going to be connecting to the switch.

        I would not mix tagged and untagged traffic.  I would tag both VLANs and, if possible, tell Tomato to discard untagged traffic.

        This is really no different than what I do.  I have to use MoCA to distribute different VLANs to APs in my house.  That network is, essentially, an unmanaged hub.  Passes dot1q tags just fine.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)
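
The sniffer check described in the post above, as an added example that is not part of the original thread: a Python sketch that reads a capture saved in classic pcap format and counts frames per 802.1Q VLAN ID versus untagged. The sample capture and all function names here are constructed for illustration.

```python
import struct
from collections import Counter

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q tag

def vlan_of(frame: bytes):
    """Return the VLAN ID of an Ethernet frame, or None if it is untagged."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != TPID_8021Q:
        return None
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    (tci,) = struct.unpack_from("!H", frame, 14)
    return tci & 0x0FFF  # low 12 bits are the VID; top 4 are PCP and DEI

def read_pcap(data: bytes):
    """Yield raw frames from a classic pcap byte string (either byte order)."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if endian is None:
        raise ValueError("not a classic pcap file")
    (linktype,) = struct.unpack_from(endian + "I", data, 20)
    if linktype != 1:
        raise ValueError("capture is not Ethernet (linktype 1)")
    offset = 24  # skip the global header
    while offset + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack_from(endian + "IIII", data, offset)
        offset += 16
        yield data[offset:offset + incl_len]
        offset += incl_len

def tag_summary(pcap_bytes: bytes) -> Counter:
    """Count frames per VLAN ID; the key None counts untagged frames."""
    return Counter(vlan_of(f) for f in read_pcap(pcap_bytes))

# --- constructed sample capture (not taken from the thread) ---
def make_frame(vlan=None):
    macs = bytes.fromhex("ffffffffffff") + bytes.fromhex("020000000001")
    tag = struct.pack("!HH", TPID_8021Q, vlan) if vlan is not None else b""
    return macs + tag + struct.pack("!H", 0x0800) + b"\x00" * 46

def sample_pcap():
    frames = [make_frame(), make_frame(3), make_frame(3), make_frame(1)]
    head = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return head + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)

if __name__ == "__main__":
    print(tag_summary(sample_pcap()))
```

An all-untagged result does not prove the switch drops tags: the capturing machine's NIC driver may strip 802.1Q headers before the sniffer sees them, so check the capture host as well.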

          WilsonL

          @Derelict:

          A quick look at a packet sniffer (Wireshark) on the backend of the unmanaged switch can tell you if the tags are passing. If they are, then yes, it can work.

          As long as you are CERTAIN that bad actors aren't going to be connecting to the switch.

          I would not mix tagged and untagged traffic.  I would tag both VLANs and, if possible, tell Tomato to discard untagged traffic.

          This is really no different than what I do.  I have to use MoCA to distribute different VLANs to APs in my house.  That network is, essentially, an unmanaged hub.  Passes dot1q tags just fine.

          Thanks for the reply and you're right about using solely tagged VLANs. However, this is my own home and I have no concerns about security. I want to be able to just plug a desktop into my switch and access the untagged network.

          I guess the real problem is I don't know how to configure VLANs in Tomato. If somebody could give me a quick tutorial of how this would work that would be great. I've read somewhere that most of the time consumer switches don't drop VLAN tags and only forward packets based on MAC address. So I should be fine on that point unless somebody wants to verify that (my switch is a TP-Link TL-SG1005D).

            Derelict LAYER 8 Netgate

            A Tomato forum would be a much more productive place to ask that question.

              WilsonL

              @Derelict:

              A Tomato forum would be a much more productive place to ask that question.

              You're right and I've created a post there as well. Is there a tutorial you can point me to on checking VLAN tags with Wireshark? I failed to mention a very important point about my setup and that is I'm using VirtualBox in Windows as a host for pfSense. I now realize this could affect VLAN tags.

                Derelict LAYER 8 Netgate

                I understand that for all things pfSense, the forum rocks, but you are not having pfSense issues.

                I really don't want to be a dick, but http://lmgtfy.com/?q=what+is+a+vlan

                  WilsonL

                  @Derelict:

                  I understand that for all things pfSense, the forum rocks, but you are not having pfSense issues.

                  I really don't want to be a dick, but http://lmgtfy.com/?q=what+is+a+vlan

                  Could you elaborate on your method of checking the VLAN at the switch?

                    WilsonL

                    Update: I have good news and bad news. The good news is that I've determined that my Tomato access point handles VLANs perfectly and my switch does in fact pass through VLAN tags. I enabled the DHCP server on my Tomato router on a separate bridge and configured VLAN ID 3 to it. I can confirm on my laptop with Realtek's Diagnostic tool that there is in fact a VLAN on VLAN 3 from Tomato.

                    Now the bad news is that, although Tomato works and my switch isn't causing any problems, it seems that pfSense is the problem. The VLAN from pfSense simply does not work.

                    Could somebody take a look at the following specs and speculate on where the issue may lie?

                    Host
                    OS: Windows 8.1 Pro
                    NIC: 2x Realtek 8111E PCI-E GBE

                    Guest
                    VM: VirtualBox 4.3.14
                    OS: pfSense 2.1.4
                    Virtual NIC 1: Intel PRO/1000 MT Desktop 82540EM - Bridged - em0
                    Virtual NIC 2: Intel PRO/1000 MT Desktop 82540EM - Bridged - em1

                    It seems that VLANs don't work in my setup. Any ideas from here?

                    TL;DR: Tomato passes VLAN tags to me. pfSense does not and my setup is virtualized with VirtualBox. I want to get VLANs working on my odd pfSense configuration.

                      WilsonL

                      2nd Update:

                      I'd like to announce that I've solved the issue. I couldn't get rid of the problem with VLAN tags getting stripped by my NIC (or perhaps it was VirtualBox's fault), but one way to fix this is to download Realtek's Diagnostic Utility (below). Then go to Network and Sharing Center > Change adapter settings > Realtek PCIe GBE Family Adapter (choose the one that's for your LAN!). Disable anything that has the word VirtualBox. Then open the Realtek Diagnostic Utility and create VLAN 1 as well as the additional VLAN you need. Now wait 3 minutes for each VLAN you configure as it installs the drivers into Windows. Now you may notice under Network and Sharing Center > Change adapter settings there are two new adapters called Realtek Virtual Adapter. Each of these is an adapter to your VLAN. Open each of them and enable any mention of VirtualBox. Go to VirtualBox and assign each Realtek Virtual Adapter as a network card for your pfSense VM (pfSense shouldn't be running). Start your pfSense VM and configure your two new virtual NICs. Now you have two operable VLANs but they show up as ethernet interfaces in pfSense. That works too.

                      http://www.realtek.com/Downloads/downloadsView.aspx?Langid=1&PNid=13&PFid=5&Level=5&Conn=4&DownTypeID=3&GetDown=false

                      This solution works but it's limited to how many network adapters VirtualBox can create. I'm eager to help anyone as I know how much pain and suffering I went through to figure out this solution on my own. I'm subscribed to this thread and I'll be reading upcoming replies. Anyone who wants to do the same thing can contact me here and I'll see how I can explain it to you.
