Giving DHCP to a VLAN TAG?
-
Hi,
So I was wondering if someone could help me out understanding if its possible to do this on pfSense. My Setup is fairly simple for testing purposes, I have 3 NIC em0(WAN) ue0(LAN) and vr0 (OPT1). What im trying to accomplish is to VLAN Tag OPT1 with an unifi AP see picture below. I have bridge OPT1 to give the AP 192.168.3.9 then on the unifi controller i would give a VLAN TAG ID of 10 and an SSID of Guests. The part that im stumped is how to give the VLAN Tagg (guests) 192.168.4.0/24 on the unifi. On ddwrt i would use DNSMasq to give DHCP to the unifi. I would want to replace the DDWRT for the Unifi. What I was wondering if its possible transferring the DNSMasq commands to pfSense and having somewhat the same commands on the firewall also.DNSMasq DDWRT
# Enables DHCP on br1 interface=br1 # Set the default gateway for br1 clients dhcp-option=br1,3,192.168.10.1 # Set the DHCP range and default lease time of 24 hours for br1 clients dhcp-range=br1,192.168.10.100,192.168.10.150,255.255.255.0,24hThen I would use on ddwrt the firewall to give access to the internet
#Allow guest bridge access to Internet iptables -I FORWARD -i br1 -m state --state NEW -j ACCEPT iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu #Block access between private and guest iptables -I FORWARD -i br0 -o br1 -m state --state NEW -j DROP iptables -I FORWARD -i br1 -d `nvram get lan_ipaddr`/`nvram get lan_netmask` -m state --state NEW -j DROP #NAT to make Internet work iptables -t nat -I POSTROUTING -o br0 -j SNAT --to `nvram get lan_ipaddr` #Block torrent and p2p iptables -I FORWARD -p tcp -s 192.168.10.0/24 -m connlimit --connlimit-above 50 -j DROP iptables -I FORWARD -p ! tcp -s 192.168.10.0/24 -m connlimit --connlimit-above 25 -j DROP #Block guest access to router services iptables -I INPUT -i br1 -p tcp --dport telnet -j REJECT --reject-with tcp-reset iptables -I INPUT -i br1 -p tcp --dport ssh -j REJECT --reject-with tcp-reset iptables -I INPUT -i br1 -p tcp --dport www -j REJECT --reject-with tcp-reset iptables -I INPUT -i br1 -p tcp --dport https -j REJECT --reject-with tcp-resetThank you
-
Stop bridging and get a managed switch. The switch should support 802.1q VLANs and DHCP helpers / DHCP relay.
-
Why are you bridging? What would be the point? You have a 2nd interface to put your AP on.. I have the same setup. this is my wlan segment. I then have a guest ssid that is a vlan with tag 200.
this vlan interface is added to the physical interface that is wlan. The port is trunked, so that the native vlan for my wireless segment is 20 and the guestwlan is 200 is carried over the trunk.
If you want to play/use vlans then you need a switch that understand thems.
What are you thinking your going to accomplish with a bridge??
-
-
ROFL
-
I love it! I think I might add that to my signature ;)
-
LOLZ too funny the picture
anyways, @johnpoz well my idea is to have the WIFI in the same subnet as my LAN 192.168.3.1/24 and then use VLAN tagg for another subnet 192.168.10.1/24. So if I understood correctly I would connect my AP to vr0 then would i enable DHCP? Because for my main subnet the DHCP is handled by windows server. Well I practically have my Nighthawk as a Switch i thought i could ditch it :(
-
so you want guest wireless while your normal wireless is on your lan segment..
then get a switch that understands vlans plug your AP into a switch port.. Trunk that port. Setup your ssid for whatever vlan you want, setup a relay/helper on the pfsense vlan to send the dhcp request to your AD dhcp server.. Not sure why wouldn't just let pfsense run dhcp for a guest vlan.
Why do you want to run 2 wireless networks if one of them is not a guest and isolated from your other network?
My guest network I don't even allow to query pfsense for dns or talk to pfsense in anyway other then ping for testing connectivity and pfsense hands out dhcp in this guest vlan.
-
allright im trying to replicate what i had on DDWRT see picture. The Unifi AP can handle VLAN TAGS, which therefore the AP would get the main WIFI 192.168.3.1/24 which is connected to vr0 then a tag VLAN(10) 192.168.10.1/24. The DHCP would handle windows server ONLY for the main WIFI 192.168.3.1/24 and for the guest 192.168.10.1/24 pfSense could handle the DHCP. The only part which im stuck is giving it DNSMasq for the DHCP on 192.168.10.1/24, or maybe im confusing myself or something? I was wondering how come i can do it on DDWRT but not on pfSense.
Thank you
-
you have "servers" on wifi?? WTF?? Why??
I run multiple vlans on pfsense without a problem - very common setup.
I have 2 physical networks lan 192.168.9.24 and wlan 192.168.2/24. On the wlan interface there are 2 vlans as well wlanguest 192.168.4/24 and ps3 192.168.5.24
How do you have this connected to pfsense and on what interfaces with what switch? The switch port to pfsense em2 is trunked allowing those vlans. The port connected to my AP is also trunked so it can carry the vlan 200. The port the ps3 is connected to is access in vlan 100
-
oooo snap…I think i get it now..see picture of your setup if im right. So your AP is broadcassing 3 SSID your wlan (192.168.2/24), your wlanguest (192.168.4/24) and PS3 (192.168.5/24). I guess i could try that but I was wondering if its possible for the wlan be 192.168.9/24 same as the LAN?
Thank you
-
https://forum.pfsense.org/index.php?topic=88942.msg491700#msg491700
-
Thanks Derelict So all i need is a managed switch that supports VLANS?
-
And an understanding as to what you're doing. Buying gear is easy…
http://www.amazon.com/D-Link-EasySmart-Gigabit-Ethernet-DGS-1100-08/dp/B008ABLU2I
-
no ps3 is not over the wifi, its a wired connection - I just leverage that physical interface vs my lan interface. The yes my normal ssid is on different vlan than my guestssid
And derelict is correct, just having a switch that supports vlan is not a lot of help if you don't understand the basics of vlans.
-
oooo allright, so in theory it would possible to have my LAN and WIFI in the same subnet if I would get a switch that supports VLANS?
EX: LAN:192.168.3/24–----- DHCP WINDOWS SERVER
WIFI:192.168.3/24------DHCP WINDOWS SERVER
GUEST WIFI: 192.168.10/24 (VLAN 100)-----pfSense DHCPAlso on a side note @johnpoz on your WIFI 192.168.2/24 did you enable DHCP? Because in my case the DHCP is handled by windows server so everything on the LAN and WIFI 192.168.3/24. Then I would let the pfSense handle the DHCP for the guests.
-
No. Different VLANs get different subnets. If you want them on the same subnet put them on the same VLAN or just use a dumb switch.
Look at the diagram I linked to again. It describes exactly how to put wifi together with some LAN hosts (VLAN 100) with a separate wifi VLAN for guests (VLAN 200).
-
What your dhcp server is doesn't matter as long as its on the same vlan, if you don't have a dhcp server on that vlan then you need a helper/relay that sends the dhcp request it sees on that vlan to whatever dhcp server has the scope for that network/vlan
this can be done on the switch or pfsense can do it as well, you just can not run a dhcp server if your running a relay. And keep in mind there are not automatic firewall rules if running relay. While if you run dhcp server on pfsense it auto creates the firewall rules that are hidden from the gui to allow dhcp server to get the traffic no matter what other rules you might have in place that would block it.
Yes you can do what your asking where your lan and wifi are on the same vlan, if you don't actually setup one then its vlan 1 or the native vlan without any tags.. Your vlan guest wifi vlan would be tagged.
Again without basic understanding of vlans your in for a bumpy ride..
Do some vlan basics
https://www.thomas-krenn.com/en/wiki/VLAN_Basics
http://www.firewall.cx/networking-topics/vlan-networks/214-vlan-concept.html
http://www.alliedtelesis.com/media/fount/how_to_note_alliedware_plus/overview_vlans.pdf
http://www.smallnetbuilder.com/lanwan/lanwan-howto/30071-vlan-how-to-segmenting-a-small-lan -
Thanks I will give it a try and keep you posted. But first i need to buy me the Switch. Right now I have the nighthawk r7000 ddwrt as switch and works fine with VLANS. But having it only as a switch is wasteful that why I would want to do the other method.
Thank again for everything
-
Hi,
Its me again ;D So i got me a EdgeRouter X which supports VLAN tagging. So what I did was to added 2 VLANS on my LAN (EM1)-
VLAN 2–--192.168.5.1/24-----on em1
-
VLAN 3----192.168.2.1/24-----on em1
Then on the firewall I would let all traffic pass just for now but when i connect to Guests Wifi i get the DHCP but no internet Also cannot ping pfSense 192.168.3.254 but I can ping my windows server 192.168.3.253
Did I miss something?
Thank you
See pictures
-
