Clients not getting IP address from DHCP in DMZ
-
separate switches or VLANs. (for the third time)
-
If the cameras are wireless, you will either need to get another AP and run it through another physical NIC in pfSense, or check if your current AP can do virtual SSIDs with VLAN tagging. If it is the latter, then you would still need to get a managed switch so you can handle the VLANs between your AP and pfSense if you want other wireless clients to be on the LAN subnet.
-
Yes, webcams are wireless too. My question was, can I separate "wireless" webcams (DMZ) from other wireless LAN clients connecting to a single AP. That AP connects to a physical switch and then to pfSense. I guess I can't do it with a single AP and I need the third NIC on the server. I thought there might be a non-physical way of doing it.
-
Just like switches, an AP can put one wireless network on one VLAN and another wireless network on another VLAN, if it has the hardware and software necessary. The tagged switch port will keep them separate in the switch and the tagged switchport going to pfSense will give the traffic to the correct pfSense VLAN interface.
-
I might have to flash the AP with OpenWRT to do VLAN, currently Gargoyle doesn't. If the AP can set VLANs, do I still need to buy a managed switch?
-
Almost certainly yes.
-
I might have to flash the AP with OpenWRT to do VLAN, currently Gargoyle doesn't. If the AP can set VLANs, do I still need to buy a managed switch?
I assume your path will be AP <-> Switch <-> pfSense. If you are going to be running VLANs on the AP then every device in the chain will need to be VLAN aware, this includes the switch. So in this setup you will need a managed switch. OpenWRT handles VLANs quite well provided the AP hardware has that feature.
Another option is to put an additional physical NIC in pfSense and plug your AP into it. You could then create two VLANs for your WiFi LAN and DMZ. Downside is your wireless LAN devices would need to be on a different subnet from your wired LAN devices. This could cause issues for applications that need to be on the same subnet to function (Sonos speakers and the controller app is one example).
A third option is to add a wireless NIC to pfSense and use it as an AP for the DMZ. I don't know enough about how it runs in your hypervisor to say whether it will let a virtual instance of pfSense directly manage a wireless NIC.
The easiest option to set up and manage is probably a managed switch.
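As an added illustration of the tagging described in this thread (not code from any poster, and not pfSense or OpenWRT code): a small Python model of how the 802.1Q tag on the trunk port decides which VLAN interface a frame reaches. The VLAN IDs 10 and 20, the interface names and the MAC addresses are constructed assumptions.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q VLAN tag

# Assumed VLAN plan (constructed for this example, not from the thread):
# SSID for LAN clients -> VLAN 10, SSID for the webcams (DMZ) -> VLAN 20.
VLAN_TO_INTERFACE = {10: "LAN_WIFI", 20: "DMZ"}

# Constructed, locally administered MAC addresses.
FIREWALL = bytes.fromhex("020000000001")
WEBCAM = bytes.fromhex("020000000020")


def build_frame(dst, src, ethertype, payload, vlan_id=None, priority=0):
    """Build an Ethernet frame; insert an 802.1Q tag when vlan_id is given."""
    header = dst + src
    if vlan_id is not None:
        if not 1 <= vlan_id <= 4094:
            raise ValueError("VLAN ID must be 1..4094")
        tci = (priority << 13) | vlan_id  # PCP (3 bits), DEI = 0, VID (12 bits)
        header += struct.pack("!HH", TPID_8021Q, tci)
    return header + struct.pack("!H", ethertype) + payload


def parse_vlan(frame):
    """Return (vlan_id, inner_ethertype); vlan_id is None if untagged."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != TPID_8021Q:
        return None, ethertype
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, inner = struct.unpack("!HH", frame[14:18])
    return tci & 0x0FFF, inner  # low 12 bits of the TCI are the VLAN ID


def classify(frame):
    """Name the VLAN interface a trunk frame belongs to in this model."""
    vlan_id, _ = parse_vlan(frame)
    # Untagged frames and unknown VLAN IDs match no VLAN interface here.
    return VLAN_TO_INTERFACE.get(vlan_id, "UNASSIGNED")


if __name__ == "__main__":
    for vid in (20, 10, 30, None):
        frame = build_frame(FIREWALL, WEBCAM, 0x0800, b"data", vlan_id=vid)
        print(vid, "->", classify(frame))
```

The tag is the only thing in the frame that separates the two SSIDs on the shared cable, which is why each device in the AP <-> switch <-> pfSense path has to understand it.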
-
kesawi and derelict, thank you. This noob was thinking that DMZ is simply created by assigning clients on different IP subnets.
-
kesawi and derelict, thank you. This noob was thinking that DMZ is simply created by assigning clients on different IP subnets.
Glad to be able to assist. For the majority of home and small business networks the wireless AP does all three jobs (AP, switch & router), and it is just as simple as that, since the AP takes care of the configuration of the VLANs, network bridging and SSIDs in the background when the user ticks the enable DMZ box in their web GUI. The guest network present on a lot of wireless routers is essentially a separate DMZ VLAN. When you start separating out functions and components, as you have, then you need to start managing and configuring them yourself.
Check out the following for some information on VLANs in small networks to get a better understanding:
-
I like smallnetbuilder.com. Which brand is better for home use? The managed switch will be in my office, so I will prefer a fanless unit. The GUI should be easy to use. Zyxel, Netgear, D-Link, TP-Link?
-
What is your budget for your managed switch? I can say nothing but good things about the Cisco SG300 line. Currently at $130-135 at Amazon. Freaking STEAL!! I picked mine up at $193 a year and a half ago, and that was a good price then. Keep meaning to pick up another one to replace my OLD, very limited Netgear GS108T smart switch.
http://www.amazon.com/Cisco-SG300-10-10-port-Gigabit-SRW2008-K9-NA/dp/B0041ORN6U
The SG300 is a fully managed switch that even supports L3 mode if you want it.