What is the best way to run 300 VLANs on a network using pfSense?
-
"I have yet to see APs that understand private VLANs"
There are many on the market that recognise VLANs; we have one network using 5 VLANs, so I can definitely say our APs can (and we are using pfSense).
Private VLANs are different. Google: isolated, community, promiscuous private VLAN.
"300 SSIDs might be an issue but I don't see a problem with 300 VLANs with dynamic VLAN assignment."
You are correct about the dynamic VLAN. Only two SSIDs, traffic over separated VLANs.
Yeah, that's not a problem. I have never used it. Do the APs intelligently broadcast traffic among users of the same dynamic VLAN and isolate from others? I would guess they do or it would be useless, but I've never tested it. What are you using? Ruckus, Aruba, Cisco or ?
-
Hi.
Not private VLAN, although that would have been interesting.
We have networks with different AP hardware. However, the Ruckus will probably be our test bed.
Roofus
-
If I had a layer 3 switch available (and it sounds like you do), I'd use it to handle the VLANs. Put the pfSense inside interface on its own VLAN/subnet and let the layer 3 switch route between the VLANs and pfSense. Use ACLs on the switch to keep the various subnets from talking to each other.
-
Gomez
That is certainly an option to consider and with some appeal - it would help simplify the firewall rules etc. Currently we are using layer 2 switches that support PoE + VLAN, so this would be an addition of around £1,000. Cheaper if we could get pfSense to do it :) I do like the idea that a small layer 3 switch feeds multiple layer 2 switches that span to the different AP units.
Where would the DHCP come from in this instance as I assume PFSense would not be able to fulfill this role in this case?
Roofus
-
You should be able to put helper IP addresses (cisco terminology) on the VLAN interfaces in the layer 3 switch that forward DHCP requests to the pfsense box. I assume pfsense could be configured with a scope for each subnet. I've never tried that with pfsense, though.
-
Since you have virtualization available, you might also consider using a virtual router to take the place of the layer 3 switch. I've never used anything other than Cisco routers, so I can't offer specific details, but I'd think it wouldn't be too difficult to create a virtual Linux instance, trunk all 300 VLANs to it, set up routing in Linux and use iptables for the ACLs.
I seem to recall that someone has a Linux distribution specifically created to be a router.
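The "virtual Linux router with iptables ACLs" idea above, and the earlier suggestion of routing between VLANs on a layer 3 device while blocking inter-VLAN traffic, can be laid out concretely. The following is an added example, not code from anyone in this thread: a POSIX shell script that generates (and only prints, since applying it needs root) the 802.1Q sub-interface, addressing and iptables forwarding rules for a range of VLANs on one trunk port. The interface names eth0 (trunk) and eth1 (uplink to pfSense), the 10.x.y.0/24 per-VLAN addressing scheme and the VLAN range 101-400 are all assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the thread): print the Linux commands that turn one
# trunk port into a router for a range of VLANs, with iptables keeping the VLANs
# isolated from each other while each still reaches the upstream pfSense.
# Assumptions (hypothetical): trunk NIC is eth0, uplink to pfSense is eth1,
# VLAN N gets subnet 10.(N/256).(N%256).0/24 with .1 as the router address.
# Nothing is applied here; pipe the output into "sh" as root to apply it.

TRUNK=eth0
UPLINK=eth1

# vlan_subnet_prefix ID -> first three octets of that VLAN's /24, e.g. 250 -> 10.0.250
vlan_subnet_prefix() {
    echo "10.$(( $1 / 256 )).$(( $1 % 256 ))"
}

# vlan_iface_cmds ID -> commands that create the 802.1Q sub-interface and address it
vlan_iface_cmds() {
    id=$1
    prefix=$(vlan_subnet_prefix "$id")
    echo "ip link add link $TRUNK name $TRUNK.$id type vlan id $id"
    echo "ip addr add $prefix.1/24 dev $TRUNK.$id"
    echo "ip link set $TRUNK.$id up"
}

# all_vlan_cmds FIRST LAST -> interface commands for every VLAN in the range
all_vlan_cmds() {
    i=$1
    while [ "$i" -le "$2" ]; do
        vlan_iface_cmds "$i"
        i=$((i + 1))
    done
}

# isolation_rules -> FORWARD policy: VLAN<->uplink only, never VLAN<->VLAN.
# "eth0.+" uses the iptables interface-name wildcard, so one rule covers every
# VLAN sub-interface instead of needing 300*299 pairwise rules.
isolation_rules() {
    echo "sysctl -w net.ipv4.ip_forward=1"
    echo "iptables -P FORWARD DROP"
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A FORWARD -i $TRUNK.+ -o $TRUNK.+ -j DROP"
    echo "iptables -A FORWARD -i $TRUNK.+ -o $UPLINK -j ACCEPT"
}

# count_vlan_cmds FIRST LAST -> number of command lines generated (3 per VLAN)
count_vlan_cmds() {
    all_vlan_cmds "$1" "$2" | wc -l | tr -d ' '
}

# Stand-alone usage: print the full configuration for VLANs 101-400.
if [ "${1:-}" = "--print" ]; then
    all_vlan_cmds 101 400
    isolation_rules
fi
```

Run it as `sh gen_vlan_router.sh --print` to see the 900 interface commands followed by the five forwarding rules. The point of the wildcard DROP rule is that isolation holds by default for any VLAN added later; the only traffic allowed to cross the router is VLAN to uplink and the replies to it.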
-
"You should be able to put helper IP addresses (cisco terminology) on the VLAN interfaces in the layer 3 switch that forward DHCP requests to the pfsense box. I assume pfsense could be configured with a scope for each subnet. I've never tried that with pfsense, though."
Multiple scopes are not supported.
-
Most L3 switches would support DHCP, you can also set a separate small Linux box to run dhcpd and then "ip helper" each VLAN to that IP.
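To make the "separate dhcpd box plus ip helper on each VLAN" arrangement from the last two posts concrete, here is an added example (not code from anyone in this thread): a POSIX shell script that generates one ISC dhcpd scope per VLAN and the matching relay lines for a Cisco-style layer 3 switch. The 10.x.y.0/24 per-VLAN scheme, the gateway at .1, the DHCP server address 10.0.0.2 and the VLAN range 101-400 are assumptions for the example; adjust them to your addressing plan.

```shell
#!/bin/sh
# Added example (not from the thread): generate one ISC dhcpd scope per VLAN and
# the matching "ip helper-address" relay lines for a layer 3 switch, so each
# VLAN/subnet gets its own pool without writing 300 stanzas by hand.
# Assumptions (hypothetical): VLAN N uses 10.(N/256).(N%256).0/24, the gateway is
# .1, and the dhcpd box the switch relays to is 10.0.0.2 on 10.0.0.0/24.
# Output is printed, not installed; redirect it into dhcpd.conf or the switch.

DHCP_SERVER=10.0.0.2

vlan_subnet_prefix() {
    echo "10.$(( $1 / 256 )).$(( $1 % 256 ))"
}

# dhcpd_subnet_block ID -> one dhcpd.conf "subnet" stanza with its own pool.
# dhcpd picks the stanza by the relay's giaddr, so each VLAN needs its own.
dhcpd_subnet_block() {
    p=$(vlan_subnet_prefix "$1")
    cat <<EOF
subnet $p.0 netmask 255.255.255.0 {
    range $p.100 $p.200;
    option routers $p.1;
    option domain-name-servers $p.1;
}
EOF
}

# dhcpd_conf FIRST LAST -> complete dhcpd.conf covering the VLAN range.
# The empty stanza for the server's own subnet is required: without a matching
# declaration dhcpd refuses to listen on the interface the relays talk to.
dhcpd_conf() {
    echo "authoritative;"
    echo "default-lease-time 3600;"
    echo "max-lease-time 7200;"
    echo "subnet 10.0.0.0 netmask 255.255.255.0 { }"
    i=$1
    while [ "$i" -le "$2" ]; do
        dhcpd_subnet_block "$i"
        i=$((i + 1))
    done
}

# relay_config FIRST LAST -> Cisco-style SVI lines that forward each VLAN's
# DHCP broadcasts to DHCP_SERVER (the "helper IP" mentioned in the thread)
relay_config() {
    i=$1
    while [ "$i" -le "$2" ]; do
        p=$(vlan_subnet_prefix "$i")
        echo "interface Vlan$i"
        echo " ip address $p.1 255.255.255.0"
        echo " ip helper-address $DHCP_SERVER"
        i=$((i + 1))
    done
}

# scope_count FIRST LAST -> number of subnet stanzas in the generated config
scope_count() {
    dhcpd_conf "$1" "$2" | grep -c '^subnet '
}

if [ "${1:-}" = "--dhcpd" ]; then dhcpd_conf 101 400; fi
if [ "${1:-}" = "--relay" ]; then relay_config 101 400; fi
```

`sh gen_dhcp.sh --dhcpd > dhcpd.conf` produces the server side and `--relay` the switch side. Because the relay rewrites the request with giaddr set to the VLAN's gateway address, the server never needs an interface in each VLAN, which is exactly what keeps a single dhcpd box workable for 300 subnets.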
-
If pfsense DHCP won't do multiple scopes, then you need something that will. It sounds like you need either a layer 3 switch that does DHCP, or a virtual router to do your layer 3 routing and hand out IP addresses.
Even if pfsense could be fixed to handle 300 VLANs, you still need something to run DHCP with a scope for each VLAN/subnet.
-
pfSense will do multiple scopes just fine. It just can't be configured to accept helper requests from multiple subnets on one interface.
-
"pfSense will do multiple scopes just fine. It just can't be configured to accept helper requests from multiple subnets on one interface."
Well that's just silly.