Netgate Discussion Forum
    Virtual Access Point (VAP) as Subnet on Wireless Access Point (WAP)

    7 Posts 3 Posters 2.8k Views
    mifronte

      I have a NETGEAR R7000 running dd-wrt as my wireless access point off the LAN port on my pfSense router.  The main WiFi network on the WAP is part of my LAN (192.168.1.0/24).

      I followed this Multiple WLANs wiki to create a virtual access point (VAP) on the dd-wrt NETGEAR R7000 to provide a guest WiFi on a subnet (192.168.2.0/24) with the sole purpose of sharing the Internet connection, but is restricted from accessing my main LAN (192.168.1.0/24).  Here is the default dd-wrt internal device network.

      Basically on the WAP:
      The WAN (disabled and acts like a LAN port), LAN, physical 2.5GHz, and physical 5GHz interfaces are assigned to bridge br0 which is part of the main LAN (192.168.1.0/24) on the pfSense LAN port.  The VAP guest WiFi (also on the dd-wrt router) is assigned to bridge br1, which is on the subnet 192.168.2.0/24.

      According to the wiki, I needed to put the following 2 iptables rules on the dd-wrt router:

      Restrict br1 from accessing br0's subnet but pass traffic through br0 to the internet (for WAP's - WAN port disabled):
      ```sh
      iptables -I FORWARD -i br1 -d $(nvram get lan_ipaddr)/$(nvram get lan_netmask) -m state --state NEW -j DROP
      ```

      Enable NAT for traffic being routed out br0 so that br1 has connectivity (for WAP's - WAN port disabled):
      ```sh
      iptables -t nat -I POSTROUTING -o br0 -j SNAT --to $(nvram get lan_ipaddr)
      ```

      I don't like the idea of enabling NAT on the WAP, but without it, the devices on the guest WiFi have no Internet connection.

      • Can static routes be used on the pfSense router instead of NAT on the WAP to allow the guest WiFi to have Internet connection or is there a better way than enabling NAT on the WAP?

      • Would this be considered double NAT since pfSense will perform NAT again for devices on the guest WiFi?

      SuperMicro Atom C2758 A1SRI-2758F 16GB
      2.7.2 (amd64)
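The two wiki rules quoted in the post, as an added example that is not the thread's or the dd-wrt wiki's own code: a complete dd-wrt firewall script that isolates the guest bridge (br1) from the LAN bridge (br0) on an AP with its WAN port disabled. It adds two things the bare rules leave out: it also keeps guest clients away from the AP's own management services (only DHCP and DNS to the AP are allowed), and it limits the SNAT to guest-sourced traffic. The interface names, the guest subnet 192.168.2.0/24, and the fallback LAN address 192.168.1.2/255.255.255.0 (used only when `nvram` is not available, i.e. when reviewing the script off the AP) are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or the dd-wrt wiki): guest VAP isolation
# for a dd-wrt AP whose WAN port is disabled. Assumptions: br0 = main LAN
# bridge, br1 = guest VAP bridge, guest subnet 192.168.2.0/24, dnsmasq on the
# AP serves DHCP/DNS to br1, and the AP's LAN address/mask live in nvram.

LAN_BR=${LAN_BR:-br0}
GUEST_BR=${GUEST_BR:-br1}
GUEST_NET=${GUEST_NET:-192.168.2.0/24}

# Off the AP (no nvram on PATH) the rules are printed instead of applied;
# DRY_RUN=1 forces that behaviour on the AP too.
command -v nvram >/dev/null 2>&1 || DRY_RUN=1

run() {
    if [ -n "$DRY_RUN" ]; then echo "$*"; else "$@"; fi
}

# The values the wiki's rules read with `nvram get`; the fallbacks are assumed
# values so the script can be dry-run on any machine.
lan_addr() { nvram get lan_ipaddr  2>/dev/null || echo 192.168.1.2; }
lan_mask() { nvram get lan_netmask 2>/dev/null || echo 255.255.255.0; }

# $1 = AP LAN address, $2 = LAN netmask, $3 = guest subnet (CIDR)
apply_guest_isolation() {
    lan_ip=$1; mask=$2; guest=$3

    # 1. Guest clients may not open new connections into the LAN subnet.
    #    Existing states still pass, so LAN-initiated connections into the
    #    guest network (and their replies) keep working.
    run iptables -I FORWARD -i "$GUEST_BR" -d "$lan_ip/$mask" -m state --state NEW -j DROP

    # 2. Guest clients may reach the AP itself only for DHCP and DNS; this
    #    keeps the dd-wrt web UI / ssh off the guest SSID. Rules are inserted
    #    at the top, so the DROP goes in first and the ACCEPTs land above it.
    run iptables -I INPUT -i "$GUEST_BR" -j DROP
    run iptables -I INPUT -i "$GUEST_BR" -p udp --dport 67 -j ACCEPT
    run iptables -I INPUT -i "$GUEST_BR" -p udp --dport 53 -j ACCEPT
    run iptables -I INPUT -i "$GUEST_BR" -p tcp --dport 53 -j ACCEPT
    run iptables -I INPUT -i "$GUEST_BR" -m state --state ESTABLISHED,RELATED -j ACCEPT

    # 3. Hide the guest subnet behind the AP's LAN address, but only for
    #    guest-sourced traffic. pfSense then sees it as a LAN host and NATs it
    #    again on WAN (the double NAT the post asks about). Without this rule
    #    pfSense would need a static route for $guest via $lan_ip and a LAN
    #    rule that permits that source address.
    run iptables -t nat -I POSTROUTING -o "$LAN_BR" -s "$guest" -j SNAT --to-source "$lan_ip"
}

apply_guest_isolation "$(lan_addr)" "$(lan_mask)" "$GUEST_NET"
```

On the AP the script body goes into Administration > Commands and is saved as the firewall script so it re-runs after every reboot; run it with `DRY_RUN=1` first and compare the printed rules against `iptables -L FORWARD -v -n` and `iptables -t nat -L POSTROUTING -v -n` after applying.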

        johnpoz LAYER 8 Global Moderator

        If you want guest or wifi networks on different vlans then you need an AP that can tag.  It might be possible to do this with something running dd-wrt, have not played with those in years.

        I would suggest you just get a real AP that does vlans.  The new unifi ac line starts at $89 for the lite model, the pro model retails for $149

        These provide for 4 SSID on each radio so you could have 8 different vlans.  You then do your control at pfsense to what you want or don't want these different vlans to be able to do.

        They just enabled DFS for both us/ca; europe has had it for a while.  These provide for added features like band steering, air time fairness.  You can not run a controller on windows, linux, mac.  I just run mine on a vm, gives you lots of insight and control into your wifi networks.

        It is one thing to leverage your old wifi router as your AP as you move to pfsense, but if you really want to do wifi with all the bells and whistles I really would suggest getting a real AP.  They are POE that allows for proper placement, etc. etc..

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.7.2, 24.11

          mifronte

          For a Unifi AP with VLAN, would the switch between my pfSense and the AP need to be a smart switch that support VLAN?

            johnpoz LAYER 8 Global Moderator

            Yes if you're going to run vlans you need a switch to support vlans unless you're going to just plug the AP directly into a nic on pfsense.  Then you don't need a smart switch..  But smart switches are very reasonable..  You do not need a $1000 enterprise switch here ;)

            8 port gig smart under $40..

              gjaltemba

              Currently, I have 3 unmanaged 8 port gigabit switches. Any feedback on replacing them with a used Cisco Small Business Smart Switch (SG200-26) or something else will be appreciated.

                mifronte

                Yes I would need at least a 24-port PoE smart switch.  Any recommendations to a robust value switch that doesn't break the bank?

                In the meantime, if I wanted to get the subnet on my current AP working without NAT, can I define a static route on my pfSense to the subnet?  From my understanding, without NAT on the AP, the pfSense would not be able to find my subnet on the AP.

                  mifronte

                  @johnpoz:

                  Yes if you're going to run vlans you need a switch to support vlans unless you're going to just plug the AP directly into a nic on pfsense.  Then you don't need a smart switch..  But smart switches are very reasonable..  You do not need a $1000 enterprise switch here ;)

                  8 port gig smart under $40..

                  I am still researching smart switches, but can you elaborate on how to setup the VLANs using the Unifi AP Pro (just ordered it based on your recommendation) plugged directly into my pfSense 3rd interface?  My pfSense has 4 total interfaces with two currently being used (WAN & LAN).  I haven't found any VLAN settings on the pfSense GUI.  I know I have to configure VLAN on the AP, but I don't quite understand what's needed to be done on the pfSense box.

                  I would like the non-guest WiFi to be part of LAN (full access), but the guest WiFi to only have Internet access.  However, I would like devices on my LAN and non-guest Wifi to have full access to devices on the guest WiFi.

                  This is my first foray into VLAN and so I am trying to read as much as possible and put it all together in the context of pfSense.

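The policy asked for in the last post (guest SSID gets Internet only, LAN and non-guest WiFi keep full access into the guest network), as an added example that is not from the thread or from pfSense itself. In pfSense the tagged interface is created under Interfaces > Assignments, VLANs tab, on the physical port the AP plugs into, then assigned and enabled; the firewall rules are then written on that new interface. The script below emits the equivalent policy as a plain pf ruleset, so the ordering that makes it safe can be checked, and validates it with `pfctl -nf` when run on the firewall. Assumed names: the third port is igb2, the guest VLAN tag is 20 (FreeBSD names the VLAN interface igb2.20), LAN is igb1 on 192.168.1.0/24, and the guest VLAN is 192.168.2.0/24 with pfSense as its gateway and DHCP/DNS server.

```shell
#!/bin/sh
# Added example (not from the thread or pfSense): pf rules for a tagged guest
# SSID, written as the plain ruleset the pfSense GUI rules amount to.
# Assumed names: guest VLAN interface igb2.20, LAN interface igb1,
# LAN 192.168.1.0/24, guest VLAN 192.168.2.0/24.

# $1 = guest VLAN interface, $2 = LAN interface, $3 = LAN net, $4 = guest net
guest_ruleset() {
    cat <<EOF
guest_if  = "$1"
lan_if    = "$2"
lan_net   = "$3"
guest_net = "$4"

# Guest clients need DHCP (broadcast, so "from any") and DNS from pfSense.
pass in quick on \$guest_if proto udp from any port 68 to any port 67 keep state
pass in quick on \$guest_if proto udp from \$guest_net to (\$guest_if) port 53 keep state
pass in quick on \$guest_if proto tcp from \$guest_net to (\$guest_if) port 53 keep state
# Nothing else on pfSense itself (web GUI, ssh) and nothing on the LAN.
# "quick" is first-match, so these blocks must sit above the catch-all pass;
# a "pass to any" placed first would silently let guests into the LAN.
block in quick on \$guest_if from \$guest_net to (\$guest_if)
block in quick on \$guest_if from \$guest_net to \$lan_net
# Everything else, i.e. the Internet, is allowed.
pass in quick on \$guest_if from \$guest_net to any keep state
# LAN keeps full access, including into the guest VLAN. pf's state table
# lets the replies back in even though guest -> LAN is blocked above.
pass in quick on \$lan_if from \$lan_net to any keep state
EOF
}

# Syntax-check the ruleset on the firewall without loading it (needs pfctl).
check_ruleset() {
    if command -v pfctl >/dev/null 2>&1; then
        guest_ruleset "$@" | pfctl -nf -
    else
        echo "pfctl not found; syntax check skipped" >&2
    fi
}

# True when every block rule for guest traffic precedes the catch-all pass,
# which is what makes the isolation hold under first-match semantics.
ruleset_order_ok() {
    rules=$(guest_ruleset "$@")
    last_block=$(printf '%s\n' "$rules" | grep -n '^block in quick on \$guest_if' | tail -1 | cut -d: -f1)
    catch_all=$(printf '%s\n' "$rules" | grep -n '^pass in quick on \$guest_if from \$guest_net to any' | cut -d: -f1)
    [ -n "$last_block" ] && [ -n "$catch_all" ] && [ "$last_block" -lt "$catch_all" ]
}

guest_ruleset igb2.20 igb1 192.168.1.0/24 192.168.2.0/24
```

When the same policy is entered through the GUI, the block rules on the guest interface must be above the "allow any" rule for the same reason, and `pfctl -sr` on the firewall shows the generated order so it can be verified after saving.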
                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.