Separate LAN and WLAN
-
And both of those interfaces are connected to the same unmanaged switch?
-
No. They are different network cards on my server. If I had both of them plugged into the same switch that would create a network loop and nothing would work correctly.
-
Then your /16 "management" host would not work. You are confused about something. If you have pass any any rules on the interface your /16 host is on that's why you can access the other network. It has nothing to do with your /16.
The real tool here is separate interfaces with firewall rules preventing untrusted hosts from accessing things they shouldn't. Netmasks really don't come into play.
-
How have you put your network together? See diagram
How many ethernet interfaces does your pfSense have? 2, one in (on-board NIC) and one NIC card out
What kind of switch are you using to connect the DD-WRT devices? All 4 DD-WRT are set to AP/dumb_switch, so one of the DD-WRT is the switch
What do you want devices connected to Wi-Fi to have access to besides the internet? For the most part, just internet. There are one or two that I want to have full access, but I assume that I can handle that with MAC rules
-
Re: https://www.dd-wrt.com/wiki/index.php/Separate_LAN_and_WLAN
There are several iptables commands, at the end of the page. Dose this help?
-
yeah that gear cannot give you any isolation without going to VLANs on the DD-WRT devices. I will be zero help with that. Every time I try to DD-WRT something I brick it.
-
dd-wrt can do some really neat stuff above and beyond anything the native firmware does. But if what you want is vlans for your different ssid, I really would suggest you get real AP with vlan support, and then a switch with vlan support.
What specific version of dd-wrt are you running on what specific hardware? While dd-wrt my have support for vlans, from what I recall it did not work on all chipsets that dd-wrt ran on, etc.
Post your vlan setup you have setup on dd-wrt for atleast your dd-wrt connect to pfsense and then a downstream AP..
Your vlans should be setup here.. With trunking on the ports that are you uplink, etc.
That being said even if get it to work.. I really would suggest you get a switch with real vlan support and AP with support as well. This can be done on a very low home budget.. A 8 port gig switch with vlan support can be had for under $40, and a AC AP with vlan support from unifi is like $89 to start..
-
Thanks for the feedback. Most of this is me not knowing what questions to ask. Now that I'm headed in the right direction (knock on wood) I think I can get this.
I'm studding up on VLAN, trunks, native, management, 802.1Q and why I should care.
I think the hard part is going to be on the pfSense side. The pfSense Documentation site "VLAN Trunking" says "There is a lot more detail on VLANs…and more in The pfSense Book" then goes on to tell you how to set up your switch.
So, if anyone knows of a good how-to once I get the trunk to pfSense, that would be a big help.
What specific version of dd-wrt are you running on what specific hardware? All of them are running the firmware that's on the wiki:
Linksys E800*
Netgear WNR3500L (main switch)
Linksys WRT54GL
Also, a openWRT Linksys E1700, not on network yet.*only one not on the VLAN list. But I can restrict this one so that only I'm using.
-
Well, sort of good news…
I just picked up a Cisco Catalyst 3560 PoE-48, for $20USD
Going to take me a week* to set up and get it running. But that should help things a lot.
*I'm guessing here. Never had a real switch before.
-
you got a 3560 for $20??
Is it a G or just 10/100? Do you have any use for poe or 48 ports? You would of prob been better off getting a cheap gig switch to be honest..
As to pfsense being the hard part - yeah don't think so.. You add a vlan, give it tag ID.. It is now just like any other interface in pfsense.
-
It says 3560G on it, but my understanding was that it's 10/100.
No use for PoE right now, but I've seen some cool ideas for R-Pi. And I'll probably only use 15 ports, but for $20 it's still rather cool 8)
Do I understand right, I have to add VLAN from Package Manager? I'm not seeing it there, or in any drop down.
-
no there is no package to add.. you add a vlan here..
This is where you add tag and what physical interface the vlan sits on..
Curios what version of the ios is on it.. I would guess quite dated, and without cisco account no real "legit" way to get the code updated. But if you look you can find them ;) If you have questions about that - drop me a pm once you get the switch.. Normally the G on the end would mean gig.. Pretty sure that 3560 line has been EOL for quite some time. http://www.cisco.com/c/en/us/products/collateral/switches/catalyst-3750-series-switches/eol_c51-696372.html
I would have to login and look when was last version of ios relased, but from that eol doc shows like jan of 2014 was last software release that was not security related.
But yeah for 20$ great little find.. let me know the exact model number when you get it and will check latest software version for you. Looks like released some code in 2015 so that is pretty good.
-
Thank you, I found it now.
