Multiple IP Networks on 1 Interface
-
What is the make and model? If its some consumer sort of AP then highly doubtful it does. Now you can do some vlans with old wifi routers with 3rd party firmware on them, like dd-wrt or openwrt, etc. If that is what your using for an AP, the vlan support is still dependent on the hardware - some devices that support dd-wrt for example can not do vlans even if dd-wrt supports it.
-
What is the make and model? If its some consumer sort of AP then highly doubtful it does. Now you can do some vlans with old wifi routers with 3rd party firmware on them, like dd-wrt or openwrt, etc. If that is what your using for an AP, the vlan support is still dependent on the hardware - some devices that support dd-wrt for example can not do vlans even if dd-wrt supports it.
No its a newer AP from Amped wireless. Will check into it.
-
So looked at their
While it lists this as a feature..
"Add up to eight additional wireless networks for other rooms or offices. Each network can be customized with unique passwords and bandwidth restrictions for guests."It says nothing about vlan support.. So while you might be able to limit their bandwidth depending on which SSID they are on - seems to me they are still all on the same layer 2 as it goes to your router.
APA2600M, at $200.. WTF.. no vlan support??
Under their data sheet for requirements it only lists
"A router or network switch with an available network (LAN) port"Says nothing that these devices need vlan support.. So tells me it does NOT support vlans!! Its consumer hyped up marketing crap if you ask me.. Sell it and get a real AP that does vlans!! If you want to isolate your devices! And then be able create firewall rules between these networks.
Unifi Pro, supports 8 ssids on each band. DFS channels, ATF, Dynamic vlans even is only $130.. The HD that is wave 2 AC lists for $349..
https://unifi-hd.ubnt.com/To get vlans looks like you need to go with their pro series - APR175P, shows it supports vlans.
-
So looked at their
While it lists this as a feature..
"Add up to eight additional wireless networks for other rooms or offices. Each network can be customized with unique passwords and bandwidth restrictions for guests."It says nothing about vlan support.. So while you might be able to limit their bandwidth depending on which SSID they are on - seems to me they are still all on the same layer 2 as it goes to your router.
APA2600M, at $200.. WTF.. no vlan support??
Under their data sheet for requirements it only lists
"A router or network switch with an available network (LAN) port"Says nothing that these devices need vlan support.. So tells me it does NOT support vlans!! Its consumer hyped up marketing crap if you ask me.. Sell it and get a real AP that does vlans!! If you want to isolate your devices! And then be able create firewall rules between these networks.
Unifi Pro, supports 8 ssids on each band. DFS channels, ATF, Dynamic vlans even is only $130.. The HD that is wave 2 AC lists for $349..
https://unifi-hd.ubnt.com/To get vlans looks like you need to go with their pro series - APR175P, shows it supports vlans.
Appreciate your help. Checked the config and yes cannot find anything to do with vlan support so does not look possible. Is there no other solution possible with PFSense?
Cheers!
-
Other solution for what? When you want to isolate networks you either need to isolate them at physical layer to create your different layer 2 networks, or you need to do it with vlans. This is networking 101.. This is not something special to pfsense in any way shape or form..
So you either need a bunch of dumb switches an interfaces and AP to put all the devices on different networks, or you need devices that can create the different layer 2 networks via vlans..
Running different IP address on the same wire does not isolate anything..
-
Other solution for what? When you want to isolate networks you either need to isolate them at physical layer to create your different layer 2 networks, or you need to do it with vlans. This is networking 101.. This is not something special to pfsense in any way shape or form..
So you either need a bunch of dumb switches an interfaces and AP to put all the devices on different networks, or you need devices that can create the different layer 2 networks via vlans..
Running different IP address on the same wire does not isolate anything..
Like I said before I'm not looking for rock solid security. I get vlan's are great if you happen to have enterprise hardware. I don't as we have established and don't really want to buy new hardware. Multiple networks on the same interface would however create different broadcast domains and isolate the two networks for the common user. Or in my case if I wanted to put some non-user devices in their own network. IE the user would still need to know of the other network and be able to change policy to reach it and the firewall would still be able to control routed traffic. I don't see why this is such a terrible solution in my situation, once again given that vlan's are not an option right now.
-
" I get vlan's are great if you happen to have enterprise hardware"
You can get a vlan switch for like $40.. Wouldn't call this enterprise hardware. You can pick up a AC vlan AP for $89 retail - not going to bust the bank.
You can run multiple layer 3 networks on a same layer 2 if you want. But not going to work for dhcp.. You can not run 2 different dhcp servers on the same interface handing out different pools in different networks.
You could run dhcp in 1 network, and then assign different ranges of IPs based upon mac to so some clients get say 192.168.0.x/23 and others get 192.168.1.x/23 - this is 1 network.
Pfsense is NOT going to let you run a dhcp server on a VIP address.
So to do with you want for dhcp you would have to setup reservations for every mac..
Dude save yourself a bunch of pain and suffering and get yourself a vlan switch and a AP.. Could be done for $120..
https://www.amazon.com/dp/B00K4DS5KU/ref=twister_B06XDLVVF6?_encoding=UTF8&psc=1
$30https://www.amazon.com/Ubiquiti-Unifi-Ap-AC-Lite-UAPACLITEUS/dp/B015PR20GY
$78$108 and all your problems are gone! depending how many different devices you need wired on different vlans you could prob get away with 5 porter for $25 vs 30.. But for $5 I would get the 8 porter.
Its not the greatest switch in the world - but it does vlans!
Running multiple layer 3 on the same layer 2 does not create multiple broadcast domains - it would be just 1 wire.. So broadcast from device on 192.168.1/24 would be seen by 192.168.2/24 etc.. Since broadcast goes to FF:FF:FF:FF:FF:FF This is why you would have issues with trying to run dhcp on the sort of setup your talking about!
You can create vips on the interfaces for whatever networks you want - you could run 100's of L3 networks on your wire - but your not going to be able to run dhcp on these VIP addresses.
-
Hi thanks for your input.
Yes my original idea was to set 2 DHCP servers one would deny any DHCP requests except for those in the list. The list isnt very large so not really a big deal to populate. It would still leave the other DHCP as a possible issue for getting the correct IP however based on the initial networkless broadcast (255…255). So really I guess the only sure way would be to just use statically assigned addressing.
Don't live in the states so those prices don't work for me. None the less not really interested in buying anything right now.
Not sure I follow your example on broadcast domains. Every network has a broadcast domain. Broadcast domain should only be replied to by the same network it belongs to. I'm aware one could sniff it out...etc.
broadcast of 192.168.0.63 would be for 192.168.0.1 - 192.168.0.62Anyway does not really matter much. Posted here to see if there were other options out there but does not seem so.
Thanks for your input/advise.
-
yes every network has a broadcast IP 192.168.0/24 would be 192.168.0.255, but what MAC address do you think that goes too??
See attached is a broadcast to the network broadcast address .255 - look at the MAC.. That is a directed broadcast, but dhcp would be a full broadcast to 0.0.0.0 same all F's mac..
How exactly are you going to run 2 dhcps on the same wire on pfsense?? So even if you deny all on one, and reversed the deny on the other so your devices could only get their reservations. Pfsense will not let you run them in such a borked configuration..
If you want to do the borked config vs doing it correctly, then you would have to setup static IPs for everything.. Or run the second dhcp on something else other than pfsense and then limit what the dhcp servers will hand out IPs for.. If your going to go to all of that trouble - prob just be easier to setup static IPs on the devices themselves, etc.
Good luck!
-
yes every network has a broadcast IP 192.168.0/24 would be 192.168.0.255, but what MAC address do you think that goes too??
See attached is a broadcast to the network broadcast address .255 - look at the MAC.. That is a directed broadcast, but dhcp would be a full broadcast to 0.0.0.0 same all F's mac..
How exactly are you going to run 2 dhcps on the same wire on pfsense?? So even if you deny all on one, and reversed the deny on the other so your devices could only get their reservations. Pfsense will not let you run them in such a borked configuration..
If you want to do the borked config vs doing it correctly, then you would have to setup static IPs for everything.. Or run the second dhcp on something else other than pfsense and then limit what the dhcp servers will hand out IPs for.. If your going to go to all of that trouble - prob just be easier to setup static IPs on the devices themselves, etc.
Good luck!
Yes exactly that's what I wrote more or less as well. :)
So not really worth doing right now but will have to do some thinking on what I should do.
Thanks for your help.
