Adding AP to PFSense , Vlan trunking

Adnanx · Jul 31, 2017, 8:33 AM

Hello everybody

I have two questions

First one How can i add AP to PFSense ( to work as wireless controller )

and are AP and wireless router will do the same job if they configure wih bridge settings

Second question i install PFSense on pc that connected to switch 1 and switch 1 is connected to the core switch which is distributing traffic to other switches as the figure shows

how can i use vlan called wifi in all switches 1 ,2 ,3, 4 core and so on so that i can connect AP to any switch and it will work with wireless controller

johnpoz · Jul 31, 2017, 9:03 AM

You would trunk (tagg) the vlans you want between your switches..

Every connection you list in your drawing would be trunked (vlans tagged).. Unless you have your core switch doing routing, is that a L3 switch and your routing traffic at it? If not and pfsense is doing the routing between vlans then you need to tag all the vlans on uplinks between switches/routers (pfsense).

What are the make and model of your switches?

NogBadTheBad · Jan 15, 2018, 4:50 PM

Are all the switches vlan aware ?

If they are :-

Create the VLANs you require on the switches.
Pass those VLANS across the other links to switches, the uplink ports need to carry all the VLANS and also the port that connects to pfSense
Configure the ports that the AP and controller will go on.

I've set mine up like this :-

LAN 172.16.1.1 2a02:xxxx:yyyy:1::1 < VLAN 4093 untagged
USER 172.16.2.1 2a02:xxxx:yyyy:2::1 < VLAN 2 tagged
GUEST 172.16.3.1 2a02:xxxx:yyyy:3::1 < VLAN 3 tagged
IOT 172.16.4.1 2a02:xxxx:yyyy:4::1 < VLAN 4 tagged
DMZ 172.16.5.1 2a02:xxxx:yyyy:5::1 < VLAN 5 tagged
VOICE 172.16.6.1 2a02:xxxx:yyyy:6::1 < VLAN 6 tagged

One of the vlan's will more than likley need to be untagged, if your going to get a Ubiquity AP you'll need an untagged vlan for the AP & CloudKey.

I made the LAN interface my untagged network management subnet, switches & access-points sit here.

Creating vlans in pfSense is dead easy :-

Interfaces ->Interface Assignments
VLANS
+Add
Select the Parent Interface, add the vlan number & Description
Configure the IP info on the interface

I've also renamed my interfaces from OPTx to their function.

Remember you need to carry all the vlans required on the edge switch across the interlink.

Adnanx · Jul 31, 2017, 10:18 AM

@johnpoz:

You would trunk (tagg) the vlans you want between your switches..

Every connection you list in your drawing would be trunked (vlans tagged).. Unless you have your core switch doing routing, is that a L3 switch and your routing traffic at it? If not and pfsense is doing the routing between vlans then you need to tag all the vlans on uplinks between switches/routers (pfsense).

What are the make and model of your switches?

all switches are extreme switch
the core switch is extreme 8000 series and switch 1,2,3,4 are extreme switch x250e

Adnanx · Jul 31, 2017, 10:31 AM

@NogBadTheBad:

Are all the switches vlan aware ?

If they are :-

Create the VLANs you require on the switches.

Pass those VLANS across the other links to switches, the uplink ports need to carry all the VLANS and also the port that connects to pfSense

Configure the ports the the AP and controller will go on.

I've set mine up like this :-

LAN 172.16.1.1 2a02:xxxx:yyyy:1::1 < VLAN 4093 untagged
USER 172.16.2.1 2a02:xxxx:yyyy:2::1 < VLAN 2 tagged
GUEST 172.16.3.1 2a02:xxxx:yyyy:3::1 < VLAN 3 tagged
IOT 172.16.4.1 2a02:xxxx:yyyy:4::1 < VLAN 4 tagged
DMZ 172.16.5.1 2a02:xxxx:yyyy:5::1 < VLAN 5 tagged
VOICE 172.16.6.1 2a02:xxxx:yyyy:6::1 < VLAN 6 tagged

One of the vlan's will more than likley need to be untagged, if your going to get a Ubiquity AP you'll need an untagged vlan for the AP & CloudKey.

I made the LAN interface my untagged network management subnet, switches & access-points sit here.

Creating vlans in pfSense is dead easy :-

Interfaces ->Interface Assignments

VLANS

+Add

Select the Parent Interface, add the vlan number & Description

Configure the IP info on the interface

I've also renamed my interfaces from OPTx to their function.

Remember you need to carry all the vlans required on the edge switch across the interlink.

yes my switch is vlan aware

fisrt the port of switch 1 that connect PFsense to Switch 1 shoud be un tagged

second ports from switch 1 to core and versa are tagged also from core to any switch

Finally switch 2 , 3 , 4 the port that is connected to AP will be untagged

and i have to make vlan in pfsense with the same tag and add it it will be as a sub-interface of lan with it's ip separated from lan

also how i can AP to pfsense i mean in web interface

johnpoz · Jul 31, 2017, 11:33 AM

"fisrt the port of switch 1 that connect PFsense to Switch 1 shoud be un tagged "

No - not unless pfsense is just on a transit network to your core switch

"Finally switch 2 , 3 , 4 the port that is connected to AP will be untagged "

NO - unless you just going to run 1 network via wifi that all clients are on the same vlan no matter what ssid they use, etc..

If your going to run more than one vlan via wireless - then those vlans to your AP would be tagged on the uplink port to the AP.

Are you going create the vlans on pfsense and route between them on pfsense? Or is it just a transit network between pfsense and the core switch, and the core switch is doing all the routing?

NogBadTheBad · Jul 31, 2017, 11:39 AM

Don't, save your self a lot of trouble and buy a Ubiquity AP they are cheap as chips and you'll be able to have multiple wireless networks off the one device.

johnpoz · Jul 31, 2017, 1:17 PM

"First one How can i add AP to PFSense ( to work as wireless controller )"

You want pfsense to be your AP for your wireless? As NogBadTheBad mentions - that is not very good idea.. Get yourself real AP or APs that support vlans. The mentioned Unifi stuff is very cost friendly and feature rich!! The AC lite models are like $78.. So very reasonable priced, pro models retail for $130 but have seen them cheaper.

Adnanx · Jul 31, 2017, 3:23 PM

No i dont want pfsense as wireless AP
And no i dont want pfsense to route the vlans , my core do every thing i want one vlan for wifi and i want pfsense to distribute the internet through wifi vlan :-\ i have more than 25 switches in more than 8 places
I have for ex d link Ap i want to connect it to switch 2 and get internet also i want to manage the client through pfsense that's it i dont want pfsense to route any thing and i want one vlan exited in all 25 switches that can provide internet for ap

johnpoz · Jul 31, 2017, 4:40 PM

well if pfsense is your edge only, and you have downstream router.. ie your core switch.. Then pfsense would be connected via a transit.

Pfsense could give two shits about vlan IDs then. And you are correct the connection from pfsense to your switch, and then the connection from that switch to your core switch would/could be untagged.

You would just need to configure routing with pfsense, so it knows about this downstream networks and the gateway IP to get there - ie the IP of your core switch on that transit network

you would then need to adjust the firewall rules on this transit interface (lan I assume in pfsense) to allow your downstream networks. And you would need to make sure your outbound nat rules on pfsense are doing the natting of these downstream networks.

Pfsense will not be able to do dhcp for these downstream networks.. Pfsense can only be dhcp for networks that are attached to it.