Can VLANs on a Cisco AP work with PFSense?
-
Depends exactly what the model is. Is it a standalone AP or does it require a wireless controller?
It's been ages since I've touched a standalone Cisco AP, it should just be a matter of configuring ethernet0, ethernet0.100, ethernet0.200 and then associating the dot11radio interfaces.
Then have the uplink pass the native, 100 & 200 vlans.
https://www.cisco.com/c/en/us/td/docs/wireless/access_point/15-3-3/configuration/guide/cg15-3-3.html
You may be better configuring it via the web interface.
https://www.youtube.com/watch?v=krSDfvRbWX0
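
The subinterface layout described in the post above, written out for an autonomous (k9w7) AP with VLAN 1 native and VLANs 100 and 200 tagged, as an added example that is not part of the original thread. The SSID names and PSK placeholders are hypothetical, and GigabitEthernet0 is assumed as the wired interface name on this model; check the commands against the linked configuration guide.

```cisco
! Constructed example: SSID names and <..._PLACEHOLDER> values are hypothetical.
dot11 ssid MAIN-EXAMPLE
   vlan 100
   authentication open
   authentication key-management wpa version 2
   wpa-psk ascii <MAIN_PSK_PLACEHOLDER>
   mbssid guest-mode
!
dot11 ssid BYPASS-EXAMPLE
   vlan 200
   authentication open
   authentication key-management wpa version 2
   wpa-psk ascii <BYPASS_PSK_PLACEHOLDER>
   mbssid guest-mode
!
! 2.4 GHz radio; repeat the Dot11Radio blocks for Dot11Radio1 to serve 5 GHz.
interface Dot11Radio0
 encryption vlan 100 mode ciphers aes-ccm
 encryption vlan 200 mode ciphers aes-ccm
 ssid MAIN-EXAMPLE
 ssid BYPASS-EXAMPLE
 mbssid
!
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 bridge-group 1
!
interface Dot11Radio0.100
 encapsulation dot1Q 100
 bridge-group 100
!
interface Dot11Radio0.200
 encapsulation dot1Q 200
 bridge-group 200
!
! Wired uplink: VLAN 1 untagged (AP management), VLANs 100 and 200 tagged.
interface GigabitEthernet0.1
 encapsulation dot1Q 1 native
 bridge-group 1
!
interface GigabitEthernet0.100
 encapsulation dot1Q 100
 bridge-group 100
!
interface GigabitEthernet0.200
 encapsulation dot1Q 200
 bridge-group 200
```

The switch port or pfSense interface facing the AP has to carry the same IDs: untagged for the native VLAN, tagged for 100 and 200.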
-
@nogbadthebad Standalone. The AP is model AIR-AP3702I-UXK9 running ap3g2-k9w7-xx.153-3.JA4 firmware.
Thanks for the link. I found that video over the weekend and started following along at the CLI. Just wasn't sure this would all work with PFSense. Also, a warning to anyone who hasn't watched this video -- the volume of the terminal bell is 11 while his mic is at 5.
Maybe I can skip around the video and get more out of it. If the VLAN traffic is compatible then I'll keep going.
-
vlans are vlans are vlans.. Anything that supports vlans should work with any other device that supports vlans..
It's a standard.. unless you were doing something with cisco proprietary vlan stuff - say VTP then there shouldn't be any problems. Or their ISL..
-
I'm running 6 SSIDs of several Cisco APs (Non CAPWAP)
/Bingo
-
Yes, this should absolutely be possible.
And in fact you will probably get much better results if you route everything over the VPN from one SSID and nothing on the other. All or nothing will break far fewer things.
Steve
-
@stephenw10 I'll give it a whirl then. Thanks everyone!
-
I'd be tempted to test it on an unused pfSense interface if you have one, then move the AP to the HP switch once it's working, if you have a spare one and a PoE injector.
-
Think of VLANs as physically separate interfaces and ask your question again. If the answer is yes, then it will still be yes with VLANs. All you have to do is match VLAN IDs. Incidentally, here I have pfsense connected to a Cisco switch, connected to a Unifi AP and have a guest WiFi connected via VLAN. I just made sure that they all were configured for the same VLAN ID.
BTW, if you have 2 SSIDs, you'd normally have 1 VLAN and the main LAN, unless you have specific reasons for not putting your main WiFi on the main LAN.
-
@nogbadthebad said in Can VLANs on a Cisco AP work with PFSense?:
I'd be tempted to test it on an unused pfSense interface if you have one
@nogbadthebad That's a great idea. If I run into snags with the HP switch I'll keep this in mind.
-
@jknott said in Can VLANs on a Cisco AP work with PFSense?:
BTW, if you have 2 SSIDs, you'd normally have 1 VLAN and the main LAN,
Hmm, now that makes sense. The HP switch has a "Default" VLAN which, I guess, is everything that isn't on a specific VLAN. If I create a second VLAN for the bypass SSID, I essentially have two VLANs but really it's only one since all LAN traffic is on the "Default".
Now that I'm thinking this through a little more, how does PFsense see traffic from the "bypass" VLAN? Can I use a VIP on the LAN interface, or do I need to have a PHY?
-
If you're using VLANs, you create one on a physical interface. For example, I created VLAN3 on my LAN interface for my guest WiFi. I then configured my switch to pass VLAN3 on the ports connected to pfsense and my AP and then configured VLAN3 and 2nd SSID on my AP.
-
@jknott said in Can VLANs on a Cisco AP work with PFSense?:
If you're using VLANs, you create one on a physical interface.
Ok I see. When I created VLAN 200 in pfsense, it ended up assigned to my LAN interface as em1.200. I was experimenting a couple weekends ago and didn't catch it was a virtual nic. It's making more sense now, thanks.