Setting up VLAN; segmenting the network using pfSense



  • Hello,

    We run pfSense as our router & intend to configure our network such that we have a guest wifi network and the corporate wifi network.

    The network now has several fully managed D-Link switches, which means these switches support VLANs, tagging of ports, etc.

    So I would like procedural assistance in configuring the 2 VLANs in the switches, i.e. how to go about it, and do I have to do this in every switch?

    And also in segmenting the traffic in pfSense such that there are two different networks with different IPs, where one is the default existing corporate network, whose DHCP server is the Windows server, and the other is the segmented network/subnet/internet traffic whose DHCP server is pfSense, plus a firewall rule that allows each traffic to go to its respective VLAN in the switches.

    Access points on several floors connect to these switches and each of these access points supports multiple SSIDs, so what I intend is that for the guest wifi network, clients should access the internet but on a different network altogether, where they can't access our corporate devices, e.g. printers etc.


  • LAYER 8 Global Moderator

    And what are these APs? Support for multiple SSIDs does not always mean they support VLAN tagging of the SSID, if you're using what amounts to a user wifi router as an AP, etc.

    As to procedural help for your D-Link switches, you're going to be better off RTFM for your switch or via the D-Link forums, etc. What is the make and model of these switches? Maybe someone uses them.

    Here is an example drawing I did up for another user that PMed about their network. This should help as an overview.

    So in this example pfSense has 3 interfaces used on the "local" side of pfSense. LAN and VPN would be two layer 2 networks (VLANs on the switch, not in pfSense) where the switch would isolate this traffic but it's not tagged. While the WLAN interface in this drawing has a native untagged network just like LAN and VPN, it also does VLAN tagging on that interface and handles your wifi tagged SSID-based VLANs.

    So in a wired network you can do tagged or untagged "vlans"; with wifi you're going to have to do tagging of the VLANs. This can be confusing to new VLAN users.

    In the example there are 2 switches; this can be expanded to as many switches as you have, etc. The term "trunk" here reflects the Cisco use of the term to mean a port that carries tagged VLANs. The color coding of the ports reflects what the native VLAN of that port is, etc.

    This is a pretty good overall example of how, in a very simple network, you could isolate different networks from each other, some tagged and others untagged "vlans". So in pfSense you would have set up the interface WLAN, and then on top of that physical interface you would create the "vlans" for your wifi networks.

    Hope that helps.
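As an added example (not part of the post above, and not pfSense or D-Link code), the following Python model shows what the tagged/untagged distinction in the reply means at the switch: each port has a native VLAN (PVID) that untagged frames land in, plus an optional set of VLANs it carries with an 802.1Q tag. The port layout, port names and VLAN IDs are constructed to mirror the drawing described: the port toward pfSense's WLAN interface, the AP port and the inter-switch "trunk" carry the corporate VLAN untagged and the guest VLAN tagged, while the printer and the wired guest port are plain access ports.

```python
"""Toy model of 802.1Q port behaviour on a managed switch (added example).

Port names and VLAN IDs are constructed for illustration; they are not from
the forum post or from any vendor documentation.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class Port:
    name: str
    pvid: int                                      # native VLAN: untagged frames land here
    tagged: Set[int] = field(default_factory=set)  # VLANs carried with a tag on this port


@dataclass(frozen=True)
class Frame:
    ingress: str                 # port the frame arrives on
    vlan: Optional[int] = None   # 802.1Q tag on the wire; None = untagged


class Switch:
    def __init__(self, ports):
        self.ports: Dict[str, Port] = {p.name: p for p in ports}

    def classify(self, frame: Frame) -> Optional[int]:
        """Assign an ingress frame to a VLAN; None means the switch drops it."""
        port = self.ports[frame.ingress]
        if frame.vlan is None:
            return port.pvid          # untagged frame -> port's native VLAN
        if frame.vlan in port.tagged:
            return frame.vlan         # tag is allowed on this port
        return None                   # tag for a VLAN this port is not a member of

    def flood(self, frame: Frame) -> Dict[str, bool]:
        """Egress ports for a broadcast in the frame's VLAN: {port: sent tagged?}."""
        vid = self.classify(frame)
        if vid is None:
            return {}
        out: Dict[str, bool] = {}
        for name, port in self.ports.items():
            if name == frame.ingress:
                continue
            if port.pvid == vid:
                out[name] = False     # native VLAN on that port: strip the tag
            elif vid in port.tagged:
                out[name] = True      # tagged member: keep the tag
        return out


CORP_VLAN = 1     # assumed corporate VLAN (the switch default VLAN)
GUEST_VLAN = 20   # assumed guest VLAN


def build_example_switch() -> Switch:
    """One of the two switches in the drawing, with constructed port roles."""
    return Switch([
        Port("uplink_pfsense_wlan", pvid=CORP_VLAN, tagged={GUEST_VLAN}),  # native + tagged guest
        Port("ap_floor1", pvid=CORP_VLAN, tagged={GUEST_VLAN}),            # AP with two SSIDs
        Port("trunk_sw2", pvid=CORP_VLAN, tagged={GUEST_VLAN}),            # "trunk" to the other switch
        Port("printer", pvid=CORP_VLAN),                                    # plain corporate access port
        Port("guest_wired", pvid=GUEST_VLAN),                               # plain guest access port
    ])


def can_reach(switch: Switch, frame: Frame, port: str) -> bool:
    """True if a broadcast in the frame's VLAN is delivered out of `port`."""
    return port in switch.flood(frame)


if __name__ == "__main__":
    sw = build_example_switch()
    # Untagged broadcast from the printer stays in the corporate VLAN, untagged everywhere.
    print(sw.flood(Frame("printer")))
    # Guest SSID traffic arrives tagged 20 from the AP: tagged toward pfSense and
    # the other switch, untagged to the wired guest port, never to the printer.
    print(sw.flood(Frame("ap_floor1", vlan=GUEST_VLAN)))
    # A frame tagged 20 arriving on the printer port is dropped: the port is not a member.
    print(sw.flood(Frame("printer", vlan=GUEST_VLAN)))
```

The point the model makes is the one in the reply: isolation between corporate and guest is done by port membership on every switch in the path, and the only places where both VLANs share a cable are the ports that carry the guest VLAN tagged (pfSense uplink, APs, inter-switch links).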




  • yup, that was me, thanks again John!!



  • Thanks John

    The access points are WAP200 Wireless-G Access Points; they do have VLAN & QoS options. Yes, I'm checking on the D-Link forums with regards to the switches. The switches are DES-3200 28P & 52.

    So my questions are: in pfSense, we have the WAN & LAN interfaces already. So I create another interface in pfSense, i.e. Guest VLAN, with a different network ID from our corporate subnet. Under the Guest VLAN interface IPv4 configuration, what should be the upstream gateway for that interface?

    And then under Firewall Rules, I intend to create a rule such that traffic from that interface... there is source and destination... source should be the new interface of course, and destination? The intention is that the traffic from this interface is routed to the Guest VLAN configured in the switches... is there any rule to configure?

    For clients that connect to the Guest LAN and WLAN I intend to enable the DHCP server on this interface from pfSense... is there anything to configure apart from this?

    thank you
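As an added example, not part of this post or any answer in the thread, here is a small Python model of the source/destination question above: rules on a pfSense interface are evaluated top to bottom on traffic entering that interface, the first match wins, and anything unmatched is dropped. The model compares a guest rule list that blocks guest-to-corporate before passing guest-to-anywhere against the same two rules in the opposite order. The subnets, addresses and sample flows are constructed assumptions, and pfSense itself is configured in the web GUI, so this only demonstrates the ordering logic.

```python
"""First-match firewall rule evaluation for a guest interface (added example).

Networks and addresses are constructed; this models the rule-ordering logic
on a pfSense guest interface, not pfSense's configuration format.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List

IPNet = ipaddress.IPv4Network
CORP_NET = ipaddress.ip_network("192.168.1.0/24")    # assumed corporate LAN
GUEST_NET = ipaddress.ip_network("192.168.20.0/24")  # assumed guest VLAN subnet
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    action: str      # "pass" or "block"
    src: IPNet
    dst: IPNet
    note: str = ""


def evaluate(rules: List[Rule], src_ip: str, dst_ip: str) -> str:
    """Return the action of the first rule matching src/dst.

    As on a pfSense interface, the first match wins and traffic that matches
    no rule is blocked by the implicit default deny.
    """
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for rule in rules:
        if src in rule.src and dst in rule.dst:
            return rule.action
    return "block"


# Rules on the guest interface in the order a defender wants them:
# the narrow block sits above the broad pass.
GUEST_RULES = [
    Rule("block", GUEST_NET, CORP_NET, "keep guests off the corporate LAN"),
    Rule("pass", GUEST_NET, ANY, "guests may reach the internet"),
]

# The same two rules reversed: the broad pass matches first, so the block
# beneath it never fires.
GUEST_RULES_MISORDERED = list(reversed(GUEST_RULES))

# Constructed flows to check (203.0.113.0/24 is a documentation range).
SAMPLE_FLOWS = [
    ("192.168.20.50", "192.168.1.10", "guest -> corporate printer"),
    ("192.168.20.50", "203.0.113.5", "guest -> internet host"),
    ("192.168.1.77", "203.0.113.5", "non-guest source on guest interface"),
]


def audit(rules: List[Rule]) -> Dict[str, str]:
    """Map each sample flow description to the action the rule set takes."""
    return {desc: evaluate(rules, s, d) for s, d, desc in SAMPLE_FLOWS}


def guest_isolated(rules: List[Rule]) -> bool:
    """True when every sampled guest -> corporate flow is blocked."""
    return all(
        evaluate(rules, s, d) == "block"
        for s, d, _ in SAMPLE_FLOWS
        if ipaddress.ip_address(s) in GUEST_NET and ipaddress.ip_address(d) in CORP_NET
    )


if __name__ == "__main__":
    for name, rules in (("ordered", GUEST_RULES), ("misordered", GUEST_RULES_MISORDERED)):
        print(name, audit(rules), "isolated:", guest_isolated(rules))
```

Two design points carry over to the real rule list: the source is restricted to the guest subnet rather than "any", so a packet with a corporate source address arriving on the guest interface matches nothing and is dropped; and the block toward the corporate network must sit above the pass-to-anywhere rule, otherwise it is dead.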



  • @johnpoz:

    And what are these APs? Support for multiple SSIDs does not always mean they support VLAN tagging of the SSID, if you're using what amounts to a user wifi router as an AP, etc.

    As to procedural help for your D-Link switches, you're going to be better off RTFM for your switch or via the D-Link forums, etc. What is the make and model of these switches? Maybe someone uses them.

    Here is an example drawing I did up for another user that PMed about their network. This should help as an overview.

    So in this example pfSense has 3 interfaces used on the "local" side of pfSense. LAN and VPN would be two layer 2 networks (VLANs on the switch, not in pfSense) where the switch would isolate this traffic but it's not tagged. While the WLAN interface in this drawing has a native untagged network just like LAN and VPN, it also does VLAN tagging on that interface and handles your wifi tagged SSID-based VLANs.

    So in a wired network you can do tagged or untagged "vlans"; with wifi you're going to have to do tagging of the VLANs. This can be confusing to new VLAN users.

    In the example there are 2 switches; this can be expanded to as many switches as you have, etc. The term "trunk" here reflects the Cisco use of the term to mean a port that carries tagged VLANs. The color coding of the ports reflects what the native VLAN of that port is, etc.

    This is a pretty good overall example of how, in a very simple network, you could isolate different networks from each other, some tagged and others untagged "vlans". So in pfSense you would have set up the interface WLAN, and then on top of that physical interface you would create the "vlans" for your wifi networks.

    Hope that helps.

    In our pfSense, we just have two cards, LAN & WAN. Under the LAN interface as the parent I have created a sub-interface for the guest VLAN, logically... will this work, or is it advisable to add one extra NIC card to the pfSense machine, and configure this extra NIC card to serve the new Guest VLAN I intend to create?

