Tutorial - pfSense, OpenWrt - multiple SSIDs and VLANs



  • I have created a tutorial for adding multiple SSIDs (guest wifi network) with VLAN support on an OpenWrt router/ap and pfSense firewall.
    This tutorial is based on pfSense version 2.3.2 and OpenWrt CC 15.05.1. Other versions should work too, but the steps might be different.
    You can download the tutorial as PDF file for offline viewing as well: MEGA | uploaded.net
    (please report if a link is down)

    –----------------------------------------------------------------------------------

    First we’re going to create the VLANs on our pfSense box.
    Go to Interfaces and choose VLANs. After that press the Add button.

    For Parent Interface choose your LAN connection.
    For VLAN Tag choose your desired VLAN ID.
    The VLAN Priority can be set to 0.
    Description can be anything you like. After that press Save.

    Once you have saved your VLAN configuration it will look something like this.
    Add more VLANs the same way, if you like.

    Now go to Interface Assignments, choose VLAN 10 and press Add.

    A new interface has now been added, interface OPT1.
    Now click on OPT1, so we can edit the interface.

    Tick the Enable box and give the interface a description.
    IPv4 Configuration Type must be set on Static IPv4.
    IPv4 Address can be whatever you want. I choose 192.168.10.1 with a /24 subnet. After that press Save.

    Next we go to Services  –> DHCP Server and choose your VLAN.
    Tick the Enable box and choose your DHCP Range. After that Save.

    For the next step we go to Firewall  –> Rules and we choose our VLAN.
    At this point there should be no rules configured for our VLAN. Press Add to add a new rule.

    Action: Pass Interface: Your VLAN Address Family: IPv4
    Protocol: any   Source: VLAN_net     Destination: any
    Description can of course be anything you like. After that press Save.

    We’ve now created an Allow any/any rule, so all traffic can go through this VLAN.
    Additional rules can be added per your own preference.

    Now let’s go to our OpenWrt router/ap. Go to Network  –> Wireless.
    Add your desired SSIDs here. For this tutorial I’ve created two 5GHz SSIDs and two 2.4GHz SSID’s.
    SSID: test and SSID: test-guest.

    Now go to Network  –> Swtich. The standard switch configuration on my TP-Link Archer C7 is below.
    Port 1 is WAN, port 2 -5 are LAN ports, CPU is eth1 and port 6 is eth0.

    Press the Add button and choose the same VLAN ID as we’ve created on our pfSense box.
    The CPU port needs to be tagged, as well as the port that is connected to your pfSense box.

    After that we go to Network  –> Interfaces. The screenshot below shows a standard interface layout.
    Click on the Add new interface button.

    Give the new interface a name and create a Custom Interface.
    The custom interface needs to be eth1, “dot”  VLAN ID.
    So in the case of VLAN ID 10 it needs to be: eth1.10
    Press submit.

    You’ll be brought to the newly created interface after pressing submit.
    Now go to Physical Settings and tick the box to create a bridge over the specified interface(s).
    Also tick the box of the VLAN (eth1.10) and choose the SSID you want the VLAN to be assigned to.
    I choose both the guest SSIDs, 5GHz and 2.4GHz. Click Save and Apply.

    The new VLAN interface is now created and visible on the Interface Overview.
    At this point we’re ready! The guest SSID is connected to VLAN 10.



  • This is a great tutorial.

    I have the following hardware & software:
    SG-2220 - pfsense
    DIR-645 Running OpenWRT (latest) - running two SSID for HOME and GUEST networks
    HW Procurve 1810G-24 port managed switch

    My pfsense router is connected to the WAN, then to the managed switch (LAN) on port 1
    my DIR-645 is connected to the managed switch (LAN) on port 2

    I followed the tutorial and my guest users get an IP (eventually) over DHCP but have no DNS, LAN, or internet traffic

    I assume that I need to setup something in the managed switch correct? ???



  • Thanks for the very good tutorial, panja. I am using a Wndr3700v2 with Lede 17.01 as operating system. I followed your tutorial but pfsense does not assign an IP-address to machines on the guest wifi. If I assign a Ip-address on the machine, it can connect to the network, but not the internet. (All machines connect via openvpn-client running on pfsense).

    I bridged the wan port on the AP (Lede) to the lan-interface (to make use of it) and deleted the wan and ipv6 inteface as I don't need them.
    Might that be a problem? Or maybe I configured the vlan wrong? Take a look at my setup:
    http://imgur.com/EdjDRfi
    (Lan1 is connected to pfsense)

    @kiowadriver: Does the dir-645 run stable with openwrt for you? I tried v.15.05 on my dir 645 some time ago and the wifi was way too slow to be usable. That's why I bought a new router as AP last week (the vanilla software on the dir-645 has not been updated in two years…)



  • Hi, I need exactly this, and after doing it, I'm stucked at the point that my clients are not being assigned their IP addresses….

    Anything we should take in to consideration?, firewall rules?, interface bridging?, etc.



  • I'm just running in a very similar environment. Anybody got this solved?

    What I found out till now...but first my setup.

    pfsense with e.g. WIFI on VLAN20
    OpenWRT assigned and bridged, eth0.20 (VLAN ID 20)
    DHCP Server on pfSense set, range set etc.

    Anyway it works but just with an static IP assigned to the Client behind OpenWRT (TP-Link WDR4300, CC 15.05)

    The DHCP Server is not serving. Or at least what I found out is that there are none Requests forwarded to it.

    So as I see the Requests get stuck at OpenWRT Level as they are not reaching the pfSense. (FW Rule "default allow any" for VLAN-Interface created)

    I just read a bit and it might be that the additional package relayd could be a problem, read sth about this on a different router.

    Conclusions:

    • with a static IP on the Clientsite Clients get access to the Web

    • DHCP Server is not serving / several Packet Captures for Port 67 & 68 (DHCP) captured just nothing on the VLAN-Interface

    Would be really appreciating if someone got an idea or yet even such a setup (OpenWRT via VLAN -> DHCP Requests / leases) running...

    Thanks at all
    BSA66



  • If you're not seeing the Forest by all the Trees you might need a break 😁

    The solutions (yet at least for my problem) was as simple as it could be.

    On TPLink WDR 4300 with OpenWRT under "Network" - "Switch" Port 1 is the WAN. And this one should for all uplinked VLANs be tagged as even as the CPU is.

    Anyway, DHCP Server leases its adresses and at least my Problem is soluted.

    If anyone in the further should run into issues with OpenWRT on TPLink Routers but is sure that everything is accurate configured...check out the Switch Tab and make sure CPU && WAN (this is Port 1) are both tagged.

    The CPU is the Routerboard itself and Port1 as mentioned above the Uplink on WAN for delivering the segmented VLANs.

    I am just still wondering why it worked with static IPs. The only way I might suggest would be that the CPU might have processed here? I am just a little bit unsure if this should be a "missed feature" or might be a bigger (security breaching / breachable ?) bug... It wasn't as fast as it was without VLAN Tags on pfSense and as fast as it responds now. So might it really have been the CPU that worked that missconfigured VLAN switching out in this case.. ?!?


    BTW & (at least) TPLink WDR4300 related: if your router isn't capable of VLAN for WIFI (you aint got a Wifi Port on the Switch Tab) you can check under the "Interfaces" Tab if it is bridged (br) on LAN.
    A simple workaround I did to get Wifi on a VLAN separated from LAN was to deconfigure the BRIDGE WIFI - LAN and take an unused Port (in my case the 4th and last one), bridge this to Wifi and put this port in a VLAN.
    This way you might separate your Wifi (2.4GHz or 5GHz or both as I did) from your LAN and be able to route it through a VLAN either.



  • This post is deleted!