    Guest Network

    Wireless
    3 Posts 2 Posters 1.8k Views
    JayneCobb

      I'm new to pfSense. (Been running it about 2 weeks)

      Hardware:
      EnGenius ECB1200 AP
      EnGenius EGS7228P Managed switch
      pfSense router/gateway

      I would like to set up a guest wireless network that has Internet access only. All of the network equipment is VLAN aware. Would VLAN tags be the best way to set up the guest network? If yes, what rules/NAT would I need to define?

      Thanks

      kesawi

        I'm not familiar with the general features of your hardware, but in principle you set up separate VLANs for your LAN and GUEST networks. You'll need to add the VLANs to pfSense and assign the LAN and GUEST networks to the respective VLANs, and enable VLAN tagging on the switch ports that your pfSense router and AP are connected to. Note that you will lose connectivity when reconfiguring VLANs, so make sure that you have console access to the pfSense router in the event you can't access the webGUI. Also, make sure you keep the VLAN of one NIC on the switch set to the management VLAN before switching all of the ports and the management LAN over.

        NAT is pretty simple, you basically want to copy what exists for the LAN, but change the source address to suit the subnet of your GUEST network.

        I'm assuming that you want to block traffic from your GUEST to LAN. By default pfSense blocks all traffic on the GUEST network, so you need to specify the traffic you want to allow.

        The rules should be in the following order on the GUEST interface:

        • Block all traffic to the LAN Network from any source.

        • Allow the particular traffic from GUEST Network to GUEST address you want to access services on pfSense (eg 53 for DNS, 123 for NTP, ICMP if you want guests to be able to ping pfSense, etc)

        • Block all traffic to GUEST address

        • Block any particular traffic you don't want GUEST having access to on the WAN (This is only if you have subsequent allow rules that are fairly broad range)

        • Allow the particular traffic from GUEST Network to any you want to access on the WAN (eg 80 & 443 for web browsing, 25, 110, 143, 465, 587, 993, 995  for email, 53 for DNS if you want them to be able to use an external provider, 123 for NTP, ICMP so that they can ping)

        • Block all traffic to anywhere - This is a general catch-all which you don't need, unless you want your firewall logs filling up with blocked traffic from the default rule

        If you're running squid or another proxy on the GUEST interface, you'll need to add some access controls in the squid configuration or select "Do not forward traffic to Private Address Space (RFC 1918) destinations" in the squid preferences to make sure your LAN isn't accessible from the GUEST network via the proxy server.

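The rule order above matters because pfSense evaluates interface rules top to bottom and the first match wins. The following is an added example, not code from the thread or from pfSense: a small first-match simulator that encodes the GUEST rule list in that order and runs constructed sample packets through it, including a misordered copy that puts the broad WAN allow first to show the LAN leak that results. The subnets (192.168.1.0/24 for LAN, 192.168.50.0/24 for GUEST), pfSense's GUEST address (192.168.50.1) and the sample packets are assumptions; the thread gives no addressing.

```python
from ipaddress import IPv4Network, ip_address, ip_network

# Assumed addressing; the thread gives no subnets. GUEST_ADDR is pfSense's own
# address on the GUEST VLAN (the "GUEST address" selector in the webGUI).
LAN_NET = ip_network("192.168.1.0/24")
GUEST_NET = ip_network("192.168.50.0/24")
GUEST_ADDR = ip_address("192.168.50.1")
MAIL_PORTS = {25, 110, 143, 465, 587, 993, 995}


def rule(action, protos="any", src="any", dst="any", ports=None):
    """One interface rule. protos: 'any' or a set of protocol names;
    src/dst: 'any', an IPv4Network or an IPv4Address; ports: None (any
    destination port) or a set of destination ports."""
    return {"action": action, "protos": protos, "src": src, "dst": dst, "ports": ports}


def _addr_match(selector, addr):
    if selector == "any":
        return True
    if isinstance(selector, IPv4Network):
        return addr in selector
    return addr == selector


def matches(r, proto, src, dst, dport):
    if r["protos"] != "any" and proto not in r["protos"]:
        return False
    if not (_addr_match(r["src"], src) and _addr_match(r["dst"], dst)):
        return False
    if r["ports"] is not None and dport not in r["ports"]:
        return False
    return True


def decide(rules, proto, src, dst, dport=None):
    """Walk the rule list top to bottom; the first matching rule decides, as
    pfSense does for interface rules. Returns (action, 1-based rule number),
    or ('block', None) when nothing matched and the default deny applies."""
    src, dst = ip_address(src), ip_address(dst)
    for n, r in enumerate(rules, start=1):
        if matches(r, proto, src, dst, dport):
            return r["action"], n
    return "block", None


# The GUEST interface rules in the order given in the post.
GUEST_RULES = [
    # 1. Block everything to the LAN network, whatever the source.
    rule("block", dst=LAN_NET),
    # 2. Allow only the pfSense services guests need: DNS, NTP, ping.
    rule("pass", {"tcp", "udp"}, GUEST_NET, GUEST_ADDR, {53}),
    rule("pass", {"udp"}, GUEST_NET, GUEST_ADDR, {123}),
    rule("pass", {"icmp"}, GUEST_NET, GUEST_ADDR),
    # 3. Block everything else aimed at the firewall itself (webGUI, SSH, ...).
    rule("block", dst=GUEST_ADDR),
    # 4. Per-port WAN blocks would sit here; omitted because the allows below
    #    are already specific.
    # 5. Allow the WAN traffic guests may use.
    rule("pass", {"tcp"}, GUEST_NET, "any", {80, 443} | MAIL_PORTS),
    rule("pass", {"udp"}, GUEST_NET, "any", {53, 123}),
    rule("pass", {"icmp"}, GUEST_NET, "any"),
    # 6. Explicit catch-all: same result as the default deny, but it lets you
    #    turn logging off for the noise.
    rule("block"),
]

# Same rules with the broad WAN allows moved to the top: a common mistake.
MISORDERED_RULES = GUEST_RULES[5:8] + GUEST_RULES[:5] + GUEST_RULES[8:]

# Constructed sample packets: (label, proto, src, dst, dport).
SAMPLE_PACKETS = [
    ("guest -> LAN host, HTTP", "tcp", "192.168.50.20", "192.168.1.10", 80),
    ("guest -> LAN host, DNS", "udp", "192.168.50.20", "192.168.1.10", 53),
    ("guest -> pfSense, DNS", "udp", "192.168.50.20", "192.168.50.1", 53),
    ("guest -> pfSense, webGUI", "tcp", "192.168.50.20", "192.168.50.1", 443),
    ("guest -> Internet, HTTPS", "tcp", "192.168.50.20", "93.184.216.34", 443),
    ("guest -> Internet, SSH", "tcp", "192.168.50.20", "93.184.216.34", 22),
]

if __name__ == "__main__":
    for name, rules in (("ordered", GUEST_RULES), ("misordered", MISORDERED_RULES)):
        print(f"--- {name} ---")
        for label, proto, src, dst, dport in SAMPLE_PACKETS:
            action, n = decide(rules, proto, src, dst, dport)
            print(f"{label:28s} {action:5s} (rule {n})")
```

Run it and compare the two tables: with the order from the post, the DNS query to a LAN host is stopped by rule 1 before the WAN allow is ever consulted; with the WAN allow first, the same packet passes on rule 2, which is exactly the guest-to-LAN leak the ordering is meant to prevent.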
        JayneCobb

          Got it working. Thanks for the help. I don't know why, but VLANs are a confusing topic for me. Kinda like driving directions are for my wife.

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.