Add a Guest WIFI using 6-port Netgate & unmanaged switch

GregRexUzelac

We have a staff WiFi and want to add a guest WiFi. Do we have to buy a VLAN-capable managed switch, or can we use a spare pfSense eth port?

Current cfg:
-pfSense 2.3.2
-Netgate 6-port, Port1:GW1/Comcast, Port2:GW2/AT&T, Port3:LAN/172.16.30.1
-24-port unmanaged GbE switch, LAN
-(4) EdiMax CAP1200 APs, (1) is the array controller and (3) are APs within the array, Staff WiFi
-Windows Server DHCP server, 172.16.30.20 serving 172.16.30.x (can use pfSense's DHCP if rqd)
-8-port GbE PoE switch for the APs, unmanaged. Connects to the (4) CAP1200 APs and to the 24-port LAN switch

Steps to add an isolated Guest WiFi ????
-Cfg EdiMax CAP1200 APs for STAFF VLAN10 and GUEST VLAN20 (choose tagged opt, yes??)
-8-Port PoE AP switch, move eth that was going to 24-port LAN switch so now goes to Netgate eth Port4
-Configure pfSense:
  Add VLAN10/Staff and VLAN20/Guest on eth Port4?
  Add (2) interfaces, Port4/VLAN10 (WIFI_Staff) & Port4/VLAN20 (WIFI_Guest)?
  "Bridge" Port4/VLAN10/Staff to LAN so employee laptops are on the LAN
  Add a DHCP server for WIFI_Guest (VLAN20) interface. 192.168.1.1 serving 100-150
  Cfg WIFI_Guest to use GW1/Port1/Comcast

Derelict

I would get a PoE managed switch and do it right.

What you have outlined, in general, might work but I would just get the right gear for the job.

Example: https://www.amazon.com/dp/B00P7RAIZS/ref=twister_B00NUX24S0

Guest

We have a staff WiFi and want to add a guest WiFi. Do we have to buy a VLAN-capable managed switch, or can we use a spare pfSense eth port?

The WLAN APs should be having VLAN support, so you could set up a VLAN for private (staff) one
and a guest network. If there will be a domain or AD/DC managed network at the worksplace
you could also high up the security for the entire network, by using something such as;

• LDAP Server or role on MS Windows Server for wired devices
• Radius Server or role on MS Windows Server or Linux Server for all WiFi devices (staff)
• Captive Portal on the pfSense for all WiFi clients (guest network)
• VLANs with his own subnet
  –192.168.1.0/24 staff WiFi
  -- 192.168.2.0/24 for guests WiFi
  -- 192.168.3.0/24 printers
  -- 192.168.4.0/24 PCs
  -- 192.168.5.0/24 servers
  and so on.....

Current cfg:
-pfSense 2.3.2
-Netgate 6-port, Port1:GW1/Comcast, Port2:GW2/AT&T, Port3:LAN/172.16.30.1

Would be nice to know now your budget here in that game play!

-24-port unmanaged GbE switch, LAN

Would be able to get a Cisco SG200-24P or Cisco SG300-24P switch likes you are able to pay
or need it. The SG300 is a layer3 switch that is able to route the VLANs by it self and mostly
with wire speed!

-(4) EdiMax CAP1200 APs, (1) is the array controller and (3) are APs within the array, Staff WiFi

Are they VLAN capable?

-Windows Server DHCP server, 172.16.30.20 serving 172.16.30.x (can use pfSense's DHCP if rqd)

Would be nice to see some other security roles on that server!

-8-port GbE PoE switch for the APs, unmanaged. Connects to the (4) CAP1200 APs and to the 24-port LAN switch

And also here you might be able to handle that traffic with a smaller variant of that named above switches
I was guessing! SG200-10P or SG300-10P.

Steps to add an isolated Guest WiFi ????

Create on the pfSense some VLANs and also on the Switch and then on the WiFi APs!
They must be tagged between the pfSense and the Switch and also between the Switch and
the WiFi APs, because there should be holding then even 2 VLANs each for a WiFi location one
for the staff and one for the guests.

-Cfg EdiMax CAP1200 APs for STAFF VLAN10 and GUEST VLAN20 (choose tagged opt, yes??)

There are two available scenarios:

• You will need VLAN capable Switch and WLAN APs
  Connected over a PoE Switch that is capable of VLANs
• You will need only VLAN capable WiFi APs
  You might connecting the WiFi APs directly to the pfSense appliance

Please not the VLAN1 is the default VLAN on many switches so it should be for the admins only!
It would be also making many sense to activate the client isolation for the guest and staff WiFi
VLAN because then all devices are not able to have a look on the other devices inside of that
VLAN.

-8-Port PoE AP switch, move eth that was going to 24-port LAN switch so now goes to Netgate eth Port4

Is that PoE Switch VLAN capable?
Are the WiFi APs multi-VLAN capable?

There would be two common ways to go, pending on what the switches and WiFi APs are able to do
and also based on your budget.
1. pfSense is routing the entire VLANs and you may only need a layer2 Switch
2. The Switch is routing the entire VLANs and the pfSense is holding the Captive Portal for guests
and the Windows Server has a radius server role installed that is securing the WiFi clients for the
staff. For sure there are many other ways out there to go with but this both might be the most
common ways.

Get a SG200-24P (Layer2) pfSense is routing then the VLANs or SG300-24P (Layer3) the switch it
self will then routing the entire VLANs and connect them all to that switch!