Add a Guest WIFI using 6-port Netgate & unmanaged switch



  • We have a staff WiFi and want to add a guest WiFi. Do we have to buy a VLAN-capable managed switch, or can we use a spare pfSense eth port?

    Current cfg:
    -pfSense 2.3.2
    -Netgate 6-port, Port1:GW1/Comcast, Port2:GW2/AT&T, Port3:LAN/172.16.30.1
    -24-port unmanaged GbE switch, LAN
    -(4) EdiMax CAP1200 APs, (1) is the array controller and (3) are APs within the array, Staff WiFi
    -Windows Server DHCP server, 172.16.30.20 serving 172.16.30.x (can use pfSense's DHCP if rqd)
    -8-port GbE PoE switch for the APs, unmanaged. Connects to the (4) CAP1200 APs and to the 24-port LAN switch

    Steps to add an isolated Guest WiFi ????
    -Cfg EdiMax CAP1200 APs for STAFF VLAN10 and GUEST VLAN20 (choose tagged opt, yes??)
    -8-Port PoE AP switch, move eth that was going to 24-port LAN switch so now goes to Netgate eth Port4
    -Configure pfSense:
      Add VLAN10/Staff and VLAN20/Guest on eth Port4?
      Add (2) interfaces, Port4/VLAN10 (WIFI_Staff) & Port4/VLAN20 (WIFI_Guest)?
      "Bridge" Port4/VLAN10/Staff to LAN so employee laptops are on the LAN
      Add a DHCP server for WIFI_Guest (VLAN20) interface. 192.168.1.1 serving 100-150
      Cfg WIFI_Guest to use GW1/Port1/Comcast



  • Netgate

    I would get a PoE managed switch and do it right.

    What you have outlined, in general, might work but I would just get the right gear for the job.

    Example: https://www.amazon.com/dp/B00P7RAIZS/ref=twister_B00NUX24S0



  • We have a staff WiFi and want to add a guest WiFi. Do we have to buy a VLAN-capable managed switch, or can we use a spare pfSense eth port?

    The WLAN APs should have VLAN support, so you could set up one VLAN for the private (staff) network
    and one for a guest network. If there will be a domain or AD/DC managed network at the workplace,
    you could also raise the security for the entire network by using something such as:

    • LDAP Server or role on MS Windows Server for wired devices
    • Radius Server or role on MS Windows Server or Linux Server for all WiFi devices (staff)
    • Captive Portal on the pfSense for all WiFi clients (guest network)
    • VLANs, each with its own subnet
      - 192.168.1.0/24 staff WiFi
      - 192.168.2.0/24 guest WiFi
      - 192.168.3.0/24 printers
      - 192.168.4.0/24 PCs
      - 192.168.5.0/24 servers
      and so on...

    Current cfg:
    -pfSense 2.3.2
    -Netgate 6-port, Port1:GW1/Comcast, Port2:GW2/AT&T, Port3:LAN/172.16.30.1

    It would be nice to know your budget for this!

    -24-port unmanaged GbE switch, LAN

    You could get a Cisco SG200-24P or Cisco SG300-24P switch, depending on what you are able to pay
    or need. The SG300 is a layer 3 switch that is able to route the VLANs by itself, and mostly
    at wire speed!

    -(4) EdiMax CAP1200 APs, (1) is the array controller and (3) are APs within the array, Staff WiFi

    Are they VLAN capable?

    -Windows Server DHCP server, 172.16.30.20 serving 172.16.30.x (can use pfSense's DHCP if rqd)

    It would be nice to see some other security roles on that server!

    -8-port GbE PoE switch for the APs, unmanaged. Connects to the (4) CAP1200 APs and to the 24-port LAN switch

    And here too, I would guess you might be able to handle that traffic with a smaller variant of the
    switches named above: SG200-10P or SG300-10P.

    Steps to add an isolated Guest WiFi ????

    Create the VLANs on the pfSense, also on the switch, and then on the WiFi APs!
    They must be tagged between the pfSense and the switch and also between the switch and
    the WiFi APs, because each WiFi location will then carry 2 VLANs, one
    for the staff and one for the guests.

    -Cfg EdiMax CAP1200 APs for STAFF VLAN10 and GUEST VLAN20 (choose tagged opt, yes??)

    There are two available scenarios:

    • You will need a VLAN-capable switch and WLAN APs,
      connected over a PoE switch that is capable of VLANs
    • You will need only VLAN-capable WiFi APs
      You might connect the WiFi APs directly to the pfSense appliance

    Please note that VLAN1 is the default VLAN on many switches, so it should be for the admins only!
    It would also make a lot of sense to activate client isolation for the guest and staff WiFi
    VLANs, because then devices are not able to see the other devices inside that
    VLAN.

    -8-Port PoE AP switch, move eth that was going to 24-port LAN switch so now goes to Netgate eth Port4

    Is that PoE Switch VLAN capable?
    Are the WiFi APs multi-VLAN capable?

    There would be two common ways to go, depending on what the switches and WiFi APs are able to do
    and also based on your budget.
    1. pfSense routes all the VLANs and you may only need a layer 2 switch
    2. The switch routes all the VLANs and the pfSense holds the Captive Portal for guests
    and the Windows Server has a RADIUS server role installed that secures the WiFi clients for the
    staff. For sure there are many other ways to go, but these two might be the most
    common ways.

    Get an SG200-24P (Layer 2), in which case pfSense routes the VLANs, or an SG300-24P (Layer 3), in which
    case the switch itself routes all the VLANs, and connect them all to that switch!
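
A model of the isolation this thread is aiming for, as an added example that is not part of any post: pfSense evaluates an interface's firewall rules top-down with the first match winning, so the guest interface needs its block for private networks above the general pass. The rule set, the probes and the `evaluate`/`leaks` helpers are assumptions for illustration; the 172.16.30.x and 192.168.1.1 addresses are the ones from the original post.

```python
import ipaddress

def net(cidr):
    return ipaddress.ip_network(cidr)

RFC1918 = [net("10.0.0.0/8"), net("172.16.0.0/12"), net("192.168.0.0/16")]
ANY = [net("0.0.0.0/0")]
GUEST_GW = [net("192.168.1.1/32")]  # WIFI_Guest address from the original post

# Rules are (action, protocol, destination networks, destination port or None).
# Assumed rule set for the WIFI_Guest interface, not taken from the thread.
ISOLATED = [
    ("pass", "udp", GUEST_GW, 53),    # DNS served by the firewall
    ("block", "any", RFC1918, None),  # staff LAN, firewall GUI, other private nets
    ("pass", "any", ANY, None),       # everything else goes out to the internet
]
# Same rules with the broad pass moved to the top: the block never matches.
MISORDERED = [ISOLATED[2], ISOLATED[0], ISOLATED[1]]

def evaluate(rules, proto, dst, port):
    """First matching rule wins; no match falls through to the default deny."""
    addr = ipaddress.ip_address(dst)
    for action, rule_proto, nets, rule_port in rules:
        if rule_proto not in ("any", proto):
            continue
        if rule_port is not None and rule_port != port:
            continue
        if any(addr in n for n in nets):
            return action
    return "block"

# Constructed probes: internal destinations a guest client must not reach.
INTERNAL_PROBES = [
    ("tcp", "172.16.30.20", 445),  # Windows server on the staff LAN
    ("tcp", "172.16.30.1", 443),   # firewall LAN address
    ("tcp", "192.168.1.1", 443),   # firewall address on the guest VLAN
]

def leaks(rules):
    """Return the internal probes that the rule set would let through."""
    return [p for p in INTERNAL_PROBES if evaluate(rules, *p) == "pass"]

if __name__ == "__main__":
    for name, rules in (("isolated", ISOLATED), ("misordered", MISORDERED)):
        print(name, "leaks:", leaks(rules))
        # 203.0.113.10 is a documentation address standing in for an internet host.
        print(name, "internet:", evaluate(rules, "tcp", "203.0.113.10", 443))
```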