Virtualized pfSense VLAN Access Point
I have a question; it may be far-fetched, but it's worth a try.
I have a completely virtualized environment using ESXi 6, in other words my home lab, and I would like to take one of my pfSense VLANs and run it to an access point. Now, my pfSense router receives an IP address from my Untangle firewall, which is on the same vSwitch, but I have a Windows DHCP server on another switch that is able to see all VLANs, and it hands out IP addresses to all devices on each VLAN via DHCP relay.
If I were to add an access point, I would assume that it would receive an IP address from the Windows DHCP server and then have a DHCP server of its own, which isn't what I want. I simply want to use the access point to allow a wireless connection to the VLAN and, if possible, my other 2 VLANs. Is this possible, or would there be a conflict?
So you run both Untangle and pfSense on the same network?? Why?? But anyway, that is neither here nor there about an AP..
An AP provides a "bridge" between a wifi network and a wired network - nothing more, nothing less. Not sure where you got the idea it would be running a DHCP server? Unless you're talking about taking some wifi router you have lying around and using it as an AP.. It's as easy as connecting one of its LAN ports to the network (VLAN) you want it to be on. Turn off its built-in DHCP server.. And for ease of admin, give it a LAN IP that is on the network you're connecting it to.
There you go, AP.. But you would most likely be better served getting a real AP that can be properly placed, because it can do PoE and has VLAN support for its different SSIDs - so you can create multiple wifi networks on different VLANs.. Once you connect your wifi devices to a network, what VLANs they can talk to would depend on your routing and firewall rules.
I completely understand, thank you! Now, I use Untangle for web content filtering since I haven't found anything on pfSense up to par, in my opinion. I'm rather new to pfSense, but not to virtualization, so please note this whole environment we are speaking of is being hosted on one ESXi server with one NIC, just for testing purposes..
Anyways, I've provided images that I hope will help you see how the network is set up below. The network is fully functional with Active Directory, DNS and Group Policy services on the network, and they get internet through one NIC on the ESXi server to my physical wireless router connected to my ISP. So it's on a completely different router, per se, a virtual router which is Untangle, so no interference with my physical network at all other than the ESXi management IP address.
Thanks - but I am quite familiar with ESXi and/or VMs in general and run pfSense myself on ESXi. So your pfSense is just a testbed install. My question was more: if you like and use Untangle, I don't see how pfSense comes into play at all. If you're running Untangle, I really see no use for pfSense..
Not sure what you're wanting to do exactly… But I don't see why you would be tagging port groups on your vSwitches that are not even tied to the real world.. If you want to create a virtual network and route between them.. What is the point of tagging port groups on the vSwitch - why not just use a different vSwitch for that network segment? Those port groups tagged with VLAN 100, 200 and 300 seem pointless.
The VLAN tags and whatnot were just for testing purposes, mainly to play around with different settings. I use Untangle only for filtering content on the whole network, regardless of what switch it may be on or network. It is the only way to and from the Internet, and I haven't found something that pfSense offers that is up to par with Untangle's filtering with the amount of information it provides based on an array of rules that have been set.
Also, I was trying to find a way to create multiple networks on one switch rather than a switch for every network, to see how it would function. So, as provided in the picture, I can add a device to the switch with a respective VLAN tag and they're not allowed to communicate with each other, based on the firewall rules that I have set in pfSense.
I really do appreciate your help in guiding me in the right direction even though we have gotten a little off topic, but it's for the best of things.
If I were to add an access point, I would assume that it would receive an IP address from the Windows DHCP server and then have a DHCP server of its own, which isn't what I want.
It's been mentioned before, but if you're using a SOHO wifi router, then yes, they are defaulted to grab DHCP on the WAN port and hand out DHCP on the LAN ports, but you would just log in, give it a static IP, and disable the DHCP server.
I simply want to use the access point to allow a wireless connection to the VLAN and, if possible, my other 2 VLANs. Is this possible, or would there be a conflict?
Sure it's possible… with the right equipment. If you have a managed switch but are using an AP that does not support VLANs, you'll need a separate AP per VLAN. If you have a managed switch with an AP that does support VLANs, you would just trunk the AP to your switch and configure separate SSIDs for each VLAN.
I use Untangle only for filtering content on the whole network, regardless of what switch it may be on or network. It is the only way to and from the Internet, and I haven't found something that pfSense offers that is up to par with Untangle's filtering with the amount of information it provides based on an array of rules that have been set.
I agree with your reasoning, as I have the same concept running at home with the same two products, but I would take a more streamlined approach to the design instead of double NATing two firewalls in router mode. The consensus from both forums seems to be that pfSense is the better, faster firewall/router while Untangle is the better UTM. I would re-design your network and use pfSense as your edge firewall and run Untangle behind it in bridge mode, and disable the firewall app. That's how I run it. Then if you add the now very affordable Untangle home license… you get all of the enterprise features.
Now that UT supports VLANs, according to this doc -> https://support.untangle.com/hc/en-us/articles/202508586-Configure-VLAN-Interfaces-in-Bridged-Mode you would create tagged VLAN interfaces on your bridge, which would allow traffic to pass through to each VLAN on pfSense.
The other option is to add a managed L3 switch and terminate your VLANs on the switch. In this case, you would configure the ip helper-address for each VLAN.
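For anyone following the DHCP relay discussion in this thread (the OP's Windows DHCP server handing out leases to every VLAN through pfSense's relay, or the ip helper-address suggestion above), here is an added example that models what the relay actually changes in the packet and how the server chooses a scope. It is not code from this thread, pfSense, Untangle or Windows Server; the addresses, VLAN numbers and one-address pools are constructed for illustration. The mechanism it implements is the RFC 2131/1542 one: the first relay stamps `giaddr` with its own address on the client's VLAN, every relay bumps `hops`, and the server picks the scope that contains `giaddr` rather than the subnet the packet arrived from.

```python
"""DHCP relay and scope selection, modelled on RFC 2131 section 4.3.1.

Added example (not from the thread, pfSense, Untangle or Windows Server).
All addresses, VLAN numbers and pools below are constructed.
"""
import ipaddress
import struct
from dataclasses import dataclass

BOOTREQUEST, BOOTREPLY = 1, 2
DISCOVER, OFFER = 1, 2
MAGIC = b"\x63\x82\x53\x63"          # RFC 2131 option-field magic cookie
HDR = "!BBBBIHH4s4s4s4s16s64s128s"   # fixed 236-byte BOOTP header
HOPS_OFF, YIADDR_OFF, SIADDR_OFF, GIADDR_OFF = 3, 16, 20, 24


def build_discover(xid: int, mac: bytes) -> bytes:
    """Client broadcast: giaddr and hops are zero, broadcast flag set."""
    z = b"\0" * 4
    hdr = struct.pack(HDR, BOOTREQUEST, 1, 6, 0, xid, 0, 0x8000, z, z, z, z,
                      mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    return hdr + MAGIC + bytes([53, 1, DISCOVER]) + b"\xff"


def parse(pkt: bytes) -> dict:
    f = struct.unpack(HDR, pkt[:236])
    opts, i = {}, 240                 # options follow the magic cookie
    while i < len(pkt) and pkt[i] != 0xFF:
        code, ln = pkt[i], pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + ln]
        i += 2 + ln
    return {"op": f[0], "hops": f[3], "xid": f[4],
            "yiaddr": str(ipaddress.IPv4Address(f[8])),
            "giaddr": str(ipaddress.IPv4Address(f[10])), "options": opts}


def relay(pkt: bytes, relay_ip_on_client_vlan: str) -> bytes:
    """What pfSense 'DHCP Relay' or a switch 'ip helper-address' does.

    Only the first relay sets giaddr (its address on the VLAN the broadcast
    came in on); later relays leave it alone. Each relay increments hops
    and discards the packet once hops reaches 16 (RFC 1542 section 4.1.1).
    """
    out = bytearray(pkt)
    if out[HOPS_OFF] >= 16:
        raise ValueError("hop count exceeded, packet discarded")
    if out[GIADDR_OFF:GIADDR_OFF + 4] == b"\0" * 4:
        out[GIADDR_OFF:GIADDR_OFF + 4] = ipaddress.IPv4Address(relay_ip_on_client_vlan).packed
    out[HOPS_OFF] += 1
    return bytes(out)


@dataclass
class Scope:
    network: ipaddress.IPv4Network
    router: str
    free: list                        # constructed pool of offerable addresses


class DhcpServer:
    """One server on its own VLAN holding a scope for every VLAN."""
    def __init__(self, server_ip: str, scopes: list):
        self.ip, self.scopes = server_ip, scopes

    def select_scope(self, giaddr: str):
        # Relayed request: match the subnet containing giaddr.
        # Direct broadcast (giaddr 0.0.0.0): match the server's own subnet.
        anchor = ipaddress.IPv4Address(giaddr if giaddr != "0.0.0.0" else self.ip)
        return next((s for s in self.scopes if anchor in s.network), None)

    def handle(self, pkt: bytes):
        req = parse(pkt)
        if req["op"] != BOOTREQUEST or req["options"].get(53) != bytes([DISCOVER]):
            return None
        scope = self.select_scope(req["giaddr"])
        if scope is None or not scope.free:
            return None               # no scope for that subnet: stay silent
        out = bytearray(pkt[:236])    # giaddr and hops are echoed unchanged
        out[0] = BOOTREPLY
        out[YIADDR_OFF:YIADDR_OFF + 4] = ipaddress.IPv4Address(scope.free.pop(0)).packed
        out[SIADDR_OFF:SIADDR_OFF + 4] = ipaddress.IPv4Address(self.ip).packed
        opts = (bytes([53, 1, OFFER])
                + bytes([1, 4]) + scope.network.netmask.packed
                + bytes([3, 4]) + ipaddress.IPv4Address(scope.router).packed
                + bytes([54, 4]) + ipaddress.IPv4Address(self.ip).packed
                + bytes([51, 4]) + struct.pack("!I", 86400))
        return bytes(out) + MAGIC + opts + b"\xff"


def demo() -> dict:
    """Constructed topology: server 10.0.10.5 on VLAN 10; pfSense holds
    10.0.100.1 / 10.0.200.1 on VLANs 100 / 200 and relays for them.
    Returns (offered address, giaddr, hops) per scenario."""
    server = DhcpServer("10.0.10.5", [
        Scope(ipaddress.ip_network("10.0.10.0/24"), "10.0.10.1", ["10.0.10.50"]),
        Scope(ipaddress.ip_network("10.0.100.0/24"), "10.0.100.1", ["10.0.100.50"]),
        Scope(ipaddress.ip_network("10.0.200.0/24"), "10.0.200.1", ["10.0.200.50"]),
    ])
    # VLAN 100 client, relayed once by pfSense's VLAN 100 address.
    vlan100 = relay(build_discover(0x1001, b"\xaa\xbb\xcc\x00\x01\x00"), "10.0.100.1")
    # Client on the server's own VLAN: direct broadcast, no relay.
    vlan10 = build_discover(0x1002, b"\xaa\xbb\xcc\x00\x02\x00")
    # VLAN 200 client crossing two relays: giaddr keeps the first relay's address.
    vlan200 = relay(relay(build_discover(0x1003, b"\xaa\xbb\xcc\x00\x03\x00"),
                          "10.0.200.1"), "10.0.10.1")
    results = {}
    for name, d in (("vlan100", vlan100), ("vlan10", vlan10), ("vlan200", vlan200)):
        r = parse(server.handle(d))
        results[name] = (r["yiaddr"], r["giaddr"], r["hops"])
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The point for the OP's question: the AP never sees any of this. A bridging AP forwards the client's broadcast onto whichever VLAN its port (or the SSID's tag) is in, pfSense relays it with that VLAN's `giaddr`, and the Windows server answers from the matching scope. The security caveat is that the server trusts `giaddr` blindly, so anything that can send unicast to UDP/67 on the server can ask for a lease from any scope; the pfSense rules in front of the DHCP server's VLAN should only admit UDP/67 from the relay addresses, not from every VLAN.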
I went ahead and attempted to rebuild the network, but I have run into a problem.
vSwitch (0) - vmnic 0
Untangle External & Internal (Bridged)
Pfsense Network 1
Windows 7 Client
My traffic isn't filtered at all via Untangle Web Filter Lite. The previous network configuration I had set up did exactly what I wanted, but was double NATted, given that Untangle was an actual router and I gave my pfSense router a static IP address, with which I could create VLANs and networks to other switches seamlessly. I also understand that Untangle must be installed "inline" in order for it to work correctly. In order to even get close to pfSense VLANs, I must make sure the network is working properly. I'm very confused.
Did you create the tagged interfaces? If not, I believe UT strips the tags, disassembles the packet and reassembles it on the other end. When this happens, I'm not sure if the traffic gets passed through the UVM, but I'm not totally sure.
Even though it works the way you're doing it, I would suggest adding two extra NICs and dedicating two NICs to each VM. Then I would re-install UT. I used the OVA… deployment was really easy.
I use Untangle with the home license, switched from pfSense for better filtering and UTM features, and have it working with VLANs fine. So, to tell the truth, I am very happy with UT and have not experienced any slowdowns compared to pfSense, so I really am not seeing the use case of pfSense here; just use UT as the firewall/router also. The fewer complications, the better things work.