2WAN-2SSID
-
I need some professional opinion on setting up the following framework:
Hardware:
1. Router: PC running pfSense with WAN and LAN ports
2. Unmanaged switch
3. Two UniFi AC access points
The setup I am trying to achieve is the following:
1. Router gets the internet connection on WAN and sets up a separate VPN tunnel. This results in two WAN interfaces: original WAN and VPN-WAN
2. UniFi access points broadcast two SSIDs (SSID-WAN and SSID-VPN-WAN) each. Clients connected to SSID-VPN-WAN should have all traffic go through VPN-WAN, clients connected to SSID-WAN should have WAN for their traffic.
Is this achievable with the hardware I have listed? I've educated myself on subnetting and VLANs. Am I going in the right direction?
Thanks!
-
You'll need a managed switch if you want multiple SSIDs on each access point.
I would go for 3 or maybe more VLANs, a VLAN for each SSID, one for the LAN users.
I've got an SG-4860 router with a single WAN interface, 3 Linksys LGS308P 8-Port Gigabit PoE+ switches and a Ubiquiti UniFi AC Pro.
I have 5 VLANs in use:
VLAN ID   VLAN Name   Type
1         UNUSED      Static
2         USER        Static
3         GUEST       Static
4         IOT         Static
5         DMZ         Static
100       VOICE       Static
4093      Default
The switch port that connects to the SG-4860 is set up to carry the following: VLAN 2 Tagged, VLAN 3 Tagged, VLAN 4 Tagged, VLAN 5 Tagged & VLAN 4093 Untagged PVID.
The switch port that connects to the AP is set up to carry the following: VLAN 2 Tagged, VLAN 3 Tagged, VLAN 4 Tagged & VLAN 4093 Untagged PVID.
-
I haven't played with UniFi a lot. However, I do have a similar setup here in my location.
I am using an Open-Mesh AP which allows me to create multiple SSIDs and NAT them. In my case, I have an SSID for internal which is bridged to the internal network and an SSID for guest which is NATed inside the AP.
Internal SSID: 192.168.1.X network
Guest SSID: 10.255.20.X network -> NAT to 192.168.1.X (All NAT is purely done by the AP, not in pfSense)
My AP IP is 192.168.1.10, for example.
I am using 2 ISPs in this case. The faster ISP I use for the internal LAN and the slower ISP I give to guests. (You can do this with ISP-regular and ISP-VPN in your case)
All I did was set up a different route in the firewall rules. All internal traffic is routed to the faster ISP and the guest traffic, which is sourced from 192.168.1.10, is routed to the slower ISP.
If the UniFi can't do NAT for the other SSID, then you need to consider getting a DD-WRT router which allows multiple SSIDs with NAT.
Thank you
-
If the UniFi can't do NAT for the other SSID, then you need to consider getting a DD-WRT router which allows multiple SSIDs with NAT.
It can't, you need a managed switch. Why kludge your guest SSID with NAT?
-
If the UniFi can't do NAT for the other SSID, then you need to consider getting a DD-WRT router which allows multiple SSIDs with NAT.
It can't, you need a managed switch. Why kludge your guest SSID with NAT?
This is what I meant by NATing the guest SSID:
http://blog.danjoannis.com/?p=1362
This will work if you don't have a managed switch but you can still separate the guest internet and private internet.
See the screenshot of my firewall configuration and how I achieved separating the networks by NATing the guest without using a managed switch.
-
That's fine how you're doing it, but the guest WiFi is still NAT'd twice, isn't it? Once on the DD-WRT unit and once on the pfSense router.
IMO double NAT = bad.
If the OP decides to go with UniFi APs he'll need a managed switch.
-
That's fine how you're doing it, but the guest WiFi is still NAT'd twice, isn't it? Once on the DD-WRT unit and once on the pfSense router.
IMO double NAT = bad.
If the OP decides to go with UniFi APs he'll need a managed switch.
I agree, double NAT can be bad for certain applications. I am just proposing another option if the OP doesn't want to get a managed switch.
-
Guys, thanks a lot for your suggestions. I went ahead and bought a managed switch. Can someone suggest how to set this up without double NATing?
-
No double NAT, as NAT only takes place on the pfSense router.
Assuming you've purchased a Ubiquiti access point, you'll need to do this:
pfSense
- Create a VLAN per subnet via Interfaces -> VLANs and tag each one with a different number.
- Assign the interface and give it a meaningful name.
- Apply IP addresses to the interface.
Switch
- Create the VLANs on the switch using the same VLAN tag numbers.
- Create a trunk port containing all the VLANs you want to pass from the router to the switch (untagged PVID & tagged). Also do this if you're connecting another switch to the switch that connects to the pfSense router.
My pfSense box connects to GE1, the AP to GE2 and another switch to GE8 via an ethernet-over-power gizmo.
- Configure the trunk port that the AP connects to so it carries the VLANs you require. If you were only ever to use one subnet you could set it as a switch port with an untagged PVID, but IMO it's better to set it up as a trunk so you can add additional subnets if required (up to 4 per Ubiquiti AP group).
UniFi Controller
- Create the SSID/SSIDs you require via Settings -> Wireless Networks, click on Advanced Options, tick VLAN and put the VLAN ID in.
AP
- Connect it to the switch port; its IP address needs to come from an untagged VLAN.
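The plan the thread converges on (one VLAN per SSID, the same tag on pfSense and on both trunk legs, the AP addressed from the untagged PVID, and each SSID's pass rule pinned to WAN or VPN-WAN) can be sanity-checked on paper before touching the hardware. This is an added example, not code from the thread or any poster; the VLAN table, the GE1/GE2 ports and the gateway names WAN and VPN-WAN come from the posts, while the Port and Plan structures and the check itself are mine.

```python
from dataclasses import dataclass


@dataclass
class Port:
    tagged: set   # VLAN IDs carried tagged on this trunk port
    pvid: int     # untagged native VLAN (PVID); 0 if the port carries no untagged VLAN


@dataclass
class Plan:
    pfsense_vlans: dict   # VLAN tag -> pfSense interface name (Interfaces -> VLANs)
    ports: dict           # switch port -> Port
    router_port: str      # switch port facing pfSense
    ap_port: str          # switch port facing the access point
    ssids: dict           # SSID -> {"vlan": tag, "gateway": gateway pinned in its pass rule}


def check_plan(p: Plan) -> list:
    """Return findings as strings; an empty list means the plan is consistent."""
    findings = []
    ap, rtr = p.ports[p.ap_port], p.ports[p.router_port]
    # The AP takes its own address from the untagged VLAN on its port.
    if not ap.pvid:
        findings.append(f"{p.ap_port}: AP port needs an untagged PVID for AP management")
    for name, cfg in p.ssids.items():
        v = cfg["vlan"]
        if v not in p.pfsense_vlans:
            findings.append(f"{name}: no pfSense VLAN interface with tag {v}")
        # Tagged client frames must ride both trunk legs to reach pfSense.
        for pname, port in ((p.ap_port, ap), (p.router_port, rtr)):
            if v not in port.tagged:
                findings.append(f"{name}: VLAN {v} not tagged on {pname}")
        if v == ap.pvid:
            findings.append(f"{name}: VLAN {v} is the AP port PVID; keep client SSIDs tagged")
        # Without a gateway in its pass rule the SSID just follows the default route.
        if not cfg.get("gateway"):
            findings.append(f"{name}: firewall rule does not pin a gateway")
    return findings


# Constructed sample: VLAN table and trunk ports as in the thread, the OP's two SSIDs.
SAMPLE = Plan(
    pfsense_vlans={2: "USER", 3: "GUEST", 4: "IOT", 5: "DMZ", 100: "VOICE"},
    ports={"GE1": Port({2, 3, 4, 5}, 4093), "GE2": Port({2, 3, 4}, 4093)},
    router_port="GE1", ap_port="GE2",
    ssids={"SSID-WAN": {"vlan": 2, "gateway": "WAN"},
           "SSID-VPN-WAN": {"vlan": 3, "gateway": "VPN-WAN"}},
)
```

`check_plan(SAMPLE)` returns an empty list; dropping the PVID from GE2, moving an SSID to a VLAN the AP port does not carry, or leaving the gateway field empty each produces a finding naming the SSID and port concerned.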