Isolating Guest SSID and Staff SSID on different DHCP subnets
This is my first posting on this forum ever, hope I'll be clear and concise… so here we go:
Newly installed pfSense 2.3.3 with 3 NICs:
WAN (rl0) goes (obviously) to ISP Static IP
LAN (ste0) IP 10.100.100.10 - Subnet Mask 255.255.255.0 - Gateway (none)
DHCP scope 10.100.100.100 to 10.100.100.199 (first bank)
DHCP scope 10.100.100.200 to 10.100.100.249 (second bank)
Connected to a D-Link DES-1210-52 managed switch having IP 10.100.100.20
OPT (xl0) IP 192.168.200.10 - Subnet Mask 255.255.255.0 - Gateway (none)
DHCP scope 192.168.200.100 to 192.168.200.199 (first bank)
DHCP scope 192.168.200.200 to 192.168.200.248 (second bank as rollover)
Connected to an external wireless access point NetGear FVS318N having IP 192.168.200.20
NetGear has two SSIDs (Staff and Client) configured; it has no DHCP enabled and is not connected through the WAN port.
So far, all LAN clients are working: my staff has access to the printers, the server and the Internet. Everything is fine on the LAN side, proper rules are applied. DHCP is working fine and SIP phones are connecting flawlessly.
On the OPT side, although everything is working just fine (clients are receiving DHCP addresses and can surf the net without seeing our LAN), the staff is also receiving IP address from the 192.168.xxx.yyy DHCP pool, thus not seeing our LAN and unable to access the server and printers.
Note: SIP phones will never be on this DHCP pool.
My question is: is it possible to configure one VLAN (VLAN10) to use the second bank from the LAN DHCP, without bridging OPT to LAN, for the SSID "Staff", in order for them to be on the same subnet?
And at the same time use another VLAN (VLAN20) to hand out IP addresses from the 192.168.xxx.yyy DHCP to continue restricting LAN access?
I know I would remove the IP address present on the OPT interface, as well as its DHCP scope, and start from scratch. But before going ballistic, I want to know if creating two VLANs on different subnets, and binding them to the SSIDs of the NetGear wireless router, is possible.
I know that buying another wireless router and trunking it to the switch would do the trick.
By the way, I know I can set VLANs on the NetGear, but right now I can't ping the NetGear (which is 192.168.200.20) from 10.100.100.xxx. I would like to have it in the LAN subnet; should I set the NetGear to 10.100.101.xxx and use NAT to send the Staff SSID to 10.100.100.xxx?
Would just putting the Staff ssid in the lan subnet work for you? If yes, then make the vlan10 interface IP 10.100.100.15 - Subnet Mask 255.255.255.0 and cable that to the D-Link DES-1210-52.
"and binding them to the SSid of the NetGear wireless router is possible."
Highly unlikely that any soho netgear wireless router supports vlans.. While they can do a guest network, it's not actually a vlan that can be handed off out its switch ports; it's just between its switch ports and the 2 wifi networks it creates.
If you want to put ssids on different networks/vlans then you need an AP that supports that.
My DLink, Asus and Linksys flashed routers have switch ports that support vlan.
It's a matter of the firmware to support VLANs, just about any hardware that you find integrated in WLAN routers/APs is VLAN capable now.
gjaltemba wrote: "Would just putting the Staff ssid in the lan subnet work for you?"
I like this as an option, I will give this a try tomorrow and get back to you… Thanks buddy, really appreciate the help!!!
johnpoz wrote: "Highly unlikely that any soho netgear wireless router supports vlans.."
I gave the make and model of the wireless router in question, and it does support VLAN tagging.
And this brings me to mention an old saying: "When you don't know, don't pretend to know"
I'll get back to you gjaltemba
I learn a lot from johnpoz. He is the man. Respect.
Sorry I missed that model in your stream of words.. That is not your typical wifi router.. That is a VPN firewall ;) While sure looks like you can assign a vlan ID to ssid.. Where do you tag that vlan going out a switch port to connect to pfsense?
Where is the config on the port connected to pfsense that you tagged it? Where are your vlans on pfsense? Are you wanting to split the vlans via your smart switch to connect to your lan and opt networks as untagged?
"but the staff is also receiving IP address from the 192.168.xxx.yyy DHCP pool, "
If your devices are not getting an IP from the correct dhcp server, this points to a problem at your L2, i.e. vlans not tagged on the connection to pfsense, or vlans not correctly set up on your switch.. You can for sure have vlan X connected to your lan, and vlan Y connected to your opt..
""When you don't know, don't pretend to know""
Are you saying I don't know what I am talking about?? Really?? That's what it looks like.. Wow! ;) That is funny.. hehehehe Mister 2 post wonder…
Sorry JohnPoz for the confusion,
But really I was talking about me… I read myself back, and (Wouawe) it sure sounded like I was blaming you...
Excuse my English, for I am a French-speaking guy from Quebec; we have a tendency to translate as we speak, making things backwards...
As for my problem: right now, the pfSense having 3 NICs, LAN1 is providing DHCP to all LAN clients just fine. On OPT1 I have set up DHCP and all the users connecting to the NetGear in AP mode are accessing the Internet, no problem. It's just that my boss raised the fact that we have two (2) SSiD on for staff and one for Clients (hotspot)... I did use the original NetGear wireless access point IP address range, just for security's sake.
Thus isolating the wired from the wireless. Now, how can I allow only the Staff SSID to access the LAN network while allowing the Client SSID access only to the Internet?
Should I use NAT? (NAT has no way to know which IP comes from what SSID, to my understanding.)
Should I bridge LAN1 and OPT1 to the same IP (10.100.100.10), then create a VLAN only for the Client SSID? Then a different DHCP would have to be for the VLAN; how to configure all this eludes me.
Or should I say, how to ensure that the best configuration possible has been thought of...
Anyway, if you have any suggestion I am looking at all the proposals...
I might want to add: right now, having a DHCP scope of 192.168.200.100 -> 192.168.200.199 and the NetGear being set to 192.168.200.20 makes it impossible for me to ping or access the NetGear from 10.100.100.xxx with subnet mask 255.255.255.0. Is there a way, with respect to this post, that I can gain access to this NetGear… Of course I'll change any configuration if need be...
Or should I start this in another topic?
"It's just that my boss raised the fact that we have two (2) SSiD on for staff and one for Clients (hotspot)"
So you have 3?? Dude where is that in your config? You only have 2 networks assigned in pfsense? How exactly do you have 3 different networks? Or you just have different SSID that are on the same network?
If you want to create different networks via vlans and SSID.. Then your AP (FVS318N) needs to tag these different vlan IDs to the different SSIDs. You can then split those vlans at your switch to different physical connections on pfsense. Or you need to create vlan interfaces on pfsense, and the port(s) connected to pfsense from your switch or AP need to have that traffic tagged with the vlan ID so pfsense can know what network is what.
As to what your different networks/vlans can do either outbound to the internet or to each other would depend on what firewall rules you put in place on the different interfaces of pfsense.
So you can do it a couple different ways: you can bring all your vlans into 1 interface on pfsense via tags and let pfsense sort them out. Or you can let your switch break out the vlans to different physical interfaces and then run all of those into pfsense as untagged on physical interfaces on pfsense.
Or you can do a combination of the 2 where say lan comes in on its own physical interface, and then your wifi comes in on a different physical interface into pfsense with the tags on them.. Or you could prob do since your AP has multiple switch ports that you can put into different vlans.. You could have multiple vlans on physical ports coming off your switch all untagged.
But nowhere in your setup have you mentioned how you get the vlan IDs you assign on your AP to pfsense?? Seems like you have your AP directly connected to a physical interface on opt1.. But you have not created any vlan interfaces on this physical interface? So how does pfsense know what vlan traffic is based upon the tag coming in from your AP. You can create vlan IDs on your AP all you want, but if you just connect it to untagged Layer 2 network, pfsense will think all of that is on the same network!
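To make the point above concrete (a VLAN ID assigned on the AP is only a 4-byte 802.1Q tag in each Ethernet frame, and a firewall that receives the frame untagged has no way to tell the SSIDs apart), here is a small added example that is not part of this thread or of pfSense. It builds constructed Ethernet frames with and without an 802.1Q tag, parses them the way an L2 device would, and maps the VLAN ID to the network/DHCP pool that would serve the sender. The mapping VLAN 10 = Staff -> LAN and VLAN 20 = Client -> OPT is an assumption taken from the original question, and `access_port_egress` models what a switch port configured as untagged for one VLAN does to the frame before it reaches the firewall:

```python
"""Toy 802.1Q frame builder/parser (added example, not from the thread or from pfSense).

Demonstrates why SSID-to-VLAN assignments on an AP only work end to end when
the tag actually survives to the firewall (or is split out by the switch).
"""
import struct

TPID_8021Q = 0x8100      # EtherType value that announces an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800

# Hypothetical plan from the original question: VLAN 10 = Staff, VLAN 20 = Client.
VLAN_TO_NETWORK = {
    10: "LAN 10.100.100.0/24",
    20: "OPT 192.168.200.0/24",
}
# Untagged frames simply belong to whatever network the cable is plugged into.
NATIVE_NETWORK = "OPT 192.168.200.0/24"


def _mac(text):
    return bytes.fromhex(text.replace(":", ""))


def build_frame(dst, src, vid=None, payload=b""):
    """Construct an Ethernet II frame; add an 802.1Q tag (PCP=0, DEI=0) when vid is given."""
    frame = _mac(dst) + _mac(src)
    if vid is not None:
        if not 1 <= vid <= 4094:
            raise ValueError("VLAN ID must be 1..4094")
        frame += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)   # TPID + TCI
    frame += struct.pack("!H", ETHERTYPE_IPV4) + payload
    return frame


def parse_frame(frame):
    """Return (dst, src, vid_or_None, ethertype, payload) for a frame with at most one tag."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst = frame[0:6].hex(":")
    src = frame[6:12].hex(":")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    vid, offset = None, 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q header")
        tci = struct.unpack("!H", frame[14:16])[0]
        vid = tci & 0x0FFF                      # low 12 bits of the TCI
        ethertype = struct.unpack("!H", frame[16:18])[0]
        offset = 18
    return dst, src, vid, ethertype, frame[offset:]


def classify(frame):
    """Which network (and therefore which DHCP pool) would answer this frame's sender?"""
    _, _, vid, _, _ = parse_frame(frame)
    if vid is None:
        return NATIVE_NETWORK
    return VLAN_TO_NETWORK.get(vid, f"dropped: unknown VLAN {vid}")


def access_port_egress(frame, port_vid):
    """Model a switch port that is untagged for port_vid: strip a matching tag, drop the rest."""
    _, _, vid, _, _ = parse_frame(frame)
    if vid is None:
        return frame                            # already untagged; belongs to the port's VLAN
    if vid != port_vid:
        return None                             # wrong VLAN: the port never forwards it
    return frame[:12] + frame[16:]              # remove the 4-byte TPID/TCI


if __name__ == "__main__":
    bcast, staff_mac, guest_mac = "ff:ff:ff:ff:ff:ff", "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"
    # Constructed sample frames; the payload is just a marker, not a real DHCP packet.
    for label, frame in [
        ("staff tagged 10", build_frame(bcast, staff_mac, 10, b"DHCPDISCOVER")),
        ("guest tagged 20", build_frame(bcast, guest_mac, 20, b"DHCPDISCOVER")),
        ("staff untagged ", build_frame(bcast, staff_mac, None, b"DHCPDISCOVER")),
    ]:
        print(f"{label}: {classify(frame)}")
```

The third sample reproduces the symptom in the first post: once the tag is gone, the staff laptop's DHCP request is indistinguishable from a guest's and is answered from the same pool. Running a tagged staff frame through `access_port_egress(frame, 10)` shows the switch-side alternative, where the tag is consumed by the access port and pfSense receives plain untagged traffic on the physical interface wired to that port.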
It's a typo, my humble excuse; it should have read "we have two (2) SSID, one for staff and one for clients".
Sorry, anyway… I haven't solved the issue yet, but you know how bosses are: I am implementing another FW in a remote location, etc etc...
I'll be back...
Thanks for all the efforts and pardon my misunderstanding...