Isolating Guest SSiD and Staff SSiD on different DHCP subnet
-
"and binding them to the SSid of the NetGear wireless router is possible."
Highly unlikely that any soho netgear wireless router supports vlans.. While they can do a guest network, it's not actually a vlan that can be handed off out its switch ports; it's just between its switch ports and the 2 wifi networks it creates.
If you want to put ssids on different networks/vlans then you need an AP that supports that.
-
My DLink, Asus and Linksys flashed routers have switch ports that support vlan.
-
It's a matter of the firmware to support VLANs, just about any hardware that you find integrated in WLAN routers/APs is VLAN capable now.
-
Hi Guys,
gjaltemba wrote: "Would just putting the Staff ssid in the lan subnet work for you?"
I like this as an option, I will give this a try tomorrow and get back to you… Thanks buddy, really appreciate the help!!!
johnpoz wrote: "Highly unlikely that any soho netgear wireless router supports vlans.."
I gave the make and model of the implied wireless router, and it does support VLAN tagging. And this brings me to mention an old saying: "When you don't know, don't pretend to know"
I'll get back to you gjaltemba
Thanks,
-
I learn a lot from johnpoz. He is the man. Respect.
-
"FVS318N "
Sorry I missed that model in your stream of words.. That is not your typical wifi router.. That is a VPN firewall ;) While it sure looks like you can assign a vlan ID to an ssid.. Where do you tag that vlan going out a switch port to connect to pfsense?
Where is the config on the port connected to pfsense that you tagged it? Where are your vlans on pfsense? Are you wanting to split the vlans via your smart switch to connect to your lan and opt networks as untagged?
"but the staff is also receiving IP address from the 192.168.xxx.yyy DHCP pool, "
If your devices are not getting an IP from the correct dhcp server this points to a problem at your L2, i.e. vlans not tagged on the connection to pfsense. Or vlans not correctly set up on your switch.. You can for sure have vlan X connected to your lan, and vlan Y connected to your opt..
""When you don't know, don't pretend to know""
Are you saying I don't know what I am talking about?? Really?? That's what it looks like.. Wow! ;) That is funny.. hehehehe Mister 2 post wonder…
-
Sorry JohnPoz for the confusion,
But really I was talking about me… I read myself back, and (Wouawe) it sure sounded like I was blaming you...
Excuse my English for I am a French speaking guy from Quebec, we have a tendency to translate as we speak, making backward things...
As for my problem, right now the PFsense having 3 NICs, LAN1 is providing DHCP to all LAN clients just fine. On the OPT1 I have set up DHCP and all the users connecting to the NetGear in AP mode are accessing the Internet no problem. It's just that my boss raised the fact that we have two (2) SSiD on for staff and one for Clients (hotspot)... I did the use the original netgear original wireless access point IP address range, just for security sakes.
Thus isolating the Wired from the Wireless, Now how can I allow only the Staff SSiD to access the LAN network while allowing Client SSiD access only to internet...
Should I use NAT, (NAT has no way to know which IP comes from what SSiD to my understanding)
Should I bridge LAN1 and OPT1 to the same IP (10.100.100.10), then create a VLAN only for the Client SSid? Then a different DHCP would have to be for the VLAN, how to configure all this eludes me. Or should I say, how to ensure that the best configuration possible has been thought of...
Anyway, if you have any suggestion I am looking at all the proposals...
Greg!
-
Hi Guys,
I might want to add, right now, having a DHCP scope of 192.168.200.100 -> 192.168.200.199 and
the Netgear being set to 192.168.200.20 makes it impossible for me to ping or access the NetGear from
10.100.100.xxx with subnet mask 255.255.255.0, Is there a way, with respect to this post that I can gain
access to this NetGear… Of course I'll change any configuration if needs be... Or should I start this in another topic?
Greg!
-
"It's just that my boss raised the fact that we have two (2) SSiD on for staff and one for Clients (hotspot)"
So you have 3?? Dude where is that in your config? You only have 2 networks assigned in pfsense? How exactly do you have 3 different networks? Or you just have different SSID that are on the same network?
If you want to create different networks via vlans and SSID.. Then your AP (FVS318N) needs to tag these different vlan IDs to the different SSIDs, You can then split those vlans at your switch to different physical connections on pfsense. Or you need to create vlan interfaces on pfsense, and the port(s) connected to pfsense from your switch or AP need to have that traffic tagged with the vlan ID so pfsense can know what network is what.
As to what your different networks/vlans can do either outbound to the internet or to each other would depend on what firewall rules you put in place on the different interfaces of pfsense.
So you can do it a couple of different ways: you can bring all your vlans into 1 interface on pfsense via tags and let pfsense sort them out. Or you can let your switch break out the vlans to different physical interfaces and then run all of those into pfsense as untagged on physical interfaces on pfsense.
Or you can do a combination of the 2 where say lan comes in on its own physical interface, and then your wifi comes in on a different physical interface into pfsense with the tags on them.. Or you could prob do since your AP has multiple switch ports that you can put into different vlans.. You could have multiple vlans on physical ports coming off your switch all untagged.
But nowhere in your setup have you mentioned how you get the vlan IDs you assign on your AP to pfsense?? Seems like you have your AP directly connected to a physical interface on opt1.. But you have not created any vlan interfaces on this physical interface? So how does pfsense know what vlan traffic is based upon the tag coming in from your AP. You can create vlan IDs on your AP all you want, but if you just connect it to untagged Layer 2 network, pfsense will think all of that is on the same network!
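An added example, not part of the original post and not pfSense code: a small Python model of the point above, that the firewall picks an interface (and therefore a rule set) from the 802.1Q tag, so guest traffic arriving untagged is judged by the parent interface's rules. The VLAN IDs 20 and 30, the STAFF/GUEST interface names, the rule sets and the use of 192.168.200.0/24 as the staff subnet are assumptions; 10.100.100.0/24 is the LAN from the thread.

```python
import ipaddress

# LAN subnet is the one given in the thread; the VLAN IDs, the STAFF/GUEST
# interface names, the staff subnet and all rules are constructed for this example.
LAN_NET = ipaddress.ip_network("10.100.100.0/24")
STAFF_NET = ipaddress.ip_network("192.168.200.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")

# 802.1Q tag -> VLAN interface created on the physical OPT1 port.
VLAN_IFACES = {20: "STAFF", 30: "GUEST"}

# Per-interface rules: top-down, first match wins, no match means block.
RULES = {
    "STAFF": [("pass", ANY)],
    "GUEST": [("block", LAN_NET), ("block", STAFF_NET), ("pass", ANY)],
    "OPT1": [("pass", ANY)],  # assumed rule on the untagged parent interface
}


def ingress_interface(vlan_tag):
    """Map a frame's tag to the firewall interface that receives it."""
    if vlan_tag is None:
        return "OPT1"  # untagged frames belong to the parent interface
    return VLAN_IFACES.get(vlan_tag)  # unknown tag: no interface (model assumption)


def decide(vlan_tag, dst):
    """Return 'pass', 'block' or 'drop' for a frame entering the firewall."""
    iface = ingress_interface(vlan_tag)
    if iface is None:
        return "drop"
    dst_ip = ipaddress.ip_address(dst)
    for action, net in RULES[iface]:
        if dst_ip in net:
            return action
    return "block"


def guest_reaches_lan(ap_tags_guest):
    """Can a guest client reach a LAN host, with and without AP-side tagging?"""
    tag = 30 if ap_tags_guest else None
    return decide(tag, "10.100.100.10") == "pass"


if __name__ == "__main__":
    print("tagged guest -> LAN:", guest_reaches_lan(True))
    print("untagged guest -> LAN:", guest_reaches_lan(False))
```

With the guest SSID tagged, the GUEST rules block the LAN; with the same SSID handed off untagged, the frame is evaluated as OPT1 traffic and the guest rules never apply.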
-
Hi Johnpoz,
It's a typo, my humble excuse, it should have read ''we have two (2) SSid, one for staff and one for clients''
Sorry, anyway… I haven't solved the issue yet, but you know how bosses are, I am implementing another FW in
a remote location, etc etc... I'll be back...
Thanks for all the efforts and pardon my misunderstanding...