Netgate Discussion Forum

    Wi-Fi AP on LAN… Best way to isolate guests?

      Mothra

      I have a Wi-Fi AP on my LAN that gives DHCP to my known/trusted devices… what I'd like to do is when guests connect, either put them on a VLAN or OPT1 or DMZ or whatever makes the most sense so that they can't have access to the LAN interface. I can't seem to wrap my head around how to approach this being that the AP is using the LAN DHCP to assign IPs using the LAN DHCP settings. My AP has a Guest feature, but I'd really like to just put them on their own interface and keep them there at the firewall level.

      TIA

        johnpoz LAYER 8 Global Moderator

        If by AP you mean an old wifi router you're using as an AP, then its guest feature will not really work. The way those do a guest is only when they are the router, and the guest cannot talk to the LAN ports or the other wifi but has internet access.

        If you want to create a guest network via your AP and pfSense you need an AP that does VLANs. Then it's easy peasy lemon squeezy ;)

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

          tmoore

          Could you share the steps involved in setting up the guest network using VLANs? It may be easy, but not obvious.

          Also, I have similar questions as in this post https://forum.pfsense.org/index.php?topic=138846.msg758855#msg758855 about how to set up a VLAN.

          Thanks,

          Tom

            Velcro

            I'll take a shot at helping out… having gone thru this myself.

            Step 1
            You need an AP that is VLAN capable... a lot of folks recommend Unifi AP (Ruckus is also well regarded... there are other posts regarding this discussion, some OSS and reflashing a wireless router is also an option... I haven't done that before). I don't have a lot of experience with other APs but I have a Unifi AP (+/-$100) which works fine.

            It is also advised you get a managed switch capable of VLANs (+/-$50). You might be able to convert your current router to AP mode but it depends on your AP... tmoore, I don't think Airport Express is VLAN capable. I also believe the SG1000 has only 1 LAN NIC, so you will likely need a VLAN capable AP to do a guest.

            Step 2
            Add VLANs to your pfSense configuration. I laid the steps out in this post:
            https://forum.pfsense.org/index.php?topic=138680.msg758552#msg758552

            Step 3 (Might make sense to combine this with step 2)
            Isolate your networks using the rules. I posted a screenshot of my rules on this forum:
            https://forum.pfsense.org/index.php?topic=138989.0
            (Thank Johnpoz for the help with these!)

            I hope that helps get you started...

            (tmoore, you have very long posts... I found it more effective in the forum to break it down into smaller questions!)

            Good luck to both of you! If you have any questions or need help, reach back out!!

            V

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.