Wi-Fi AP on LAN… Best way to isolate guests?

  • I have a Wi-Fi AP on my LAN that gives DHCP to my known/trusted devices… what I'd like to do is when guests connect, either put them on a VLAN or OPT1 or DMZ or whatever makes the most sense so that they can't have access to the LAN interface. I can't seem to wrap my head around how to approach this being that the AP is using the LAN DHCP to assign IPs using the LAN DHCP settings. My AP has a Guest feature, but I'd really like to just put them on their own interface and keep them there at the firewall level.


  • LAYER 8 Global Moderator

    If by AP you mean an old wifi router you're using as AP then its guest feature will not really work.  The way those do a guest is only when they are the router, and the guest cannot talk to the lan ports or the other wifi but have internet access.

    If you want to create guest network via your AP and pfsense you need an AP that does vlans.  Then it's easy peasy lemon squeezy ;)

  • Could you share the steps involved in setting up the guest network using vlans?  It may be easy, but not obvious.

    Also, I have similar questions as in this post https://forum.pfsense.org/index.php?topic=138846.msg758855#msg758855 about how to set up a vlan.



  • I'll take a shot at helping out…having gone thru this myself.

    You need an AP that is VLAN capable...a lot of folks recommend Unifi AP (Ruckus is also well regarded...there are other posts regarding this discussion, some OSS and reflashing a wireless router is also an option...I haven't done that before). I don't have a lot of experience with other APs but I have a Unifi AP (+/-$100) which works fine.

    It is also advised you get a managed switch capable of VLANs (+/-$50). You might be able to convert your current router to AP mode but it depends on your AP...tmoore, I don't think Airport express is VLAN capable, I also believe the SG1000 has only 1 LAN NIC so you will likely need a VLAN capable AP to do a guest.

    Add VLANs to your pfSense configuration, I laid the steps out in this post:

    Step 3 (Might make sense to combine this with step 2)
    Isolate your networks using the rules, I posted a screenshot of my rules on this forum:
    (Thank Johnpoz for the help with these!)

    I hope that helps get you started...

    (tmoore you have very long posts...I found it more effective in the forum to break it down into smaller questions!)

    Good luck to both of you! If you have any questions or need help reach back out!!

