Guest Network



  • In the near future I am planning to replace my router with a computer with 3 network ports running pfSense.
    The first one will be WAN and the second one my private LAN. The third one should be for the guest network. I already know how to configure pfSense so that all devices on that network can only access the internet but not the devices that are connected to the private LAN (port 2), from another forum post that I found. But I would also like to configure it so that the devices connected to the guest network cannot access each other, for better privacy.
    Is that possible?
    And is it also possible that there is no device limit on that network (by automatically using different subnets?)?

    I am new to pfSense, so all help is appreciated :D


  • LAYER 8 Global Moderator

    Devices talking to each other on the same network have nothing to do with pfSense.  pfSense is the gateway off a network; other than, say, maybe DHCP and DNS for the clients on the network, it does not control or have any way of limiting them from talking to each other.

    If you want to prevent wireless clients from talking to each other you would need to use an AP that supports client isolation or AP isolation; it goes by a few names.  If these are wired clients you would need a switch that supports private VLANs, which is basically the same thing, just in the wired world.



  • In the near future I am planning to replace my router with a computer with 3 network ports running pfSense.

    APU2C4 or SG-2440 might be a good choice to start with.

    The first one will be WAN and the second one my private LAN.

    Could be done with ease, by using VLANs or by plain routing and connecting a dumb network switch.

    The third one should be for the guest network.

    Wired or wireless, or perhaps both? Again, a network switch and plain routing, or using VLANs, is matching here.

    I already know how to configure pfSense so that all devices on that network can only access the internet but not the devices that are connected to the private LAN (port 2), from another forum post that I found.

    Going by network switches that are dumb and using firewall rules, or going with managed switches and by switch ACLs,
    might be another route to walk on.

    But I would also like to configure it so that the devices connected to the guest network cannot access each other, for better privacy.
    Is that possible?

    For sure, if these are wireless clients you might be able to activate the client isolation in pfSense too.

    And is it also possible that there is no device limit on that network (by automatically using different subnets?)?

    Limits are mostly given only by the CIDR or by the used hardware, and perhaps depending on the other network infrastructure.


  • LAYER 8 Netgate

    But I would also like to configure it so that the devices connected to the guest network cannot access each other, for better privacy.
    Is that possible?

    For wired guests, wireless guests, or both?

    For multiple guest networks or one network?



  • @BlueKobold:

    @Derelict:

    The guest network will be an unmanaged ZyXEL PoE switch with multiple APs connected to it; it is supposed to be one network.
    Is the client isolation in pfSense enough, or do the APs have to support it too?

    About the device limit, can I just enable CIDR or is there anything else needed? I am sorry if it is a stupid question, but I am new to this advanced networking stuff.


  • LAYER 8 Netgate

    There is no "client isolation" in pfSense. It is a layer 3 firewall. It cannot keep 192.168.1.100 from talking to 192.168.1.101 on a /24 network. pfSense will never even see the traffic between them in that case.

    That isolation must be done in Layer 2 - the switching/access point layer.

    Your unmanaged switch is going to be useless there as well.

    What you need is to connect all your access points to a managed switch with some capabilities similar to Cisco's private VLAN edge or protected port feature. This allows you to configure it so ports 2 through 10 can all exchange traffic with port 1 but not with each other. You would put your access points on ports 2 - 10 and pfSense on port 1. Other switches might be able to be configured using asymmetric VLANs or uplink ports.

    In addition, all of your access points will need to have a wireless client isolation feature to keep clients from talking to each other on the AP itself. That is a fairly standard feature.

    This all scales fairly well for one Layer 3 network but gets a LOT more complicated where multiple VLANs/Networks are concerned.

    Potential google terms in italics.
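    The two points in the reply above (a Layer 3 firewall never sees same-subnet traffic, and a protected-port switch lets each AP port talk to the uplink but not to the other AP ports) can be checked with a small model. This is an added example, not code from the thread or from pfSense; the addresses 192.168.1.100/.101 and the port numbers 1 through 10 are the ones used in the reply, the gateway address 192.168.1.1 and the private LAN address 192.168.2.10 are assumed.

```python
import ipaddress

# --- Layer 3: the host's own routing decision -----------------------------
def next_hop(src_ip, prefix_len, dst_ip, gateway):
    """Return where a host sends a packet: "direct" when the destination is
    on-link (delivered over Layer 2 via ARP/switching, never via the router),
    otherwise the gateway address.  This is the longest-prefix-match decision
    every host makes before a firewall such as pfSense can get involved."""
    net = ipaddress.ip_network(f"{src_ip}/{prefix_len}", strict=False)
    if ipaddress.ip_address(dst_ip) in net:
        return "direct"
    return gateway

def firewall_sees(src_ip, prefix_len, dst_ip, gateway):
    """True only if the packet is routed through the gateway, i.e. only then
    can a firewall rule on the gateway allow or block it."""
    return next_hop(src_ip, prefix_len, dst_ip, gateway) == gateway

# --- Layer 2: a "protected port" / private-VLAN-edge switch model ---------
def switch_forwards(ingress_port, egress_port, uplink_port, protected_ports):
    """Model of the protected-port behaviour described in the reply:
    protected ports may exchange frames with the uplink (pfSense on port 1)
    but never with each other.  Unprotected <-> unprotected is always allowed."""
    if ingress_port == egress_port:
        return False
    if ingress_port in protected_ports and egress_port in protected_ports:
        return False  # AP-to-AP traffic is dropped by the switch
    return True

def guest_isolation_report(gateway="192.168.1.1", prefix_len=24):
    """Summarise, for the constructed guest network, which flows pfSense can
    filter and which must be stopped at Layer 2 instead."""
    uplink = 1
    ap_ports = set(range(2, 11))  # ports 2 - 10 carry the access points
    return {
        # two guests on the same /24: the router never sees this traffic
        "guest_to_guest_via_pfsense": firewall_sees(
            "192.168.1.100", prefix_len, "192.168.1.101", gateway),
        # guest to the private LAN: routed, so a pfSense rule can block it
        "guest_to_private_lan_via_pfsense": firewall_sees(
            "192.168.1.100", prefix_len, "192.168.2.10", gateway),
        # the switch layer is what stops AP <-> AP frames
        "switch_ap2_to_ap3": switch_forwards(2, 3, uplink, ap_ports),
        "switch_ap2_to_pfsense": switch_forwards(2, uplink, uplink, ap_ports),
        "switch_pfsense_to_ap7": switch_forwards(uplink, 7, uplink, ap_ports),
    }

if __name__ == "__main__":
    for flow, allowed in guest_isolation_report().items():
        print(f"{flow}: {allowed}")
```

    Note that the switch model only covers traffic between AP ports; clients on the same AP still need the AP's own wireless client isolation, as the reply says, because those frames never leave the AP.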



  • @Derelict:

    There is no "client isolation" in pfSense. It is a layer 3 firewall. It cannot keep 192.168.1.100 from talking to 192.168.1.101 on a /24 network. pfSense will never even see the traffic between them in that case.

    That isolation must be done in Layer 2 - the switching/access point layer.

    Your unmanaged switch is going to be useless there as well.

    What you need is to connect all your access points to a managed switch with some capabilities similar to Cisco's private VLAN edge or protected port feature. This allows you to configure it so ports 2 through 10 can all exchange traffic with port 1 but not with each other. You would put your access points on ports 2 - 10 and pfSense on port 1. Other switches might be able to be configured using asymmetric VLANs or uplink ports.

    In addition, all of your access points will need to have a wireless client isolation feature to keep clients from talking to each other on the AP itself. That is a fairly standard feature.

    This all scales fairly well for one Layer 3 network but gets a LOT more complicated where multiple VLANs/Networks are concerned.

    Potential google terms in italics.

    Thank you, this really helped. I might just replace the switch as it is fairly old already.

