Architecture questions (VLAN, Wifi, …)

  • I'm thinking of diving into pfSense after being pretty darn disappointed with my Linksys 1900AC.

    What I'd like to have is a network with the following features:

    • pfSense connected to Comcast and my local LAN

    • A wifi access point with at least two SSIDs

    • One SSID will be for our Private wifi
    • One SSID for our Guest wifi – but it will also be just plain WPA2 with a password.

    Private WIFI access should be isolated from the local LAN.

    • I'm thinking of getting a UAP-AC-LITE or -LR connected to the local LAN OR directly to the pfSense.

    I think this needs to be done with VLAN tagging, and I believe that what I need to do is create two VLANs, each with their own DHCP on the pfSense box, and a trunked port on the pfSense box.  Then, I think I'll be creating two SSIDs on the Unifi, each tagged with a VLAN ID.

    Option 1: If I connect the Unifi to a dedicated trunked port on the pfSense and the local LAN to another pfSense port, then that should give me what I want?

    Option 2: If I want to connect the Unifi to the local LAN out at a leaf node, then I believe the local LAN has to be on a trunked port, and every wired device on the local LAN needs to be manually tagged at the device (or is there a concept of a default VLAN so only the wifi is tagged?)

    As far as security -- I only care that the Private WIFI is isolated (not worried about wired access).  Since in both option 1 and 2 the VLAN is created between the two devices, someone trying to change their tag on their wifi device should be ineffective?  (whereas someone on the wired LAN could access any VLAN by setting their own ID)

    Do I have this right?

    (And Option 2 might not even be necessary because I'll have PoE and can just put the Unifi almost anywhere.  But it sounds like I should get a pfSense with at least two LAN ports (and one WAN))

  • LAYER 8 Global Moderator

    At a minimum, yes, your pfSense box should have 2 NICs; the more the better for future growth, so local networks don't have to share VLANs on the same physical interface.  But 2 will work just fine - 4 would be better ;)

    1.  If you had a 2nd NIC other than "lan" on pfSense then you could have 2 networks, one private wifi and 1 guest wifi, and more even if you wanted.  The current code of Unifi allows for up to 8 SSIDs.  And if you get fancy with dynamically assigned VLANs you could really have as many as you wanted, since the same SSID could be used and then, depending on the client auth, assign it to a specific VLAN.

    2.  If you have a VLAN-capable switch, which it sounds like you do - have not seen a PoE switch that was dumb and didn't do VLANs ;)  Then yes, from your switch you would connect to the pfSense NIC and then trunk this.  Then any VLANs you assign to that "lan" port could be created on pfSense and your switch and your AP.  So your clients could be on the LAN network same as any wired client, or they could be put on a different private wifi, and then you could have guest as well, etc.

    The use of a real AP with VLAN support and a switch that does VLANs pretty much gives you the ability to do anything you want with your wifi.  You could put an SSID on any wired network you want this way.  You can then use pfSense to firewall between the different VLANs your wired and wireless clients are on to get you the control you want.  Say for example you don't want guest to access all of your network - but you do want them to be able to, say, access your printer or Plex server.  Simple firewall rule and that access could be allowed, etc. etc..

  • No, I only have dumb switches and don't really want to buy smart ones.

    The two Netgate boxes I'm looking at either have [WAN] [LAN] or [WAN] [LAN] [OPT1] [OPT2]

    So I was thinking [LAN] would be my private/wired LAN and [OPT1] would go to the Unifi, be VLAN trunked for both private and guest VLANs, plug the Unifi directly into [OPT1] with an optional inline PoE power source, and create two WIFI SSIDs, one for each VLAN.  That was option 1.

    OR I trunk [LAN] and put the Unifi somewhere downstream.  But it seems that would require trunking [LAN] and I'm not sure what other repercussions that has – it seems like all of my wired devices would transmit untagged packets that would hit the trunked [LAN].  That's option 2.

    Is there any way to make that work beyond making all of my wired devices tagged?  (Which isn't possible on some of my devices.)

    I bought the SG2440 (vs the 2200) and a Unifi Pro… I appreciated getting the extra ports later, including a separate interface for management. I think the 2440 has a faster processor for Snort, pfBlocker, etc...

    If money is the issue you can save a few $$ by getting the smart switch later and go with a 2200...

    Regarding the trunks, unless I missed a step... I didn't have to "tag" any clients, just the switch and Unifi; both are VLAN capable, and create the tagged VLAN interfaces in pfSense. You can create a non-VLAN interface with the Unifi Pro which also acts as the trunk for your VLANs.

    I assumed the tagged traffic was separate and VLANs were 90% as safe as a separate network... I am open to being "schooled"!

  • LAYER 8 Global Moderator

    "No, I only have dumb switches and don't really want to buy smart ones."

    That is a pretty "dumb" idea ;)  A smart switch that can do VLANs can be had for like $30 for an 8 port gig.. Out of the box you can just use it as a dumb switch and never even look at its GUI if you don't want to..  But when needed it can do VLANs.  The cost of entry-level "smart" switches is sometimes even cheaper than "dumb" switches…  If you're buying dumb switches - I would call that a DUMB decision ;)

    Who said anything about making your wired devices tagged??  If you have a 2nd nic you can plug the AP directly into it.. And create whatever networks you want for wifi via the untagged network which is needed for management of the AP.. Then you can have wifi networks that are on the untagged network or on vlan networks.

    "You can create a non-VLAN interface with the Unifi Pro which also acts as the trunk for your VLANs"

    Huh??  What are you saying?  How would a non-VLAN interface be your trunk?  You do not set anything on the AP itself for the port.. If the port is connected to a switch port, then that switch port has to be configured to allow the specific VLAN tags - in Cisco world this is a trunk port.  And there can be 1 untagged network/VLAN.

    On the AP the management IP of the AP itself is untagged... You can create ssid then and put them on tagged (vlans) or if you do not set a vlan ID then they would be untagged and on the untagged network the AP is connected to.
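    What the last two paragraphs describe on the wire, as an added example that is not code from the thread, from Netgate or from Ubiquiti: a single cable from the AP carries untagged frames (the AP's own management traffic) and 802.1Q-tagged frames (clients on an SSID that has a VLAN ID), and the pfSense end sorts them by tag. The MAC addresses and payloads are constructed; VLAN 1000 and the interface names igb1 / igb1_vlan1000 are taken from the config dump the original poster shares later in the thread.

```python
"""802.1Q on the AP uplink: untagged frames land on the untagged (native) network,
tagged frames on the VLAN named in the tag, unknown tags go nowhere.

Added, constructed example for this thread; not Unifi or pfSense code.
"""
import struct
from dataclasses import dataclass
from typing import Dict, Optional

TPID_8021Q = 0x8100      # Tag Protocol Identifier: "an 802.1Q tag follows"
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806


def mac(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


@dataclass(frozen=True)
class Frame:
    dst: bytes
    src: bytes
    vid: Optional[int]    # None when the frame carries no 802.1Q tag
    pcp: int              # priority bits; 0 when untagged
    ethertype: int        # the payload type, after any tag
    payload: bytes


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes,
                vid: Optional[int] = None, pcp: int = 0) -> bytes:
    """Serialise an Ethernet II frame, inserting a 4-byte 802.1Q tag when vid is given."""
    header = dst + src
    if vid is not None:
        if not 1 <= vid <= 4094:
            raise ValueError("VID must be 1..4094 (0 and 4095 are reserved)")
        tci = ((pcp & 0x7) << 13) | (vid & 0xFFF)      # PCP(3) | DEI(1)=0 | VID(12)
        header += struct.pack("!HH", TPID_8021Q, tci)
    header += struct.pack("!H", ethertype)
    return header + payload


def parse_frame(raw: bytes) -> Frame:
    """Decode the header; TPID 0x8100 means four more bytes of tag precede the ethertype."""
    if len(raw) < 14:
        raise ValueError("runt frame")
    dst, src = raw[0:6], raw[6:12]
    (ethertype,) = struct.unpack("!H", raw[12:14])
    vid, pcp, offset = None, 0, 14
    if ethertype == TPID_8021Q:
        if len(raw) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", raw[14:18])
        pcp, vid, offset = tci >> 13, tci & 0xFFF, 18
    return Frame(dst, src, vid, pcp, ethertype, raw[offset:])


class TrunkPort:
    """The pfSense side of the AP cable: one untagged network plus the VLANs configured on it."""

    def __init__(self, untagged_network: str, tagged_networks: Dict[int, str]):
        self.untagged_network = untagged_network
        self.tagged_networks = tagged_networks

    def classify(self, raw: bytes) -> Optional[str]:
        """Return the network a received frame lands on, or None if no interface has that VID."""
        frame = parse_frame(raw)
        if frame.vid is None or frame.vid == 0:   # untagged or priority-tagged -> native network
            return self.untagged_network
        return self.tagged_networks.get(frame.vid)   # unknown VID: nothing is listening, dropped


# Constructed, locally administered MAC addresses (not real devices).
AP_MAC = mac("02:00:00:00:00:01")
PHONE_MAC = mac("02:00:00:00:00:02")
BROADCAST = mac("ff:ff:ff:ff:ff:ff")


def demo() -> Dict[str, Optional[str]]:
    port = TrunkPort("PRIVATE (igb1, untagged)", {1000: "GUEST (igb1_vlan1000)"})
    # The AP's own management traffic (e.g. its DHCP request at boot) is sent untagged...
    mgmt = build_frame(BROADCAST, AP_MAC, ETHERTYPE_IPV4, b"constructed DHCP discover")
    # ...while a client on the guest SSID has its frames tagged with that SSID's VLAN ID.
    guest = build_frame(BROADCAST, PHONE_MAC, ETHERTYPE_ARP, b"constructed ARP request", vid=1000)
    # A tag for a VLAN that pfSense has no interface for is simply not delivered anywhere.
    stray = build_frame(BROADCAST, PHONE_MAC, ETHERTYPE_ARP, b"constructed ARP request", vid=20)
    return {
        "ap_management": port.classify(mgmt),
        "guest_ssid": port.classify(guest),
        "unknown_vlan": port.classify(stray),
    }


if __name__ == "__main__":
    for name, network in demo().items():
        print(f"{name:14s} -> {network}")
```

    Note that the tag is applied by the AP from the SSID's VLAN setting, not by the wifi client, which is why a client changing anything on its own device cannot pick a different VLAN on the trunk; a wired device plugged into a port that accepts tags, by contrast, can send whatever VID it likes unless the switch restricts the port.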

  • Just to clarify my setup…

    I have the SG2440,
    I use LAN for pfSense management only
    I connect the Opt1 interface directly to my Unifi AP with its own IP address (Not a VLAN) but it has its own SSID
    I have 2 VLANs set up using the Opt1 as a "Parent interface" (Isn't a parent interface the same as a trunk interface?)
    These VLANs are tagged in my Unifi AP with their own IP address and
    Each of these VLANs broadcasts a separate SSID with their own password
    I have a smart switch but don't use it as I have available SSIDs left on my Unifi AP and available nics on my SG2440 for expansion

    While I could have just bought the SG2200, in hindsight I am happy with the extra processing power I get with my SG2440 and I have extra NICs for expansion....

    I am still refining my rules and other configurations but like the segregation I am getting on my network...

  • LAYER 8 Global Moderator

    ""Parent interface" (Isn't a parent interface the same as a trunk interface?)"

    Never heard the term used like that - but get your meaning now.

    "I have a smart switch but don't use it as I have available SSIDs left on my Unifi AP and available nics on my SG2440 for expansion"

    Ok - but not sure how those tie together.. If you used the smart switch between your pfSense opt1 interface and your AP, you could then put wired devices on any of the networks, be it the untagged native VLAN or tagged VLANs.

    pfsense opt1 – trunk --- smart switch -- trunk --- AP

    Off this smart switch you could then have devices on your untagged opt1 network (192.168.5/24 I assume) and wired devices could also be placed on either your 6/24 or 7/24 networks.

    That was my only point.  But if you have no need for wired devices on any of the networks you're using on your opt1 interface, then no, you do not need to use it if you don't want to.

  • Thanks Johnpoz…you rule!

  • Ok, I received my 4 port netgate box yesterday so started configuring it with a Unifi AP (single nic).

    The architecture I'd like is to have a guest LAN (via SSID) and a private LAN (via wire and SSID).

    I started off putting a private VLAN and guest VLAN on the AP with associated SSIDs.  On pfSense I made a single physical interface have both VLANs.  Then I realized that there was no way for the AP to boot and get DHCP off of the private LAN because the AP doesn't tag its management LAN.

    So… then I untagged the private LAN and went with just a guest VLAN.  Configured the AP to only have a tag on the guest VLAN.  Configured pfSense to have both an untagged LAN and the guest VLAN on a single physical interface.

    Works... but ... the firewall doesn't.  It seems like packets get from guest to private and vice versa without hitting the firewall.  If I log the accepted packets, the pings don't show up.  I've tried blocking incoming and outgoing.

    Now I'm wondering if I should go back to two VLANs and then make a small management LAN .. but then I realized I'll have the same problem. The guest VLAN will somehow be able to talk to the management untagged LAN.


    I saw a reference in another post ( which talks about having another vlan internally?  But I don't understand what is going on there.

    Additional test:

    Put my phone on the guest network with a ping program on it.  I can ping a host on the private network even when there are no firewall rules (and I can't surf the web).  The default rules should be deny all, right?  Somehow I'm bypassing the firewall.

  • So….

    I think I got it working.  First problem is that on my iPhone ping app, the text is so small I didn't realize it was scrolling, showing pings with no responses!  Second, it looks like I have to stop pinging for a while and retest, or the firewall thinks it must be some kind of continuous connection.

    So, for now on the Guest VLAN I block the Private Network as an outgoing destination.  Blocking incoming on the Private from Guest Network still doesn't seem to work.

    Is there a way to block everything on Guest that isn't the internet?  I'm assuming blocking "!WAN" would only unblock the WAN's specific subnet for my connection.

    ....and why can I only block outgoing packets from guest -> private, but can't block them on the incoming side on the private network?
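    The three observations in this post (a block works on the guest interface but not on the private one, an in-progress ping keeps getting through after the rule is added, and "!WAN" not meaning "not my LAN") all follow from how pfSense evaluates rules: rules are attached to the interface a packet enters on, the first matching rule wins, a passed flow creates a state that later packets of that flow match without consulting the rules again, and anything unmatched is dropped. The toy model below is an added example written for this thread, not pfSense code or the poster's configuration; the interface names mirror the thread (lan = PRIVATE, opt1 = GUEST), while the subnets and addresses are constructed.

```python
"""Toy model of pfSense-style per-interface, stateful, first-match filtering.

Added, constructed example; not pfSense code. Addresses and rules are made up to
mirror the thread: lan = PRIVATE (untagged), opt1 = GUEST (VLAN).
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Packet:
    in_iface: str           # interface the packet ENTERS the firewall on
    src: str
    dst: str
    proto: str = "icmp"


@dataclass
class Rule:
    action: str             # "pass" or "block" (pfSense "reject" is block plus an ICMP/RST reply)
    iface: str              # a rule only sees traffic entering this interface
    src: List[Net] = field(default_factory=list)   # empty list means "any"
    dst: List[Net] = field(default_factory=list)
    dst_negate: bool = False    # models the destination "invert match" (the "!" in "!WAN net")
    descr: str = ""


def in_any(ip: str, nets: List[Net]) -> bool:
    return not nets or any(ipaddress.ip_address(ip) in n for n in nets)


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.iface != pkt.in_iface:
        return False
    return in_any(pkt.src, rule.src) and (in_any(pkt.dst, rule.dst) != rule.dst_negate)


class Firewall:
    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.states = set()     # flows already allowed; checked before any rule

    def filter(self, pkt: Packet) -> Tuple[str, str]:
        """Return (verdict, reason) for one packet."""
        key = (pkt.proto, tuple(sorted((pkt.src, pkt.dst))))   # direction-agnostic flow key
        if key in self.states:
            return "pass", "existing state"
        for rule in self.rules:             # first match wins
            if matches(rule, pkt):
                if rule.action == "pass":
                    self.states.add(key)
                return rule.action, rule.descr
        return "block", "default deny"

    def reset_states(self) -> None:
        """What stopping the ping for a while (state expiry) or resetting states achieves."""
        self.states.clear()


PRIVATE = Net("192.168.1.0/24")     # constructed: the untagged lan network
GUEST = Net("192.168.100.0/24")     # constructed: the VLAN opt1 network
WAN_NET = Net("203.0.113.0/24")     # constructed ISP-facing subnet (documentation range)
RFC1918 = [Net("10.0.0.0/8"), Net("172.16.0.0/12"), Net("192.168.0.0/16")]

G2P = Packet("opt1", "192.168.100.20", "192.168.1.10")   # guest phone pings a private host
G2I = Packet("opt1", "192.168.100.20", "198.51.100.7")   # guest to an internet host
P2G = Packet("lan", "192.168.1.10", "192.168.100.20")    # private host to a guest device


def block_on_private_side() -> str:
    """A 'from GUEST' block on the PRIVATE interface never sees guest-originated pings:
    they enter on opt1, so only opt1 rules are evaluated for them."""
    fw = Firewall([
        Rule("block", "lan", src=[GUEST], descr="block guest on private (wrong interface)"),
        Rule("pass", "lan", src=[PRIVATE], descr="default allow LAN to any"),
        Rule("pass", "opt1", descr="guest allow any"),
    ])
    return fw.filter(G2P)[0]


def block_on_guest_side() -> Dict[str, str]:
    """The block belongs where the traffic enters: on the guest interface, above the pass rule."""
    fw = Firewall([
        Rule("block", "opt1", dst=[PRIVATE], descr="block guest -> private"),
        Rule("pass", "opt1", descr="guest allow any"),
        Rule("pass", "lan", src=[PRIVATE], descr="default allow LAN to any"),
    ])
    return {"guest_to_private": fw.filter(G2P)[0],
            "guest_to_internet": fw.filter(G2I)[0],
            "private_to_guest": fw.filter(P2G)[0]}


def stale_state_survives_rule_change() -> Tuple[str, str, str]:
    """A flow passed before the block rule existed keeps matching its state until it expires."""
    fw = Firewall([Rule("pass", "opt1", descr="guest allow any")])
    before = fw.filter(G2P)[0]
    fw.rules.insert(0, Rule("block", "opt1", dst=[PRIVATE], descr="block guest -> private"))
    during = fw.filter(G2P)[1]          # still "existing state"; the new rule is never consulted
    fw.reset_states()
    after = fw.filter(G2P)[0]
    return before, during, after


def internet_only_guest() -> Dict[str, str]:
    """'pass to !WAN net' still reaches the private LAN; blocking the RFC1918 ranges does not."""
    not_wan = Firewall([Rule("pass", "opt1", dst=[WAN_NET], dst_negate=True, descr="pass !WAN net")])
    rfc1918 = Firewall([
        Rule("block", "opt1", dst=RFC1918, descr="block guest to all private ranges"),
        Rule("pass", "opt1", descr="pass guest to everything else"),
    ])
    return {"not_wan_guest_to_private": not_wan.filter(G2P)[0],
            "not_wan_guest_to_internet": not_wan.filter(G2I)[0],
            "rfc1918_guest_to_private": rfc1918.filter(G2P)[0],
            "rfc1918_guest_to_internet": rfc1918.filter(G2I)[0]}


if __name__ == "__main__":
    print("block on private side, guest->private:", block_on_private_side())
    print("block on guest side:", block_on_guest_side())
    print("before / during / after state reset:", stale_state_survives_rule_change())
    print("internet-only variants:", internet_only_guest())
```

    One caveat when using the RFC1918 block on a real guest interface: if guest clients get DNS or DHCP from pfSense itself, the firewall's own address on that interface falls inside the blocked range, so a pass rule for those services to the interface address has to sit above the block.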

  • rrauenza,
    Congrats on the new Netgate product…

    To answer your questions:

    1. Here is a good thread that discusses some stricter rules you might consider implementing on your interfaces( It goes into the rules to use on your interfaces to get internet access and "isolation". To answer your question, you likely don't want a "!WAN" rule on any of your interfaces if you want to access the internet with that interface.

    2. I suspect you likely have the default "Any, Any" rule on your original LAN which allows this interface access to "all" including your guest interface, web, etc... You can separate/isolate this interface by replacing the rules with similar rules discussed in the above thread (don't mess with the anti-lockout default rule yet... this prevents you from screwing up and locking yourself out of the pfSense GUI).

    3. Consider using a dedicated interface on your Netgate for your AP for AP Administration (No VLAN, separate SSID, fixed leases for trusted clients only, lock everything else out). Use this interface as the parent for your guest VLAN (You might want to add an IoT device VLAN while you're at it for untrusted IoT devices). i.e. LAN=Wired (Maybe admin interface), WAN=Router, Opt1(LAN2)=Unifi AP (parent to all your VLANs)

    Some elements that I discovered and helped me when I set up my network are:

    1. After your Unifi AP is set up you rarely need to touch it (except for changing SSID passwords). I found no value in any of the charts, graphs, etc in the controller... I am able to see leases and restrict access to certain devices in pfSense alone. Maybe consider getting the Unifi App on your phone for basic password changes for your AP. You need the controller for initial VLAN setup but after that it's kind of a dumb device.
    2. I set up a dedicated wired only Interface for pfSense GUI access only for security reasons
    3. Try to understand the rules on the link above so you understand how info flows through your firewall and within the interface, specifically Port 53 (DNS), 80 (HTTP) and 443 (HTTPS) traffic.
    4. Understand what the DNS Resolver (also called "Unbound") does... while the concept is basic it's tricky to set up, especially when you add VPN, pfBlocker, OpenDNS (if you choose).

    What's your end goal?

    Here is another thread that helped me:

  • "3. Consider using a dedicated interface on your Netgate for your AP for AP Administration (No VLAN, separate SSID, fixed leases for trusted clients only, lock everything else out). Use this interface as the parent for your guest VLAN (You might want to add an IoT device VLAN while you're at it for untrusted IoT devices). i.e. LAN=Wired (Maybe admin interface), WAN=Router, Opt1(LAN2)=Unifi AP (parent to all your VLANs)"

    I think I understand what you're saying here – instead of putting the AP (and probably the cloud key, since I think they find each other over UDP broadcasts) on the private LAN, make its own subnet and dedicated NIC?  I considered this, but this is a home network so I'm trying to keep it somewhat simple.

    I may be making an IoT network eventually, though... without a VLAN switch (I might eventually get the 8 port Ubiquiti), I'll need to figure out how to have a wired IoT and a wireless IoT.  I think that requires bridging a dedicated IoT NIC with the IoT VLAN.

    I'll be looking over your other numbered answers today, too!  Thanks for the help!

  • Here is a thread with advice on the AP/Controller setup:

    Johnpoz, kapara and NogBadTheBad had some awesome advice on how to set up the AP properly so you maintain access…

    I am still feeling guilty I can't use/access my controller but after VLAN setup I haven't needed to.

    Good luck! When you get ready to expand your functionality reach out again...

  • So I found and whipped up a bbcode formatter …

    Here's what I actually have configured.  (I need to submit the bbcode formatter to the author.)

    ☱ Outputting to stdout ...
    Version 15.8


    | Option | Value |
    | ------ | ----- |
    | hostname | pfSense |
    | domain | |
    | timeservers | |
    | timezone | America/Los_Angeles |
    | language | en_US |
    | dnsserver | |


    | Name | Enabled | Description | Interface | Address | Subnet |
    | ---- | ------- | ----------- | --------- | ------- | ------ |
    | lan | x | PRIVATE | igb1 | | 24 |
    | opt1 | x | GUEST | igb1_vlan1000 | | 24 |
    | wan | x | WAN_COMCAST | igb0 | dhcp | |


    | Name | Tag | Interface | Description |
    | ---- | --- | --------- | ----------- |
    | igb1_vlan1000 | 1000 | igb1 | |

    DHCP ranges
    DHCPd configuration for {lan}(#interfaces "PRIVATE")

    | Option | Value |
    | ------ | ----- |
    | enable | x |
    | defaultleasetime | |
    | maxleasetime | |


    | From | To |
    | ---- | --- |
    | | |

    Static mappings

    | MAC | Address | Hostname |
    | --- | ------- | -------- |
    | 00:1c:2a:00:4c:64 | | envisalink |
    | 80:2a:a8:4f:98:0a | | unifi |
    | 90:02:a9:92:7b:42 | | dvr |
    | 00:1d:c0:62:01:c0 | | envoy |
    | 0c:c4:7a:30:17:f2 | | tendo |

    DHCPd configuration for {opt1}(#interfaces "GUEST")

    | Option | Value |
    | ------ | ----- |
    | enable | x |
    | defaultleasetime | |
    | maxleasetime | |


    | From | To |
    | ---- | --- |
    | | |

    NAT rules

    | Disabled | Interface | Source | Destination | Protocol | Target | Local port | Description |
    | -------- | --------- | ------ | ----------- | -------- | ------ | ---------- | ----------- |
    | x | {wan}(#interfaces "WAN_COMCAST") | any | {wanip}(#interfaces "WAN_COMCAST"):25565-25566 | tcp | | 25565 | Port Foward Minecraft |
    | | {wan}(#interfaces "WAN_COMCAST") | any | {wanip}(#interfaces "WAN_COMCAST"):9418 | tcp | | 9418 | Port Foward 9418 (git) to ssh |
    | | {wan}(#interfaces "WAN_COMCAST") | any | {wanip}(#interfaces "WAN_COMCAST"):867 | tcp | | 22 | Port Forward 867 to ssh |
    | | {wan}(#interfaces "WAN_COMCAST") | any | {wanip}(#interfaces "WAN_COMCAST"):443 | tcp | | 443 | Port Forward HTTPS |
    | | {wan}(#interfaces "WAN_COMCAST") | any | {wanip}(#interfaces "WAN_COMCAST"):80 | tcp | | 80 | Port Forward HTTP |
    | | {wan}(#interfaces "WAN_COMCAST") | any | {wanip}(#interfaces "WAN_COMCAST"):993 | tcp | | 993 | Port Foward IMAPS |
    | | {wan}(#interfaces "WAN_COMCAST") | any | {wanip}(#interfaces "WAN_COMCAST"):1587 | tcp | | 1587 | Port Forward SMTP Auth |
    | | {wan}(#interfaces "WAN_COMCAST") | any | {wanip}(#interfaces "WAN_COMCAST"):2525 | tcp | | 2525 | Port Forward SMTP for EasyDNS |

    Filter rules

    | Disabled | Interface | Type | IP | Protocol | Source | Destination | Description |
    | -------- | --------- | ---- | --- | -------- | ------ | ----------- | ----------- |
    | | {wan}(#interfaces "WAN_COMCAST") | | | tcp | any | | NAT Port Foward 9418 (git) to ssh |
    | | {wan}(#interfaces "WAN_COMCAST") | | | tcp | any | | NAT Port Forward 867 to ssh |
    | | {wan}(#interfaces "WAN_COMCAST") | | | tcp | any | | NAT Port Foward IMAPS |
    | | {wan}(#interfaces "WAN_COMCAST") | | | tcp | any | | NAT Port Forward SMTP Auth |
    | | {wan}(#interfaces "WAN_COMCAST") | | | tcp | any | | NAT Port Forward SMTP for EasyDNS |
    | | {wan}(#interfaces "WAN_COMCAST") | | | tcp | any | | NAT Port Forward HTTP |
    | | {wan}(#interfaces "WAN_COMCAST") | | | tcp | any | | NAT Port Forward HTTPS |
    | x | {wan}(#interfaces "WAN_COMCAST") | | | tcp | any | | NAT Port Foward Minecraft |
    | | {lan}(#interfaces "PRIVATE") | reject | inet46 | | any | {opt1}(#interfaces "GUEST") | |
    | | {lan}(#interfaces "PRIVATE") | pass | inet | | {lan}(#interfaces "PRIVATE") | any | Default allow LAN to any rule |
    | | {lan}(#interfaces "PRIVATE") | pass | inet6 | | {lan}(#interfaces "PRIVATE") | any | Default allow LAN IPv6 to any rule |
    | | {opt1}(#interfaces "GUEST") | reject | inet46 | | any | {lan}(#interfaces "PRIVATE") | |
    | | {opt1}(#interfaces "GUEST") | pass | inet | | any | any | |
    | | {opt1}(#interfaces "GUEST") | pass | inet6 | | any | any | |

    Syslog configuration

    | Option | Value |
    | ------ | ----- |
    | enable | x |
    | logall | x |
    | logfilesize | 1048576 |
    | nentries | 100 |
    | remoteserver | |
    | remoteserver2 | |
    | remoteserver3 | |
    | sourceip | |
    | ipproto | ipv4 |

    ☰ Successfully outputted pfSense config as bbcode.
