2 Lan's One pfSense with own Wan (Wifi Unification)

  • Hi guys

    I am reaching out in the hope that somebody can assist me with this.

    Trying to get more coverage in our existing office block by allowing devices to roam on different APs in the office but still only connect on their allowed LAN.

    Unifi Controller sits on Network1

    Network1: We call it Auto (Pfsense with 3 Network Cards) 1xWan 1 x Lan and then a spare one at the moment
    Own GW/FW (Internet) Pfsense
    3x Unifi AP AC Pro
    1x Unifi Outdoor+
    3 x Netgear manageable switches
    5 Vlans ( 4/5 only on switch 2 at the moment) all ap's will plug into this switch
    1 Default
    2 Auto VoiP
    3 Auto-Video

    2xSSID (LSA and LS-Guest)

    Network2: We call it PRO
    Own GW/FW (Internet) – Some other firewall managed by an external company
    NPS for Auth (
    Has own SSID (LSP)
    3x Unifi AP AC Pro

    The idea is to add all the APs to Network1 and allow the guys sitting on Network2 to connect to their own network
    while the guys on Network1 are still only connected on their side (the two networks should not see each other). I need some help from somebody on here with an idea of how I would approach this setup on my pfSense... any advice would help a brother out, as this task has been placed on the back burner so long and the uppers are getting itchy with me.

    Any help would be greatly appreciated, and if you need info please ask; I will aim to answer quickly.

  • LAYER 8 Global Moderator

    Could you please draw this.. So you have 2 pfsense with their own internet connections and then a managed switch with vlans on it..

    This switch is only doing layer 2, it's not routing, right?

    Something like this..  If so you could put your wifi clients on any AP on any vlan you want, be it based on SSID or dynamic vlans based upon radius auth, etc.

  • Hi John

    Let me try and simplify

    Two networks - each with their own subnet / switches and firewalls / own dhcp / dns, with their own Wan connections (same server room split with mesh). The companies were separate entities sharing office space but have since merged (sadly not the network yet) … the networks should still be apart; I only want to join all the wifi APs in the office to get better coverage when you are on both sides of the office.

    Side1 has a Pfsense (3 network cards) with 3 manageable switches and 4 APs, and Side two has an unknown brand FW with 2 switches and 3 APs.

    I was hoping to just run a cable from their switch to the open port I have available on my pfsense and set up routing in some form (vlan maybe), so if you access their ssid on the lan it sends the auth via pfsense to their lan, in turn getting an ip on their range and giving them access to their network.

    Hope this makes sense

  • LAYER 8 Global Moderator

    " each their own subnet / switches and firewall's / own dhcp /dns"

    If these switches are separate, connect them… So once a client connects to the specific ssid/vlan they can get to either side.. forget about the routing between these networks - you do not need to do that until the networks join into 1.

    But it's really easy to leverage all the APs for both networks - where clients can be put on any network you want via the vlan and that ssid, or the dynamic vlan.. As long as the switches the APs connect to are managed this is a simple setup.

    Does this drawing help?

    Does not matter what brand firewall is on the side - you're just doing everything at layer 2 with vlan IDs.. As long as the switches share the same vlan IDs for the different networks you can let traffic flow wherever you want, be it to pfsense or the other firewall, etc.  Clients will be on the vlan they join via ssid, etc.
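
Added example, not part of the thread: a small Python check of a switch port plan for the layer 2 layout described in the last reply, flagging any firewall port that sits in both networks' VLANs and any AP or switch-to-switch port that does not carry every SSID's VLAN. The switch names, port numbers, the PRO VLAN ID 50 and the SSID-to-VLAN mapping are constructed assumptions.

```python
# Added example: constructed port plan; switch names, ports and VLAN IDs are assumptions.
AUTO_VLANS = {1, 2, 3}             # side 1 ("Auto") VLANs
PRO_VLANS = {50}                   # side 2 ("PRO") VLAN, ID assumed
SSID_VLAN = {"LSA": 1, "LSP": 50}  # SSID -> VLAN mapping, assumed

# (switch, port) -> role and the VLANs allowed on that port
PLAN = {
    ("sw2", 1): {"role": "gateway:pfsense", "vlans": {1, 2, 3}},
    ("sw2", 5): {"role": "ap", "vlans": {1, 50}},
    ("sw2", 24): {"role": "interlink", "vlans": {1, 50}},
    ("pro-sw1", 1): {"role": "gateway:pro-fw", "vlans": {50}},
    ("pro-sw1", 5): {"role": "ap", "vlans": {1, 50}},
    ("pro-sw1", 24): {"role": "interlink", "vlans": {1, 50}},
}


def audit(plan, ssid_vlan=SSID_VLAN, sides=(AUTO_VLANS, PRO_VLANS)):
    """Return findings for ports that break isolation or roaming."""
    findings = []
    needed = set(ssid_vlan.values())
    for (switch, port), cfg in sorted(plan.items()):
        role, vlans = cfg["role"], cfg["vlans"]
        where = f"{switch}/{port}"
        if role.startswith("gateway:"):
            # A firewall port in both sides' VLANs gives a path between the networks.
            if sum(1 for side in sides if vlans & side) > 1:
                findings.append(f"{where}: {role} is in both sides' VLANs")
        elif role in ("ap", "interlink"):
            # Every AP and switch-to-switch link must carry each SSID's VLAN.
            missing = needed - vlans
            if missing:
                findings.append(f"{where}: {role} missing VLAN(s) {sorted(missing)}")
        # Any VLAN outside both sides is unexpected on any port.
        unknown = vlans - set().union(*sides)
        if unknown:
            findings.append(f"{where}: unknown VLAN(s) {sorted(unknown)}")
    return findings


if __name__ == "__main__":
    for line in audit(PLAN) or ["plan OK"]:
        print(line)
```
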
