WiFi access point bridged to a VLAN



  • I've added a VLAN interface under VLANs, added the WLAN AP to the WLAN interface, enabled both and made a bridge.

    When I tcpdump I can see the DHCP request and DHCP offer, but for some reason the client doesn't get an IP, or it doesn't set it. I've added IPv4 and IPv6 rules to allow any…

    Tried disabling the firewall with pfctl -d on the console, and checked if vlanpcp was enabled in sysctl. Anyone have any ideas?


  • Rebel Alliance Global Moderator

    If you have an AP, why are you making a bridge on pfSense? Connect your AP to whatever you want to connect it to on your switch. If you're trying to do multiple networks/VLANs on your AP, does it support them?

    What are you using for your AP, and how/where exactly are you physically connecting it?



  • What I'm doing is separating some devices from the regular network, devices like fire alarms. I don't want things like that in the same network as laptops or mobile phones, which for me should also be in a different network. So I thought I could create a new WLAN and bridge it to the VLAN where it's actually supposed to connect/exist.

    I assume the wireless card does support it, because when I use OpenWrt/LEDE it does work. But to be honest I'd prefer a FreeBSD AP over a Linux one.


  • Rebel Alliance Global Moderator

    FreeBSD and AP, yeah, not a good choice. FreeBSD and WiFi are not a good fit at all.

    So you do not have an actual AP, you're trying to use some card in pfSense? Drop that idea; it's only going to bring you grief and be a total PITA.

    Get a real AP, or 2 or 3, etc. I have 3 in my house and have multiple VLANs on the WiFi. Yes, isolation of your IoT devices is a good idea.



  • The issue I have with these types of devices is that often they do not fix security issues. Ubiquiti has done a good job so far though, I must admit.

    It's not some computer with a card though; I bought an APU2 to create a real AP out of this, with real PCIe cards. But maybe FreeBSD isn't the best choice, you might be right there.


  • Rebel Alliance Global Moderator

    How much did your APU2 and WiFi card cost? It's easier to just get an actual AP ;) What security concerns do you have? KRACK? Is your AP going to be a wireless client, i.e. WiFi uplink? If not, then it's not really a concern.



  • Uplink. However, at this point it's not "KRACK" that I'm concerned with, it's future problems. At this point KRACK has been fixed by numerous vendors like Ubiquiti, and yes, an actual access point is cheaper than an APU2, that's true.


  • Rebel Alliance Global Moderator

    Then I really see no point in your direction. It costs more money, it has fewer features, it's uglier and a hack (does this APU2 run via PoE?), and its performance is never going to be close to what a real AP is designed to do. For some unforeseen possible security issue? How do you actually mount this APU2 for best WiFi coverage? Probably looks terrible mounted in your ceiling ;)

    Sorry, this makes zero sense.

    An actual AP maker is going to be very aware of security issues and patch them ASAP, or they look bad and their good name gets thrown in the shitter by everyone, etc.



  • @Ofloo:

    What I'm doing is separating some devices from the regular network, devices like fire alarms. I don't want things like that in the same network as laptops or mobile phones, which for me should also be in a different network.

    Not sure if you are using UniFi gear already, but you can create multiple SSIDs (don't remember the max per AP off the top of my head) and have each SSID on a separate VLAN, which can then be handled by a separate VLAN/interface on your main pfSense box. This will give you the desired effect. (Assumes you have a VLAN-capable switch, etc.)

    If you need more than the allowed SSIDs for VLANs, you can go the dynamic VLAN route with the UniFis, using the FreeRADIUS package in pfSense for authentication, or some other.

    HTH


  • Rebel Alliance Global Moderator

    If you turn off uplink monitoring on the UniFi you can do 8 SSIDs per band. So that would be 8 on 2.4 and 8 on 5 if you wanted. If you leave monitoring on, you're limited to 4 per band.

    You also mention dynamic; yup, you can do that for clients that support WPA Enterprise. Not too many IoT devices support that, BUT!!! they do have MAB working with PSK now. So you can assign your IoT device a VLAN after it auths to your PSK, via its MAC on FreeRADIUS running on pfSense.
    https://community.ubnt.com/t5/UniFi-Feature-Requests/UniFI-vlan-assignament-with-mac/idc-p/2176926#M13020

    This is a killer feature for IoT devices. It allows you to have a really unlimited number of VLANs for such devices, and all they need to support is your typical WPA2-PSK auth method. It would be better if they supported Enterprise, but the makers of such devices just don't seem to get it.
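    The MAC-to-VLAN mapping described in the post above, and the failure mode mentioned later in the thread (a device with no RADIUS user for its MAC never gets on), as an added Python model. This is example code, not anything from the thread, UniFi or the pfSense FreeRADIUS package. The reply attributes are the standard RFC 2868 tunnel attributes as used for VLAN assignment in RFC 3580; the `users` file layout is FreeRADIUS's. The MAC format the AP sends as User-Name and password (lower-case, hyphen-separated, both equal to the MAC) is an assumption, so the lookup normalises whatever format it receives. The sample `users` file and MAC addresses are constructed for the example.

```python
"""Toy model of MAC-based VLAN assignment (MAB with PSK) through FreeRADIUS.

Added example, not code from the thread. Attribute names follow RFC 2868 /
RFC 3580. The MAC address format sent by the AP (assumed: lower-case,
hyphen-separated) is an assumption; check what your controller really sends.
"""
import re

# Constructed sample of a FreeRADIUS ``users`` file: one entry per IoT device.
SAMPLE_USERS_FILE = """\
# Thermostat -> VLAN 200 (constructed sample MAC)
aa-bb-cc-00-00-01 Cleartext-Password := "aa-bb-cc-00-00-01"
    Tunnel-Type = VLAN,
    Tunnel-Medium-Type = IEEE-802,
    Tunnel-Private-Group-Id = 200

# Media player -> VLAN 300 (constructed sample MAC)
aa-bb-cc-00-00-02 Cleartext-Password := "aa-bb-cc-00-00-02"
    Tunnel-Type = VLAN,
    Tunnel-Medium-Type = IEEE-802,
    Tunnel-Private-Group-Id = 300
"""


def normalize_mac(mac: str) -> str:
    """Canonical form: 12 lower-case hex digits, hyphen-separated in pairs.
    Accepts colon, hyphen or no separators so 'AA:BB:..' and 'aabbcc..' match."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_users_file(text: str) -> dict:
    """Parse the subset of the ``users`` syntax used above into
    {mac: {"password": ..., "vlan": ...}}.  Lines starting with '#' are
    comments, an unindented line starts an entry, and indented lines are the
    reply attributes of that entry."""
    entries = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line[0].isspace():
            m = re.match(r'(\S+)\s+Cleartext-Password\s*:=\s*"([^"]*)"', line)
            if not m:
                raise ValueError(f"unsupported entry line: {line!r}")
            current = normalize_mac(m.group(1))
            entries[current] = {"password": m.group(2), "vlan": None}
        elif current is not None:
            attr, _, value = line.strip().rstrip(",").partition("=")
            if attr.strip() == "Tunnel-Private-Group-Id":
                entries[current]["vlan"] = int(value.strip())
    return entries


def authorize(entries: dict, user_name: str, password: str):
    """Model the RADIUS decision: ("Access-Accept", vlan) for a known MAC with
    the matching password, ("Access-Reject", None) otherwise.  The reject case
    is the behaviour reported in the thread: a device with no user entry for
    its MAC never gets past authentication and never receives an IP."""
    try:
        mac = normalize_mac(user_name)
    except ValueError:
        return ("Access-Reject", None)
    entry = entries.get(mac)
    if entry is None or entry["password"] != password:
        return ("Access-Reject", None)
    return ("Access-Accept", entry["vlan"])


if __name__ == "__main__":
    table = parse_users_file(SAMPLE_USERS_FILE)
    for mac in ("AA:BB:CC:00:00:01", "aa-bb-cc-00-00-02", "aa-bb-cc-00-00-99"):
        print(mac, "->", authorize(table, mac, normalize_mac(mac)))
```

    The point of the model is the three reply attributes: without Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-Id the AP has nothing to put the client on, and without any entry at all the request is rejected, which is exactly why an unlisted device never gets an IP.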



  • Thanks johnpoz, this is pretty cool indeed. Off to try it now, as it fixes my silly Sonos auth issues...


  • Rebel Alliance Global Moderator

    I have not consolidated my SSIDs yet, but I did test it using FreeRADIUS running on pfSense and it works just fine. This will allow me to move to 3 SSIDs in total, which will be nice: 1 for EAP-TLS for my devices that have certs, the SSID which I will use for all IoT devices to put them on their different VLANs, and then a guest SSID which will be for friends and family that come over, etc.

    I am currently only using 4, but have lumped a few IoT devices together on 1 VLAN, which I would like to move onto different ones, etc. I was going to create them via SSIDs since you can do 8 now; a few upgrades back they enabled that. Roku devices are on their own, while Echos and Nest and Harmony, etc. all share the same VLAN with smart lightbulbs and power plugs. Would much rather isolate all of those sorts of devices by family: Nest with Protect, Echos all on their own, different makers of lightbulbs and switches all on their own, etc. Doing it the SSID way would mean a lot of SSIDs ;) This solution is way better. Just haven't had the play time yet to pull the trigger on it.

    What I wish you could do was set the native VLAN for the WPA-PSK SSID to something other than the native untagged VLAN. Once they allow for a management VLAN this will be somewhat moot, which I also hear is coming. But currently you can not set up, say, VLAN 100 for your WPA-PSK SSID that you're going to dynamically assign via MAC, and then if MAC 123 get VLAN 200 and if MAC 456 get VLAN 300, etc.

    What it does look like happens though, if you set this up, is that if there is no user based on MAC address set up in RADIUS, the device never actually gets on; the PSK doesn't work. The client never gets far enough to get an IP, etc.



  • @johnpoz:

    What I wish you could do was set the native VLAN for the WPA-PSK SSID to something other than the native untagged VLAN. Once they allow for a management VLAN this will be somewhat moot, which I also hear is coming. But currently you can not set up, say, VLAN 100 for your WPA-PSK SSID that you're going to dynamically assign via MAC, and then if MAC 123 get VLAN 200 and if MAC 456 get VLAN 300, etc.

    Sounds like you are trying to get to 1 SSID :-) with everything being assigned dynamically. I do get your point about the UniFi gear not being able to dynamically assign a VLAN that is also a static one for another SSID on the same AP, but for IoT gear I don't see that as an issue. For gear that you don't have RADIUS MAC auth for, being sinkholed into a VLAN to nowhere is not such a bad thing. I do see the need for it in other use cases though.


  • Rebel Alliance Global Moderator

    1 SSID would be a nice goal, but I don't really see it as a viable option. For starters, I'm not aware that you could mix WPA-Enterprise with WPA-PSK. My trusted devices require EAP-TLS to get on that network, etc.

    And the PSK I would use on an isolated guest network would probably be easier than the PSK I would use on my VLAN PSK where my IoT devices go, etc.

    Yeah, you're exactly right, you can not seem to be able to assign a static IP on the same SSID you do dynamic on, which I agree is not a big deal. But I would like that VLAN to be different than some untagged VLAN, which is currently the VLAN that the AP IPs and controllers sit on, etc. Once you can tag the admin VLAN in UniFi that whole concern does go away. And from my testing, if there is no auth to the RADIUS with the MAC you just don't get anything, etc.