WiFi access point bridged to a VLAN
-
The issue I have with these types of devices is that they often do not fix security issues... Ubiquiti has done a good job so far though, I must admit.
It's not some computer with a card though; I bought an APU2 to create a real AP out of this, with real PCIe cards. But maybe FreeBSD isn't the best choice... you might be right there.
-
How much did your APU2 and WiFi card cost? It's easier to just get an actual AP ;) What security concerns do you have? KRACK? Is your AP going to be a wireless client (WiFi uplink)? If not, then it's not really a concern.
-
Uplink. However, at this point it's not "KRACK" that I'm concerned with... it's future problems. At this point KRACK has been fixed by numerous vendors like Ubiquiti, and yes, an actual access point is cheaper than an APU2, that's true.
-
Then I really see no point in your direction. It costs more money, it has fewer features, it's uglier and a hack. Does this APU2 run via PoE? And its performance is never going to be close to what a real AP is designed to do. For some unforeseen possible security issue? How do you actually mount this APU2 for best WiFi coverage? Probably looks terrible mounted in your ceiling ;)
Sorry, this makes zero sense..
An actual AP maker is going to be very aware of security issues and patch them ASAP.. Or they look bad, and their good name gets thrown in the shitter by everyone, etc..
-
What I'm doing is separating some devices from the regular network. Devices like fire alarms... I don't want things like that in the same network as laptops, and mobile phones, for me, should also be in a different network.
Not sure if you are using UniFi gear already, but you can create multiple SSIDs (don't remember the max per AP off the top of my head) and have each SSID on a separate VLAN, which can then be handled by a separate VLAN/interface on your main pfSense box. This will give you the desired effect. (Assumes you have a VLAN-capable switch, etc.)
If you need more than the allowed SSIDs for VLANs, you can go the dynamic VLAN route with the UniFis using the FreeRADIUS package in pfSense for authentication, or some other.
HTH
-
If you turn off uplink monitoring on the UniFi you can do 8 SSIDs per band.. So that would be 8 on 2.4 and 8 on 5 if you wanted. If you leave monitoring on, you're limited to 4 per band.
You also mention dynamic - yup, you can do that for clients that support WPA Enterprise. Not too many IoT devices support that - BUT!!! they do have MAB working with PSK now. So you can assign your IoT device a VLAN after it auths to your PSK, via its MAC on FreeRADIUS running on pfSense.
https://community.ubnt.com/t5/UniFi-Feature-Requests/UniFI-vlan-assignament-with-mac/idc-p/2176926#M13020
This is a killer feature for IoT devices. It allows you to have a really unlimited number of VLANs for such devices, and all they need to support is your typical WPA2-PSK auth method. It would be better if they supported Enterprise - but the makers of such devices just don't seem to get it..
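For readers who want to see what the MAC-to-VLAN mapping described above looks like on the RADIUS side, here is an added example (not from the thread, and not the pfSense package's generated output) in FreeRADIUS "users" file syntax. It assumes the AP does MAC-based auth by sending the client's MAC as both User-Name and User-Password (the exact MAC formatting, lowercase with no separators here, is an assumption; check the RADIUS log for what your AP actually sends), and the MACs and VLAN IDs are constructed sample values:

```text
# Added example: FreeRADIUS "users" entries assigning a VLAN per client MAC.
# Assumption: the AP sends the MAC as User-Name and User-Password (MAB).
# The MACs and VLAN IDs below are constructed sample values.

# Constructed sample MAC of a smart plug -> VLAN 200
aabbccddee01  Cleartext-Password := "aabbccddee01"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = "200"

# Constructed sample MAC of a streaming stick -> VLAN 300
aabbccddee02  Cleartext-Password := "aabbccddee02"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = "300"

# Any MAC without an entry gets Access-Reject. As the thread observes, such a
# client then never gets an address at all, even with the correct PSK.
```

The three Tunnel-* attributes are the standard RFC 3580 way of returning a VLAN assignment in an Access-Accept; the pfSense FreeRADIUS package exposes the same values in its Users tab. Keep in mind what this buys you: a MAC is trivially copied by anyone who already holds the shared PSK, so MAB plus PSK gives you per-device segmentation and a "deny unknown devices" default, not strong authentication. That is exactly why the poster above still prefers WPA Enterprise (EAP-TLS) for trusted devices and uses this only for IoT gear that cannot do better.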
-
Thanks johnpoz... this is pretty cool indeed... off to try it now as it fixes my silly SONOS auth issues...
-
I have not consolidated my SSIDs yet, but I did test it using FreeRADIUS running on pfSense and it works just fine. This will allow me to move to 3 SSIDs in total, which will be nice: 1 for EAP-TLS for my devices that have certs, the SSID which I will use for all IoT devices to put them on their different VLANs, and then a guest SSID which will be for friends and family that come over, etc.
I am currently only using 4, but have lumped a few IoT devices together on 1 VLAN, which I would like to move onto different ones, etc. I was going to create them via SSIDs since you can do 8 now; a few upgrades back they enabled that. Roku devices on their own, while Echos and Nest and Harmony, etc. all share the same VLAN with smart lightbulbs and power plugs.. Would much rather isolate all of those sorts of devices by family.. Nest with Protect, Echos all on their own, different makers of lightbulbs and switches all on their own, etc. Doing it the SSID way would mean a lot of SSIDs ;) This solution is way better... Just haven't had the play time yet to pull the trigger on it.
What I wish you could do was set the native VLAN for the WPA-PSK SSID to something other than the native untagged VLAN. Once they allow for a management VLAN this will be somewhat moot, which I also hear is coming.. But currently you can not set up, say, VLAN 100 for your WPA-PSK SSID that you're going to dynamically assign via MAC, and then if MAC 123 gets VLAN 200 and if MAC 456 gets VLAN 300, etc.
What it does look like happens though, if you set this up, is that if there is no user set up in RADIUS based on the MAC address, the device never actually gets on; the PSK doesn't work.. The client never gets far enough to get an IP, etc.
-
What I wish you could do was set the native VLAN for the WPA-PSK SSID to something other than the native untagged VLAN. Once they allow for a management VLAN this will be somewhat moot, which I also hear is coming.. But currently you can not set up, say, VLAN 100 for your WPA-PSK SSID that you're going to dynamically assign via MAC, and then if MAC 123 gets VLAN 200 and if MAC 456 gets VLAN 300, etc.
Sounds like you are trying to get to 1 SSID :-) with everything being assigned dynamically. I do get your point about the UniFi gear not being able to dynamically assign a VLAN that is also a static one for another SSID on the same AP, but for IoT gear I don't see that as an issue. For gear that you don't have RADIUS MAC auth for, being sinkholed into a VLAN to nowhere is not such a bad thing. I do see the need for it in other use cases though.
-
1 SSID would be a nice goal - but I don't really see it as a viable option. For starters, I'm not aware that you could mix WPA-Enterprise with WPA-PSK.. My trusted devices require EAP-TLS to get on that network, etc.
And the PSK I would use on an isolated guest network would probably be easier than the PSK I would use on my VLAN PSK where my IoT devices go, etc.
Yeah, you're exactly right, you can not seem to be able to assign a static IP on the same SSID you do dynamic on, which I agree is not a big deal. But I would like that VLAN to be different than some untagged VLAN, which is currently the VLAN that the AP IPs and controllers sit on, etc. Once you can tag the admin VLAN in UniFi that whole concern does go away. And from my testing, if there is no auth to the RADIUS with the MAC you just don't get anything, etc.