VLAN for my wireless



  • Hoping someone can help with some advice. Currently I have a Comcast business modem acting as my router/DHCP server plugged into an old PC with 2 NICs (WAN/LAN) running pfSense bridged. Then I have a managed switch and 1 access point connected to that. I want to have 2 wireless networks: one for guests and one for me. I know everyone is going to tell me to bridge the Comcast modem and use pfSense as my router, but I would prefer to keep it this way. I was actually able to set up a VLAN (VLAN2) on the pfSense LAN NIC and enabled the DHCP server on it. I set the port on the switch connected to the AP and to the pfSense box to accept tagged VLAN2 packets and untagged default VLAN1 packets. I set up two SSIDs, one with VLAN2 and one with the default VLAN1. It works most of the time. When I connect to the default VLAN1 SSID I always get an IP from the Comcast modem. When I connect to VLAN2's SSID I usually get an IP from pfSense, with the exception that sometimes I get an IP from the Comcast modem. If I do ipconfig /renew I get an IP from pfSense like I want. So how do I fix this without having to make pfSense my main router and keeping it bridged? Is it even possible?

    Thanks so much for any advice!



  • What exactly is bridged here? I'm not following why you have something bridged.

    And you're saying that your AP has two SSIDs configured, or are you referring to your AP + the Comcast wifi? If the former then that's good, if the latter then I'm assuming you're aware that if you connect to Comcast SSID the pfSense sees nothing.



  • The pfSense box is bridged.  So all traffic from the Comcast modem goes right through the pfSense WAN and LAN nic to the switch.  The pfSense box does no routing.  The WAN and LAN nic are bridged to a single virtual interface OPT1.  Which I allow all traffic through in the OPT1 firewall.

    The AP, a LAPAC1200, is capable of having multiple SSIDs. So I have two SSIDs set up on it: one for internal and one for external. The internal is set to the default VLAN1 and the external is set to the VLAN I created, VLAN2. The Comcast modem does not have WiFi.

    Hope that makes sense.



  • You're aware that this means that DHCP packets from the Comcast are also flowing through to the pfSense LAN because of this?



  • Yes, I am aware. It's what I actually want: a transparent firewall. All my PCs and wireless clients get an IP from the Comcast modem. The problem I am having, though, is that the Comcast DHCP packets also get onto VLAN2, which is what I don't want to happen.



  • So the VLAN2 wireless client is asking for a DHCP address, pfSense is the first to receive it and sends out its response. But since you have LAN bridged to WAN, the DHCP broadcast also reaches the Comcast router, and it sends out its own DHCP response.

    Have you logged into the Comcast device and simply turned off the DHCP service?



  • Sorry I didn't read that correctly.

    In pfSense, do you have the DHCP service only on the VLAN2 port, and turned off on VLAN1 & LAN?



  • Yes that's correct.



  • Hmm. I'm about out of ideas. That bridge config is something I'm not familiar with. Perhaps you could make a firewall rule on VLAN2 to specifically block port 67 & 68 from the Comcast IP?


  • LAYER 8 Global Moderator

    If you're getting an IP from a different DHCP server then you do not have your networks isolated like you think at L2..

    "running pfSense bridged."

    Why would you run it like that?
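
A way to check from a packet capture which DHCP server is answering on each VLAN; this is an added example, not part of the thread or of pfSense. It assumes frames captured on the trunk port so 802.1Q tags are present, treats untagged frames as VLAN1, and uses constructed addresses for the modem and the pfSense VLAN2 interface.

```python
import socket
import struct

def parse_dhcp_reply(frame):
    """Return (vlan, msg_type, server_ip) for a DHCP server reply, else None."""
    try:
        (ethertype,) = struct.unpack("!H", frame[12:14])
        vlan, off = 1, 14            # untagged = default VLAN1, as in the thread
        if ethertype == 0x8100:      # 802.1Q tag: low 12 bits of the TCI are the VLAN ID
            tci, ethertype = struct.unpack("!HH", frame[14:18])
            vlan, off = tci & 0x0FFF, 18
        if ethertype != 0x0800 or frame[off + 9] != 17:   # IPv4 carrying UDP only
            return None
        udp = off + (frame[off] & 0x0F) * 4
        if struct.unpack("!HH", frame[udp:udp + 4]) != (67, 68):  # server -> client
            return None
    except (struct.error, IndexError):
        return None                  # truncated frame
    bootp = udp + 8
    if frame[bootp + 236:bootp + 240] != b"\x63\x82\x53\x63":   # DHCP magic cookie
        return None
    opts, i, found = frame[bootp + 240:], 0, {}
    while i + 1 < len(opts) and opts[i] != 255:   # walk type/length/value options
        if opts[i] == 0:                          # pad option has no length byte
            i += 1
            continue
        found[opts[i]] = opts[i + 2:i + 2 + opts[i + 1]]
        i += 2 + opts[i + 1]
    if len(found.get(53, b"")) != 1 or len(found.get(54, b"")) != 4:
        return None                  # need message type and server identifier
    return vlan, {2: "OFFER", 5: "ACK"}.get(found[53][0], "OTHER"), socket.inet_ntoa(found[54])

def rogue_replies(frames, expected):
    """expected maps VLAN ID -> the only DHCP server IP that should answer there."""
    return [r for r in map(parse_dhcp_reply, frames) if r and r[2] != expected.get(r[0])]

def sample_frame(vlan, server_ip, msg_type=2):
    """Constructed test frame: minimal Ethernet/IPv4/UDP/DHCP reply, checksums zeroed."""
    opts = bytes([53, 1, msg_type, 54, 4]) + socket.inet_aton(server_ip) + b"\xff"
    bootp = bytes([2, 1, 6, 0]) + bytes(232) + b"\x63\x82\x53\x63" + opts
    udp = struct.pack("!HHHH", 67, 68, 8 + len(bootp), 0) + bootp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     socket.inet_aton(server_ip), b"\xff" * 4) + udp
    tag = struct.pack("!HH", 0x8100, vlan) if vlan else b""   # vlan=0 means untagged
    return b"\xff" * 6 + b"\x02" + bytes(5) + tag + struct.pack("!H", 0x0800) + ip

MODEM, PFSENSE = "10.1.10.1", "192.168.2.1"   # constructed addresses, not from the thread
EXPECTED = {1: MODEM, 2: PFSENSE}
FRAMES = [sample_frame(2, PFSENSE), sample_frame(2, MODEM), sample_frame(0, MODEM, 5)]
```

Any entry returned by `rogue_replies(FRAMES, EXPECTED)` is a reply tagged for a VLAN whose expected server did not send it, which is the symptom described in the first post.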



  • Yeah, that's what I'm finding out. Not isolated the way I want. I want to be able to easily take the pfSense box out of line and just plug an ethernet cable from Comcast back into the switch and have everything work except for the external VLAN2 wireless. That's why I want to set it up this way. The more I experiment and talk to people, the more I think it's not possible.



  • Is there some need to have it this way?

    A more "standard" way would be a regular pfSense install, having the WAN allowed to use private IPs (default is block), have LAN & VLANs on unique subnets, and leverage the firewall to allow things to flow through (for example, for VLANs to access a printer on the Comcast LAN).



  • ^^^^
    VLANs are typically used when multiple SSIDs are used.  One application would be a guest WiFi, where guests, on their own SSID VLAN are only allowed access to the Internet, but internal users, with their own SSID can access the network, as well as Internet.



  • @moikerz:

    Is there some need to have it this way?

    A more "standard" way would be a regular pfSense install, having the WAN allowed to use private IPs (default is block), have LAN & VLANs on unique subnets, and leverage the firewall to allow things to flow through (for example, for VLANs to access a printer on the Comcast LAN).

    Basically just the reason I mentioned above, about wanting to be able to easily take the pfSense box out of the equation and still have everything work except the VLAN2 wireless. At this point I will either run pfSense as my full-blown router or add another NIC in it to be able to isolate the VLAN2.


  • LAYER 8 Global Moderator

    Why do you not just connect pfsense wan to your current network… Then pfsense lan to this network your AP is on for your other SSID..

    Now if pfsense is off or blows up or you pull it only thing gone is the 2nd SSID.

    I don't see any reason to bridge anything on pfsense from what you have explained.



  • @johnpoz:

    Why do you not just connect pfsense wan to your current network… Then pfsense lan to this network your AP is on for your other SSID..

    Now if pfsense is off or blows up or you pull it only thing gone is the 2nd SSID.

    I don't see any reason to bridge anything on pfsense from what you have explained.

    The reason why I set it up this way is that with it bridged I can still see all the traffic flowing in and out of the network. I can filter the traffic, and still create firewall rules on the bridge limiting bandwidth to certain IPs.


  • LAYER 8 Global Moderator

    And you could do all that with a nat as well..

