Network set up/config advice needed

  • Far from a network expert, so bear with me. I would like to have my pfSense box act as a router for one vlan and a firewall for two vlans.

    I currently have a pfSense box serving a home network. I am adding a mesh wireless solution to it. My wife wants to use the parental controls and filtering so I plan on using the wifi router as the router for the wireless vlan.

    I was going to continue using the pfSense box as the router for the wired network.

    Is this feasible or am I making things too complicated?

  • Netgate Administrator

    You mean the filtering/parental controls are in the wireless 'router'?


  • Yes. The per-child time limits, filtering, etc. do not work if the wireless router is set up as an access point.

  • Netgate Administrator

    Ok. Assuming you don't want to move the filtering and time limits to pfSense then you can do exactly as you've shown in the diagram.

    It will almost certainly be more complex to set up the filtering in pfSense, probably a lot more. You could always switch to that later anyway.

    The switch shown as layer 3 there probably should be in layer 2 mode unless you have a good reason not to.

    Wireless clients will be behind double NAT but that probably won't cause you any issues.

    Are you going to bring those two segments into pfSense as VLANs?


  • I guess that was really my question. Can I bring both VLANs into the pfSense box on one interface? Maybe now that I know my question, I can probably search the forums better ;D

    The wireless router has an app, so the wife can adjust the kids' allotted time, or turn it off entirely. I know I can in essence do the same thing in pfSense, but the app is the selling point for her.

  • LAYER 8 Global Moderator

    If you want to firewall between vlans then they should be brought up to pfsense; just use layer 2. If you're going to use layer 3 on your switch then it would be connected to pfsense via a transit network and pfsense would have no vlan IDs set up on it.

    You could always do both layer 3 and layer 2 to that switch if you wanted.

    Most often when users say layer 3 - they just do so because the switch is capable of it, but they are really just using it as layer 2 switch.

    To be honest, unless you were going to be setting up a lab, a home user has zero reason to run a downstream router - i.e. a layer 3 switch. Just let pfsense do all the routing/firewall between your vlans. If you want to let some wifi networks be natted behind some wifi router - just plug it in to one of your networks/vlans and it's no different than any other client on your network.

  • Going to show my lack of knowledge here . . . so I can just plug my wifi router into the existing pfSense network and it would just be another client on the network?

    I need DHCP on the wifi router for the parental controls to work. So then I disable it in pfSense, and let the wifi router handle DHCP.

    I don't really have a need to firewall off the VLANS, so I'm thinking I don't need them in the first place. I was thinking I needed them because of the two routers.

  • Netgate Administrator

    The wifi router will probably be getting its IP via DHCP by default so you would leave DHCP enabled on pfSense to allow that.

    If that device is the only client on that interface in pfSense you could set it static and disable dhcp but it's probably easier not to.

    You should just be able to connect it. The only 'gotcha' is to be sure the wifi router is using a different subnet on its internal interface than pfSense is using. The default, 192.168.1.X, is very common so there may be a conflict there. If so you can change either of them to avoid it.


  • LAYER 8 Global Moderator

    Yup, you can plug in any wifi router like that and it would be just like any other client on the network - the only gotcha is what stephenw10 mentioned: if the network you're plugging the wan of your wifi router into is the same as what the wifi router is using behind it then there will be issues.

    Your only gotcha here is if you're wanting devices on network of the wifi routers want to be able to access stuff behind the wifi router. And you have no security from clients behind the wifi router from accessing stuff on the wifi router wan network. Since they are actually going to look like they are on that network.

    While it is a simple way to do what you're wanting to do - it is not the most secure setup when looking to isolate wifi from the rest of your network. If what you're looking to do is control the wifi clients and this wifi router provides the features you want, then it is a simple solution.

    I would isolate that wifi router's wan to its own vlan on pfsense so you can prevent those wifi clients from talking to your devices if so desired. But if they are just your kids' devices it's prob not a big issue.

  • Thanks all! I'll dive into this weekend.
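
Added example, not part of any post in this thread: a check for the subnet "gotcha" raised above, where the wifi router's internal subnet must not overlap any network pfSense already routes. The interface names, the `WIFI_TRANSIT` VLAN subnet and the candidate pool are constructed assumptions; only the common 192.168.1.X default comes from the thread.

```python
import ipaddress

# Constructed sample addressing (assumption, not taken from the poster's network).
PFSENSE_NETWORKS = {
    "LAN": "192.168.1.0/24",            # common default mentioned in the thread
    "WIFI_TRANSIT": "192.168.20.0/24",  # hypothetical VLAN holding the wifi router's WAN port
}
WIFI_ROUTER_INTERNAL = "192.168.1.0/24"  # typical factory default behind the wifi router


def find_conflicts(upstream, downstream_lan):
    """Names of pfSense networks that overlap the wifi router's internal subnet.

    overlaps() also catches containment (e.g. a /22 upstream swallowing a /24),
    which a plain string comparison of the two subnets would miss.
    """
    inner = ipaddress.ip_network(downstream_lan)
    return sorted(name for name, cidr in upstream.items()
                  if ipaddress.ip_network(cidr).overlaps(inner))


def suggest_internal_subnet(upstream, pool="192.168.0.0/16", prefix=24):
    """First /prefix in the pool that overlaps nothing pfSense already routes."""
    used = [ipaddress.ip_network(c) for c in upstream.values()]
    for candidate in ipaddress.ip_network(pool).subnets(new_prefix=prefix):
        if not any(candidate.overlaps(u) for u in used):
            return str(candidate)
    raise ValueError("no free subnet in pool")


def plan(upstream, downstream_lan):
    """Keep the router's subnet if it is clean, otherwise propose a replacement."""
    conflicts = find_conflicts(upstream, downstream_lan)
    if not conflicts:
        return {"conflicts": [], "use": downstream_lan}
    return {"conflicts": conflicts, "use": suggest_internal_subnet(upstream)}


if __name__ == "__main__":
    print(plan(PFSENSE_NETWORKS, WIFI_ROUTER_INTERNAL))
```

Either side can be renumbered to clear a conflict, as the thread notes; this sketch only proposes a new subnet for the wifi router's internal side.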
