• Home user here with level 2 switch behind pfSense & SG-2440. OPT2 is an available unused port.

    While researching VLANs for routing IoT from a cloud service (seems like at a minimum I would need a smart switch for starters) it has occurred to me that using OPT2 from a dedicated wifi AP could serve the same purpose.

    Is my assumption correct? If I install a wifi access point on OPT2 it seems to me that it could provide the same protection that one would get using a vlan. I'm unsure about the routing, pfSense is at If I made opt2 something like would this work correctly, understanding that I may need to create rules to block my LAN from this subnet?

  • Netgate Administrator

    Yes, that would work.

    You would need to add firewall rules to restrict traffic between the subnets. Probably you want to restrict devices on the IoT subnet reaching your LAN rather than the other way around.

  • Thank you for taking the time to answer.

    For anyone looking for this same method, I set this up on OPT2 and then I created an alias for OPT1 & LAN. Then on OPT2 I created a destination rule !alias (not alias) to restrict OPT2 devices from OPT1 & LAN. So far it seems to be working.

    I can see how it is probably better to use a VLAN but I don't have a managed switch at this time.
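A small model of the OPT2 rule described in this post, added here as an illustration and not part of the thread: one pass rule on OPT2 whose destination is the inverted alias (OPT1 + LAN), with pfSense's implicit default deny behind it. The subnets, the alias name LocalNets and the function names are constructed assumptions, since the post's real addresses are not shown.

```python
"""Model of pfSense per-interface rule evaluation for the OPT2 (IoT) setup.
pfSense evaluates an interface's rules first-match; anything unmatched is
dropped by the implicit default deny. All subnets below are constructed."""
import ipaddress

LAN_NET = ipaddress.ip_network("192.168.1.0/24")    # constructed
OPT1_NET = ipaddress.ip_network("192.168.2.0/24")   # constructed
OPT2_NET = ipaddress.ip_network("192.168.3.0/24")   # IoT access point here

# Alias covering OPT1 and LAN, as created in the post (name is assumed).
LOCAL_NETS = [LAN_NET, OPT1_NET]

def in_alias(addr, alias):
    """True if addr falls inside any network of the alias."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in alias)

# Rule entry: (action, source network, destination alias, invert flag).
# invert=True is the GUI's "not" checkbox on the destination (!LocalNets).
OPT2_RULES = [
    ("pass", OPT2_NET, LOCAL_NETS, True),   # pass OPT2 net -> !LocalNets
]

def opt2_decision(src, dst, rules=OPT2_RULES):
    """Verdict for a new connection arriving on OPT2 (first match wins)."""
    src_ip = ipaddress.ip_address(src)
    for action, src_net, dst_alias, invert in rules:
        if src_ip not in src_net:           # source must be the OPT2 subnet
            continue
        matched = in_alias(dst, dst_alias)
        if matched != invert:               # invert flips the destination test
            return action
    return "block"                          # implicit default deny

# Equivalent two-rule form: explicit block to the alias, then pass anything.
OPT2_RULES_EXPLICIT = [
    ("block", OPT2_NET, LOCAL_NETS, False),
    ("pass", OPT2_NET, [ipaddress.ip_network("0.0.0.0/0")], False),
]
```

Because the alias holds only the OPT1 and LAN networks, IoT devices can still reach the firewall's own OPT2 address, so DHCP and DNS served by pfSense keep working; the same rule also blocks nothing in the LAN-to-IoT direction, which matches the advice above.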

  • Netgate Administrator

    The only thing that is perhaps better about using a VLAN would be not introducing more wifi networks into an already crowded space. Though if your IoT devices require wifi that would only be achievable if your access point(s) support multiple SSIDs with VLANs.

    I see no problem with what you've done here.