Setting Up Multiple Wireless SSIDs w/ 1 Access Point
I'm up and running nicely with 2 SSIDs on my Advanced Tomato AP connected to OPT1 on my pfSense box.
Clients can connect to either SSID, and get to the Internet. Works great!
But I would like to create additional SSIDs (Guests, Home, VPN, Clear). And in Advanced Tomato and previously in my Asus configuration, no problem. I can do that on each 2.4/5 card without issues.
How do I do this and get pfSense to see anything beyond that one OPT1 connection? I've tried doing VLANS on the Tomato but this never translates into an actual "Interface" I'm able to manipulate on pfSense.
pfSense doesn't see the additional SSIDs, VLANs or LAN "bridges" I've created on the Tomato. It just sees that one OPT1 interface and that's it.
There has to be a way to create multiple SSIDs and get pfSense to see them and setup various rules.
Can you point me in the general direction? Any help is much appreciated.
How do I create multiple SSIDs on my Advanced Tomato router that pfSense can see as Interfaces or VLANS and manipulate like it does with the default OPT1 port now?
Tell the access point to tag the SSID with a VLAN.
Create a new VLAN on pfSense on the interface connected to the access point.
Assign that VLAN to a new interface on pfSense.
Make that VLAN interface behave how you would like (DHCP, firewall rules, etc.)
I can now see the Interface in pfSense. I configured it the same way as the default built-in wireless. This "guest" network was setup as a VLAN on the Tomato interface. It's there. I can see the SSID.
But when I connect to it, I never get a DHCP address? But DHCP is setup and running on this interface in pfSense.
I'd like to see what's up but I don't see any errors on pfSense because I suspect it's not even getting passed by the router. Yet if I connect to the other SSIDs... I'm in no problem.
I have noticed while DHCP is enabled on the Interface, there are no active leases. At least the other Interface that has the original SSIDs being broadcast, does show an active lease for the default router.
Not sure why this other VLAN setup isn't coming thru in the same way but the Interface does show up per the suggestion to create the VLANs and match them up by VID number.
If the AP is connected to the port and the port has a VLAN and there is an interface assigned to the port and there is a DHCP server active on the interface and you do not get an address, then I would suspect the AP is not tagging the traffic with the VLAN tag.
AP is not tagging the traffic with the VLAN tag.
- AP is connected to an Ethernet Port
- Port has a VLAN and is tagged
- Added a VLAN in pfSense using the same VID #
- pfSense sees the Interface and I add it
- Assigned a static IP (same as inside the Tomato) to the interface
- Enabled DHCP on that Interface
I guess it could be that the Tomato isn't tagging the traffic with the VLAN tag which then forwards to pfSense and does DHCP. Because as far as I can tell, Windows is giving me the 169.x.x.x address which means I'm not getting past the Tomato AP.
So question becomes.. why isn't the router tagging that?
Because if I connect to the default SSIDs.. either of them it works. Just not this VLAN.
Could be a Tomato bug... I found a lot of people saying the WebGUI doesn't properly tag VLANS and you have to do it thru the command line.
AP is connected to an Ethernet Port
What is an "Ethernet Port"? A port on the firewall?
Assigned a static IP (same as inside the Tomato) to the interface
I don't understand that.
Sorry. Never used Tomato.
Might be a good time to post your Interfaces > Assignments page.
I should have been more clear.. I've connected ETH1 to my laptop in order to "Share" it out via VirtualBox
So it's within the VM environment. Amazingly it works with the default SSIDs. That traffic and interface shows up.. works great.
It's this VLAN thing. Which got me thinking that Tomato isn't tagging that traffic or something and it doesn't even pass anything to pfSense.
I'm in the midst of trying to figure out why. The VID is set and the Tag option is checked. Looks great but any other device that sees this Guest network, can connect (so the AP is fine with it) but no Internet. And no IP of what it should be as configured within the pfSense interface.
If I connect to say.. Tomato24 (default SSID no VLAN).. it's awesome. No problem. pfSense sees that interface and away it goes.
I am going to be pretty much unable to help you with getting the VLAN tags passing through the AP and virtual environment. I don't use Tomato or Virtualbox. Sorry.
If the pfSense interface is assigned to something like VLAN 10 on igb0, the interface is enabled and numbered, and the DHCP server is active, then all it is waiting for is traffic to arrive there tagged for VLAN 10.
I've seen VLAN 10 mentioned somewhere in another tutorial.
Makes me think you are correct from the get-go. The AP isn't tagging the traffic appropriately because it's not connecting to pfSense and DHCP, etc etc
I think you've helped a lot actually. It's not pfSense.
It's how traffic is being tagged and how it's not going where it should to get an address from pfSense which sees the Interface and has the service enabled.
Gotta be this AP VLAN configuration for an additional SSID.
For whatever reason.. I unchecked the Port 1 on my VLAN 1 ... and because of that, the wireless traffic passing now gets assigned correctly in pfSense.
Simply unchecked Port 1 for VLAN 1 and assigned that VLAN 3 to Port 1.
I would have thought you could send all traffic thru a single port and simply tag the frames? Maybe not in this case but I do not proclaim to understand the deep technical nuances of networking. Just the basics. Which is why I survived and now I've got 3 separate SSIDs all getting their own IP ranges and going thru pfSense!
Thanks for the help. Your comment really got me thinking.
Ah son of a ....
All I solved was by putting VLAN 3 on Port 1, the traffic works perfect but now the other SSIDs do not because there is no physical ETH connection coming out of Ports 2-4 to the pfSense box.
I thought by "tagging" the traffic, all traffic could come out of Port 1 but somehow be segmented because it was tagged and would match up on a VLAN created in pfSense.
If this does work in theory, it might not work with Advanced Tomato on my Asus RT-AC68U box. There might be some bug that isn't allowing traffic to be appropriately tagged.
Meaning, while I can create several VLANS and associate them with various Virtual Wireless networks, I can't get anything connecting to the AP to do anything with it except connect to whatever is listed on Port 1
Yes you can put multiple tagged VLANs on one physical interface. That's sort of the whole point.
That's what I thought!
So it's gotta be going back to your original point.. your AP isn't tagging your traffic appropriately so when it says VLAN3 has a VID of 3 which matches the pfSense of VLAN 3 ...
My AP isn't doing it right. I can see all the APs SSIDs. I can connect but not all of them will give me DHCP because that traffic beyond whatever says is connected on Port 1 to my pfSense box isn't getting tagged beyond the default.
I think you were right on the first time and my issue is Tomato and VLAN tagging with this specific model router.
Could be that VirtualBox's NIC doesn't support VLAN tagging either. Given this isn't an actual physical box.. with a support NIC... it may be VBox doesn't support VLAN tagging thus it's configured correctly but won't work because of a non-supported configuration. I'll have to go search to see if VBox has any issues with VLAN tagging.
"don't use the Intel PRO/1000 family of adaptors, because they will strip the VLAN tags. Instead, either use the Paravirtualized Network adaptor old default of AMD PCNet FAST III, neither of which seem to have this restriction."
I am indeed using the default Intel PRO/1000 default in my VBox setup.
I'll switch in my VBox settings for my pfSense host and see what gives.
I've come to the conclusion that VirtualBox/VMWare Player do not truly support VLAN tagging.
I can get a pretty good lab going using VBox but if I create additional SSIDs, and tag them.. the show up in pfSense but the traffic doesn't route properly.
It's not a pfSense issue. It's not an Advanced Tomato or my router.
Virtualization using these 2 products and the associated selection of virtual adapters just does not support proper tagging.
You understand both of those are free products for "simple" use or end users to play with right. If you want to play with vlan tags than use say esxi - also FREE..
Yes I understand that.. I didn't know if it would work or not.
I think esxi is beyond the specs of my simple laptop setup. But I'll look into it.