Sanity Check - VLAN or Subnets to separate a single WiFi computer
-
First of all after searching for quite a long time (over a month), I'm still confused like crazy. I'm sure once I actually physically work on this, it will make sense.
My dilemma: I want to separate a single WiFi device from my LAN (192.168.1.x) because, let's face it, my father clicks on anything that shows up on the computer screen. He's 83 and thinks the AV on the machine is a magic bullet and will save us all from certain disaster. Additionally, I want to allow him access to my laser printer (192.186.1.201).
I was hoping I could configure pfsense to place his laptop on a separate VLAN/SUBnet using the DHCP Server Static IP setup. The VLAN only needs to be from the AP to the pfsense, not out to my LAN except for printing of course.
While I will buy additional hardware if needed, I'd rather not if possible.
My current hardware:
-Old laptop computer with 2 Ethernet Ports (WAN/LAN)
-UniFi AP-AC Pro (VLAN Capable) (connected directly to LAN switch)
-A few 5 and 8 port unmanaged network switches, not VLAN certified
What I fear is that I will need to buy a second USB Ethernet Adapter to dedicate to the AP and then specify a VLAN for the WiFi. Again, if I could separate my father's computer from the rest of the network and still allow printer sharing, without purchasing more hardware, I'll be happiest.
Yup, you can tell I'm not a networking expert, barely a novice and I've been programming computers for over 40 years.
Thanks
-Joe
-
Buy a smart/managed switch and do VLANs right.
-
You can do it either way. I would just get a VLAN-capable switch. They're like $39 on Amazon. (or a 5-port for even less.)
https://www.amazon.com/D-Link-EasySmart-Gigabit-Ethernet-DGS-1100-08/dp/B008ABLU2I/
Another NIC would work but you would have to do messy things like software bridging to get the Wi-Fi how it sounds like you want it.
Printer discovery would likely take a bit of doing but with just one computer to one printer you could manually set the IP address for it and be done.
The firewall rules keeping that LAN separate from yours would be the same for physical interfaces or VLANs on a switch.
-
@derelict said in Sanity Check - VLAN or Subnets to separate a single WiFi computer:
You can do it either way. I would just get a VLAN-capable switch. They're like $39 on Amazon. (or a 5-port for even less.)
https://www.amazon.com/D-Link-EasySmart-Gigabit-Ethernet-DGS-1100-08/dp/B008ABLU2I/
Another NIC would work but you would have to do messy things like software bridging to get the Wi-Fi how it sounds like you want it.
Printer discovery would likely take a bit of doing but with just one computer to one printer you could manually set the IP address for it and be done.
The firewall rules keeping that LAN separate from yours would be the same for physical interfaces or VLANs on a switch.
Thank you and I appreciate the link to a suitable switch.
Last question... Does the printer's Ethernet connection need to be connected to a switch that supports VLANs? I ask because from the basement (where the network comes together) I run a single Ethernet line to my home office, where I have another 8-port switch that my office equipment connects to. I may need to buy a second VLAN-capable switch to share the printer properly, or run a second Ethernet cable to my home office; I have the wire, so it's not a problem if needed.
Again, Thanks!
EDIT: I ordered the 8-port switch; it'll be here Thursday! If I need another, I can order another. Good thing the wife has Amazon Prime.
-
You can take an untagged port and connect it to any unmanaged switch. Everything on that connected switch will be on the VLAN that is untagged on the managed switch port.
You will want the AP and the pfSense interface to be connected to managed switch ports.
-
So I received the 8 Port switch, played with it a little bit and then fell ill. I'm back to it today and I have presently established a VLAN10 on pfSense and I can print from that VLAN without issue and of course access the internet. I have not even installed the switch. Keep in mind that VLAN10 is over WiFi.
So my current concern is that I can access too many things on the LAN from VLAN10. I'm sure there is a way to block this traffic from happening, I just need to figure it out. I hope that I don't have to put my entire network on a separate VLAN to have that separation.
Off I go to read more on the internet to see if I can block untagged from tagged network.
-
The rules on the VLAN10 interface should:
Pass traffic to local assets they need to access (DNS, the printer, etc)
Reject traffic to LAN Net
Reject traffic to This Firewall (self)
Pass traffic to any (the internet)
-
Thanks for the advice. I found some of it before I read your message but your message was right to the point. I had to read your message a few times to understand, the third rule was kicking my butt because I didn't include the DNS in the first rule. While this type of stuff is probably easy for many people, my goodness it's a lot to think about and keep track of. I mean, I do understand it but dang!
So it looks like I have a VLAN that is isolated from everything except the printer. I will still use that 8-port switch, as I desire to run some VMs on my ESXi machine on a separate VLAN and I need the switch that handles VTAGS to go between the pfSense computer and the ESXi computer, so there was a benefit to having purchased it.
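The rule order given above (pass DNS and the printer, reject LAN net, reject This Firewall, pass any) only works because pfSense evaluates interface rules top to bottom and the first match wins, which is exactly why leaving DNS out of the first pass rule caused the "reject This Firewall" rule to swallow DNS lookups. The following is an added example, not code from the thread or from pfSense: a small first-match evaluator that models that rule set over the thread's LAN (192.168.1.0/24) and printer (192.168.1.201). The VLAN10 subnet, the firewall's own interface addresses (the "This Firewall (self)" alias) and the per-service ports are assumptions made for the example.

```python
"""First-match evaluation of the VLAN10 isolation rule set from the thread.

Added example, not from the thread or pfSense. LAN net and the printer address
come from the thread; the VLAN10 subnet, the firewall's interface addresses and
the ports used in the checks are assumed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Union

Dst = Union[str, ipaddress.IPv4Network, ipaddress.IPv4Address]

LAN_NET = ipaddress.ip_network("192.168.1.0/24")       # from the thread
PRINTER = ipaddress.ip_address("192.168.1.201")        # from the thread
VLAN10_NET = ipaddress.ip_network("192.168.10.0/24")   # assumed
# Stand-in for pfSense's "This Firewall (self)" alias: every address the
# firewall holds on any interface (assumed values).
FIREWALL_SELF = {
    ipaddress.ip_address("192.168.1.1"),    # LAN side
    ipaddress.ip_address("192.168.10.1"),   # VLAN10 side, also the DNS resolver
}


@dataclass(frozen=True)
class Rule:
    action: str                  # "pass" or "reject"
    dst: Dst                     # "any", "self", a network, or a single address
    proto: Optional[str] = None  # None matches any protocol
    dport: Optional[int] = None  # None matches any destination port
    label: str = ""


def dst_matches(dst: Dst, ip: ipaddress.IPv4Address) -> bool:
    """Resolve the rule's destination the way the pfSense aliases behave."""
    if dst == "any":
        return True
    if dst == "self":
        return ip in FIREWALL_SELF
    if isinstance(dst, ipaddress.IPv4Network):
        return ip in dst
    return ip == dst


def evaluate(rules, dst_ip: str, proto: str, dport: int):
    """Walk the interface's rules top to bottom; the first match decides.

    pfSense GUI rules are 'quick', so this is the same semantics.  Traffic that
    matches nothing falls through to the implicit default deny.
    """
    ip = ipaddress.ip_address(dst_ip)
    for rule in rules:
        if rule.proto not in (None, proto):
            continue
        if rule.dport not in (None, dport):
            continue
        if dst_matches(rule.dst, ip):
            return rule.action, rule.label
    return "block", "implicit default deny"


# The order recommended in the thread: pass what VLAN10 needs first, then reject
# LAN net and the firewall itself, then pass everything else (the internet).
# The DNS rule matches port 53 on any protocol so TCP fallback works too.
ISOLATION_RULES = [
    Rule("pass", "self", None, 53, "DNS to the firewall's resolver"),
    Rule("pass", PRINTER, None, None, "printer on the LAN"),
    Rule("reject", LAN_NET, None, None, "everything else on LAN net"),
    Rule("reject", "self", None, None, "firewall GUI/SSH/other services"),
    Rule("pass", "any", None, None, "internet"),
]

# The variant the original poster ran into: without the DNS pass rule, DNS to
# the firewall is caught by the 'reject This Firewall' rule.
RULES_MISSING_DNS = [r for r in ISOLATION_RULES if r.dport != 53]


if __name__ == "__main__":
    checks = [
        ("192.168.1.201", "tcp", 9100),  # raw printing to the printer
        ("192.168.1.50", "tcp", 445),    # SMB to another LAN host
        ("192.168.10.1", "udp", 53),     # DNS to the firewall
        ("192.168.10.1", "tcp", 443),    # pfSense web GUI from VLAN10
        ("203.0.113.10", "tcp", 443),    # internet (TEST-NET-3 address)
    ]
    for args in checks:
        print(args, "->", evaluate(ISOLATION_RULES, *args))
    print("DNS with the pass rule missing ->",
          evaluate(RULES_MISSING_DNS, "192.168.10.1", "udp", 53))
```

Two things the model makes visible: the printer is reachable even though it sits inside LAN net only because its pass rule is above the reject, and swapping the order would silently cut printing off; and the "reject This Firewall" rule blocks DNS the moment the resolver address is not passed explicitly above it, which is the symptom described in the last post. On the real firewall, the per-rule logging checkbox and Status > System Logs > Firewall show which rule matched, which is the quickest way to confirm the order is doing what you intend.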