Router's Guest Network on different subnet with separate DHCP as main Network - Is it Protected?

  • I'm scratching my head, so I'm looking for some outside input. Apologies if this post isn't in the correct sub.

    I'm using an Amplifi HD Mesh network in bridge mode. My pfSense box is running DHCP as a PPPoE modem and router, connected to a switch off of the LAN interface, which runs to the Amplifi Router in bridge mode. My pfSense LAN interface has my main network IP set to

    However, Amplifi just released a Guest Network capability, but it is not configurable. The IPs that the Guest network hands out are in the network.

    I'm trying to determine if that Guest subnet is protected by the pfSense firewall. I can't seem to see any devices on the Guest network in the ARP table and a pcap didn't pick them up. I know that anything on the Guest network has to go out via the pfSense box to the Internet, but I can't figure out how...

    Any suggestions on where I can dig?

    Thanks all!!


  • LAYER 8

    Deleted... my bad, I've read wrong.

    Yeah, it's probably like stephenw10 wrote here.

  • Netgate Administrator

    @kollkash said in Router's Guest Network on different subnet with separate DHCP as main Network - Is it Protected?:

    I'm using an Amplifi HD Mesh network in bridge mode.

    By that do you mean you're using them effectively in access point mode? So:

    PPPoE => (WAN) pfSense (LAN) => switch => Amplifi HD ~> wifi clients

    If so, it's unclear how the separate guest network would connect. Probably the Amplifi router is NATing the traffic to the LAN subnet. In which case it does not protect LAN from Guest, but Guest clients are still filtered through pfSense to WAN.
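To make the two cases in this reply concrete, here is an added illustration (not from the thread and not Amplifi's or Netgate's code). It models a guest-originated packet under two topologies: the Amplifi source-NATing the guest subnet behind its own LAN address, versus the guest subnet arriving at pfSense as its own VLAN interface. All addresses are constructed placeholders chosen for the example; the hop names and port allocation are invented for the simulation.

```python
"""Constructed model of what pfSense sees from a guest client.

Placeholder addressing (documentation ranges, not the poster's real values):
  LAN subnet       192.0.2.0/24    pfSense LAN gateway 192.0.2.1
  Amplifi LAN IP   192.0.2.10      (the address its NAT masquerades behind)
  Guest subnet     198.51.100.0/24 (hidden behind the Amplifi in NAT mode)
"""
import ipaddress
from dataclasses import dataclass, replace

LAN = ipaddress.ip_network("192.0.2.0/24")
GUEST = ipaddress.ip_network("198.51.100.0/24")
PFSENSE_LAN = ipaddress.ip_address("192.0.2.1")
AMPLIFI_LAN = ipaddress.ip_address("192.0.2.10")


@dataclass(frozen=True)
class Packet:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    sport: int
    dport: int


def amplifi_nat(pkt, conntrack):
    """Source-NAT a guest packet onto the Amplifi's LAN address.

    conntrack maps translated source port -> (original src, original sport)
    so replies could be reversed; the caller keeps it between calls.
    The port allocation scheme is a constructed simplification."""
    new_sport = 40000 + len(conntrack)
    conntrack[new_sport] = (pkt.src, pkt.sport)
    return replace(pkt, src=AMPLIFI_LAN, sport=new_sport)


def trace(pkt, mode, conntrack=None):
    """Return [(hop, source address that hop sees), ...] for a guest packet.

    mode 'nat'  : Amplifi hides the guest subnet behind its LAN IP.
    mode 'vlan' : guest subnet is delivered to pfSense as its own interface,
                  so pfSense is the guest gateway."""
    if pkt.src not in GUEST:
        raise ValueError("this model only traces guest-originated packets")
    hops = []
    if mode == "nat":
        if conntrack is None:
            conntrack = {}
        on_wire = amplifi_nat(pkt, conntrack)
        hops.append(("amplifi-nat", str(on_wire.src)))
        if on_wire.dst in LAN and on_wire.dst != PFSENSE_LAN:
            # After NAT the packet is LAN-to-LAN: the switch delivers it
            # directly and pfSense never has a chance to filter it.
            hops.append(("lan-host", str(on_wire.src)))
        else:
            # Off-subnet traffic goes to the default gateway, i.e. pfSense,
            # which sees the Amplifi's LAN address, not the guest client.
            hops.append(("pfsense-lan", str(on_wire.src)))
    elif mode == "vlan":
        hops.append(("pfsense-guest-vlan", str(pkt.src)))
        hops.append(("lan-host" if pkt.dst in LAN else "pfsense-wan", str(pkt.src)))
    else:
        raise ValueError(f"unknown mode {mode!r}")
    return hops


def pfsense_can_filter_guest_to_lan(mode):
    """True when a guest -> LAN-host packet crosses a pfSense interface."""
    probe = Packet(ipaddress.ip_address("198.51.100.20"),
                   ipaddress.ip_address("192.0.2.50"), 51000, 445)
    return any(hop.startswith("pfsense") for hop, _ in trace(probe, mode))


if __name__ == "__main__":
    internet = Packet(ipaddress.ip_address("198.51.100.20"),
                      ipaddress.ip_address("203.0.113.5"), 51001, 443)
    for mode in ("nat", "vlan"):
        print(mode, "guest->internet:", trace(internet, mode))
        print(mode, "pfSense can filter guest->LAN:", pfsense_can_filter_guest_to_lan(mode))
```

In NAT mode the model also shows why the guest clients never appear in the pfSense ARP table or a LAN capture: the only address that reaches the LAN segment is the Amplifi's own, so from pfSense a guest client is indistinguishable from any other LAN host, and a guest-to-LAN packet is switched locally without touching the firewall.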


  • @stephenw10 Thanks Steve! Yes - essentially, I'm using the Amplifi Mesh router and mesh points as APs, largely due to some of the limitations of the Amplifi HD system when I first got it.

    When you say "does not protect LAN from Guest," do you mean that Guest clients could attack clients on the main LAN?

    If the Amplifi Router is indeed NAT'ing the Guest network (inquiry sent to Amplifi to confirm), then the pfSense firewall would still be providing perimeter protection (which I think is what your comment indicates), correct?

    Thanks again!

  • Netgate Administrator

    Yes exactly.

    What you really want is the guest subnet passed to pfSense over a VLAN. That way pfSense can filter it like any other interface including traffic between GUEST and LAN. I don't know if that's possible though with Amplifi.


    @stephenw10 Thanks again Steve! Amplifi got back to me with the following information, after I asked if they were VLAN tagging the Guest wireless. I'm not sure if I understand totally and certainly don't know if there are any implications for the outbound filtering of the traffic via pfSense and the segregation between the Guest network and the main network...

    ...any insight you have is appreciated :)

    "No, we don't use VLAN tags for guest SSID. Instead of VLAN tags, we use GRE tunnel. We cannot use VLAN tags because, in wired backbone mode, there could be an ethernet switch in between that does not support VLAN tags. GRE tunnel works in every case. GRE is used to provide Guest service on mesh points."
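Since Amplifi says the guest SSID rides a GRE tunnel rather than a VLAN tag, a capture on the wired side will show IP protocol 47 packets between tunnel endpoints instead of tagged frames from the guest clients. The following is an added example (not from the thread, and not Amplifi's implementation) of decoding IPv4-over-GRE frames so a capture can be checked for a guest subnet hidden inside the tunnel. The frame is built by `build_gre_frame()` from constructed placeholder addresses; the endpoint and client addresses are not anything Amplifi is known to use.

```python
"""Decode Ethernet / IPv4 / GRE / IPv4 frames and list inner guest addresses.

All sample addresses are documentation placeholders constructed for this
example. Checksums in the constructed headers are left at zero."""
import struct
import ipaddress

ETHERTYPE_IPV4 = 0x0800
IPPROTO_GRE = 47           # GRE is carried directly in IP with protocol number 47
GRE_PROTO_IPV4 = 0x0800    # GRE "protocol type" field uses EtherType values


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Build a minimal 20-byte IPv4 header (constructed sample, checksum 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl,
                       proto, 0, ipaddress.ip_address(src).packed,
                       ipaddress.ip_address(dst).packed)


def build_gre_frame(outer_src, outer_dst, inner_src, inner_dst,
                    inner_proto=6, inner_payload=b""):
    """Constructed frame: Ethernet -> outer IPv4 -> GRE (no options) -> inner IPv4."""
    inner = ipv4_header(inner_src, inner_dst, inner_proto, len(inner_payload)) + inner_payload
    gre = struct.pack("!HH", 0, GRE_PROTO_IPV4)          # flags/version = 0
    outer = ipv4_header(outer_src, outer_dst, IPPROTO_GRE, len(gre) + len(inner))
    eth = (b"\x02\x00\x00\x00\x00\x02" + b"\x02\x00\x00\x00\x00\x01"
           + struct.pack("!H", ETHERTYPE_IPV4))           # placeholder MACs
    return eth + outer + gre + inner


def parse_ipv4(buf):
    """Return (src, dst, proto, header_len) from the start of an IPv4 header."""
    if buf[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (buf[0] & 0x0F) * 4
    return (str(ipaddress.ip_address(buf[12:16])),
            str(ipaddress.ip_address(buf[16:20])), buf[9], ihl)


def decode_gre(frame):
    """Return outer endpoints and inner (src, dst, proto) for IPv4-over-GRE,
    or None for any frame that is not GRE (plain LAN traffic, ARP, ...)."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    osrc, odst, proto, ihl = parse_ipv4(ip)
    if proto != IPPROTO_GRE:
        return None
    gre = ip[ihl:]
    flags, gre_proto = struct.unpack("!HH", gre[:4])
    # Optional GRE fields (RFC 2784/2890) each add 4 bytes when their flag is set.
    hdr_len = 4
    if flags & 0x8000:
        hdr_len += 4   # checksum + reserved
    if flags & 0x2000:
        hdr_len += 4   # key
    if flags & 0x1000:
        hdr_len += 4   # sequence number
    if gre_proto != GRE_PROTO_IPV4:
        return {"outer": (osrc, odst), "gre_proto": gre_proto, "inner": None}
    isrc, idst, iproto, _ = parse_ipv4(gre[hdr_len:])
    return {"outer": (osrc, odst), "gre_proto": gre_proto, "inner": (isrc, idst, iproto)}


def guest_hosts_in(frames, guest_net):
    """Collect inner source addresses that fall inside guest_net across a set of frames."""
    net = ipaddress.ip_network(guest_net)
    found = set()
    for frame in frames:
        d = decode_gre(frame)
        if d and d["inner"] and ipaddress.ip_address(d["inner"][0]) in net:
            found.add(d["inner"][0])
    return sorted(found)


if __name__ == "__main__":
    sample = build_gre_frame("192.0.2.10", "192.0.2.11", "198.51.100.20", "203.0.113.5")
    print(decode_gre(sample))
    print(guest_hosts_in([sample], "198.51.100.0/24"))
```

To look for the same thing on a real capture, the tcpdump filter `ip proto 47` isolates GRE on whichever pfSense or switch interface carries the Amplifi backhaul (the interface name depends on your box). If the tunnel terminates inside the Amplifi system and only NATed traffic leaves it, the inner guest addresses will not appear on the pfSense LAN at all, which matches the earlier NAT explanation.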

  • Netgate Administrator

    Hmm, GRE tunnel to where? Between the Amplifi nodes? To some cloud location?

    More info needed there. Not really sure how that might be used, though it probably could be....

