Wireless Access Point and VLANs



  • Hello all,

    I am trying to set up a free hotspot so that my neighbors can access some free internet.  For security purposes I am putting them on their own VLAN.

    The Wireless AP I have supports multiple SSIDs and 802.1q trunking and will be connected to rl1.  My Home WiFi will be WEP Encrypted with a VLAN tag of 100, and the Hotspot portion will be open and have a VLAN tag of 200.  My wired network will be on rl0, while my WAN is xl0.

    Here is the set-up I had in mind, but it doesn't seem to work.

    WAN [xl0] -> pfSense -> [rl0] Wired Network (No VLANS) {192.168.2.1/24}
                                |
                                |-> [vlan0] Wireless AP (VLAN 100) {192.168.3.1/24}
                                |-> [vlan1] Wireless AP (VLAN 200) {192.168.5.1/24}
                                |-> [rl1] unassigned

    With this set-up I can't ping the gateway wirelessly or the AP from the server.  The AP's IP is 192.168.3.2, with admin VLAN at 100.

    Am I on the right track here, or am I missing something?

    Thanks for the help,
    xvalx



  • OK,

    I have most of the VLAN issues resolved (missing additional gateways).  I redid the VLAN numbering. The wifi VLANs will be 4-7 (it only supports 4).  Currently I have two set up, one SSID is on VLAN 4 and the other on VLAN 5 (think of each SSID like a port on a managed switch). I have set the Admin VLAN to 1, and enabled 802.1q trunking.  Everything is working client side. I can connect to an SSID and DHCP an address for the corresponding VLAN and get out to the internet.

    The only problem is I am unable to ping or access the access point (it's set to respond to icmp, and does without 802.1q trunking enabled).

    The subnetting is like this:
    VLAN 1 -> 192.168.1.0/24  (No DHCPD)  This is the subnet the AP is on, with an admin VLAN of 1
    VLAN 4 -> 192.168.4.0/24  This is encrypted/authentication SSID for closed client side wifi
    VLAN 5 -> 192.168.5.0/24  This is open SSID for client side wifi.

    Again, any help would be appreciated.  Thanks.



  • Sounds like the AP is at fault here. You should look for something called inband VLAN management, not sure what it's named on different brands, but on Proxim it used to be called that.



  • I did setup something similar using 3com APs and all is still working perfectly.

    What I did is:

    Vlan conf on NIC rl1:

    SSID 1: Vlan 4
    SSID 2: Vlan 5

    APs conf:

    APs mapping each SSID on the correct Vlan, Administration of the APs enabled for wired access only, no vlan on the "admin" link.

    Network interface on pfSense:
    RL1 : 172.16.1.0/24   network for monitoring the APs so each AP got an ip in this range
    RL1/VLAN4 : 172.16.2.0/24 network for the first SSID, the public one, unencrypted and broadcast (DHCP and captive portal enabled, traffic limited by firewall rules)
    RL1/VLAN5 : 172.16.3.0/24 network for the second SSID, the private one that is encrypted (WPA2 PSK AES) and not broadcast (DHCP enabled, all traffic allowed)

    So I've got a network for the APs themselves, useful for monitoring them ;-) and two other networks, one for each SSID. Firewall rules prevent public traffic from going to the private networks.
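The isolation the previous post relies on ("firewall rules prevent public traffic from going to private networks") is easy to get subtly wrong, so here is an added example, not code from the thread or from pfSense, that models that three-network design (untagged rl1 for AP management, VLAN 4 for the public SSID, VLAN 5 for the private SSID) as first-match rule lists per interface, the way pfSense evaluates rules, and checks the isolation goals. The subnets are the ones given in the post; the rule bodies, the client and AP addresses, the pfSense address 172.16.1.1 and the 203.0.113.0/24 "internet" destination are assumptions constructed for the check.

```python
"""Isolation check for the AP-management / public-SSID / private-SSID design.

Added example (not from the thread or pfSense). Subnets follow the post above;
rule bodies and test addresses are assumptions chosen to exercise the design.
"""
import ipaddress
from dataclasses import dataclass

Net = ipaddress.IPv4Network

# Networks from the post: rl1 untagged, rl1 tagged VLAN 4, rl1 tagged VLAN 5.
NETWORKS = {
    "rl1":   Net("172.16.1.0/24"),   # AP management, untagged on rl1
    "rl1.4": Net("172.16.2.0/24"),   # public SSID, VLAN 4
    "rl1.5": Net("172.16.3.0/24"),   # private SSID, VLAN 5
}
ANY = Net("0.0.0.0/0")
PFSENSE_RL1 = Net("172.16.1.1/32")  # assumed pfSense address on the AP network
RFC1918 = [Net("10.0.0.0/8"), Net("172.16.0.0/12"), Net("192.168.0.0/16")]


@dataclass(frozen=True)
class Rule:
    action: str   # "pass" or "block"
    src: Net
    dst: Net


# Ingress rules per interface; first match wins, as on pfSense.
RULES = {
    # public SSID: deny every RFC1918 destination, then allow the internet
    "rl1.4": [Rule("block", NETWORKS["rl1.4"], p) for p in RFC1918]
             + [Rule("pass", NETWORKS["rl1.4"], ANY)],
    # private SSID: everything allowed, as the post describes
    "rl1.5": [Rule("pass", NETWORKS["rl1.5"], ANY)],
    # AP management network: the APs only need to reach pfSense itself
    "rl1":   [Rule("pass", NETWORKS["rl1"], PFSENSE_RL1),
              Rule("block", NETWORKS["rl1"], ANY)],
}


def ingress_interface(src_ip):
    """Return the interface a source address arrives on, or None if unknown."""
    addr = ipaddress.IPv4Address(src_ip)
    for name, net in NETWORKS.items():
        if addr in net:
            return name
    return None


def evaluate(src_ip, dst_ip):
    """Return 'pass' or 'block' for a packet using first-match per interface.

    The implicit default is deny: an unknown ingress interface or a rule
    list with no matching entry evaluates to 'block'.
    """
    iface = ingress_interface(src_ip)
    if iface is None:
        return "block"
    src = ipaddress.IPv4Address(src_ip)
    dst = ipaddress.IPv4Address(dst_ip)
    for rule in RULES[iface]:
        if src in rule.src and dst in rule.dst:
            return rule.action
    return "block"


def isolation_report():
    """Evaluate the design's isolation goals; returns {check_name: verdict}."""
    public_client, private_client, ap = "172.16.2.50", "172.16.3.50", "172.16.1.10"
    internet = "203.0.113.10"  # constructed address from the TEST-NET-3 range
    return {
        "public_to_ap":         evaluate(public_client, ap),
        "public_to_private":    evaluate(public_client, private_client),
        "public_to_internet":   evaluate(public_client, internet),
        "private_to_internet":  evaluate(private_client, internet),
        "private_to_ap":        evaluate(private_client, ap),
        "ap_to_pfsense":        evaluate(ap, "172.16.1.1"),
        "ap_to_public_client":  evaluate(ap, public_client),
    }


if __name__ == "__main__":
    for check, verdict in isolation_report().items():
        print(f"{check:22s} {verdict}")
```

The ordering matters: the RFC1918 block rules sit before the pass-any rule, so a public client can reach the internet but not the AP management network or the private SSID. A real pfSense ruleset for the public VLAN also needs pass rules for DHCP and DNS to the VLAN's own gateway address placed above the block rules, otherwise the captive-portal clients never get an address.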

