VPN for specific SSID
I have a pfSense box with an incoming WAN connection and one LAN that is then split using an unmanaged switch to multiple connections. I have a Ruckus R600 Unleashed AP on one of the connections. I have created a separate SSID on my Ruckus AP with a separate VLAN setting of 99. I would like all clients connected to this SSID to be routed via PIA VPN. I have already set up an OpenVPN client with a firewall alias for specific clients to go through this VPN. The issue is that if I want a client to be on the VPN only when needed, I would have to edit the alias all the time to include/exclude clients. Instead, I was hoping to have a separate wifi SSID which is always routed through the VPN, to which I can connect/disconnect as and when needed.
What do I need to do to enable this setup?
Sure, that is a simple policy route. Just don't pull routes from your VPN service, since that will route everything out your VPN.
Then on the firewall rules for the SSID/VLAN you want to use the VPN, policy route (change the gateway) to use the VPN on the rules, after you allow whatever local traffic you might want to allow.
On your other SSID/VLAN, just don't do that.
I created a new interface for my VLAN 99 tag and enabled the DHCP server on it on a different subnet (192.168.2.0). In the firewall rules for this interface, I added an allow for all traffic from it with my PIA gateway.
After doing this, I connected my client to the new SSID, but I am not able to get onto the internet. Also, since I am under a different subnet, the pfSense router IP is also under this subnet now, which I can access, but no outside world access. How do I go about debugging this?
Also, considering that I am using an unmanaged switch (actually the Ruckus is behind a second unmanaged switch), the VLAN tag is still being passed through and not stripped out, right?
Did you modify your outbound NAT to NAT to your VPN interface? Change to hybrid and add a NAT to your VPN interface.
Unmanaged switch - not sure how you expect that to work. It sure isn't secure. It ends up just being multiple layer 3 over the same layer 2.
No, dumb switches should not actually strip the tag. But it is not the correct way to do it, and there is no actual isolation.
@johnpoz I went ahead and copied over the outbound NAT rules I had set up for my earlier PIA interface (where I had set up IP-address-based VPN routing for my other subnet). I made the necessary changes related to the interface (VLAN interface instead of PIA interface) and the subnet change to 192.168.2.0 instead of 192.168.1.0.
I am still not able to connect to the internet.
Btw, I understand that an unmanaged switch is not the correct approach, but for now this is all I have handy. I will go down the path of using managed switches in the near future.
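As an added illustration of the outbound NAT point raised in this thread (the "add a NAT to your VPN interface" reply and the copied-rules follow-up), not code from the thread or from pfSense: a small model of how the first matching firewall rule picks the egress interface (a rule with a gateway policy-routes, one without follows the routing table) and how outbound NAT is then matched on that egress interface plus the source network. The interface names and addresses are assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed model (addresses are assumptions, not from the thread): VPN SSID clients
# on 192.168.2.0/24, normal LAN on 192.168.1.0/24, "ovpnc1" = OpenVPN client to PIA.
IFACE_ADDR = {"wan": "203.0.113.5", "ovpnc1": "10.8.0.2"}
LOCAL_NETS = ["192.168.1.0/24", "192.168.2.0/24"]

def in_net(addr, net):
    return ip_address(addr) in ip_network(net)

def pick_egress(src, dst, fw_rules, default_route="wan"):
    """First matching pass rule wins. A rule with a gateway policy-routes the packet out
    that gateway's interface; a rule without one follows the routing table."""
    for r in fw_rules:
        if in_net(src, r["src"]) and in_net(dst, r["dst"]):
            if "gateway_iface" in r:
                return r["gateway_iface"]
            return "local" if any(in_net(dst, n) for n in LOCAL_NETS) else default_route
    return None  # no pass rule: dropped

def outbound_nat(src, egress, nat_rules):
    """Outbound NAT is matched on the interface the packet LEAVES on plus its source;
    with no match the packet keeps its private source address."""
    for n in nat_rules:
        if n["iface"] == egress and in_net(src, n["src"]):
            return IFACE_ADDR[egress]  # pfSense "Interface Address" translation
    return src

def simulate(src, dst, fw_rules, nat_rules, default_route="wan"):
    egress = pick_egress(src, dst, fw_rules, default_route)
    if egress is None:
        return {"egress": None, "src_seen": None, "works": False}
    if egress == "local":
        return {"egress": "local", "src_seen": src, "works": True}
    seen = outbound_nat(src, egress, nat_rules)
    # Replies only come back if the upstream saw the tunnel/WAN address, not an RFC1918 source
    return {"egress": egress, "src_seen": seen, "works": seen == IFACE_ADDR[egress]}

# VPN SSID rules: pass local traffic first (no gateway), then policy-route the rest to PIA
FW_VLAN99 = [
    {"src": "192.168.2.0/24", "dst": "192.168.2.0/24"},
    {"src": "192.168.2.0/24", "dst": "0.0.0.0/0", "gateway_iface": "ovpnc1"},
]
FW_LAN = [{"src": "192.168.1.0/24", "dst": "0.0.0.0/0"}]  # other SSID: no gateway set
NAT_ON_VLAN = [{"iface": "vlan99", "src": "192.168.2.0/24"}, {"iface": "wan", "src": "192.168.1.0/24"}]
NAT_ON_VPN = [{"iface": "ovpnc1", "src": "192.168.2.0/24"}, {"iface": "wan", "src": "192.168.1.0/24"}]
```

With NAT_ON_VLAN the VLAN 99 client still leaves via ovpnc1 but with its 192.168.2.x source untranslated, which is the "router reachable, no internet" symptom; with NAT_ON_VPN it leaves as the tunnel address. Passing default_route="ovpnc1" to simulate() shows what pulling routes from the VPN does to the other SSID.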