I have my pfSense and am using 3 Unifi APs for wifi.
I would like to know the best way to create a second SSID for my wifi that I will give to my guests, but anyone on that guest SSID can't access my internal network and has access only to the Internet.
Create a VLAN for this other SSID, and then in Unifi assign this VLAN ID. Then create whatever firewall rules you want on the VLAN interface in pfSense to control access how you want.
You have a VLAN-capable switch, I take it?
On my Unifi AP AC Lite I was able to set up a second guest SSID on my Unifi without having to set up a separate VLAN for it. I don't remember the exact settings page, but there was an option to give that WLAN a guest profile or something like that. I would think this can also be done with VLANs as @johnpoz said, then you would have more control over the exact rules in pfSense, and you would need a smart switch. But if all you want is a simple wireless guest connection with web access and no access to the other wireless subnets, that feature should be available within the Unifi settings. Check the documentation of the specific Unifi you have or the Unifi forums.
edit: ok, so if these Unifis are on the same segment as the LAN, then yes, you will have to create a separate VLAN for them. If they are on a different interface like OPT1, then that may not be needed since you can already create rules to segment OPT1 from LAN and such. Then using the built-in guest profile should be enough. It depends on your setup.
I did already tag a VLAN for my Unifi.
Yes I have a vlan capable switch.
Do I need to create a new interface in pfsense? Can you let me know exactly the steps to follow?
On pfSense I went to Interfaces/VLAN, created a VLAN, and used my LAN port as the parent interface.
On Interface Assignments, I added a new interface with the VLAN I chose as the Network Port.
The next step, I guess, will be to add 2 rules on the firewall: 1 rule that gives that interface access to the Internet, and 1 rule that blocks all traffic to the inside. Right?
@Raffi_ All Unifi APs are on same LAN interface.
You will have to create a VLAN in pfSense for the guest network and create appropriate rules, etc. You need a matching VLAN on the AP for the 2nd SSID. A managed switch will keep the VLAN off other parts of the network, but that's not essential. You do that by configuring the switch so that the VLAN only goes to the port that the AP is connected to.
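The rule pair guessed at above ("one rule for Internet, one rule to block inside") and the "appropriate rules" in the last reply have an ordering trap: pfSense applies interface rules first-match (they are `quick` rules in pf), and "access to Internet" is normally written with destination `any`, which also matches the LAN. The block rule therefore has to sit above the pass-any rule, and guests still need to reach pfSense's own address on the guest VLAN for DNS. The following is an added example, not code from the thread or from pfSense itself; it simulates first-match evaluation over a guest ruleset and a few constructed packets. The subnets (guest VLAN 192.168.50.0/24 with pfSense at 192.168.50.1, LAN 192.168.1.0/24) and the public address 203.0.113.10 are assumptions for illustration.

```python
"""Simulate pfSense first-match evaluation of firewall rules on a guest VLAN.

Added example, not from the forum thread or from pfSense. All addresses
and interface names below are assumed for illustration.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Set

# pfSense's own address on the guest VLAN interface (assumed).
GUEST_IF_ADDR = ipaddress.ip_network("192.168.50.1/32")

# RFC1918 space; in pfSense you would put these in an alias
# (Firewall > Aliases) and reference it in the block rule.
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Rule:
    action: str                       # "pass" or "block"
    proto: Optional[str]              # "tcp", "udp", "icmp" or None for any
    dst_nets: List[ipaddress.IPv4Network] = field(default_factory=list)  # empty = any
    dst_ports: Set[int] = field(default_factory=set)                     # empty = any
    comment: str = ""


@dataclass
class Packet:
    proto: str
    dst: str
    dport: Optional[int] = None


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """Match on protocol, destination network and destination port."""
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    dst = ipaddress.ip_address(pkt.dst)
    if rule.dst_nets and not any(dst in net for net in rule.dst_nets):
        return False
    if rule.dst_ports and pkt.dport not in rule.dst_ports:
        return False
    return True


def evaluate(ruleset: List[Rule], pkt: Packet):
    """First matching rule wins (pfSense interface rules are 'quick').
    Traffic matching no rule is dropped by the implicit default deny."""
    for rule in ruleset:
        if rule_matches(rule, pkt):
            return rule.action, rule.comment
    return "block", "implicit default deny"


def guest_can_reach(ruleset: List[Rule], proto: str, dst: str,
                    dport: Optional[int] = None) -> bool:
    return evaluate(ruleset, Packet(proto, dst, dport))[0] == "pass"


# Working order: DNS to pfSense on this VLAN, then block all private space
# (LAN, other VLANs, and pfSense's other addresses incl. the web GUI),
# then pass everything else, i.e. the Internet.
GUEST_RULES_GOOD = [
    Rule("pass", "udp", [GUEST_IF_ADDR], {53}, "DNS to pfSense guest address"),
    Rule("pass", "tcp", [GUEST_IF_ADDR], {53}, "DNS over TCP to pfSense guest address"),
    Rule("block", None, PRIVATE_NETS, set(), "block RFC1918 destinations"),
    Rule("pass", None, [], set(), "pass to Internet (destination any)"),
]

# Naive order from the question: "Internet" rule first. Destination 'any'
# matches the LAN as well, so the block rule beneath it never fires.
GUEST_RULES_NAIVE = [
    Rule("pass", None, [], set(), "pass to Internet (destination any)"),
    Rule("block", None, PRIVATE_NETS, set(), "block RFC1918 destinations"),
]

# Constructed sample traffic from a guest client.
SAMPLE_PACKETS = [
    Packet("udp", "192.168.50.1", 53),    # DNS to pfSense on the guest VLAN
    Packet("tcp", "192.168.50.1", 443),   # pfSense web GUI via guest address
    Packet("tcp", "192.168.1.10", 445),   # SMB share on the LAN
    Packet("tcp", "10.0.0.5", 22),        # SSH to another internal VLAN
    Packet("tcp", "203.0.113.10", 443),   # a public web server (TEST-NET-3)
]

if __name__ == "__main__":
    for name, rules in (("good", GUEST_RULES_GOOD), ("naive", GUEST_RULES_NAIVE)):
        print(f"--- {name} ruleset ---")
        for pkt in SAMPLE_PACKETS:
            action, why = evaluate(rules, pkt)
            print(f"{pkt.proto:4} {pkt.dst:>15}:{str(pkt.dport):<5} -> {action:5} ({why})")
```

In pfSense terms the three rules map to: pass UDP/TCP 53 to "GUEST address", block any to an RFC1918 alias, pass any to any. DHCP does not need its own rule because pfSense adds automatic pass rules for its DHCP server on any interface where it is enabled. Running the script shows the naive order letting the guest reach 192.168.1.10:445, which is exactly the leak the original question wants to prevent.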