VLAN for Guest Wireless



  • Hi, I'm hoping someone can help me figure out what I'm doing wrong in regards to my VLAN. I have a network with 1 wireless access point Linksys LAPAC1200, 1 managed D-Link DES-1228 switch, and 1 pfsense box as my router. What I'm trying to do is create a VLAN for guests having their own separate SSID with a printer on the VLAN for them to use. The pfsense box has 2 ports, 1 for WAN and 1 for LAN.

    On the pfsense box I have created a VLAN under the interfaces called guest wireless and set the VLAN tag to 2 and it is assigned the LAN interface. I created a new interface called GuestVLAN and enabled it. I enabled DHCP on that GuestVLAN and assigned it 192.168.1.1 IP address. I set the DHCP server to hand out 192.168.1.100-200. I also have the DHCP server enabled on the LAN port handing out 172.20.3.100-200 for my non VLAN network. I have an Outbound NAT rule that NATs 192.168.1.0/24 network traffic to my 172.20.3.0/24 network. That allows me to get internet on the devices on my VLAN. In the firewall settings I had to create rules on the GuestVLAN to allow things like port 53 for DNS, port 80 for http, etc... Once I did that then internet worked on devices on the GuestVLAN.

    Next on the DLink switch there is a vlan called default with VID of 1. All ports are set to untagged. I created a VLAN called GuestVLAN and set its VID to 2. I then set the port 1 (the port that goes to my wireless access point) and port 25 (the port that goes to the LAN port on my pfsense box) to tagged in the GuestVLAN on the switch. So port 1 and port 25 on the switch are both in the default VID 1 set as untagged and in the GuestVLAN VID 2 set as tagged. All other ports are in the default VID 1 untagged.

    Finally I created two SSIDs on the access point. One called Guest and one called Home. The one called Home is assigned VLAN ID 1 and the one called Guest is assigned VLAN ID 2. VLAN is enabled, untagged VLAN is enabled and the untagged VLAN is assigned ID 1. Isolation between the SSIDs is enabled but Isolation between the devices on a single SSID is not enabled.

    So I can join my Guest network and I get a 192.168.1.0/24 IP address, I can get online and everything works, but I can not connect to the wireless printer which has also joined the Guest network and has a 192.168.0/24 IP address. Now I can also connect to the Home network and get a 172.20.3.0/24 IP address and I can connect and print to a different wireless printer that is connected to the Home network and gets a 172.20.3.0/24 IP address.

    So why can't I see other computers or printers when I'm on the Guest network but can on the Home network? I'm guessing it has something to do with the fact that the Guest network devices get tagged? But I'm not sure how I would go about creating a separate VLAN network if I don't tag them. Any help is greatly appreciated.

    Thanks
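    As an added illustration (not part of the thread or any product's code), the following Python model reproduces the 802.1Q port membership the post describes on the D-Link switch: ports 1 and 25 untagged in VID 1 and tagged in VID 2, every other port untagged in VID 1 only. It shows where a frame tagged VID 2 arriving from the access point can go, and that a client frame tagged VID 2 from an ordinary port is dropped. The port numbers and VIDs are the ones given in the post; the frame structure, the flooding behaviour and the helper names are assumptions made for this model.

```python
"""Added example, not from the thread: minimal model of 802.1Q ingress
classification and egress tagging on a managed switch configured as the
original post describes (ports 1 and 25 carry VID 2 tagged, all ports
carry VID 1 untagged). Port numbers and VIDs are from the post; the frame
format, flooding behaviour and helper names are assumptions for this model.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class Port:
    pvid: int                                    # VLAN assigned to untagged ingress frames
    untagged: Set[int] = field(default_factory=set)   # VLANs sent out without a tag
    tagged: Set[int] = field(default_factory=set)     # VLANs sent out with an 802.1Q tag

    def members(self) -> Set[int]:
        return self.untagged | self.tagged


@dataclass
class Frame:
    src_port: int
    vid: Optional[int] = None   # None means the frame arrived untagged


# 28-port switch: default VLAN 1 untagged everywhere (as in the post)
SWITCH: Dict[int, Port] = {p: Port(pvid=1, untagged={1}) for p in range(1, 29)}
SWITCH[1] = Port(pvid=1, untagged={1}, tagged={2})    # port to the access point
SWITCH[25] = Port(pvid=1, untagged={1}, tagged={2})   # port to the pfSense LAN interface


def classify(frame: Frame) -> Optional[int]:
    """Ingress: return the VLAN the frame belongs to, or None to drop it."""
    port = SWITCH[frame.src_port]
    if frame.vid is None:
        return port.pvid                 # untagged frames join the port's PVID
    if frame.vid in port.members():
        return frame.vid                 # tagged frames are accepted only for member VLANs
    return None                          # tagged with a VLAN this port does not carry


def forward(frame: Frame) -> Dict[int, Optional[int]]:
    """Egress for a flooded frame: {port: vid_on_wire} for every receiving port.

    vid_on_wire is None when the port sends the VLAN untagged, else the VID.
    Models broadcast/unknown-unicast flooding, so every member port receives it.
    """
    vid = classify(frame)
    if vid is None:
        return {}
    out: Dict[int, Optional[int]] = {}
    for num, port in SWITCH.items():
        if num == frame.src_port:
            continue
        if vid in port.untagged:
            out[num] = None
        elif vid in port.tagged:
            out[num] = vid
    return out


if __name__ == "__main__":
    print("guest frame from AP reaches:", forward(Frame(src_port=1, vid=2)))    # {25: 2}
    print("home frame from AP reaches:", len(forward(Frame(src_port=1))), "ports")
    print("VID 2 frame from port 5 reaches:", forward(Frame(src_port=5, vid=2)))  # {}
```

    Note that this only covers frames that enter the switch. Two wireless clients on the same SSID (the laptop and the wireless printer in the post) exchange frames inside the access point, so the switch configuration cannot be what blocks them.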



  • @demoso

    First off, VLANs have to match on all devices. I used VLAN 3 on my AP for the 2nd SSID. I also created VLAN 3 in pfSense and configured my switch to pass VLAN 3 on the pfSense and AP ports. The next thing to do is create the appropriate rules. Here's what I did:

    [image: firewall rules on the guest interface (40546ff1-3796-4512-b62e-d80eadc3e9a6-image.png)]

    These rules allow (1) pinging the guest interface and (2) block everything else on my network, (3) including the WAN interface. The last rule (4) allows full access to the rest of the world.

    You can start from here and adjust to taste. 😉
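    To make the ordering point concrete, here is an added Python model (not from the thread and not pfSense code) of the four-rule guest ruleset the reply describes, evaluated the way pfSense evaluates interface rules: top-down, first match wins, implicit block at the end. The subnets are the LAN (172.20.3.0/24) and guest (192.168.1.0/24) networks from the original post; the WAN address, the packet fields and the function names are constructed for the model.

```python
"""Added example, not from the thread: first-match model of the guest
interface ruleset described in the reply:
  (1) pass ICMP to the guest interface address
  (2) block everything destined to the local networks
  (3) block everything destined to the WAN address
  (4) pass everything else
Subnets are the ones the original post gives; the WAN address is a
constructed placeholder from the TEST-NET-3 documentation range.
"""
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, List, Optional, Tuple

GUEST_IF = ip_address("192.168.1.1")                       # from the original post
LOCAL_NETS = [ip_network("172.20.3.0/24"), ip_network("192.168.1.0/24")]
WAN_ADDR = ip_address("203.0.113.10")                      # constructed placeholder

Packet = Dict[str, object]
Rule = Tuple[str, Callable[[Packet], bool]]


def rule_ping_guest_if(pkt: Packet) -> bool:
    return pkt["proto"] == "icmp" and ip_address(pkt["dst"]) == GUEST_IF


def rule_local_nets(pkt: Packet) -> bool:
    return any(ip_address(pkt["dst"]) in net for net in LOCAL_NETS)


def rule_wan_addr(pkt: Packet) -> bool:
    return ip_address(pkt["dst"]) == WAN_ADDR


def rule_any(pkt: Packet) -> bool:
    return True


GUEST_RULES: List[Rule] = [
    ("pass", rule_ping_guest_if),   # (1)
    ("block", rule_local_nets),     # (2)
    ("block", rule_wan_addr),       # (3)
    ("pass", rule_any),             # (4)
]


def evaluate(pkt: Packet, rules: List[Rule] = GUEST_RULES) -> str:
    """Return the action of the first matching rule, or block by default."""
    for action, matches in rules:
        if matches(pkt):
            return action
    return "block"   # pfSense's implicit default deny on an interface


def pkt(dst: str, proto: str = "tcp", dport: Optional[int] = None) -> Packet:
    """Constructed packet from a guest client (192.168.1.150 is made up)."""
    return {"src": "192.168.1.150", "dst": dst, "proto": proto, "dport": dport}


if __name__ == "__main__":
    print("ping guest gateway:", evaluate(pkt("192.168.1.1", "icmp")))        # pass
    print("guest -> LAN printer:9100:", evaluate(pkt("172.20.3.50", "tcp", 9100)))  # block
    print("guest -> DNS on pfSense:", evaluate(pkt("192.168.1.1", "udp", 53)))  # block
    print("guest -> internet:443:", evaluate(pkt("198.51.100.7", "tcp", 443)))  # pass
    # Same rules with (4) moved to the top: the blocks never fire.
    reordered = [GUEST_RULES[3]] + GUEST_RULES[:3]
    print("LAN printer with pass-any first:", evaluate(pkt("172.20.3.50"), reordered))  # pass
```

    Two things the model makes visible. First, with the rules in this order a guest query to a DNS resolver on the pfSense guest address is caught by rule (2), so anyone who wants guests to use the firewall's own resolver needs a pass rule for DNS to the interface address above the block. Second, the ruleset only sees traffic that crosses pfSense: frames between two guest clients on the same subnet (the laptop and the wireless printer in the original post) never reach the router, so no interface rule affects them.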



  • Hi, I just wanted to let everyone know I solved the issue. I had to disable the setting isolation between SSIDs, which fixed it. Although that doesn't make sense to me, especially since there is another setting for isolation between clients on an SSID that is already disabled; for some reason, disabling the setting for isolation between SSIDs is what fixed it.

    Thanks,



  • @demoso

    ????

    Client separation is an AP issue, not pfsense.

