• Good afternoon all,

    More of a general question to make sure i'm going down the right road and to see if anyone else has similar gear/experience.

    I have a Netgate SG-1100 and an Asus RT-AC68U wireless AP behind it.

    I want to separate out batches of my wireless for various devices to keep them segregated. (Work devices in one vlan, IOT in another, home laptops.....so on and so forth.) I kept thinking vlan tagging was the way to go but the Asus doesn't appear to have anyway to vlan tag in the interface. Some articles suggested open source firmware like Merlin, dd-wrt, or Tomato may be the way to go, but i don't want to hit that road just yet. I'm fairly confident i've setup the vlan and switch port in PFsense correctly to accept a new vlan.

    I also tried throwing up a guest network, but again there doesn't appear to be a way to pass a tag along to pfsense. It doesn't appear to see it any different than my main SSID.

    Any thoughts or advice is greatly appreciated.

    Thanks,
    Moon


  • @Moonbiter Third post in this topic says you need to use something like Tomato or DD-WRT on that Asus to get it to pass VLAN traffic.

    https://www.snbforums.com/threads/does-rt-ac68u-support-802-1q-vlan-2.63401/

    This one talks about using Merlin firmware:
    https://www.reddit.com/r/HomeNetworking/comments/ct2pe1/vlan_for_asus_rtac68u_in_wireless_ap_mode/

    So, maybe you can do this, maybe you can't, they don't say for sure. What would be a better option would be to abandon (or sell used) that Asus consumer gear and get a proper wireless access point that can support VLANs very easily.

    https://www.amazon.com/Ubiquiti-Unifi-Ap-AC-Lite-UAPACLITEUS/dp/B015PR20GY

    Jeff


  • Thanks for the advice Jeff.

    I guess one follow up question. Are there other options i'm not considering for the isolation or is vlans the best path forward?


  • @Moonbiter said in Multiple vlans for wireless:

    Are there other options i'm not considering for the isolation or is vlans the best path forward?

    VLANs are always better, but you've got to have the appropriate hardware. VLANs were meant to, besides many other reasons, to consolidate all the switching gear, so you didn't need to keep separate switches for different subnets on your network. They also isolate your subnet traffic, but we're not talking about that right now.

    Back before smart/managed switches became affordable, to have a simple network with say 2 different subnets, you had to have 2 switches, each running a different subnet. For example, let's say I want to run my internet phones and my computers on different subnets, since they don't need to talk to each other. Two switches needed, and 2 separate interface ports on my router. Now, with VLAN capable switches, there's only 1 switch needed and that can be tagged properly, to carry both networks on the same gear.

    There's lots of other features in managed switches besides VLANs, too.

    So, if you wanted to NOT use VLANs, I hope I explained that clearly. You would need 2 switches, 2 cable runs back to 2 separate network ports on your pfsense box, and 2 different subnets defined in your pfsense software. It's kinda klunky to do it like this these days, but it works. If you're hooking up wireless access points to the different networks, you would then broadcast 2 different wireless SSIDs, accordingly.

    Jeff


  • @Moonbiter said in Multiple vlans for wireless:

    I also tried throwing up a guest network, but again there doesn't appear to be a way to pass a tag along to pfsense. It doesn't appear to see it any different than my main SSID.

    Pfsense definitely supports VLAN tags. Configure a VLAN interface on pfsense and AP with the same tag. Then, if you have a managed switch between them, you will have to configure it to pass the tagged frames.