segment wifi traffic (guest, IoT, trusted)

farmerjohn

I have a basic home network with just 2 nic's for WAN and LAN interface and OPT1 for openvpn on pfsense 2.5.1. I would like to separate some wifi devices on my home network (guest, IoT devices, trusted). Lots of conflicting info on internet on how to do this, e.g., subnetting, or VLAN tagging via capable wireless AP. I currently have an Asus RT-AC66U in 'Access Point' mode for wifi clients. It would be possible (supposedly) to do VLAN tagging on this device via 3rd party firmware. What would be the best method on pfsense to separate wifi traffic?

NollipfSense

@farmerjohn You will need a managed switch, and you'll have to sort ports number out. You can buy used as I have done (eBay). Here's some reading material:

https://docs.netgate.com/pfsense/en/latest/config/factory-defaults.html

https://docs.netgate.com/pfsense/en/latest/firewall/best-practices.html

https://docs.netgate.com/pfsense/en/latest/vlan/index.html

https://docs.netgate.com/pfsense/en/latest/vlan/configuration.html

AKEGEC

@farmerjohn a managed switch is crazy expensive right now. Instead save your money to buy a micro pc for your server (Proxmox).
I think Steve ( stephenw10 ) has mention about a cheaper alternative for this, a cheap semi-managed switch from TP-Link switcher like TL-108 or TL-1016 do the works. Hope Steve can give you some advice.

farmerjohn

@nollipfsense
According to this video , I don't need a managed switch to have multiple vlans via wireless AP and pfsense.

johnpoz

@akegec said in segment wifi traffic (guest, IoT, trusted):

a managed switch is crazy expensive right now

Huh? Where? He doesn't need a cisco enterprise full managed switch to do vlan.. I show a netgear 8 port smart switch on amazon for $50, a trendnet for $37 and a tplink (would prob stay away from that brand for vlan support - they have had issues) for $27.. Wouldn't call that crazy expensive ;)

If your AP can do vlans (3rd party firmware on soho wifi routers can enable this sometimes) and you plug your AP directly into pfsense. Then no you don't need another vlan capable switch.

JKnott

@farmerjohn

It's easy enough with a proper AP that supports multiple SSIDs and VLANs. I have a Unifi AC-Lite AP that does that, as does my Cisco switch.

JKnott

@akegec

Yeah, $35 is a lot of money!

BTW, avoid TP-Link, as some models don't properly support VLANs. Same with some of their APs.

JKnott

@farmerjohn said in segment wifi traffic (guest, IoT, trusted):

According to this video , I don't need a managed switch to have multiple vlans via wireless AP and pfsense.

I haven't watched that video, but you don't need a managed switch to support mulitple SSIDs on an AP. However, if you have wired devices on those VLANs, you will need a managed switch, as many devices can't be configured to use VLANs.

Tzvia

I have one of those Netgear GS108Ev3 8 port switches, bought it many years ago, well under 50 bucks if memory isn't way off. Works fine for a home use product. Also have a Netgear GS724Tv4 which is the basically the same thing but with 24 ports. Paid 330 maybe 6 years ago, which again isn't bad if you need that many ports and just need the vlans and aren't looking to study to take Cisco classes. They work just fine in my application, using PFSense to do the routing and firewall between the vlans, with two Unifi WAPs that support multiple SSIDs/VLANs which made the whole setup painless.

farmerjohn

@jknott

if you have wired devices on those VLANs, you will need a managed switch, as many devices can't be configured to use VLANs.

If I have a VLAN capable AP connected to an unmanaged switch with 3 other wired devices (don't need these wired devices to be vlan tagged) and this unmanged switch connects to pfsense, will the AP traffic that is tagged match up with the VLAN's I have defined in pfsense and the 3 wired devices work as before, i.e., just LAN members?

JKnott

@farmerjohn

Yes, I used to do that here. The unmanaged switch will pass the VLAN tagged frames, so that the AP can sort things out. Wired devices that can't be configured to work directly with VLANs will still work on the native LAN and will ignore the tagged frames. Computers can be configured to work directly with VLANs.

johnpoz

While you can do that.. Understand that dumb switch doesn't understand vlans.. So there is no isolation. All the broadcast and multicast traffic from all the vlans as soon as hits switch will go to all the other ports.

While your dumb switch will pass the vlan tags.. Since he doesn't understand them doesn't know that broadcast/multicast traffic from vlan X, is not suppose to go to all the ports.

If your doing it that way because you can not afford say $30-50 switch... You shouldn't be running so many freaking devices in the first place. I mean the electric cost alone must eat up your whole budget ;)

Give up couple $10 coffee's at starbucks and get a switch that actually understands vlans.

JKnott

@johnpoz said in segment wifi traffic (guest, IoT, trusted):

So there is no isolation. All the broadcast and multicast traffic from all the vlans as soon as hits switch will go to all the other ports.

There is some isolation in that the devices won't receive the packets for other VLANs. They will appear at the NIC, where they will be promptly ignored.

farmerjohn

@johnpoz

So there is no isolation. All the broadcast and multicast traffic from all the vlans as soon as hits switch will go to all the other ports.

seems not optimal, but what is the downside to this? will this cause a noticeable hit to network performance or other issues?

johnpoz

The downside is your sending broadcast/multicast to somewhere it doesn't need to go.

While the nic might drop it. You also can join any vlan you want with any device just be tagging. So no security at all.

If your to the point you wanting to segment your network into different vlans, yet not willing to spend the few bucks required to do it correctly - your doing it F'ing Wrong! ;)

If its a stop gap until your smart switch gets delivered, or you want to do it on purpose as say a easy tap into viewing traffic.. Or your using the dumb switch as sort of relay to extend length of a run or something.. Sure ok..

While there may be some scenarios you need/want to do it - overall its a borked way to do it.

There is one correct answer to want to run vlans on a switch - the switch should understand the tags ;) It doesn't need to be some super managed everything under the sun sort of networking magic that can be done sort of switch.. But it should at least understand what the tag is, and how to process them and isolate them correctly.. So that you actually get the L2 isolation that vlans are meant to do..

JKnott

@farmerjohn

It will waste some bandwidth on the wire, but devices will not recognize packets on a VLAN they're not configured for. Those packets will be discarded by the NIC.

JKnott

@johnpoz said in segment wifi traffic (guest, IoT, trusted):

You also can join any vlan you want with any device just be tagging. So no security at all.

Assuming:

a) You have admin rights¹ and
b) Know how to do that

1. Yeah, I know many people run their computers as admin because they don't know better and that's the way it came.

bingo600

@farmerjohn
I totally agree w. @johnpoz here.
Get a cheap managed switch for the job.
As a "bonus" you could use the 6 other ports for other vlans, and treat it as an additional 6 Lan interfaces.

@jknott
Just because you could ... Doesn't mean you should.
And certainly not for saving $50

/Bingo

bingo600

@farmerjohn

I suppose you're thinking about dd-wrt

Hw-Rev A1
https://wiki.dd-wrt.com/wiki/index.php/Asus_RT-AC66U

Hw-Rev B1
https://wiki.dd-wrt.com/wiki/index.php/Asus_RT-AC66U_B1

bingo600

There might be some "Trickery" in connecting the managed switch to the Lan IF , and enable tagging , wo. loosing Lan (that you need for configuring).

I suppose you could keep Lan as untagged.

Maybe one of the others have trued to run untagged & tagged on a pfS IF.
I haven't yet

/Bingo