Pfsense with vlans directly to AP?
-
Hi,
I do not have a managed switch, but I would like to be able to use an AP which supports VLANs/multiple SSIDs. The goal being to have a 'bad' SSID for gaming consoles etc with UPnP/Moderate NAT enabled and a 'good' SSID for trusted devices.
Currently, as my pfSense box has many NICs available, I run two physically separate APs for these SSIDs.
My question is:
- Is this possible? i.e. to have an AP directly connected to pfSense and configure multiple VLANs/SSIDs without a managed switch?
- If so, are there any recommended APs please? My incoming speed is 350mb and we do stream 4k TV.
Thank you
-
Yes, it should be possible with 1 AP. Not every Netgate hardware has a switch chip. The 2100 has one. Because you can't add VLANs to a bridge, you need one with a switch chip if you have more than 1 AP. With the 2100 it's possible to tag/untag VLANs on all ports.
-
Yes, that will work and I have done that here. While I have a managed switch now, I didn't initially. All the managed switch does now is keep the VLAN off the other switch ports. With an unmanaged switch, the VLAN will be available on all ports, but will generally be ignored by devices not configured to use it.
-
Yes, you can do that with any pfSense device. You don't need one with a switch chip.
-
@jknott said in Pfsense with vlans directly to AP?:
All the managed switch does now is keep the VLAN off the other switch ports. With an unmanaged switch, the VLAN will be available on all ports, but will generally be ignored by devices not configured to use it.
Just to piggyback this a bit, if it is the AP/SSID forcing the device onto the VLAN, that device can't get off the VLAN. As opposed to, a wired device (or any device already on a network with an unmanaged switch) can be manually configured to use VLAN 20 or whatever and put itself onto the VLAN.
And, for anyone else finding this, if you find out there is actually a managed switch in the path, in the upstairs closet, that switch will drop the VLAN packets unless it is configured for said VLAN. (um, hypothetically?)
https://docs.netgate.com/pfsense/en/latest/vlan/configuration.html
-
@steveits said in Pfsense with vlans directly to AP?:
Just to piggyback this a bit, if it is the AP/SSID forcing the device onto the VLAN, that device can't get off the VLAN. As opposed to, a wired device (or any device already on a network with an unmanaged switch) can be manually configured to use VLAN 20 or whatever and put itself onto the VLAN.
????
What do you mean by that? pfSense is a router, which can easily route between VLANs. I would assume if you have a managed switch, you'd know enough to configure it or at least ask for help.
I have an access point that supports multiple SSIDs and VLANs. I configured the AP, pfSense and the switch to use the VLAN for my guest WiFi, but originally I didn't have a managed switch.
-
@jknott Sorry, didn't mean to confuse things. Just trying to discuss separation of VLANs without a managed switch, as @yeleek has. In general.
If an office doesn't have a managed switch, and uses VLANs, I can plug in a PC and tell it to be on any given VLAN number. That's not involving the router at all.
If it is a wireless SSID that is a VLAN (e.g. a guest SSID) then although a wired PC can get onto that VLAN, those wireless devices can't get off the VLAN because it is the AP that is tagging the packets.
-
@steveits said in Pfsense with vlans directly to AP?:
, I can plug in a PC and tell it to be on any given VLAN number. That's not involving the router at all.
That is a horrible setup.. You can run tags over a dumb switch, ok sure - but the switch doesn't understand them, so any broadcast or multicast is going everywhere.. whether the devices are tagging their own traffic or not.
You don't have to have a $1k Cisco fully managed enterprise switch to run an office ;) You can pick up a smart 24 port switch for like $200 or less - why would an office go through all that nonsense of having to configure every machine to tag its own traffic vs buying a capable switch or switches?
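An added example (not from the thread, and not pfSense's or any switch vendor's code) that models the point in the two posts above: a constructed 802.1Q broadcast tagged by the AP's guest SSID and one from a wired PC that tags itself, each forwarded once by a VLAN-unaware switch and once by a switch with per-port VLAN membership. The port names, MAC addresses, VLAN 20 and the "untagged lands in VLAN 1" rule are constructed assumptions for the demo.

```python
import struct

TPID_8021Q = 0x8100
BCAST = bytes.fromhex("ffffffffffff")

def tag(dst, src, vid, ethertype, payload=b""):
    """Build an 802.1Q-tagged frame (PCP=0, DEI=0, 12-bit VID)."""
    return dst + src + struct.pack("!HHH", TPID_8021Q, vid & 0x0FFF, ethertype) + payload

def parse_frame(frame):
    """Return the VLAN id carried by a frame, or None if it is untagged."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != TPID_8021Q:
        return None
    tci = struct.unpack("!H", frame[14:16])[0]
    return tci & 0x0FFF  # the low 12 bits of the TCI are the VLAN id

def unmanaged_forward(frame, ingress, ports):
    """Dumb switch: no VLAN awareness, so a broadcast is flooded to every other
    port and the tag just rides along, whoever put it there."""
    return sorted(p for p in ports if p != ingress)

def managed_forward(frame, ingress, ports, membership):
    """Managed switch: the frame is dropped at ingress unless that port is a member
    of its VID, and only leaves on ports that are members of the same VID."""
    vid = parse_frame(frame) or 1   # assumption: untagged frames land in native VLAN 1
    if vid not in membership.get(ingress, set()):
        return []
    return sorted(p for p in ports if p != ingress and vid in membership.get(p, set()))

def demo():
    """Constructed topology: AP with a guest SSID on VLAN 20, two wired PCs, pfSense trunk."""
    ports = ["ap", "pc1", "pc2", "pfsense"]
    membership = {"ap": {1, 20}, "pfsense": {1, 20}, "pc1": {1}, "pc2": {1}}
    ap_mac = bytes.fromhex("021122334455")    # constructed MAC addresses
    pc1_mac = bytes.fromhex("0266778899aa")
    guest_bcast = tag(BCAST, ap_mac, 20, 0x0806)   # ARP broadcast tagged by the AP
    pc1_hop = tag(BCAST, pc1_mac, 20, 0x0806)      # wired PC tagging itself onto VLAN 20
    return {
        "guest_unmanaged": unmanaged_forward(guest_bcast, "ap", ports),
        "guest_managed": managed_forward(guest_bcast, "ap", ports, membership),
        "pc1_unmanaged": unmanaged_forward(pc1_hop, "pc1", ports),
        "pc1_managed": managed_forward(pc1_hop, "pc1", ports, membership),
    }

if __name__ == "__main__":
    for name, egress in demo().items():
        print(f"{name}: {egress}")
```

The unmanaged results show the guest broadcast reaching both wired PCs and the self-tagged PC frame reaching the pfSense trunk; the managed results show it confined to member ports and dropped at ingress respectively.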
-
@johnpoz I didn't say it was ideal :)
Nor was I suggesting manually configuring each PC actually, the context here was having the AP do it.
-
@steveits said in Pfsense with vlans directly to AP?:
I didn't say it was ideal :)
hahaha - very true, but yeah I could see some ma and pa shop with exactly that setup..
-
My old and beloved Asus Router is doing it here and still going strong...
-
Or a home user. However, with the low cost of managed switches these days, why not get one? A few years ago, that wasn't the case. I remember, about 25 years ago, buying an 8 port, 10 Mb hub that was more expensive than an 8 port, managed, Gb switch today.
-
Thank you all
-
@jknott honestly I have no idea why anyone would buy a dumb switch these days. You can for sure get a "smart" switch that can do VLANs and many other things users don't normally think about for a few dollars at most more.. Shoot, there are for sure "smart" switches that are cheaper than some dumb switches with the same port density.
While VLANs are probably the most likely feature users want, for those few extra dollars you also normally get rate limiting, can set the speed on an interface if for example you don't want gig but 100.. Or easily check what speed an interface came up as. You can view the MAC address table and know exactly what device is plugged into what port by MAC address.
You can mirror a port for say sniffing, you can see for example errors on an interface, IGMP snooping..
Sure, different switches at different price points will have different feature sets.. But quite often a so called "smart" switch in an 8 port gig model might be $40 vs $35 etc..
And while you might say to yourself, oh I don't need those features today, save yourself a few bucks. What about 6 months from now? I just cannot see why anyone that has made the step up from your typical SOHO wifi router to pfSense would ever buy a dumb switch.. Even if you don't have any use for any of the features today.. More than likely at some point in the near future you're going to say, oh damn, wish my switch could do that - should have spent the extra few bucks vs now having to get a whole new switch because I want to do xyz.
-
Sometimes I have to wonder about your reading comprehension. Did you not see where I said "However, with the low cost of managed switches these days, why not get one?"
-
Pretty sure he was agreeing with you.
-
@johnpoz and I sometimes have a bit of fun with each other.
-
... You can for sure get a "smart" switch that can do vlans and many other things
I am aware that you hesitate to recommend the TP-Link "easy smart" line of switches, and that's probably understating your negativity somewhat. I am using the 24 and 8 port versions in a basic home setting but I don't really understand why these switches fall short in your estimation. Could I please ask where you consider these "easy smart" switches fall short?
-
Some of the older 'easy smart' switches failed to handle VLANs correctly. You could not remove ports from VLAN 1, meaning broadcasts leaked between VLANs. I have one of those.
I also have a newer, much more expensive, TP-Link switch and it works great, no complaints.
I'm not aware of any particular issues with their current low end switches either.