Client isolation

  • As a near-future wISP, I'm contemplating methods of reducing broadcast and other extra traffic, as well as augmenting security to the extent that is feasible.

    One such method would be providing a separate vlan for every customer. My radios will support vlan tagging, so now I'm wondering what types of issues or limitations I might run into on pfsense, which will be acting as the network's gateway, providing possibly dhcp, dns relay, and transparent squid. Other than the extra labour of creating many vlans and firewall rules, am I going to create stability issues, extra RAM or CPU issues or some other hardware crises?

    I'm also considering pfsense's pppoe server. Does it offer any similar functionality, or does it provide strictly authentication service?

  • Is this a wireless card in your pfSense system or an external access point?  If it is a card in the system, there is an option to block access between wireless clients.  Some access points also have some type of option for client isolation.

    For PPPoE, I think you can block access between users with firewall rules.

  • The AP is separate, a Ubiquiti radio. I don't think they support client isolation, but I could be wrong.

Log in to reply