Setting pfSense as visitors WiFi perimeter firewall



  • Hello All,

    We have a need in our workplace to set pfSense as our WiFi visitors network perimeter/isolation.
    Since we are spread over 2 floors and there are a few access points and meeting rooms, I need to set a different VLAN on the network and set pfSense as the routing point for this VLAN. Currently we have one VLAN as the regular VLAN and a corporate firewall for the internet.
    Desired configuration is that pfSense will be the perimeter isolation for WiFi and the visitors' gateway.
    My question is how should I set the VLAN settings on the NICs, assuming I have two NICs: should both be tagged and belong to both VLANs, or only one of them?

    Please advise
    Thanks

    ![pfsense isolation.jpg](/public/imported_attachments/1/pfsense isolation.jpg)
    ![pfsense isolation.png](/public/imported_attachments/1/pfsense isolation.png)



  • I believe that best practice says to tag both VLANs and not use the default VLAN.  In this way, only switch ports you assign to a VLAN will be able to connect, which would theoretically prevent accidentally leaving ports open/assigned to the default VLAN.  We use a setup just like you describe with only two NICs: one for WAN and the other for our public/private VLANs.  It's very easy to assign the Captive Portal to your second VLAN and set the default gateway as the router IP on that subnet.

    You'll also have to decide on client isolation on the APs if you are interested in keeping each guest's device from talking with other devices wirelessly.  Good luck.



  • mhab…

    When you set up the VLAN, this should act like a tunnel then?
    Do any additional rules need to be applied to the VLAN on the pfSense setup?
    Would it be similar to use a rule that blocks access to the regular LAN VLAN? Or?

    Thanks tbaror for showing your VLAN setup.

    Regards;

    H.



  • I added a rule to block traffic between the two subnets/VLANs (internal corporate LAN and public WiFi LAN).



  • Hi mhab
    Thanks for your answer. The configuration is almost clear to me, but I am not 100% sure what should be tagged and how the interface should be configured.
    Please advise
    Cheers

    switch port1= vlan1 =? ,vlan20=?      switch port2= vlan1 =? ,vlan20=?
                 ||                                                 ||
                nic1  vlan1 =? ,vlan20=?                  nic2  vlan1 =? ,vlan20=?
                 ||                                                 ||
            ip address=? ip vlan1 or vlan20           ip address=? ip vlan1 or vlan20



  • Well, the physical interfaces on the switch that you are using need to reference the vlans you're using, otherwise it will junk the traffic.  If you had access point one (upper left corner on the diagram) plugged into port 1 on your switch, port 1 would have to be set to understand tagged vlan 1 and 20 (since you're using them as multi-access points). All the other access points will be pretty much configured the same.
    When you get to the firewalls though, since it will be easier not referencing vlan traffic on the interfaces going to the firewall, it will assume all traffic in or out of that interface is meant to be stripped of all vlan headers. If you had the "corporate" firewall on port 10, all traffic on that port would just be untagged for vlan 1.
    The "perimeter firewall", if it were attached to port 11, would have a similar setup to the internal firewall.  You're looking at having port 11 referenced as untagged for vlan 20.  That way everything going in and out of the switch will be naturally understood as being meant for vlan 20.

    Easiest way to remember tagged is that all traffic will leave that interface with a vlan header (so if the device doesn't understand vlan headers you won't have any valid traffic for the device to understand) and all traffic coming in on that interface MUST be tagged (otherwise the traffic will get junked by the router/switch device).
    Untagged is easily referenced as, ANY AND ALL TRAFFIC, regardless of where its destination is, will be converted into tagged traffic for that vlan.  If you use a computer and have crappy hardware, but would like to isolate that client on a vlan, you would have all traffic untagged (so the client computer that doesn't understand vlan tags on the computer can keep working like nothing is there).
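
The port layout from the reply above (AP uplink on port 1 tagged for vlan 1 and 20, corporate firewall on port 10 untagged vlan 1, pfSense on port 11 untagged vlan 20), as an added example that is not part of the original thread. It is a simplified model of 802.1Q port membership: the `Port`, `classify` and `forward` names are hypothetical, MAC learning is left out, and strict ingress filtering is assumed.

```python
# Added illustration: a minimal model of 802.1Q port membership on one switch.
# Port numbers 1, 10, 11 and VLAN IDs 1, 20 follow the thread; all names here
# are hypothetical. Assumptions: every frame is flooded within its VLAN (no
# MAC table) and a tagged frame is accepted only on a port tagged for it.
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Port:
    tagged: set = field(default_factory=set)   # VLANs carried with a tag
    untagged: Optional[int] = None             # VLAN given to untagged frames


def classify(port: Port, vid: Optional[int]) -> Optional[int]:
    """Return the VLAN an ingress frame lands in, or None if it is dropped."""
    if vid is None:
        return port.untagged                   # no untagged VLAN: dropped
    return vid if vid in port.tagged else None


def forward(ports: dict, in_port: int, vid: Optional[int]) -> dict:
    """Flood a frame; return {egress_port: tag on the wire (None = untagged)}."""
    vlan = classify(ports[in_port], vid)
    out = {}
    if vlan is None:
        return out
    for num, port in ports.items():
        if num == in_port:
            continue
        if vlan in port.tagged:
            out[num] = vlan                    # leaves with a VLAN header
        elif port.untagged == vlan:
            out[num] = None                    # header stripped on egress
    return out


# Constructed layout: AP uplink, corporate firewall, pfSense perimeter firewall.
PORTS = {
    1: Port(tagged={1, 20}),
    10: Port(untagged=1),
    11: Port(untagged=20),
}

if __name__ == "__main__":
    print("guest frame, tag 20, from AP:", forward(PORTS, 1, 20))
    print("corp frame, tag 1, from AP  :", forward(PORTS, 1, 1))
    print("untagged frame from pfSense :", forward(PORTS, 11, None))
    print("untagged frame on AP trunk  :", forward(PORTS, 1, None))
```

In this model guest frames only ever reach port 11, so any traffic between the guest and corporate subnets has to pass through the firewalls, where a block rule like the one mentioned earlier in the thread applies.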

