One WAN two separate LAN that cannot talk to each other



  • I have an embedded router running pfSense 1.2.3. It has a WAN, a LAN, and an OPT1 port. The WAN port is set to a static IP that I get from my ISP. I am currently not using the OPT1 port. The LAN port is serving DHCP leases to a private subnet (192.168.20.x). I have a WiFi router on my LAN, Airport Extreme Base Station [AEBS] 5th Gen, that is connected to my LAN on its Internet port. It serves DHCP leases to wireless clients to a password-protected network (192.168.21.x) and an open guest network (192.168.22.x). Everything works fine, although the AEBS complains about Double NAT.

    I would like to move the AEBS to the OPT1 port on my router and completely segregate WiFi and LAN devices, so that they cannot possibly talk to each other. If it is possible to keep the AEBS from complaining about Double NAT, that would be great.

    Can someone please walk me through configuring the OPT1 interface and adding the necessary firewall rules to accomplish this?

    Thanks



  • Turn off the DHCP on the wireless router and plug the OPT1 cable into the LAN jack on the router.

    Turn on DHCP in pfSense for OPT1.

    LAN will be able to reach the wireless machines, but not vice versa.



  • Thanks for the quick response.
    I'm sorry I did not make this clear in my original post; I really want the AEBS handling DHCP for WiFi clients because this is the only way to have a guest network available, and I want people to access the network without knowing the passphrase, and at the same time I want people who know the passphrase to be able to take advantage of encrypted radio traffic.



  • @jswright61:

    Thanks for the quick response.
    I'm sorry I did not make this clear in my original post; I really want the AEBS handling DHCP for WiFi clients because this is the only way to have a guest network available, and I want people to access the network without knowing the passphrase, and at the same time I want people who know the passphrase to be able to take advantage of encrypted radio traffic.

    Then leave the DHCP server on it on. Set the OPT1 interface to a static IP not in the AEBS DHCP range. Just know that you won't be able to manage the DHCP setup from pfSense and you probably won't be able to refer to the wireless machines by name.



  • So the cable goes from OPT1 to WAN (Internet) port on the AEBS? The OPT1 interface gets a private IP? Any firewall rules needed? I apologize for lack of knowledge here. I am hoping for step by step instructions.

    thanks

    Scott



  • @jswright61:

    So the cable goes from OPT1 to WAN (Internet) port on the AEBS? The OPT1 interface gets a private IP? Any firewall rules needed? I apologize for lack of knowledge here. I am hoping for step by step instructions.

    thanks

    Scott

    I'm not familiar with the AEBS, so I can't give you instructions for it.  And now that I think about it, you might have to use the WAN port and deal with double NAT, as I'm not sure how it handles the guest network part.


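Added example, not part of any post in this thread: a small Python model of per-interface, first-match, stateful filtering, showing why the LAN can reach the OPT1 side but not the other way round, and why the block rule has to sit above the pass rule on OPT1. The OPT1 subnet 192.168.30.0/24, the host addresses and the two OPT1 rules are assumptions for illustration; this is a model of the rule logic, not pfSense configuration.

```python
import ipaddress

LAN_NET = ipaddress.ip_network("192.168.20.0/24")   # LAN subnet from the thread
OPT1_NET = ipaddress.ip_network("192.168.30.0/24")  # assumed OPT1 subnet
ANY = ipaddress.ip_network("0.0.0.0/0")

# Rules are checked top-down against traffic entering an interface.
# First match wins; no match means block (an interface with no rules passes nothing).
RULES = {
    "LAN": [("pass", LAN_NET, ANY)],          # "LAN to any" allow rule
    "OPT1": [("block", OPT1_NET, LAN_NET),    # must sit above the pass rule
             ("pass", OPT1_NET, ANY)],        # Internet access for the Wi-Fi side
}


def evaluate(rules, iface, src, dst):
    """Return 'pass' or 'block' for a new connection arriving on iface."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in rules.get(iface, []):
        if src in src_net and dst in dst_net:
            return action
    return "block"


class StatefulFilter:
    """Tracks passed connections so their replies bypass the rule list."""

    def __init__(self, rules):
        self.rules = rules
        self.states = set()

    def connect(self, iface, src, dst):
        allowed = evaluate(self.rules, iface, src, dst) == "pass"
        if allowed:
            self.states.add((src, dst))
        return allowed

    def reply_ok(self, src, dst):
        # A reply is the reverse of a connection that was already passed.
        return (dst, src) in self.states


if __name__ == "__main__":
    fw = StatefulFilter(RULES)
    aebs, pc = "192.168.30.2", "192.168.20.10"   # constructed sample hosts
    print("AEBS -> LAN PC  :", fw.connect("OPT1", aebs, pc))
    print("AEBS -> Internet:", fw.connect("OPT1", aebs, "8.8.8.8"))
    print("LAN PC -> AEBS  :", fw.connect("LAN", pc, aebs))
    print("AEBS reply to PC:", fw.reply_ok(aebs, pc))
```

With the AEBS doing NAT, clients on 192.168.21.x and 192.168.22.x reach the firewall as the AEBS's own OPT1-side address, so the OPT1 rules see one source host for both wireless networks.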