  • I'm thinking about putting together a pfSense box, partly to expand my knowledge and experience and partly to upgrade from an old WRT54GL running DD-WRT.

    I've settled on a Core i3 Sandy Bridge build with a mini-ITX motherboard and case. This means I will have a total of 2 Intel gigabit network interfaces. One will be the WAN interface, while the other will be the LAN interface.

    However, my networking experience and knowledge is a bit limited, and I'm not certain if the following network setup is possible. If you can tell me it isn't, I would welcome alternative suggestions.

    I want to be able to do the following:

    1. My private LAN consists of my main computer, NAS, Xbox and the LAN wifi access point.

    2. My guest wifi will be separate from the private LAN, but has internet access. However, download speeds are artificially limited and given lower priority (to discourage the guest network from hogging the bandwidth of my 6 Mbps DSL).

    I have a pretty good idea how to limit download speeds on the guest wifi (iptables, I believe). What I don't have a clear grasp of is whether this is even possible through a switch, despite having only 2 real network interfaces on the pfSense box.

    Any information is greatly appreciated.

    [1] The above switch would be this particular Netgear switch.
    [2] The wifi AP in question would be an AirPort Extreme in bridge mode.

    The way in which you would restrict the bandwidth of users on the guest wifi is using limiter pipes. To do this easily, what you need is a separate interface for your wifi access point. You could probably get something working using more complex firewall rules and using the DHCP server in the AirPort, but it would be open to bypassing and would probably cause you a lot of trouble!
    You can get extra interfaces quite easily using VLANs but you need a VLAN capable switch such as this one.
    Using that switch you could have up to 5 LAN interfaces for all sorts of interesting configurations.

    It's not quite clear to me from your diagram what the 'LAN' connection on the AirPort would be used for.


  • What you want to do is set up 802.1Q VLAN trunking between the switch and pfSense, and again between your AP and the switch.

    Change the switch to a GS108T to support management, VLANs, etc. The Apple AirPort does not support VLANs or multiple BSSIDs (you only need one AP to run multiple BSSIDs: unique networks, unique security settings, unique LANs when used with VLANs), but I think all WRT54GLs will be new enough to support multiple BSSIDs. Most likely your choices will be limited to DD-WRT (recommend Broadcom), Cisco/HP/Symbol/etc., Ubiquiti or other specialty vendors. The only reason I can think of to keep the Apple AirPort is if you want to use the Time Machine backup feature; otherwise it's (IMO) just an overpriced, sub-par consumer-grade router: not even a web UI or a CLI, no wall mounting, and when all other routers have 5 ports, they have 3.

    For the bandwidth limit you can do it easily with the captive portal; just type in the speed limit.
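Both answers above boil down to the same design: one physical LAN NIC carrying 802.1Q tags, a tagged sub-interface per network, and a dummynet pipe (what the pfSense UI calls a limiter) on the guest one. The script below is an added example, not code from the thread or from the pfSense project, showing what that looks like as plain FreeBSD commands, which is what pfSense runs on top of. It assumes the LAN NIC is `em1`, VLAN 10 is the private LAN (192.168.10.0/24), VLAN 20 is the guest wifi (192.168.20.0/24), and the switch port towards pfSense is an 802.1Q trunk carrying both tags while the AP's port is an untagged member of VLAN 20; none of those values come from the original posts. In pfSense itself you would click this together under Interfaces > VLANs and Firewall > Traffic Shaper > Limiters, and the pipe is attached through a pf rule rather than through ipfw, so the ipfw lines are the generic FreeBSD form of the idea.

```shell
#!/bin/sh
# Added example (not from the forum thread or pfSense): one trunked NIC,
# two VLANs, a rate limit and an isolation rule for the guest network.
# All interface names, VLAN ids, subnets and rates are assumptions.

DRY_RUN=${DRY_RUN:-1}   # 1 = print the commands, 0 = actually run them

run() {
    if [ "$DRY_RUN" -eq 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# 802.1Q tags are 12 bits; 0 and 4095 are reserved, so usable VIDs are 1-4094.
valid_vid() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 4094 ]
}

# Create a tagged sub-interface <parent>.<vid> on the physical NIC and give
# it the address pfSense will use as the gateway on that network.
vlan_up() {
    parent=$1; vid=$2; addr=$3
    valid_vid "$vid" || { echo "bad VLAN id: $vid" >&2; return 1; }
    run ifconfig "$parent.$vid" create vlan "$vid" vlandev "$parent"
    run ifconfig "$parent.$vid" inet "$addr" up
}

# Guest policy: deny guest -> private first, then cap each direction with
# its own dummynet pipe. The deny must come before the pipe rules because
# with the default net.inet.ip.fw.one_pass=1 a packet leaves the ruleset
# after it has been handed to a pipe, so a later deny would never be hit.
guest_policy() {
    gif=$1; guest_net=$2; private_net=$3; down_kbit=$4; up_kbit=$5
    run ipfw add 90 deny ip from "$guest_net" to "$private_net"
    run ipfw pipe 1 config bw "${down_kbit}Kbit/s"
    run ipfw pipe 2 config bw "${up_kbit}Kbit/s"
    # download = traffic leaving pfSense towards the guest VLAN
    run ipfw add 100 pipe 1 ip from any to "$guest_net" out via "$gif"
    # upload = traffic arriving from the guest VLAN
    run ipfw add 110 pipe 2 ip from "$guest_net" to any in via "$gif"
}

# The full plan for the setup described in the thread (assumed values).
plan() {
    vlan_up em1 10 192.168.10.1/24
    vlan_up em1 20 192.168.20.1/24
    # 6 Mbps DSL: leave guests about 1 Mbit down / 256 kbit up.
    guest_policy em1.20 192.168.20.0/24 192.168.10.0/24 1024 256
}

plan
```

Run it as-is to see the commands; `DRY_RUN=0 sh script.sh` on the box executes them. The physical switch still has to be configured to match: the pfSense-facing port tagged for 10 and 20, the AP port untagged in 20, and the wired private devices untagged in 10. Without that, the tags are stripped or never added and the two networks collapse into one.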

