    I am investigating the possibility of offering internet service to tenants and had a few questions. The initial build would be a small setup to prove the concept. I have seen the posts here about this topic and have pretty much decided on the hardware for the pfSense build given my requirements. It won't be anything fancy at first. It seems to me the best way to offer this is with wifi access points throughout the buildings, but I was wondering how security would be worked out and if pfSense is capable of such a task. Could this setup be scaled from a small number of units to a much larger number of units without a lot of difficulty? From what I have been able to find, the best way to do this would be with WPA2-Enterprise and RADIUS for authentication, but I'm concerned that tenants might be able to connect to other tenants on the same network. How would this be avoided? I'm just looking for pointers so I can research the topics for myself.

    I'm concerned that tenants might be able to connect to other tenants on the same network. How would this be avoided?

    If pfSense is configured as a WiFi Access Point, there is a configuration option on the WiFi interface page Allow intra-BSS communication. If this option is disabled all traffic from WiFi clients is directed into pfSense where firewall rules can block access to other WiFi clients. I imagine external APs would have similar capability. It would be best to check that carefully before purchase.
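    The firewall policy the reply above describes, written out as a pf ruleset. This is an added example, not code from the thread or from the pfSense project: pfSense generates its own pf rules from the GUI, so this shows the equivalent policy rather than a file you would load directly. The interface names, the tenant subnet and the gateway address are assumptions chosen for illustration.

```pf
# Added example: tenant WiFi policy equivalent to "intra-BSS communication
# disabled + firewall rules". Interface names and addresses are assumptions.
wan_if   = "em0"
wifi_if  = "wlan0"          # tenant WiFi interface on pfSense (intra-BSS off)
wifi_net = "10.50.0.0/24"   # assumed tenant subnet
wifi_gw  = "10.50.0.1"      # pfSense's own address on that interface

set skip on lo0
block log all

# Tenants get NAT out to the Internet through the WAN interface
nat on $wan_if from $wifi_net to any -> ($wan_if)

# Tenants may reach pfSense itself only for DHCP and DNS.
# DHCP discovers come from 0.0.0.0, so match on the ports, not the subnet.
pass in quick on $wifi_if proto udp from any port 68 to any port 67
pass in quick on $wifi_if proto { tcp udp } from $wifi_net to $wifi_gw port 53

# With intra-BSS communication disabled every client-to-client frame is
# handed up to pfSense; this rule drops anything that stays inside the
# tenant subnet, so one tenant's client cannot reach another's.
block in log quick on $wifi_if from $wifi_net to $wifi_net

# Everything else from tenants is allowed out to the Internet only
pass in  quick on $wifi_if from $wifi_net to any
pass out quick on $wan_if  from $wifi_net to any
```

    Rule order matters in pf with `quick`: the DHCP/DNS passes must come before the intra-subnet block, otherwise tenants could not obtain an address at all. The `log` on the block rule is what lets you confirm the isolation is actually working, since it records any client-to-client attempt that reaches the firewall.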

  • Thank you for your response. I can see how this would work in a small arrangement like my initial plan, but would this solution scale to larger applications? For example, if there are multiple APs and multiple switches required to cover an entire area or multiple floors?

  • There are some WiFi Router/Access Points out there that have an "isolation" setting.  Such as the NetGear WNDR4500.

    Enable Wireless Isolation:
    If checked, the wireless client under this SSID can only access internet and it can’t access other wireless clients even under the same SSID, Ethernet clients or this device. Other clients can’t access the wireless client, either.

    So that sounds like it might be something to look into.

    WNDR4500 also provides dual band 2.4 GHz and 5 GHz for both primary and guest WiFi networks.  And also an AP vs. Router mode setting.

