Best strategy for 2 wan 2 lan and 1 vlan?
I am not even going to try to avoid the noob sticker ;D I am learning and I guess I should be ok with that for now!
I am running the network for a small hotel.
2 incoming lines WAN1 and WAN2
2 internal networks LAN1 and LAN2
4 physical network cards
LAN1 connected to a dumb switch that connects all Wifi access points (Ubiquiti Unifi).
LAN2 connected to a dumb switch for the front desk etc. for the hotel.
Using load balancing from LAN1 to the two WANs works fine. Guests are happy, the staff is happy. People are connecting with all kinds of devices and it is simply working.
Now, the manager wants to set up some Wifi IP cameras. I would prefer to add another network card and run all cams on a separate switch. But that is not an option. No way to pull more cables around in the hotel. So I am thinking about setting up a vlan on LAN1 and use that for the cameras. Does this sound like a good idea?
No need for DHCP - I'll use fixed addresses on the cams.
I need to set up routing from the vlan to LAN2 so a PC can control the cams. Do I add a rule to the VLAN or to LAN2 - or both?
How do I prevent the guests from accessing the new vlan? I tried adding a vlan, and got it working to the point where I could ping the address while connected to the wireless network. So the network card, the dumb router and the access points all let this traffic through. At least it is a start :)
Don't really want to put up any cams without making sure guests can not reach them!
I need to set up routing from the vlan to LAN2 so a PC can control the cams.
No obvious need for a route.
How do I prevent the guests from accessing the new vlan?
On the interface for the guest network (LAN1) add a firewall rule blocking access to the VLAN network.
Can the cameras attach to a VLAN directly? I have no experience with them but I know that VOIP phones, for example, can often do VLAN tagging. If so you could probably do this by simply adding a VLAN interface to pfSense.
I have never attempted or investigated VLAN tagging over WIFI either. :-\
If not then you will have to upgrade your switches to something that can manage the VLAN tagging and probably have separate wifi access points for the cameras. Probably not practical.
Maybe you can run virtual access points on the Ubiquiti APs and do VLAN tagging there. You could probably do this with an access point running OpenWRT for example.
Edit: Also a quick heads up: Running both standard (non-tagged) and VLAN tagged traffic on a single NIC can sometimes cause problems. It doesn't always happen but watch out for weird behaviour!
I have never used any Ubiquiti hardware but a quick look through the manual shows that it seems pretty well thought out and almost specifically designed for your situation. :)
It looks as though you can run multiple SSIDs on each AP (virtual APs) and each SSID can be set to use different VLAN IDs and authentication.
So you need to set your APs to run a parallel wifi network with a different SSID and VLAN tag. Set the authentication on the new network to just WPA2 so your cameras don't have to deal with login. Set up a new interface in pfSense, as you've already done, with the VLAN tag. Now apply firewall rules as appropriate.
If you run into the tagged/non-tagged traffic problem you can always set your guest wifi network to use VLAN tagging as well and have two VLAN interfaces on LAN1 such that all traffic becomes tagged.
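To make the firewall-rule advice in the replies concrete (block the camera VLAN on the guest interface, let the front desk PC reach the cameras, leave the new VLAN interface with no pass rules), here is a small Python model of how pfSense evaluates per-interface rules: rules are matched on the interface a packet enters, top down, first match wins, and they are stateful so replies need no rule of their own. This is an added illustration written for this thread, not code from the thread, from pfSense, or from Ubiquiti; the interface names, subnets and ports are constructed assumptions.

```python
"""Model of pfSense per-interface firewall rule evaluation.

Added illustration, not pfSense code. Constructed assumptions:
  LAN1  guest wifi, untagged on the first internal NIC   192.168.1.0/24
  LAN2  front desk switch                                192.168.2.0/24
  CAMS  tagged VLAN carried on the same NIC as LAN1       192.168.30.0/24
pfSense applies the rules of the interface a packet enters on, in GUI
order, first match wins, and keeps state so reply traffic is allowed.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Tuple

NETS: Dict[str, IPv4Network] = {
    "LAN1": ip_network("192.168.1.0/24"),
    "LAN2": ip_network("192.168.2.0/24"),
    "CAMS": ip_network("192.168.30.0/24"),
}


@dataclass(frozen=True)
class Rule:
    action: str                   # "pass" or "block"
    dst: Optional[IPv4Network]    # None means "any"
    dport: Optional[int] = None   # None means any port
    descr: str = ""

    def matches(self, dst_ip: str, dport: int) -> bool:
        if self.dst is not None and ip_address(dst_ip) not in self.dst:
            return False
        if self.dport is not None and dport != self.dport:
            return False
        return True


# Rules per ingress interface, in the order they would appear in the GUI.
RULES: Dict[str, List[Rule]] = {
    # Guest wifi: the block MUST sit above the default "allow LAN1 to any".
    "LAN1": [
        Rule("block", NETS["CAMS"], descr="no guest access to camera VLAN"),
        Rule("pass", None, descr="default allow LAN1 to any"),
    ],
    # Front desk: only the camera ports the control PC needs, then the rest.
    "LAN2": [
        Rule("pass", NETS["CAMS"], 554, descr="front desk -> camera RTSP"),
        Rule("pass", NETS["CAMS"], 80, descr="front desk -> camera web UI"),
        Rule("block", NETS["CAMS"], descr="no other access to cameras"),
        Rule("pass", None, descr="default allow LAN2 to any"),
    ],
    # New VLAN interface with no rules: pfSense denies everything by
    # default, so cameras cannot start connections to guests or staff.
    "CAMS": [],
}


def ingress_interface(src_ip: str) -> str:
    """Pick the interface a packet with this source address enters on."""
    for name, net in NETS.items():
        if ip_address(src_ip) in net:
            return name
    raise ValueError(f"{src_ip} is not on a known interface")


def evaluate(src_ip: str, dst_ip: str, dport: int,
             rules: Optional[Dict[str, List[Rule]]] = None) -> Tuple[str, str]:
    """Return (action, rule description) for the first matching rule."""
    rules = RULES if rules is None else rules
    iface = ingress_interface(src_ip)
    for rule in rules.get(iface, []):
        if rule.matches(dst_ip, dport):
            return rule.action, rule.descr
    return "block", f"implicit default deny on {iface}"


# The ordering pitfall: the same two LAN1 rules with the catch-all first.
MISORDERED = dict(RULES, LAN1=list(reversed(RULES["LAN1"])))

if __name__ == "__main__":
    for src, dst, port in [("192.168.1.50", "192.168.30.10", 80),
                           ("192.168.2.20", "192.168.30.10", 554),
                           ("192.168.30.10", "192.168.1.50", 80)]:
        print(src, "->", dst, port, evaluate(src, dst, port))
    print("misordered:", evaluate("192.168.1.50", "192.168.30.10", 80, MISORDERED))
```

The MISORDERED table is there because the symptom described in the question (pinging the camera VLAN from the guest wifi) is exactly what you get when the block rule sits below the default allow, or has not been added yet; when checking, test from a guest client, not from the firewall itself.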