Netgate Discussion Forum

    Guest network question

    • gnius

      Hi

      For those of you who I'm sure are advanced, this may be a stupid question, but here goes.

      I have:
      1. 2-port box running pfsense (WAN+LAN)
      2. dumb 8-port switch
      3. Asus router running dd-wrt used solely as an access point, with a WPA2 enterprise using freeradius authentication, and WPA2 personal for guests
      4. NAS

      How would I do this:

      1. LAN machines can access each other and the pfsense box and the NAS
      2. control access to LAN machines and NAS of radius-using users, deny use of the pfsense interface to all wifi users
      3. deny the ability for guest wifi users to access the LAN, the NAS, or the pfsense interface

      I am assuming there are multiple ways to do this using firewall rules vs VLANs, etc… but my networking knowledge is not there yet to figure it out on my own, as I simply don't think I know enough terminology to ask the correct question with a google search.

      I'd appreciate some help.
      Thanks in advance.

      • stephenw10, Netgate Administrator

        @gnius:

        2. control access to LAN machines and NAS of radius-using users

        What exactly do you mean by that? If you are talking about controlling what is accessible based on login credentials then things get complex.

        The easiest way to do this would be to add another NIC to the pfSense box to connect the AP to. You would still probably have to add VLANs between the AP and pfSense box to separate the two wifi user groups onto different interfaces. Since you're running dd-wrt on the AP that should be possible.
        You may be able to do it just using what equipment you have, depending on how your unmanaged switch handles VLAN tagged packets. If it passes them with tags intact then you could do it with two VLANs from the AP to the pfSense box.

        Steve
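
Added example, not part of the thread and not pfSense code: a small model of per-interface, first-match rule evaluation with a default deny, applied to the three goals in the question once each SSID arrives on its own VLAN interface as the reply suggests. The subnets, VLAN numbers, NAS address and ports are constructed assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed addressing; none of these values come from the thread.
LAN = ip_network("192.168.1.0/24")      # wired LAN, includes the NAS
STAFF = ip_network("192.168.10.0/24")   # RADIUS (WPA2 Enterprise) SSID, VLAN 10
GUEST = ip_network("192.168.20.0/24")   # WPA2 Personal guest SSID, VLAN 20
NAS = ip_network("192.168.1.50/32")
ANY = ip_network("0.0.0.0/0")
# Addresses the firewall itself holds on each of its interfaces.
FIREWALL = [ip_network(a + "/32")
            for a in ("192.168.1.1", "192.168.10.1", "192.168.20.1")]
MGMT_PORTS = {22, 80, 443}              # SSH and web GUI (assumed defaults)

# Each rule: (action, destination networks, ports or None for any port).
# Rules apply to traffic entering on that interface, top to bottom.
RULES = {
    "LAN": [("pass", [ANY], None)],
    "STAFF": [
        ("block", FIREWALL, MGMT_PORTS),   # no firewall admin from wifi
        ("pass", [NAS], {445}),            # controlled NAS access (SMB only)
        ("block", [LAN], None),            # everything else on the LAN
        ("pass", [ANY], None),             # internet
    ],
    "GUEST": [
        ("pass", [ip_network("192.168.20.1/32")], {53}),  # DNS only
        ("block", FIREWALL, None),         # nothing else on the firewall
        ("block", [LAN, STAFF], None),     # no LAN, NAS or staff wifi
        ("pass", [ANY], None),             # internet
    ],
}

def decide(iface, dst, port):
    """Return the action of the first matching rule; no match means block."""
    dst = ip_address(dst)
    for action, nets, ports in RULES[iface]:
        if any(dst in n for n in nets) and (ports is None or port in ports):
            return action
    return "block"

if __name__ == "__main__":
    for case in [("GUEST", "192.168.1.50", 445), ("GUEST", "203.0.113.10", 443),
                 ("STAFF", "192.168.1.50", 445), ("STAFF", "192.168.10.1", 443)]:
        print(case, decide(*case))
```

Order matters in this model: moving the final pass rule above the block rules on the guest interface would open the LAN and NAS to guests.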

        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.