Guest network question



  • Hi

    For those of you who I'm sure are advanced, this may be a stupid question, but here goes.

    I have:
    1. 2-port box running pfsense (WAN+LAN)
    2. dumb 8-port switch
    3. Asus router running dd-wrt used solely as an access point, with a WPA2 enterprise using freeradius authentication, and WPA2 personal for guests
    4. NAS

    How would I do this:

    1. LAN machines can access each other and the pfsense box and the NAS
    2. control access to LAN machines and NAS of radius-using users, deny use of the pfsense interface to all wifi users
    3. deny the ability for guest wifi users to access the LAN, the NAS, or the pfsense interface

    I am assuming there are multiple ways to do this using firewall rules vs VLANs, etc… but my networking knowledge is not there yet to figure it out on my own, as I simply don't think I know enough terminology to ask the correct question with a google search.

    I'd appreciate some help.
    Thanks in advance.


  • Netgate Administrator

    @gnius:

    2. control access to LAN machines and NAS of radius-using users

    What exactly do you mean by that? If you are talking about controlling what is accessible based on login credentials then things get complex.

    The easiest way to this would be to add another NIC to the pfSense box to connect the AP to. You would still probably have to add VLANs between the AP and pfSense box to separate the two wifi user groups onto different interfaces. Since you're running dd-wrt on the AP that should be possible.
    You may be able to it just using what equipment you have depending on how your unmanaged switch handles VLAN tagged packets. If it passes them with tags intact then you could do it two VLANs from the AP to the pfSense box.

    Steve