Netgate Discussion Forum

    Wireless Guest Network Issue

    • CrunchyToast

      Hello there! I have pfSense up and running and everything is working except my guest wifi.

      Here is my setup:
      Modem - pfSense - Switch - Wireless Router (AP mode)

      If anyone connects to my regular network, everything works, but if they connect to the guest wifi they have no internet access. The router I'm using is the Netgear Nighthawk R7000.

      Also, the router itself cannot connect to the internet. I've got to be missing configuration somewhere.

      Thanks in advance.

      • Derelict LAYER 8 Netgate

        Does the access point put different SSIDs on different VLANs?  If so, you need to have a managed switch and create tagged interfaces on pfSense.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        • CrunchyToast

          I actually have 3 different networks broadcasting

          Network 2.4
          Network 5
          Network Guest

          The 5GHz network and 2.4 work just fine; it's only when connecting to Guest.

          I don't have any VLANs set up for anything.

          • Derelict LAYER 8 Netgate

            Is this an Apple AirPort?  Apple's access points put the main networks out untagged and the guest networks on VLAN 1003 so you'd need a switch capable of doing the right thing with tagged and untagged traffic on the same port.

            If this were me (and I use an AirPort Express here at home), I would set the primary VLAN on the port to, say, 1000 and create tagged interfaces on pfSense for VLANs 1000 and 1003.

            Here's my switch config.

            Port 1 is to my Mac Mini where I have tagged interfaces set
            Port 21 is pfSense LAN interface, tagged interfaces
            Port 3 is to my MoCA which is how I connect to my access points.  Note untagged VLAN 223 and tagged VLAN 1003.

            ![Screen Shot 2014-02-17 at 12.23.24 AM.png](/public/imported_attachments/1/Screen Shot 2014-02-17 at 12.23.24 AM.png)

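As an added illustration of the port behaviour described in the post above (not code from the thread or from pfSense), this Python sketch models a managed-switch port that carries one untagged VLAN and one tagged VLAN, using VLANs 223 and 1003 from the post. The MAC addresses, the VLAN membership of the pfSense and access ports, and all function names are assumptions.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q tag

def build_frame(dst, src, ethertype, payload, vid=None):
    """Build an Ethernet II frame, inserting an 802.1Q tag when vid is given."""
    tag = struct.pack("!HH", TPID_8021Q, vid & 0x0FFF) if vid is not None else b""
    return dst + src + tag + struct.pack("!H", ethertype) + payload

def parse_vid(frame):
    """Return the 12-bit VLAN ID from the tag, or None for an untagged frame."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (etype,) = struct.unpack_from("!H", frame, 12)
    if etype != TPID_8021Q:
        return None
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    (tci,) = struct.unpack_from("!H", frame, 14)
    return tci & 0x0FFF

class Port:
    """Simplified managed-switch port: one untagged VLAN (PVID) plus tagged VLANs."""
    def __init__(self, pvid, tagged=()):
        self.pvid, self.tagged = pvid, frozenset(tagged)

    def ingress_vlan(self, frame):
        """VLAN assigned to a received frame, or None when the port drops it."""
        vid = parse_vid(frame)
        if vid is None or vid == 0:      # untagged or priority-tagged -> PVID
            return self.pvid
        return vid if vid in self.tagged else None

    def egress_mode(self, vlan):
        """How a frame in `vlan` leaves this port: 'untagged', 'tagged' or None."""
        if vlan == self.pvid:
            return "untagged"
        return "tagged" if vlan in self.tagged else None

def deliver(frame, in_port, ports):
    """Map each other port to its egress mode for the frame's VLAN ({} if dropped)."""
    vlan = ports[in_port].ingress_vlan(frame)
    others = {n: p for n, p in ports.items() if n != in_port}
    return {} if vlan is None else {n: p.egress_mode(vlan) for n, p in others.items()}

AP, GW = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")  # constructed MACs
PORTS = {"ap_uplink": Port(223, {1003}),   # untagged 223 + tagged 1003, as on port 3
         "pfsense": Port(1, {223, 1003}),  # assumed: both VLANs tagged toward pfSense
         "access": Port(223)}              # assumed: plain access port, no guest VLAN
MAIN = build_frame(GW, AP, 0x0800, b"main")               # main SSID: untagged
GUEST = build_frame(GW, AP, 0x0800, b"guest", vid=1003)   # guest SSID: tagged 1003
```

A `None` egress mode means the port is not a member of that VLAN, so guest frames only reach ports where VLAN 1003 is configured.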
            • Derelict LAYER 8 Netgate

              Sorry.  You said it's a Netgear R7000.  It has to do something to differentiate between the main and guest SSIDs, unless all you want is to get people on the same network without disclosing your main passphrase.  It looks like that's the only benefit in that router's firmware.  It has this setting:

              Allow guest to see each other and access my local network. If this check box is selected, anyone who connects to this SSID has access to your local network, not just Internet access.

              Is that checked?  Note that it has to be for wireless clients to be able to see pfSense, since it's providing internet access, not the R7000.

              • CrunchyToast

                What's weird is having it in 'Access Mode' disables that option, although it's still checked.

                I might just end up disabling the guest radio as I can use Captive Portal as well.

                Now, the primary feature of the guest network is to not let other devices see the rest of my LAN. Is there any way I can do this with pfSense?

                  • Derelict LAYER 8 Netgate

                  Yes, you can do it with pfSense, but Layer 2 (the access point and switch)  has to present pfSense with two different networks so it can do its work.  They can be VLANs.

                  Maybe you can take it out of AP mode, check the box, and put it back in AP mode.  Or get a real, VLAN-capable access point because pfSense will see them all as one LAN anyway so you're probably wasting your time on that gear since isolation is what you're after.

                  The best deal in VLAN-capable APs is probably Ubiquiti (ubnt.com).
