Wireless Guest Network Issue

  • Hello there! I have pfSense up and running and everything is working except my guest wifi.

    Here is my setup:
    Modem - pfSense - Switch - Wireless Router (AP mode)

    If anyone connects to my regular network, everything works, but if they connect to the guest wifi they have no internet access. The router I'm using is the Netgear Nighthawk R7000.

    Also, the router itself cannot connect to the internet. I've got to be missing configuration somewhere.

    Thanks in advance.

  • LAYER 8 Netgate

    Does the access point put different SSIDs on different VLANs?  If so, you need to have a managed switch and create tagged interfaces on pfSense.

  • I actually have 3 different networks broadcasting

    Network 2.4
    Network 5
    Network Guest

    The 5 GHz network and 2.4 work just fine, it's only when connecting to Guest.

    I don't have any VLANs set up for anything.

  • LAYER 8 Netgate

    Is this an Apple AirPort?  Apple's access points put the main networks out untagged and the guest networks on VLAN 1003 so you'd need a switch capable of doing the right thing with tagged and untagged traffic on the same port.

    If this were me (and I use an AirPort Express here at home), I would set the primary VLAN on the port to, say, 1000 and create tagged interfaces on pfSense for VLANs 1000 and 1003.

    Here's my switch config.

    Port 1 is to my Mac Mini where I have tagged interfaces set
    Port 21 is pfSense LAN interface, tagged interfaces
    Port 3 is to my MoCA which is how I connect to my access points.  Note untagged VLAN 223 and tagged VLAN 1003.

    ![Screen Shot 2014-02-17 at 12.23.24 AM.png](/public/imported_attachments/1/Screen Shot 2014-02-17 at 12.23.24 AM.png)

  • LAYER 8 Netgate

    Sorry. You said it's a Netgear R7000. It has to do something to differentiate between the main and guest SSIDs, unless all you want is to get people on the same network without disclosing your main passphrase. It looks like that's the only benefit in that router's firmware. It has this setting:

    Allow guest to see each other and access my local network. If this check box is selected, anyone who connects to this SSID has access to your local network, not just Internet access.

    Is that checked?  Note that it has to be for wireless clients to be able to see pfSense, since it's providing internet access, not the R7000.

  • What's weird is having it in 'Access Mode' disables that option, although it's still checked.

    I might just end up disabling the guest radio as I can use Captive Portal as well.

    Now, the primary feature of the guest network is to not let other devices see the rest of my LAN. Is there any way I can do this with pfSense?

  • LAYER 8 Netgate

    Yes, you can do it with pfSense, but Layer 2 (the access point and switch) has to present pfSense with two different networks so it can do its work. They can be VLANs.

    Maybe you can take it out of AP mode, check the box, and put it back in AP mode. Or get a real, VLAN-capable access point because pfSense will see them all as one LAN anyway so you're probably wasting your time on that gear since isolation is what you're after.

    The best deal in VLAN-capable APs is probably Ubiquiti (ubnt.com)
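
Added example, not part of the thread: a small Python model of why the last reply says pfSense must be presented with two different networks before it can isolate guests. The subnets, gateway addresses and rule list are constructed assumptions; only the VLAN IDs 1000 and 1003 come from the posts above.

```python
import ipaddress

# Constructed addressing plan (assumption; the thread only gives VLAN IDs).
LAN = ipaddress.ip_network("192.168.10.0/24")    # main SSIDs, e.g. VLAN 1000
GUEST = ipaddress.ip_network("192.168.30.0/24")  # guest SSID, e.g. VLAN 1003
LAN_GW, GUEST_GW = "192.168.10.1", "192.168.30.1"  # pfSense on each network

# Hypothetical guest-interface rules: (action, proto, destination, port).
GUEST_RULES = [
    ("pass", "udp", ipaddress.ip_network(GUEST_GW + "/32"), 53),     # DNS on the firewall
    ("block", "any", ipaddress.ip_network(GUEST_GW + "/32"), None),  # GUI, SSH, ...
    ("block", "any", LAN, None),                                     # isolation rule
    ("pass", "any", ipaddress.ip_network("0.0.0.0/0"), None),        # internet
]


def evaluate(rules, proto, dst, port):
    """First matching rule wins; no match means block (default deny)."""
    dst_ip = ipaddress.ip_address(dst)
    for action, r_proto, r_dst, r_port in rules:
        if r_proto in ("any", proto) and dst_ip in r_dst and r_port in (None, port):
            return action
    return "block"


def verdict(client_net, gateway, proto, dst, port, rules=GUEST_RULES):
    """Fate of a packet sent by a wireless client that sits in client_net."""
    dst_ip = ipaddress.ip_address(dst)
    if dst_ip in client_net and dst_ip != ipaddress.ip_address(gateway):
        # Same subnet: delivered by the AP/switch at layer 2, never routed.
        return "unfiltered"
    return evaluate(rules, proto, dst, port)


if __name__ == "__main__":
    # Guest SSID bridged into the LAN (no VLANs): rules are never consulted.
    print("flat  guest -> LAN host:", verdict(LAN, LAN_GW, "tcp", "192.168.10.20", 445))
    # Guest SSID on its own VLAN/subnet: traffic is routed, so rules apply.
    print("split guest -> LAN host:", verdict(GUEST, GUEST_GW, "tcp", "192.168.10.20", 445))
    print("split guest -> internet:", verdict(GUEST, GUEST_GW, "tcp", "8.8.8.8", 443))
    print("split guest -> DNS     :", verdict(GUEST, GUEST_GW, "udp", GUEST_GW, 53))
    print("split guest -> GUI     :", verdict(GUEST, GUEST_GW, "tcp", GUEST_GW, 443))
    print("split guest -> guest   :", verdict(GUEST, GUEST_GW, "tcp", "192.168.30.60", 445))
```

The last case stays unfiltered even with VLANs: guest-to-guest traffic inside one subnet never reaches pfSense, so that part of isolation depends on the access point.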
