Dynamic VLANs in PFSense for DHCP Client Isolation

  • Hi,

    I've been searching online and on these forums on how to achieve this.

    We used to have a "GuestGate" (http://www.guestgate.com/) router at our business. It does, what it calls, Layer 3 VLAN Isolation, as well as separates our office LAN from the public LAN, and adds a Captive Portal to the public LAN (which is distributed over 6 APs and 4 24-port switches).

    Unfortunately, the device is not powerful enough to handle our 30 Mbps connection with more than 20 clients logged in. We're averaging 30-40 users at any given time. This causes the device to slow down or crash.

    I'm looking to replicate the features of the Guestgate with pfSense, but I have no idea where to start.

    I've installed pfSense on an old computer and installed the FreeRadius2 package. I was able to make a "guest" user and login through the captive portal, but I can't seem to be able to find an option to have it assign a VLAN to each device to separate it from everyone, like the Guestgate router.

    I'm thinking that maybe the DHCP server can assign a VLAN to each device it gives an IP address.

    Since it's for public Internet access, we cannot have 1 password per user/device.

    What do you guys think?

  • I know high end managed switches support dynamic vlans with authentication via 802.1X

    The current equipment we have are 4 unmanaged 24-port switches, 2 managed PoE 8-port switches (which do VLANs per port), and 8 APs.

    The GuestGate works with the current setup by itself with only 1 port being connected to one of the switches.

    I was looking for something that would work similarly.

    The other thing I can think of is to give each client a different subnet.

    The idea is to work with existing hardware since it seems that software might make it work.

  • Are you sure the devices actually end up in different VLANs (vs. just different IP subnets) in your current setup? I don't see how you would be able to actually get isolation with dumb switches.

    Each device gets a different subnet and IP address. Even when you manually change the IP address to match another device on the network, they cannot "see" each other, even when connected to the same router.

    Even if I only get each device on a different subnet to "isolate" them from each other, that would work too.

  • @tcarcur:

    Each device gets a different subnet and IP address. Even when you manually change the IP address to match another device on the network, they cannot "see" each other, even when connected to the same router.

    So are your dumb switches not really dumb? If they support per-port VLAN assignment, I don't think they'd qualify as dumb; if they don't, I don't see where you think the isolation would happen.

  • What that "feature" of GuestGate does is assign clients different IP subnets, one client per IP subnet. "Layer 3 isolation" they call it. That's a complete joke. Just don't. You should be providing service that actually secures clients from each other, not one that pretends to do so while leaving customers open to many, many kinds of attacks and vulnerable to all of a wide range of layer 2 malware on other guests' computers.

    Managed switches aren't expensive, relatively speaking. Any half-decent AP can provide client isolation on the wireless side. Why anyone would implement a feature like this "Layer 3 isolation" is beyond me; it's mind-blowingly stupid to even suggest that's a worthwhile thing to be doing.

    One VLAN per room for Ethernet with traffic between not permitted by the firewall, and client isolation on wireless is the way to actually provide the kind of security most such establishments do.

    Erm… So, this "client isolation" basically means they produce /30 per client? ROFL.

  • cmb took the words out of my mouth.

    1. Create different VLANs for your Internal LAN and your Public LAN
    2. Create firewall rule so Public VLAN can't access Private LAN
    3. Turn on Client isolation on your Access Point for the SSID (Vlan) you want
    4. Get managed switches that allow you to create tagged vlan ports

    Hopefully your Access Point supports VLAN tagging, which you will need too if you have multiple wireless VLANs. If it doesn't, see if you can put dd-wrt on it and then you should be good to go.
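As an added illustration of steps 1 and 2 above (written for this thread, not taken from it and not pfSense's own generated ruleset), here is the equivalent split expressed in FreeBSD pf.conf syntax. Interface names, VLAN IDs and subnets are assumptions; pfSense users would set the same thing up in the GUI under Interfaces > VLANs and Firewall > Rules.

```pf
# Assumed layout: em0 = WAN, em1 carries two tagged VLANs
#   VLAN 10 = office LAN  (192.168.10.0/24)
#   VLAN 20 = public LAN  (192.168.20.0/24), captive portal enabled on it
wan   = "em0"
lan   = "em1.10"
guest = "em1.20"
lan_net   = "192.168.10.0/24"
guest_net = "192.168.20.0/24"
# Everything that is not the Internet, so guests cannot probe any internal range
table <rfc1918> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

set skip on lo0
scrub in all

# Translation rules must come before filter rules in pf.conf
nat on $wan from { $lan_net, $guest_net } to any -> ($wan)

block log all                      # default deny on every interface

# Guests may use pfSense's own guest-side address for DHCP and DNS only
pass in quick on $guest proto udp from any port 68 to any port 67
pass in quick on $guest proto { tcp, udp } from $guest_net to ($guest) port 53

# Step 2: the public VLAN reaches nothing internal (office LAN, pfSense's other addresses)
block in quick log on $guest from $guest_net to <rfc1918>
# ...but may reach the Internet
pass in quick on $guest from $guest_net to any

# Office LAN: outbound to anywhere, including the guest VLAN for management
pass in quick on $lan from $lan_net to any

# Traffic originated by pfSense itself (updates, upstream DNS)
pass out quick all
```

Note what this ruleset cannot do: two guests in 192.168.20.0/24 talk to each other without ever passing through pfSense, so the block rule never sees that traffic. That is exactly why steps 3 and 4 (AP client isolation and managed switches) are still needed.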

  • I've turned on Client Isolation on all but 3 APs (they do not support it, already ordered replacements that support it).

    I'm using 2 8-port smart switches that do per-port VLANs to isolate some wired clients/APs.

    I'll look into replacing the 24-port unmanaged switches for managed ones.

    Thank you for the suggestions/comments.

  • Rebel Alliance Developer Netgate

    The only way you might be able to get away with a slightly simpler configuration is if your new switches support "private VLANs", the actual name varies by brand/implementation. Basically you define one upstream port (the gateway, pfSense) and define the other ports as client ports, and then the client ports may only talk to the upstream port. It's similar to AP client isolation, but for wired clients.

    Using separate VLANs is a more secure practice, but also significantly more to manage.