Netgate Discussion Forum

Dynamic VLANs in PFSense for DHCP Client Isolation

General pfSense Questions
11 Posts 7 Posters 5.7k Views
    tcarcur (Apr 11, 2014, 6:22 PM):

    Hi,

    I've been searching online and on these forums for how to achieve this.

    We used to have a "GuestGate" (http://www.guestgate.com/) router at our business. It does what it calls Layer 3 VLAN Isolation, separates our office LAN from the public LAN, and adds a captive portal to the public LAN (which is distributed over 6 APs and 4 24-port switches).

    Unfortunately, the device is not powerful enough to handle our 30 Mbps connection with more than 20 clients logged in. We're averaging 30-40 users at any given time. This causes the device to slow down or crash.

    I'm looking to replicate the features of the Guestgate with pfSense, but I have no idea where to start.

    I've installed pfSense on an old computer and installed the FreeRadius2 package. I was able to make a "guest" user and login through the captive portal, but I can't seem to be able to find an option to have it assign a VLAN to each device to separate it from everyone, like the Guestgate router.

    I'm thinking that maybe the DHCP server can assign a VLAN to each device it gives an IP address.

    Since it's for public Internet access, we cannot have 1 password per user/device.

    What do you guys think?

      Harvy66 (Apr 12, 2014, 2:37 AM):

      I know high end managed switches support dynamic vlans with authentication via 802.1X

        tcarcur (Apr 12, 2014, 3:45 PM):

        The current equipment we have is 4 unmanaged 24-port switches, 2 managed PoE 8-port switches (which do VLANs per port), and 8 APs.

        The GuestGate works with the current setup by itself with only 1 port being connected to one of the switches.

        I was looking for something that would work similarly.

        The other thing I can think of is to give each client a different subnet.

        The idea is to work with existing hardware since it seems that software might make it work.

          razzfazz (Apr 12, 2014, 8:25 PM):

          Are you sure the devices actually end up in different VLANs (vs. just different IP subnets) in your current setup? I don't see how you would be able to actually get isolation with dumb switches.

            tcarcur (Apr 12, 2014, 10:00 PM):

            Each device gets a different subnet and IP address. Even when you manually change the IP address to match another device on the network, they cannot "see" each other, even when connected to the same router.

            Even if I only get each device on a different subnet to "isolate" them from each other, that would work too.

              razzfazz (Apr 13, 2014, 4:27 AM):

              @tcarcur:

              Each device gets a different subnet and IP address. Even when you manually change the IP address to match another device on the network, they cannot "see" each other, even when connected to the same router.

              So are your dumb switches not really dumb? If they support per-port VLAN assignment, I don't think they'd qualify as dumb; if they don't, I don't see where you think the isolation would happen.

                cmb (Apr 13, 2014, 4:50 AM):

                What that "feature" of GuestGate does is assign clients different IP subnets, one client per IP subnet. "Layer 3 isolation" they call it. That's a complete joke. Just don't. You should be providing service that actually secures clients from each other, not one that pretends to do so while leaving customers open to many, many kinds of attacks and vulnerable to all of a wide range of layer 2 malware on other guests' computers.

                Managed switches aren't expensive relatively-speaking. Any half-decent AP can provide client isolation on the wireless side. Why anyone would implement a feature like this "Layer 3 isolation" is beyond me, it's mind-blowingly stupid to even suggest that's a worthwhile thing to be doing.

                One VLAN per room for Ethernet with traffic between not permitted by the firewall, and client isolation on wireless is the way to actually provide the kind of security most such establishments do.

                  doktornotor (Apr 13, 2014, 11:52 AM):

                  Erm… So, this "client isolation" basically means they produce /30 per client? ROFL.

                    mikeisfly (Apr 13, 2014, 12:59 PM):

                    cmb took the words out of my mouth.

                    1. Create different VLANs for your Internal LAN and your Public LAN
                    2. Create firewall rule so Public VLAN can't access Private LAN
                    3. Turn on client isolation on your access point for the SSID (VLAN) you want
                    4. Get managed switches that allow you to create tagged vlan ports

                    Hopefully your access point supports VLAN tagging, which you will also need if you have multiple wireless VLANs. If it doesn't, see if you can put DD-WRT on it, and then you should be good to go.

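What the four steps above come down to on the firewall side, written out as an added example in raw FreeBSD pf syntax (the rule language pfSense compiles its GUI rules into). This is not code from any of the posters or from pfSense itself; the interface names (igb0 for the office LAN, igb1 as the trunk to the managed switch), VLAN 10 and the subnets are assumptions made for illustration.

```pf
# Added example, not from the thread. Assumed layout: igb0 = office LAN
# (192.168.1.0/24), igb1 = 802.1Q trunk to the managed switch, guests on
# VLAN 10 (10.10.0.0/24). On plain FreeBSD the VLAN interface is created with
#   ifconfig vlan10 create vlan 10 vlandev igb1 inet 10.10.0.1/24
# in pfSense the equivalent is Interfaces > VLANs plus Interfaces > Assignments.
# Repeat the guest block once per guest VLAN (vlan20 for the next room, etc.).

lan_if   = "igb0"
guest_if = "vlan10"

# Everything guests must never reach: the office LAN, every other guest VLAN
# and any other internal range. Blocking all of RFC 1918 is the simplest way.
table <rfc1918> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

# Default deny. 'quick' on every rule below gives first-match semantics, which
# is how pfSense evaluates its GUI rules (a plain pf.conf is last-match).
block log all

# DHCP: a client without an address sends from 0.0.0.0:68 to 255.255.255.255:67;
# renewals are unicast to the server address, so allow both destinations.
pass in quick on $guest_if inet proto udp from any port 68 to 255.255.255.255 port 67
pass in quick on $guest_if inet proto udp from ($guest_if:network) port 68 to ($guest_if) port 67

# DNS, but only to the firewall's own address on this VLAN.
pass in quick on $guest_if proto { tcp, udp } from ($guest_if:network) to ($guest_if) port 53

# Management lockdown: guests get nothing else on the firewall itself.
# 'self' expands to every address the firewall holds, LAN and WAN IPs included.
block in log quick on $guest_if from any to self

# The isolation itself: guest VLAN to anything private is dropped and logged.
block in log quick on $guest_if from any to <rfc1918>

# What is left is the Internet. pfSense adds the outbound NAT on WAN automatically.
pass in quick on $guest_if from ($guest_if:network) to any keep state

# The office LAN is untouched by the guest rules; give it its usual policy.
pass in quick on $lan_if from ($lan_if:network) to any keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it, then from a guest device try to reach the office gateway (for example `ping 192.168.1.1`): it should fail and the drop should appear in the pflog output. Note what these rules do not do: two guests on the same VLAN never cross the firewall, so traffic between them is invisible to pf. That is why the wireless side still needs client isolation on the AP and the wired side still needs a managed switch (per-port or protected-port VLANs), exactly as steps 3 and 4 say.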
                      tcarcur (Apr 14, 2014, 4:42 PM):

                      I've turned on Client Isolation on all but 3 APs (they do not support it, already ordered replacements that support it).

                      I'm using 2 8-port smart switches that do per-port VLANs to isolate some wired clients/APs.

                      I'll look into replacing the 24-port unmanaged switches for managed ones.

                      Thank you for the suggestions/comments.

                        jimp, Netgate developer (Apr 15, 2014, 3:26 PM):

                        The only way you might be able to get away with a slightly simpler configuration is if your new switches support "private VLANs", the actual name varies by brand/implementation. Basically you define one upstream port (the gateway, pfSense) and define the other ports as client ports, and then the client ports may only talk to the upstream port. It's similar to AP client isolation, but for wired clients.

                        Using separate VLANs is a more secure practice, but also significantly more to manage.


Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.