Netgate Discussion Forum
    How to segment wireless traffic from LAN traffic?

    kiddsupreme:

      My apologies up front if this has been answered already (it most certainly has, but I couldn't seem to find anything about it myself). I currently have a PFSense box setup like so:

      Cable Modem <--> PFSense Box <--> Unmanaged switch <--> Internal Network
                                                                            |
                                                                            |-->Wireless AP

      The wireless AP is UniFi AP (from Ubiquiti Networks, 802.11N). Everything is working just as it should. However, I do not feel comfortable with all the wireless traffic bypassing the PFSense box, and was thinking about adding a 3rd Intel NIC to connect the Wireless AP into so it would look more like this:

      Cable Modem <--> PFSense Box <--> Unmanaged switch <--> Internal Network
                                            |
                                            |-->Wireless AP

      My question is would I have any issues that would prop themselves up, versus the setup that I currently have? The only thing that I worry about is being able to access certain internal resources from my wireless devices. Since I would most likely put the Wireless devices on their own separate VLAN (and by extension their own IP address range) would there be something I would need to implement to ensure security (maybe having RADIUS setup on the PFSense box itself, etc?). Any assistance and suggestions you could bring to the table would be welcomed and appreciated. Thanks again in advance.

    davros123:

        Why would you put the wireless on a separate vlan (not sure that would even work in that setup)?

        They are on a separate interface and will not be able to talk to each other by default. All you need to do would be set appropriate rules for any traffic you want to be able to cross between wifi <--> lan.

    johnpoz (LAYER 8 Global Moderator):

          didn't you ask this same question here https://forum.pfsense.org/index.php?topic=79678.0

    phasitboon:

            I commend you on the subject just to let others know.


    kiddsupreme:

              @johnpoz:

              didn't you ask this same question here https://forum.pfsense.org/index.php?topic=79678.0

              You are correct. I was planning on deleting this thread and going off of that other one since I figured more people go to the General Section versus Wireless. But I didn't see an option to delete this thread. For that, you have my apologies. I didn't mean to double post.

    Phatsta:

                As said, your suggested setup would work as long as you manually add rules that allow traffic between the vlans. For example, if you wanted wireless traffic to be able to reach a certain server on a certain IP but nothing else, you'd simply set up a firewall rule that allows traffic from the wireless interface to that IP. It's as simple as that, really.

                You could get another network card for the firewall, or you could exchange the switch for a vlan aware one. Not sure what size of a switch you use, but if it's a small one it might be cheaper.

                1 Reply Last reply Reply Quote 0
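The policy davros123 and Phatsta describe (a dedicated wireless interface that is isolated from the LAN by default, plus one explicit pass rule for the single server wireless clients may reach) can be written out as a pf ruleset, since pf is the packet filter pfSense runs on FreeBSD. The ruleset below is an added illustration, not from the thread or from pfSense's generated configuration; the interface names, subnets and the server address are assumptions chosen for the example.

```pf
# Added example (not the thread's or pfSense's own config). Assumed layout:
#   em0 = WAN, em1 = LAN (192.168.1.0/24), em2 = WIFI (192.168.2.0/24)
#   192.168.1.10 = the one internal server wireless clients are allowed to reach
wan  = "em0"
lan  = "em1"
wifi = "em2"
lan_net  = "192.168.1.0/24"
wifi_net = "192.168.2.0/24"
wifi_allowed_server = "192.168.1.10"

set block-policy drop
set skip on lo0

# Default deny, logged: anything not matched by a "pass" below is dropped.
# This is also what a freshly added pfSense interface with no rules behaves like.
block log all

# LAN keeps the usual "allow anything out" rule.
pass in quick on $lan inet from $lan_net to any keep state

# WIFI rules are evaluated top-down and "quick" makes the first match final,
# so the order matters: allow the one server, deny the rest of the LAN,
# then let everything else (Internet-bound traffic) through.
pass  in quick on $wifi inet proto tcp from $wifi_net to $wifi_allowed_server port 443 keep state
# Let wireless clients use the firewall's own WIFI address for DNS (assumed resolver).
pass  in quick on $wifi inet proto { tcp udp } from $wifi_net to ($wifi) port 53 keep state
block in quick log on $wifi inet from $wifi_net to $lan_net
pass  in quick on $wifi inet from $wifi_net to any keep state
```

In the pfSense GUI the same three WIFI rules would be entered on the Firewall > Rules tab for the wireless interface in that order; the "block to LAN net" rule must sit above the "pass to any" rule or it never matches. On a FreeBSD/pf host, `pfctl -nf /path/to/ruleset.conf` syntax-checks the file without loading it, and `pfctl -sr` prints the rules currently loaded, which is a quick way to confirm the order actually in effect.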
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.