Can I have another subnet for a guest WiFi network?
  • My home network in a nutshell is as follows:

    I'm not even sure if my unmanaged switch is passing through VLAN tags. Now I question if it's even possible. Security isn't a big deal for me, but I do want the two virtual networks being broadcast to be in their own subnet.


  • Netgate

    A quick look at a packet sniffer (wireshark) on the backend of the unmanaged switch can tell you if the tags are passing.  If they are, then yes, it can work.

    As long as you are CERTAIN that bad actors aren't going to be connecting to the switch.

    I would not mix tagged and untagged traffic.  I would tag both VLANs and, if possible, tell Tomato to discard untagged traffic.

    This is really no different than what I do.  I have to use MoCA to distribute different VLANs to APs in my house.  That network is, essentially, an unmanaged hub.  Passes dot1q tags just fine.
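    The check Derelict describes, as an added example that is not from the thread: a small parser that looks for 802.1Q (and stacked 802.1ad) tags in raw Ethernet frames, the same thing Wireshark's `vlan` display filter does. The frames are constructed inline for illustration; on a real capture you would feed it the bytes of each frame seen on the port behind the switch.

```python
import struct

# Tag protocol identifiers for 802.1Q and 802.1ad (QinQ) headers
TPID_8021Q = 0x8100
TPID_8021AD = 0x88A8
TPIDS = (TPID_8021Q, TPID_8021AD)


def parse_vlan_tags(frame: bytes):
    """Return (vlan_ids, ethertype) for one raw Ethernet frame.

    vlan_ids lists every VID found after the 12-byte MAC header, outer
    tag first; ethertype is the payload type once tags are peeled off.
    An untagged frame yields ([], ethertype).
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    vids = []
    offset = 12                       # skip dst MAC (6) + src MAC (6)
    (ethertype,) = struct.unpack_from("!H", frame, offset)
    while ethertype in TPIDS:
        if offset + 6 > len(frame):   # need TCI plus the next ethertype
            raise ValueError("frame truncated inside a VLAN tag")
        # TCI layout: 3 bits PCP, 1 bit DEI, 12 bits VID
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        vids.append(tci & 0x0FFF)
        offset += 4
        (ethertype,) = struct.unpack_from("!H", frame, offset)
    return vids, ethertype


def tagged_vids_seen(frames):
    """Set of VIDs observed across a capture. An empty set means the
    switch (or a driver in the path) is stripping tags before this point."""
    seen = set()
    for frame in frames:
        vids, _ = parse_vlan_tags(frame)
        seen.update(vids)
    return seen


def build_frame(vids, ethertype=0x0800, payload=b"\x00" * 46):
    """Constructed sample frame (hypothetical MACs) with 802.1Q tags."""
    dst = bytes.fromhex("ffffffffffff")
    src = bytes.fromhex("020000000001")
    tags = b"".join(struct.pack("!HH", TPID_8021Q, v) for v in vids)
    return dst + src + tags + struct.pack("!H", ethertype) + payload


# Constructed capture: two frames on VLAN 3 plus one untagged frame
SAMPLE_FRAMES = [build_frame([3]), build_frame([]), build_frame([3], 0x0806)]
```

If the set comes back empty on a port behind the switch while the AP is definitely tagging, the tags are being dropped somewhere between the two.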



  • @Derelict:

    A quick look at a packet sniffer (wireshark) on the backend of the unmanaged switch can tell you if the tags are passing.  If they are, then yes, it can work.

    As long as you are CERTAIN that bad actors aren't going to be connecting to the switch.

    I would not mix tagged and untagged traffic.  I would tag both VLANs and, if possible, tell Tomato to discard untagged traffic.

    This is really no different than what I do.  I have to use MoCA to distribute different VLANs to APs in my house.  That network is, essentially, an unmanaged hub.  Passes dot1q tags just fine.

    Thanks for the reply and you're right about using solely only tagged VLANs. However, this is my own home and I have no concerns about security. I want to be able to just plug a desktop into my switch and access the untagged network.

    I guess the real problem is I don't know how to configure VLANs in Tomato. If somebody could give me a quick tutorial of how this would work, that would be great. I've read somewhere that most of the time consumer switches don't drop VLAN tags and only forward packets based on MAC address. So I should be fine on that point, unless somebody wants to verify that (my switch is a TP-Link TL-SG1005D).


  • Netgate

    A Tomato forum would be a much more productive place to ask that question.



  • @Derelict:

    A Tomato forum would be a much more productive place to ask that question.

    You're right and I've created a post there as well. Is there a tutorial you can point me to on checking VLAN tags with Wireshark? I failed to mention a very important point about my setup and that is I'm using VirtualBox in Windows as a host for PfSense. I now realize this could affect VLAN tags.


  • Netgate

    I understand that for all things pfSense, the forum rocks, but you are not having pfSense issues.

    I really don't want to be a dick, but http://lmgtfy.com/?q=what+is+a+vlan



  • @Derelict:

    I understand that for all things pfSense, the forum rocks, but you are not having pfSense issues.

    I really don't want to be a dick, but http://lmgtfy.com/?q=what+is+a+vlan

    Could you elaborate on your method of checking the VLAN at the switch?



  • Update: I have good news and bad news. The good news is that I've determined that my Tomato access point handles VLANs perfectly and my switch does in fact pass through VLAN tags. I enabled the DHCP server on my Tomato router on a separate bridge and configured VLAN ID 3 to it. I can confirm on my laptop with Realtek's Diagnostic tool that there is in fact a VLAN on VLAN 3 from Tomato.

    Now the bad news is although Tomato works and my switch isn't causing any problems it seems that PfSense is the problem. The VLAN from PfSense simply does not work.

    Could somebody take a look at the following specs and speculate on where the issue may lie?

    Host
    OS: Windows 8.1 Pro
    NIC: 2x Realtek 8111E PCI-E GBE

    Guest
    VM: VirtualBox 4.3.14
    OS: PfSense 2.1.4
    Virtual NIC 1: Intel PRO/1000 MT Desktop 82540EM - Bridged - em0
    Virtual NIC 2: Intel PRO/1000 MT Desktop 82540EM - Bridged - em1

    It seems that VLANs don't work in my setup. Any ideas from here?

    TL;DR: Tomato passes VLAN tags to me. PfSense does not, and my setup is virtualized with VirtualBox. I want to get VLANs working on my odd PfSense configuration.



  • 2nd Update:

    I'd like to announce that I've solved the issue. I couldn't get rid of the problem with VLAN tags getting stripped by my NIC (or perhaps it was VirtualBox's fault), but one way to fix this is to download Realtek's Diagnostic Utility (below). Then go to Network and Sharing Center > Change adapter settings > Realtek PCIe GBE Family Adapter (choose the one that's for your LAN!). Disable anything that has the word VirtualBox. Then open the Realtek Diagnostic Utility and create VLAN 1 as well as the additional VLAN you need. Now wait 3 minutes for each VLAN you configure as it installs the drivers into Windows. Now you may notice under Network and Sharing Center > Change adapter settings there are two new adapters called Realtek Virtual Adapter. Each of these is an adapter for your VLAN. Open each of them and enable any mention of VirtualBox. Go to VirtualBox and assign each Realtek Virtual Adapter as a network card for your PfSense VM (PfSense shouldn't be running). Start your PfSense VM and configure your two new virtual NICs. Now you have two operable VLANs, but they show up as ethernet interfaces in PfSense. That works too.

    http://www.realtek.com/Downloads/downloadsView.aspx?Langid=1&PNid=13&PFid=5&Level=5&Conn=4&DownTypeID=3&GetDown=false

    This solution works, but it's limited to how many network adapters VirtualBox can create. I'm eager to help anyone, as I know how much pain and suffering I went through to figure out this solution on my own. I'm subscribed to this thread and I'll be reading upcoming replies. Anyone who wants to do the same thing can contact me here and I'll see how I can explain it to you.