Setting up vLANs over multiple wds links with pfSense
-
Good evening. I'm fairly new to pfSense, and it has been a while since I have been involved in any advanced networking. However, we recently decided to provide public wifi to the tenants in our rent houses. I've attached an image of my current layout. All of the DD-WRT routers are configured for WDS, the N16 is the only 'host' per say, all of the WRT54G's point directly to the N16. The WRT54G's and the N16 are all configured with WDS as LAN, and not point-to-point. The N16 is more or less just a bridge allowing the WDS clients to access the pfsense box.
Basically, I have a WRT54G access point in each rent house that connects wirelessly to the N16, and consequently to the pfsense box and out to the internet. The pfSense box is the only DHCP host on the network, and it has a few packages installed. The packages are just things like havp, squid, and sarg. I also have captive portal enabled and configured. The pfSense box is also the default gateway for the network.
My primary concern at this point is security. With the current configuration, I have one big network all on the same interface. All of the computers can see the shares of the other computers. I was going to set firewall rules to block the ports for NetBIOS in pfSense, and a few other file sharing ports, but then I read that traffic on the same subnet will not pass through the firewall, because it is all layer 2 traffic. If that's true, I suppose I need to create separate vlans for each rent house.
I've read some information on vlans, and I understand tagged and untagged to an extent, but I'm not exactly clear on how to configure the WRT54G/N16/pfsense devices with different vlans. Do I set a vlan up at each wrt54g/rent house? I figure that if I did it that way, it would interfere with the DHCP assignments from the pfSense box. So then I figured I should probably try to configure them all from the pfSense box, but before I end up killing access for my entire neighborhood, I figured I would get advice from the pro's first.
If you need more info, just say the word. I'm eager to learn. 8)
-
This is probably better directed to a ddwrt forum. Everything you need to change is in ddwrt.