Netgate Discussion Forum
    Adding External Access Point..Need to separate private & public traffic.

    4 Posts 2 Posters 1.2k Views
    whitewidow:

      At all of our retail stores we have pfSense firewall appliances, and all locations have an IPsec tunnel to our main location.

      At our newest location we are opening we want to add a dedicated access point out in the show room.

      We want 2 SSIDs: one for private traffic that is on the same subnet as the LAN interface (10.0.10.0/24) so that laptops can communicate down the VPN and access network resources just like the wired PCs on the switch. DHCP is handed out by pfSense. This is for employees.

      Then the second SSID must be completely restricted from the private traffic and on its own subnet (192.16.0.0/24) with internet access only. This will be for customers.

      I've been searching for how to set this up, but nothing I have read specifically states how to accomplish this. Most say not to bridge the LAN interface and to put the 2 SSIDs on their own separate subnets, but this will break the communication down the VPN tunnel that I need the employees to have on the private SSID.

      Can anyone help me out on what is the best way to accomplish this?

      Also, what features should I look for in the access point besides multiple SSIDs?

      Thanks in advance!

      Derelict (LAYER 8, Netgate):

        VLAN tagging of SSIDs and a management VLAN.

        You will also need a managed switch to do this right without bridging pfSense interfaces. Nothing fancy. Something like a D-Link DGS-1100-08 will do what you need.

        For firewall rules you probably just want to add a rule on LAN rejecting connections to "OPT1 net".

        On OPT1 you'll probably want to do something like:

        Pass ICMP source OPT1 net dest OPT1 address
        Pass TCP/UDP DNS source OPT1 net dest OPT1 address
        Block any source OPT1 net dest OPT1 address
        Block any source OPT1 net dest LAN net
        Block any source OPT1 net dest WAN address
        Pass any source OPT1 net dest any


        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)
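        As an added illustration (not code from the thread or from Netgate), here is a small first-match evaluator over Derelict's OPT1 ruleset that checks the isolation properties the poster asked for: guests get DNS from the firewall and internet access, but nothing on the LAN, the firewall itself or the WAN address. The pfSense OPT1 address, the WAN address and the guest client address are assumed values; the LAN and guest subnets are taken from the post as written.

```python
import ipaddress
# LAN and guest subnets are from the thread (guest as written there); the rest is assumed.
LAN_NET = ipaddress.ip_network("10.0.10.0/24")
OPT1_NET = ipaddress.ip_network("192.16.0.0/24")
OPT1_ADDR = ipaddress.ip_address("192.16.0.1")      # assumed: pfSense's address on OPT1
WAN_ADDR = ipaddress.ip_address("203.0.113.10")     # assumed: documentation-range address

# Derelict's OPT1 rules in GUI order: (action, protocols or None for any, destination, dst port)
OPT1_RULES = [
    ("pass",  {"icmp"},       OPT1_ADDR, None),   # ping the firewall
    ("pass",  {"tcp", "udp"}, OPT1_ADDR, 53),     # DNS from the firewall's resolver
    ("block", None,           OPT1_ADDR, None),   # nothing else to the firewall itself
    ("block", None,           LAN_NET,   None),   # no access to the employee LAN
    ("block", None,           WAN_ADDR,  None),   # no access to the WAN address
    ("pass",  None,           "any",     None),   # everything else: internet
]

def _matches(target, ip):
    if target == "any":
        return True
    if isinstance(target, ipaddress.IPv4Network):
        return ip in target
    return ip == target

def evaluate(rules, src, proto, dst, dport=None):
    """Action for one flow. pfSense interface rules are evaluated top-down and
    the first match wins (the GUI marks them 'quick'); no match means block."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src_ip not in OPT1_NET:          # every rule has source "OPT1 net"
        return "block"
    for action, protos, target, port in rules:
        if protos is not None and proto not in protos:
            continue
        if not _matches(target, dst_ip):
            continue
        if port is not None and dport != port:
            continue
        return action
    return "block"

def guest_policy_holds(rules):
    """True when the ruleset gives guests DNS and internet but nothing internal."""
    guest = "192.16.0.50"                # constructed guest client address
    return (
        evaluate(rules, guest, "udp", str(OPT1_ADDR), 53) == "pass"
        and evaluate(rules, guest, "tcp", str(OPT1_ADDR), 443) == "block"   # webGUI
        and evaluate(rules, guest, "tcp", "10.0.10.20", 445) == "block"     # LAN file share
        and evaluate(rules, guest, "tcp", str(WAN_ADDR), 22) == "block"
        and evaluate(rules, guest, "tcp", "198.51.100.7", 443) == "pass"    # internet host
    )
```

Swapping the third rule above the second and re-running a DNS flow shows why the DNS pass has to sit above the block to "OPT1 address".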

        whitewidow:

          @Derelict:

          VLAN tagging of SSIDs and a management VLAN.

          You will also need a managed switch to do this right without bridging pfSense interfaces.  Nothing fancy.  Something like a D-Link DGS-1100-08 will do what you need.

          For firewall rules you probably just want to add a rule on LAN rejecting connections to "OPT1 net".

          On OPT1 you'll probably want to do something like:

          Pass ICMP source OPT1 net dest OPT1 address
          Pass TCP/UDP DNS source OPT1 net dest OPT1 address
          Block any source OPT1 net dest OPT1 address
          Block any source OPT1 net dest LAN net
          Block any source OPT1 net dest WAN address
          Pass any source OPT1 net dest any

          Could I use the extra interface and bypass the switch and still accomplish this? I have an unmanaged switch in place and do not have the funding for a managed switch. I do want one VLAN to be able to communicate with the LAN interface to access network resources.

          Derelict (LAYER 8, Netgate):

            You don't have $60 ? http://www.amazon.com/D-Link-EasySmart-Gigabit-Ethernet-DGS-1100-08/dp/B008ABLU2I/

            Bridging the pfSense interfaces will:

            1. Be more complicated

            2. Exhibit inferior performance

            Yes, it can be done, but to be frank, I'm not sure I have the patience to spend a bunch of time talking you through doing it wrong so you can avoid spending $60.

            https://doc.pfsense.org/index.php/Interface_Bridges

            Here it is in a nutshell, though:

            Create VLANs 100 and 200 on eth1 (or whatever your available interface is)

            Create a bridge containing LAN and eth1_vlan100.

            Assign interface LAN to BRIDGE0.

            Assign interface GUEST to eth1_vlan200.

            Set your guest IP info and firewall rules on the GUEST interface.

            Your AP should be set to send your internal SSID tagged on VLAN 100 and your guest SSID tagged on VLAN 200.
