PfSense + 2 Wireless Networks = ???



  • So I need a little help figuring out the routing logic for a network that I'm building.

    I've got a pfSense box, and 4 Linksys WAP54g access points with dd-wrt. The 4 access points will each broadcast 2 SSIDs: 1 for an internal company LAN, and 1 for the guest wireless network. I have 2 NICs on the pfSense box.

    I'm looking to have the guest wifi users route straight to the internet from pfsense. So it would follow - Guest user > AP > pfSense > Cisco switch with VLANS > Company Cisco 1921 router > Internet

    Similarly with the private wifi users - Employee Device > AP > pfSense > Cisco switch with VLANS > Company Cisco 1921 router > WAN > Internet

    The guest subnet I wanted to have is 10.0.0.0, with the private WLAN being 192.168.11.0.

    1. Should pfSense be the DHCP server for the APs? Or should dd-wrt provide DHCP for the APs?

    2. How feasible is this with pfSense and only 4 APs?

    3. Should I be using VLANs inside of pfSense for this?

    Thank you.



  • 1. pfSense should do DHCP for all the LANs, then the client devices get the respective pfSense LAN IP as default gateway without having to think.
    2. It is feasible with 4, 40 or 400 APs.
    3. Use VLANs in pfSense - a VLAN trunk port on pfSense to the Cisco VLAN switch. Then the various VLANs on the Cisco switch/APs/wired-devices will be visible as individual interfaces on pfSense and you can allow or block local traffic between each of them, traffic to/from the internet or whatever.



  • @phil.davis:

    1. pfSense should do DHCP for all the LANs, then the client devices get the respective pfSense LAN IP as default gateway without having to think.
    2. It is feasible with 4, 40 or 400 APs.
    3. Use VLANs in pfSense - a VLAN trunk port on pfSense to the Cisco VLAN switch. Then the various VLANs on the Cisco switch/APs/wired-devices will be visible as individual interfaces on pfSense and you can allow or block local traffic between each of them, traffic to/from the internet or whatever.

    Thanks for the reply. I've added two VLANs to pfSense and I've created an additional DHCP pool for them. The main problem now is making pfSense talk to the second SSID access point's IP address.

    I've tried adding routes to both pfSense and DD-WRT to make them see each other but I'm hitting a brick wall.

    The second SSID is on a bridge interface on DD-WRT with the IP of 10.0.0.11, pfSense has a virtual interface with the IP address of 10.0.0.1, and an uplink gateway of 192.168.10.1. 192.168.10.1 is the wired LAN router that leads out to the internet.

    A route needs to be made for the guest wifi subnet 10.0.0.0 to go over the gateway of 192.168.11.1 right?

    How can I make that in pfSense?



    The second SSID is on a bridge interface on DD-WRT with the IP of 10.0.0.11, pfSense has a virtual interface with the IP address of 10.0.0.1, and an uplink gateway of 192.168.10.1. 192.168.10.1 is the wired LAN router that leads out to the internet.

    A route needs to be made for the guest wifi subnet 10.0.0.0 to go over the gateway of 192.168.11.1 right?

    You should not need to add any routes.
    When a client connects to the guest WiFi SSID, it should be getting DHCP from pfSense only (DD-WRT and the WiFi AP should have DHCP off), and be given gateway 10.0.0.1 (pfSense). The pfSense virtual interface must have rules to allow traffic from its own subnet to the internet. Then the client packets will be allowed into pfSense and pfSense will route them upstream out WAN.
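The two replies above (VLAN interfaces with per-interface rules, and pfSense as the only DHCP server with no extra routes) can be checked against the addresses in the thread. The following is an added example, not code from the thread or from pfSense; it models pfSense's routing-table lookup, the DHCP scope each VLAN should hand out, and a first-match firewall policy that isolates the guest VLAN from the private LANs. The /24 masks, the interface names, the WAN address 192.168.10.2 and the DHCP range are assumptions, since the posts do not state them.

```python
"""Model of the pfSense routing and firewall logic discussed in the thread.
Added example, not from the thread or from pfSense. Addresses 10.0.0.1,
10.0.0.11, 192.168.11.0 and 192.168.10.1 come from the posts; the /24 masks,
interface names and the pfSense WAN address 192.168.10.2 are assumptions."""
import ipaddress

# pfSense-side addresses: one VLAN interface per SSID plus the uplink towards
# the Cisco 1921 (192.168.10.1 is the gateway named in the thread).
PFSENSE_IFACES = {
    "GUEST_VLAN": ipaddress.ip_interface("10.0.0.1/24"),
    "PRIVATE_VLAN": ipaddress.ip_interface("192.168.11.1/24"),
    "WAN": ipaddress.ip_interface("192.168.10.2/24"),  # assumed
}
UPLINK_GW = ipaddress.ip_address("192.168.10.1")

RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def routing_table():
    """Connected routes, one per interface, plus the default route via the
    uplink. There is no static route for 10.0.0.0/24: it is directly
    connected, which is why the reply says no routes need adding."""
    routes = [(iface.network, "connected", name)
              for name, iface in PFSENSE_IFACES.items()]
    routes.append((ipaddress.ip_network("0.0.0.0/0"), str(UPLINK_GW), "WAN"))
    return routes


def lookup(dst):
    """Longest-prefix match, returning (next hop, outgoing interface)."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, via, iface in routing_table():
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via, iface)
    return best[1], best[2]


def dhcp_scope(iface_name, first=100, last=199):
    """What pfSense's DHCP server should hand out on a VLAN. The gateway is
    pfSense's own address on that interface, so clients need no extra routes.
    The host range is an assumption."""
    iface = PFSENSE_IFACES[iface_name]
    net = iface.network
    return {
        "subnet": str(net),
        "range": (str(net.network_address + first),
                  str(net.network_address + last)),
        "gateway": str(iface.ip),
    }


# Per-interface rules, first match wins (pfSense semantics). The source is
# pinned to the interface's own subnet, so a spoofed source address is dropped
# by the implicit default deny. Guest clients may reach pfSense itself (DNS)
# and the internet, but no RFC 1918 space, which covers both the private
# VLAN and the 192.168.10.1 wired router.
RULES = {
    "GUEST_VLAN": [
        ("pass", PFSENSE_IFACES["GUEST_VLAN"].network,
         ipaddress.ip_network("10.0.0.1/32"), "guest -> pfSense (DNS)"),
        ("block", PFSENSE_IFACES["GUEST_VLAN"].network, "rfc1918",
         "guest -> private networks"),
        ("pass", PFSENSE_IFACES["GUEST_VLAN"].network, "any",
         "guest -> internet"),
    ],
    "PRIVATE_VLAN": [
        ("pass", PFSENSE_IFACES["PRIVATE_VLAN"].network, "any",
         "employees -> anywhere"),
    ],
}


def allowed(iface_name, src, dst):
    """Evaluate the inbound rules of the interface a packet arrives on."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_spec, _comment in RULES.get(iface_name, []):
        if src not in src_net:
            continue
        if dst_spec == "any":
            hit = True
        elif dst_spec == "rfc1918":
            hit = any(dst in n for n in RFC1918)
        else:
            hit = dst in dst_spec
        if hit:
            return action == "pass"
    return False  # pfSense default: deny


if __name__ == "__main__":
    print("10.0.0.11 via", lookup("10.0.0.11"))   # connected, no static route
    print("8.8.8.8 via", lookup("8.8.8.8"))       # default route via 192.168.10.1
    print("guest scope", dhcp_scope("GUEST_VLAN"))
    print("guest -> employee LAN:", allowed("GUEST_VLAN", "10.0.0.50", "192.168.11.20"))
```

The `lookup("10.0.0.11")` case answers the question about a route "over the gateway of 192.168.11.1": the AP's bridge address is on the directly connected 10.0.0.0/24 and pfSense reaches it through the GUEST_VLAN interface, so a static route would only break things. The block rule sits before the pass-to-any rule on purpose; reversing them would let guests reach the employee VLAN and the wired router.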

