Netgate Discussion Forum
    PfSense + 2 Wireless Networks = ???

    Routing and Multi WAN
    4 Posts 2 Posters 4.4k Views
    Toasticuss

      So I need a little help figuring out the routing logic for a network that I'm building.

      I've got a pfSense box, and 4 Linksys WAP54g access points with dd-wrt. The 4 access points will each give off 2 SSIDs. 1 for an internal company LAN, and 1 for the guest wireless network. I have 2 NICs on the pfSense box.

      I'm looking to have the guest wifi users route straight to the internet from pfsense. So it would follow - Guest user > AP > pfSense > Cisco switch with VLANS > Company Cisco 1921 router > Internet

      Similarly with the private wifi users - Employee Device > AP > pfSense > Cisco switch with VLANS > Company Cisco 1921 router > WAN > Internet

      The guest subnet I wanted to have is 10.0.0.0, with the private WLAN being 192.168.11.0.

      1. Should pfSense be the DHCP server for the APs? Or should dd-wrt provide DHCP for the APs?

      2. How feasible is this with pfSense and only 4 APs?

      3. Should I be using VLANs inside of pfSense for this?

      Thank you.

      phil.davis

        1. pfSense should do DHCP for all the LANs, then the client devices get the respective pfSense LAN IP as default gateway without having to think.
        2. It is feasible with 4, 40 or 400 APs.
        3. Use VLANs in pfSense - a VLAN trunk port on pfSense to the Cisco VLAN switch. Then the various VLANs on the Cisco switch/APs/wired-devices will be visible as individual interfaces on pfSense and you can allow or block local traffic between each of them, traffic to/from the internet or whatever.

        As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
        If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

        Toasticuss

          @phil.davis:

          1. pfSense should do DHCP for all the LANs, then the client devices get the respective pfSense LAN IP as default gateway without having to think.
          2. It is feasible with 4, 40 or 400 APs.
          3. Use VLANs in pfSense - a VLAN trunk port on pfSense to the Cisco VLAN switch. Then the various VLANs on the Cisco switch/APs/wired-devices will be visible as individual interfaces on pfSense and you can allow or block local traffic between each of them, traffic to/from the internet or whatever.

          Thanks for the reply. I've added two VLANs to pfSense and I've created an additional DHCP pool for them. The main problem now is making pfSense talk to the second SSID access point's IP address.

          I've tried adding routes to both pfSense and DD-WRT to make them see each other but I'm hitting a brick wall.

          The second SSID is on a bridge interface on DD-WRT with the IP of 10.0.0.11, pfSense has a virtual interface with the IP address of 10.0.0.1, and an uplink gateway of 192.168.10.1. 192.168.10.1 is the wired LAN router that leads out to the internet.

          A route needs to be made for the guest wifi subnet 10.0.0.0 to go over the gateway of 192.168.11.1 right?

          How can I make that in pfSense?

          phil.davis

            The second SSID is on a bridge interface on DD-WRT with the IP of 10.0.0.11, pfSense has a virtual interface with the IP address of 10.0.0.1, and an uplink gateway of 192.168.10.1. 192.168.10.1 is the wired LAN router that leads out to the internet.

            A route needs to be made for the guest wifi subnet 10.0.0.0 to go over the gateway of 192.168.11.1 right?

            You should not need to add any routes.
            When a client connects to the guest WiFi SSID, it should be getting DHCP from pfSense only (DD-WRT and the WiFi AP should have DHCP off), and be given gateway 10.0.0.1 (pfSense). The pfSense virtual interface must have rules to allow traffic from its own subnet to the internet. Then the client packets will be allowed into pfSense and pfSense will route them upstream out WAN.

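One way to check the routing and firewall logic phil.davis describes, as an added example that is not from the thread: it models the pfSense box's directly connected routes and a first-match rule set on the guest VLAN with Python's ipaddress module, and shows that the AP's 10.0.0.11 is on-link (so no static route is needed), that internet-bound guest traffic leaves via 192.168.10.1, and that a guest-isolation rule keeps guests off the private VLAN. The pfSense uplink address 192.168.10.2 and the guest rule ordering (including the isolation block) are assumptions.

```python
import ipaddress

# Constructed model of the pfSense box from the thread: two VLAN interfaces
# plus the wired uplink whose gateway (192.168.10.1) leads to the internet.
INTERFACES = {
    "GUEST_VLAN":   ipaddress.ip_interface("10.0.0.1/24"),
    "PRIVATE_VLAN": ipaddress.ip_interface("192.168.11.1/24"),
    "WAN":          ipaddress.ip_interface("192.168.10.2/24"),  # assumed uplink address
}
DEFAULT_GATEWAY = ipaddress.ip_address("192.168.10.1")

# Assumed first-match rules on the guest interface, in pfSense order: let guest
# clients reach pfSense itself (DHCP/DNS), isolate them from the private VLAN,
# then allow everything else (the internet).
GUEST_RULES = [
    ("pass",  ipaddress.ip_network("10.0.0.1/32")),
    ("block", ipaddress.ip_network("192.168.11.0/24")),
    ("pass",  ipaddress.ip_network("0.0.0.0/0")),
]

def routing_table():
    """Directly connected routes from the interfaces plus one default route."""
    table = [(iface.network, name, None) for name, iface in INTERFACES.items()]
    table.append((ipaddress.ip_network("0.0.0.0/0"), "WAN", DEFAULT_GATEWAY))
    return table

def next_hop(dst):
    """Longest-prefix match: returns (interface, gateway); gateway None means on-link."""
    dst = ipaddress.ip_address(dst)
    best = max((r for r in routing_table() if dst in r[0]), key=lambda r: r[0].prefixlen)
    return best[1], best[2]

def guest_policy(dst):
    """First matching rule wins, as in pfSense; default deny if nothing matches."""
    dst = ipaddress.ip_address(dst)
    for action, net in GUEST_RULES:
        if dst in net:
            return action
    return "block"

def forward_from_guest(dst):
    """Decision for a packet arriving on GUEST_VLAN from a DHCP-assigned client."""
    action = guest_policy(dst)
    if action != "pass":
        return ("block", None, None)
    iface, gw = next_hop(dst)
    return ("pass", iface, str(gw) if gw else None)

if __name__ == "__main__":
    for dst in ("8.8.8.8", "10.0.0.11", "192.168.11.20"):
        print(dst, forward_from_guest(dst))
```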
