1 NIC to 3 Zones



  • Sorry if this question has been answered before but I was unable to find how to do this.

    I would like to only use 1 AP, and have pfSense route the traffic through 1 NIC to the appropriate zone, based on 'known device' status.

    Is this possible? And how would I do this? Thanks.

    Zone 1 = Home Network (10.0.0.1)
    'Known Devices Only'
    'DHCP Static Mappings'

    Zone 2 = Guest Network (172.16.0.1)
    Internet Only
    Unknown Devices with DHCP only
    No Access to pfSense Config menu
    No Access to AP Config menu
    No Access to Zone 1 or Zone 3
    Future Captive Portal

    Zone 3 = Work Network (192.168.1.1)
    'Known Devices Only'
    'DHCP Static Mappings'
    Access to Zone 1 Printer
    Future Access to Work VPN

    Here is the equipment I have currently setup

    WatchGuard Firebox x550e (pfSense 2.1.5-RELEASE (i386))
    4 NICs
    -- WAN
    -- LAN
    -- OPT1 - Not Used
    -- OPT2 - Not Used

    DLink 16 port dumb switch

    TP-Link WR940N (DD-WRT v24-sp2 (06/23/14) std - build 24461)
    Doesn't Support VLAN
    Used as AccessPoint


  • Netgate

    You're going to need VLANs to do three SSIDs on different networks with one AP.



  • Thanks for the response.

    I thought VLANS might be the ticket. But was hoping to have only 1 SSID.

    I will give that a try. But will probably be the weekend before I get a chance.

    I've got a few questions (or a lot)

    After thinking about it I might make a few minor changes to the setup by keeping LAN1 dedicated to 1 computer so the Lockout Rules don't accidentally get overwritten, and set up the VLANs on OPT1. Sound reasonable or overly paranoid?

    Will the DLink dumb switch cause any issues with pf/Unmanaged(dlink)/DDWRT, or would it be better to have the AP directly connected to the router (pf/ddwrt)?

    I'm kind of new with the VLANS, so bear with me. So something like

    LAN1 interface (sk1) IPV4 10.10.10.1 (to dedicated PC for anti-lockout)
    OPT1 interface (sk2)
    HOME interface (sk2_vlan10) Tag 10 IPv4 10.0.0.1
    GUEST interface (sk2_vlan11) Tag 11 IPv4 172.16.0.1
    WORK interface (sk2_vlan12) Tag 12 IPv4 192.168.1.1

    What would the proper Firewall rules look like for the VLANS?

    I know this isn't a DDWRT forum, but I'm sure DDWRT/OpenWRT are the preferred firmware on the embedded devices not capable of pfSense, for things like APs. So here is a bit more information.

    I updated the firmware on the AP to DD-WRT v24-sp2 (11/20/14) std - build 25408

    I noticed an option for VLANS, which I created one

    Setup > Networking > VLAN Tagging

    VLAN0 (not changeable; if I create more, second=VLAN1, third=VLAN2, fourth=VLAN3; I'm guessing this number doesn't affect anything)
    Interface: ath0/ath0.1/ath0.2/ath0.3/br0/eth0/eth1
    Tag Number: (guessing that would be 10/11/12, depending on the network selected)
    Prio: 0/1/2/3/4/5/6/7

    I would also create new Virtual Interfaces for the Home (ath0.1) Guest (ath0.2), Work (ath0.3)

    Does this sound correct? What would my PRIO setting be?

    Also If I added a second AP (N-only) I assume I would need to do the same on it but use VLAN 13/14/15?

    Thanks in advance.


  • Netgate

    @nonayabusiness:

    Thanks for the response.

    I thought VLANS might be the ticket. But was hoping to have only 1 SSID.

    You can do it with 1 SSID but you have to use dynamic VLANs in the AP with some way to tell the AP what VLAN to put what user on.  Overkill for most home networks.

    So different VLANS == Different SSIDs.

    I will give that a try. But will probably be the weekend before I get a chance.

    I've got a few questions (or a lot)

    After thinking about it I might make a few minor changes to the setup by keeping LAN1 dedicated to 1 computer so the Lockout Rules don't accidentally get overwritten, and set up the VLANs on OPT1. Sound reasonable or overly paranoid?

    It makes sense to do your VLAN config from another interface while you're getting everything working.  If you want to keep that interface normal, untagged just in case, that might be valuable.  Same thing applies to having an untagged port on the switch's management VLAN while you tag/untag ports, so you don't lose contact with the switch.

    Will the DLink dumb switch cause any issues with pf/Unmanaged(dlink)/DDWRT, or would it be better to have the AP directly connected to the router (pf/ddwrt)?

    You're probably going to want to get a managed switch if you want to start tagging VLANs around.  An unmanaged switch might or might not pass VLAN tags.  But you certainly will not be able to put, say, switchport 2 on VLAN 10 and switchport 3 on VLAN 11.

    Doesn't have to break the bank:

    http://www.amazon.com/D-Link-EasySmart-Gigabit-Ethernet-DGS-1100-08/dp/B008ABLU2I

    I'm kind of new with the VLANS, so bear with me. So something like

    LAN1 interface (sk1) IPV4 10.10.10.1 (to dedicated PC for anti-lockout)
    OPT1 interface (sk2)
    HOME interface (sk2_vlan10) Tag 10 IPv4 10.0.0.1
    GUEST interface (sk2_vlan11) Tag 11 IPv4 172.16.0.1
    WORK interface (sk2_vlan12) Tag 12 IPv4 192.168.1.1

    What would the proper Firewall rules look like for the VLANS?

    Depends on what traffic you want to pass.  VLAN interfaces look just like physical interfaces to the firewall rules in pfSense, so duplicating the default rules on LAN tailored for the interface would be a good place to start.

    I know this isn't a DDWRT forum, but I'm sure DDWRT/OpenWRT are the preferred firmware on the embedded devices not capable of pfSense, for things like APs. So here is a bit more information.

    I updated the firmware on the AP to DD-WRT v24-sp2 (11/20/14) std - build 25408

    I noticed an option for VLANS, which I created one

    Setup > Networking > VLAN Tagging

    VLAN0 (not changeable; if I create more, second=VLAN1, third=VLAN2, fourth=VLAN3; I'm guessing this number doesn't affect anything)
    Interface: ath0/ath0.1/ath0.2/ath0.3/br0/eth0/eth1
    Tag Number: (guessing that would be 10/11/12, depending on the network selected)
    Prio: 0/1/2/3/4/5/6/7

    I would also create new Virtual Interfaces for the Home (ath0.1) Guest (ath0.2), Work (ath0.3)

    Does this sound correct? What would my PRIO setting be?

    I'd just leave prio at whatever the default is.  Get everything working before you worry about QoS/Traffic Shaping.

    Also If I added a second AP (N-only) I assume I would need to do the same on it but use VLAN 13/14/15?

    If you want separate LANs, yes.  But if you put the same SSID with the same password on the same VLAN on two different APs, your clients will "roam" between them based on which is better at the time.  Some clients are better at "letting go" of the connection they have and changing to a better one.  At any rate, you would just put the SSIDs tagged to the same VLANs on the second AP.
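    One way the per-VLAN firewall rules asked about above could look, written as a pf ruleset rather than as GUI entries, is added here as an example and is not from the thread or from Netgate. It assumes the interface names from the plan above (sk2_vlan10/11/12), a /24 behind each gateway address, and a placeholder address 10.0.0.50 for the Zone 1 printer; pfSense generates equivalent rules from what is entered under Firewall > Rules on each VLAN tab.

```pf
# Added example, not the thread's own config. Interface names follow the
# plan in the thread; the printer address is a placeholder.
home  = "sk2_vlan10"
guest = "sk2_vlan11"
work  = "sk2_vlan12"

home_net  = "10.0.0.0/24"
guest_net = "172.16.0.0/24"
work_net  = "192.168.1.0/24"
printer   = "10.0.0.50"          # placeholder: Zone 1 printer static mapping
private   = "{ 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }"

# Default deny; every rule below uses "quick", so the first match wins and
# rule order is the policy.
block log all

# GUEST (Zone 2): DHCP and DNS to the firewall, otherwise nothing to any
# firewall address ((self) includes the WAN address, so the web GUI/SSH are
# not reachable by aiming at it), nothing in any private range (covers
# Zone 1, Zone 3 and the AP's management address), then internet only.
pass in quick on $guest inet proto udp from any port 68 to any port 67
pass in quick on $guest proto { tcp udp } from $guest_net to (self) port 53
block in quick on $guest from $guest_net to (self)
block in quick on $guest from $guest_net to $private
pass in quick on $guest from $guest_net to any

# WORK (Zone 3): only the printer in Zone 1 (raw/IPP ports), nothing else in
# Zone 1 or Zone 2, everything else out to the internet.
pass in quick on $work proto tcp from $work_net to $printer port { 9100 631 }
block in quick on $work from $work_net to { $home_net $guest_net }
pass in quick on $work from $work_net to any

# HOME (Zone 1): the default LAN "allow all" rule, minus the other zones.
block in quick on $home from $home_net to { $guest_net $work_net }
pass in quick on $home from $home_net to any
```

    "Known devices only" via DHCP static mappings only decides who gets a lease; a client with a manually set address is still on the VLAN, so the interface rules above, not the DHCP setting, are what keeps the zones apart.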