• Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login
Netgate Discussion Forum
  • Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login

Adding Separate Wireless AP

Scheduled Pinned Locked Moved Wireless
17 Posts 3 Posters 5.3k Views
Loading More Posts
  • Oldest to Newest
  • Newest to Oldest
  • Most Votes
Reply
  • Reply as topic
Log in to reply
This topic has been deleted. Only users with topic management privileges can see it.
  • R
    roberts
    last edited by Feb 17, 2015, 7:24 PM

    First, let me explain my set up. I have a pfsense box set up with two interfaces, a single WAN and LAN. The WAN is configured for my ISP and the LAN (192.168.33.x) runs to an unmanaged switch. Using this set up I'm able to access the outside fine.

    So now I'm looking to add a wireless access point using a D-Link wireless router (plugged into the unmanaged switch) that would be on it's own network isolated from 192.168.33.x. How would I go about getting started with this?

    Thanks in advanced!

    1 Reply Last reply Reply Quote 0
    • D
      Derelict LAYER 8 Netgate
      last edited by Feb 17, 2015, 7:40 PM

      You need another interface or VLANs.  The attached shows how to do two SSIDs but if you just did VLAN 200 it could be untagged to the AP.

      Wi-Fi-VLANs.png
      Wi-Fi-VLANs.png_thumb

      Chattanooga, Tennessee, USA
      A comprehensive network diagram is worth 10,000 words and 15 conference calls.
      DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
      Do Not Chat For Help! NO_WAN_EGRESS(TM)

      1 Reply Last reply Reply Quote 0
      • R
        roberts
        last edited by Feb 17, 2015, 7:46 PM

        You mention tagged VLANs in the diagram. Is this possible in an unmanaged switch?

        1 Reply Last reply Reply Quote 0
        • D
          Derelict LAYER 8 Netgate
          last edited by Feb 17, 2015, 8:32 PM

          No.

          Chattanooga, Tennessee, USA
          A comprehensive network diagram is worth 10,000 words and 15 conference calls.
          DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
          Do Not Chat For Help! NO_WAN_EGRESS(TM)

          1 Reply Last reply Reply Quote 0
          • R
            roberts
            last edited by Feb 17, 2015, 8:35 PM

            Didn't think so.

            So what configuration would be needed on the pfSense side?

            1 Reply Last reply Reply Quote 0
            • D
              Derelict LAYER 8 Netgate
              last edited by Feb 17, 2015, 8:52 PM Feb 17, 2015, 8:48 PM

              If your LAN is currently on eth0:

              In Interfaces > (assign), VLANs tab create VLANs 100 and 200 on eth0.

              In Interfaces > (assign) change LAN to network port VLAN 100 on eth0.  All of your interface config, LAN rules, etc will follow - they will now just be expecting to be tagged VLAN 100 on the interface.

              Plug eth0 into a switchport with tagged VLAN 100 configured.

              Now your LAN is going to the switch on tagged VLAN 100 and all switch ports untagged on VLAN 100 should work just like they did before on the unmanaged switch.

              Then create a new interface assigned to VLAN 200 on eth0.  Enable it.  Configure it how you like with interface address/subnet, DHCP, Firewall rules, NAT, etc.

              Be sure VLAN 200 is tagged on the switchport going to pfSense eth0.

              Create an untagged switchport on VLAN 200.

              You'll need to set an IP address on the VLAN 200 network in the AP so you can get at it to create the SSID, etc and otherwise manage it.

              Disable the DHCP server in your AP/Router, plug it's LAN into the VLAN 200 switchport.

              That should just about do it.

              Chattanooga, Tennessee, USA
              A comprehensive network diagram is worth 10,000 words and 15 conference calls.
              DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
              Do Not Chat For Help! NO_WAN_EGRESS(TM)

              1 Reply Last reply Reply Quote 0
              • J
                jahonix
                last edited by Feb 17, 2015, 9:29 PM

                You could use an additional NIC in your pfSense hardware as well - if it is expandable. Don't use USB NICs!
                Create a second segment, apply rules as needed and probably enable DHCP. Connect it to a second switch or directly to the AP.

                1 Reply Last reply Reply Quote 0
                • R
                  roberts
                  last edited by Feb 18, 2015, 12:52 PM

                  Thanks for the help folks. Just wondering about the configuration on the side of the D-Link router.

                  In the router firmware, I'm given two spots to set IP addresses. One is for the outside internet connection while the other is the management IP. Would I just set the outside connection to DHCP and let it get an IP from pfsense while the management IP would need to be in the range of the 200 VLAN?

                  1 Reply Last reply Reply Quote 0
                  • D
                    Derelict LAYER 8 Netgate
                    last edited by Feb 18, 2015, 5:06 PM

                    If it makes you set something for WAN, set some BS scheme like 10.134.256.5/30.  Don't plug anything into the d-link's WAN port.  Yes, set the LAN's IP scheme to something on VLAN 200 so you can manage it.  It will be up to the D-Link to keep wireless clients from being able to access the management interface, so set a good password on it.

                    https://forum.pfsense.org/index.php?topic=81014.msg442131#msg442131

                    Chattanooga, Tennessee, USA
                    A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                    DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                    Do Not Chat For Help! NO_WAN_EGRESS(TM)

                    1 Reply Last reply Reply Quote 0
                    • R
                      roberts
                      last edited by Apr 15, 2015, 5:34 PM

                      Resurrecting an old thread here, but is there any danger to getting locked out of the web gui by placing the LAN on a VLAN now (as oppose to just on the bge1 interface)?

                      1 Reply Last reply Reply Quote 0
                      • D
                        Derelict LAYER 8 Netgate
                        last edited by Apr 15, 2015, 5:44 PM

                        Of course.

                        You'll need to be able to log into your switch and pfSense.

                        Change pfSense to tagged (create VLAN XXX then assign pfSense LAN to VLAN XXX on bge1).  This will break connectivity from the LAN to pfSense. Then change the switchport going to pfSense LAN to tagged VLAN XXX.  This will restore connectivity.

                        This is why I usually tag to the switch from the start even if there's only one VLAN.

                        Chattanooga, Tennessee, USA
                        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                        Do Not Chat For Help! NO_WAN_EGRESS(TM)

                        1 Reply Last reply Reply Quote 0
                        • R
                          roberts
                          last edited by Apr 15, 2015, 5:53 PM

                          OK. So should I set the port on my switch that connects to pfSense (0/6) to a trunk port before or after I set up the new VLAN (which the old LAN will be on)?

                          1 Reply Last reply Reply Quote 0
                          • D
                            Derelict LAYER 8 Netgate
                            last edited by Apr 15, 2015, 10:02 PM

                            It depends on how you're accessing things.  If you are connecting to the switch through pfSense, change the switch first then pfSense.  If you are connecting to pfSense through the switch, change pfSense then the switch.  You work farthest device first then back to you.

                            Have a plan to get on some other way either console or whatever.

                            Chattanooga, Tennessee, USA
                            A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                            DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                            Do Not Chat For Help! NO_WAN_EGRESS(TM)

                            1 Reply Last reply Reply Quote 0
                            • R
                              roberts
                              last edited by Apr 16, 2015, 12:05 PM

                              I'm connecting to the pfSense router through the switch. The only thing I'm not getting is how I would restore connectivity when I change over the LAN from bge1 to the newly created VLAN and what exactly happens that would break connectivity to the web interface.

                              1 Reply Last reply Reply Quote 0
                              • D
                                Derelict LAYER 8 Netgate
                                last edited by Apr 16, 2015, 4:01 PM

                                Because your switchport will be expecting untagged packets for the VLAN on that port and will be receiving tagged packets instead.  Then just change the switchport to tagged to it matches the traffic it's receiving and you'll be back online.

                                Chattanooga, Tennessee, USA
                                A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                                DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                                Do Not Chat For Help! NO_WAN_EGRESS(TM)

                                1 Reply Last reply Reply Quote 0
                                • R
                                  roberts
                                  last edited by Apr 16, 2015, 6:33 PM

                                  OK, so I won't necessarily be locked out of the web gui per say (been reading a lot online about adding firewall rule to still access web gui after adding new vlan), just unable to reach the router while on the switch, correct?

                                  1 Reply Last reply Reply Quote 0
                                  • D
                                    Derelict LAYER 8 Netgate
                                    last edited by Apr 16, 2015, 7:12 PM

                                    Yes.  You won't need to change any rules.  You're only changing layer 2.

                                    Chattanooga, Tennessee, USA
                                    A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                                    DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                                    Do Not Chat For Help! NO_WAN_EGRESS(TM)

                                    1 Reply Last reply Reply Quote 0
                                    • First post
                                      Last post
                                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.
                                      [[user:consent.lead]]
                                      [[user:consent.not_received]]