Adding Separate Wireless AP

roberts · Feb 17, 2015, 7:24 PM

First, let me explain my set up. I have a pfsense box set up with two interfaces, a single WAN and LAN. The WAN is configured for my ISP and the LAN (192.168.33.x) runs to an unmanaged switch. Using this set up I'm able to access the outside fine.

So now I'm looking to add a wireless access point using a D-Link wireless router (plugged into the unmanaged switch) that would be on it's own network isolated from 192.168.33.x. How would I go about getting started with this?

Thanks in advanced!

Derelict · Feb 17, 2015, 7:40 PM

You need another interface or VLANs. The attached shows how to do two SSIDs but if you just did VLAN 200 it could be untagged to the AP.

roberts · Feb 17, 2015, 7:46 PM

You mention tagged VLANs in the diagram. Is this possible in an unmanaged switch?

Derelict · Feb 17, 2015, 8:32 PM

No.

roberts · Feb 17, 2015, 8:35 PM

Didn't think so.

So what configuration would be needed on the pfSense side?

Derelict · Feb 17, 2015, 8:52 PM

If your LAN is currently on eth0:

In Interfaces > (assign), VLANs tab create VLANs 100 and 200 on eth0.

In Interfaces > (assign) change LAN to network port VLAN 100 on eth0. All of your interface config, LAN rules, etc will follow - they will now just be expecting to be tagged VLAN 100 on the interface.

Plug eth0 into a switchport with tagged VLAN 100 configured.

Now your LAN is going to the switch on tagged VLAN 100 and all switch ports untagged on VLAN 100 should work just like they did before on the unmanaged switch.

Then create a new interface assigned to VLAN 200 on eth0. Enable it. Configure it how you like with interface address/subnet, DHCP, Firewall rules, NAT, etc.

Be sure VLAN 200 is tagged on the switchport going to pfSense eth0.

Create an untagged switchport on VLAN 200.

You'll need to set an IP address on the VLAN 200 network in the AP so you can get at it to create the SSID, etc and otherwise manage it.

Disable the DHCP server in your AP/Router, plug it's LAN into the VLAN 200 switchport.

That should just about do it.

jahonix · Feb 17, 2015, 9:29 PM

You could use an additional NIC in your pfSense hardware as well - if it is expandable. Don't use USB NICs!
Create a second segment, apply rules as needed and probably enable DHCP. Connect it to a second switch or directly to the AP.

roberts · Feb 18, 2015, 12:52 PM

Thanks for the help folks. Just wondering about the configuration on the side of the D-Link router.

In the router firmware, I'm given two spots to set IP addresses. One is for the outside internet connection while the other is the management IP. Would I just set the outside connection to DHCP and let it get an IP from pfsense while the management IP would need to be in the range of the 200 VLAN?

Derelict · Feb 18, 2015, 5:06 PM

If it makes you set something for WAN, set some BS scheme like 10.134.256.5/30. Don't plug anything into the d-link's WAN port. Yes, set the LAN's IP scheme to something on VLAN 200 so you can manage it. It will be up to the D-Link to keep wireless clients from being able to access the management interface, so set a good password on it.

https://forum.pfsense.org/index.php?topic=81014.msg442131#msg442131

roberts · Apr 15, 2015, 5:34 PM

Resurrecting an old thread here, but is there any danger to getting locked out of the web gui by placing the LAN on a VLAN now (as oppose to just on the bge1 interface)?

Derelict · Apr 15, 2015, 5:44 PM

Of course.

You'll need to be able to log into your switch and pfSense.

Change pfSense to tagged (create VLAN XXX then assign pfSense LAN to VLAN XXX on bge1). This will break connectivity from the LAN to pfSense. Then change the switchport going to pfSense LAN to tagged VLAN XXX. This will restore connectivity.

This is why I usually tag to the switch from the start even if there's only one VLAN.

roberts · Apr 15, 2015, 5:53 PM

OK. So should I set the port on my switch that connects to pfSense (0/6) to a trunk port before or after I set up the new VLAN (which the old LAN will be on)?

Derelict · Apr 15, 2015, 10:02 PM

It depends on how you're accessing things. If you are connecting to the switch through pfSense, change the switch first then pfSense. If you are connecting to pfSense through the switch, change pfSense then the switch. You work farthest device first then back to you.

Have a plan to get on some other way either console or whatever.

roberts · Apr 16, 2015, 12:05 PM

I'm connecting to the pfSense router through the switch. The only thing I'm not getting is how I would restore connectivity when I change over the LAN from bge1 to the newly created VLAN and what exactly happens that would break connectivity to the web interface.

Derelict · Apr 16, 2015, 4:01 PM

Because your switchport will be expecting untagged packets for the VLAN on that port and will be receiving tagged packets instead. Then just change the switchport to tagged to it matches the traffic it's receiving and you'll be back online.

roberts · Apr 16, 2015, 6:33 PM

OK, so I won't necessarily be locked out of the web gui per say (been reading a lot online about adding firewall rule to still access web gui after adding new vlan), just unable to reach the router while on the switch, correct?

Derelict · Apr 16, 2015, 7:12 PM

Yes. You won't need to change any rules. You're only changing layer 2.