    Adding Separate Wireless AP

    • R
      roberts last edited by

      First, let me explain my set up. I have a pfsense box set up with two interfaces, a single WAN and LAN. The WAN is configured for my ISP and the LAN (192.168.33.x) runs to an unmanaged switch. Using this set up I'm able to access the outside fine.

      So now I'm looking to add a wireless access point using a D-Link wireless router (plugged into the unmanaged switch) that would be on its own network isolated from 192.168.33.x. How would I go about getting started with this?

      Thanks in advance!

      • Derelict
        Derelict LAYER 8 Netgate last edited by

        You need another interface or VLANs.  The attached shows how to do two SSIDs but if you just did VLAN 200 it could be untagged to the AP.


        Chattanooga, Tennessee, USA
        The pfSense Book is free of charge!
        DO NOT set a source port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        • R
          roberts last edited by

          You mention tagged VLANs in the diagram. Is this possible in an unmanaged switch?

          • Derelict
            Derelict LAYER 8 Netgate last edited by

            No.

            • R
              roberts last edited by

              Didn't think so.

              So what configuration would be needed on the pfSense side?

              • Derelict
                Derelict LAYER 8 Netgate last edited by

                If your LAN is currently on eth0:

                In Interfaces > (assign), VLANs tab create VLANs 100 and 200 on eth0.

                In Interfaces > (assign) change LAN to network port VLAN 100 on eth0.  All of your interface config, LAN rules, etc will follow - they will now just be expecting to be tagged VLAN 100 on the interface.

                Plug eth0 into a switchport with tagged VLAN 100 configured.

                Now your LAN is going to the switch on tagged VLAN 100 and all switch ports untagged on VLAN 100 should work just like they did before on the unmanaged switch.

                Then create a new interface assigned to VLAN 200 on eth0.  Enable it.  Configure it how you like with interface address/subnet, DHCP, Firewall rules, NAT, etc.

                Be sure VLAN 200 is tagged on the switchport going to pfSense eth0.

                Create an untagged switchport on VLAN 200.

                You'll need to set an IP address on the VLAN 200 network in the AP so you can get at it to create the SSID, etc and otherwise manage it.

                Disable the DHCP server in your AP/Router, plug its LAN into the VLAN 200 switchport.

                That should just about do it.

                • jahonix
                  jahonix last edited by

                  You could use an additional NIC in your pfSense hardware as well - if it is expandable. Don't use USB NICs!
                  Create a second segment, apply rules as needed and probably enable DHCP. Connect it to a second switch or directly to the AP.

                  • R
                    roberts last edited by

                    Thanks for the help folks. Just wondering about the configuration on the side of the D-Link router.

                    In the router firmware, I'm given two spots to set IP addresses. One is for the outside internet connection while the other is the management IP. Would I just set the outside connection to DHCP and let it get an IP from pfsense while the management IP would need to be in the range of the 200 VLAN?

                    • Derelict
                      Derelict LAYER 8 Netgate last edited by

                      If it makes you set something for WAN, set some BS scheme like 10.134.256.5/30.  Don't plug anything into the d-link's WAN port.  Yes, set the LAN's IP scheme to something on VLAN 200 so you can manage it.  It will be up to the D-Link to keep wireless clients from being able to access the management interface, so set a good password on it.

                      https://forum.pfsense.org/index.php?topic=81014.msg442131#msg442131

                      • R
                        roberts last edited by

                        Resurrecting an old thread here, but is there any danger to getting locked out of the web gui by placing the LAN on a VLAN now (as opposed to just on the bge1 interface)?

                        • Derelict
                          Derelict LAYER 8 Netgate last edited by

                          Of course.

                          You'll need to be able to log into your switch and pfSense.

                          Change pfSense to tagged (create VLAN XXX then assign pfSense LAN to VLAN XXX on bge1).  This will break connectivity from the LAN to pfSense. Then change the switchport going to pfSense LAN to tagged VLAN XXX.  This will restore connectivity.

                          This is why I usually tag to the switch from the start even if there's only one VLAN.

                          • R
                            roberts last edited by

                            OK. So should I set the port on my switch that connects to pfSense (0/6) to a trunk port before or after I set up the new VLAN (which the old LAN will be on)?

                            • Derelict
                              Derelict LAYER 8 Netgate last edited by

                              It depends on how you're accessing things.  If you are connecting to the switch through pfSense, change the switch first then pfSense.  If you are connecting to pfSense through the switch, change pfSense then the switch.  You work farthest device first then back to you.

                              Have a plan to get on some other way either console or whatever.

                              • R
                                roberts last edited by

                                I'm connecting to the pfSense router through the switch. The only thing I'm not getting is how I would restore connectivity when I change over the LAN from bge1 to the newly created VLAN and what exactly happens that would break connectivity to the web interface.

                                • Derelict
                                  Derelict LAYER 8 Netgate last edited by

                                  Because your switchport will be expecting untagged packets for the VLAN on that port and will be receiving tagged packets instead.  Then just change the switchport to tagged so it matches the traffic it's receiving and you'll be back online.

                                  • R
                                    roberts last edited by

                                    OK, so I won't necessarily be locked out of the web gui per se (been reading a lot online about adding a firewall rule to still access web gui after adding new vlan), just unable to reach the router while on the switch, correct?

                                    • Derelict
                                      Derelict LAYER 8 Netgate last edited by

                                      Yes.  You won't need to change any rules.  You're only changing layer 2.

                                      1 Reply Last reply Reply Quote 0
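
The lockout and recovery discussed in the last several posts, as an added example that is not part of the original thread: a small Python model of 802.1Q tagging on the switchport facing pfSense, showing why moving LAN onto a VLAN breaks the web GUI until the port is tagged to match. VLANs 100 and 200 come from the thread; the `SwitchPort` class, the MAC addresses, the payloads and the strict drop of unknown tags on ingress are assumptions of the model.

```python
import struct

TPID = 0x8100  # 802.1Q tag protocol identifier

def build_frame(payload, vid=None):
    """Ethernet frame (constructed MACs); a 4-byte 802.1Q tag is inserted when vid is set."""
    dst, src = bytes.fromhex("02000000000a"), bytes.fromhex("02000000000b")
    tag = struct.pack("!HH", TPID, vid & 0x0FFF) if vid is not None else b""
    return dst + src + tag + struct.pack("!H", 0x0800) + payload

def frame_vid(frame):
    """VLAN ID carried in the frame, or None when it is untagged."""
    ethertype, tci = struct.unpack("!HH", frame[12:16])
    return tci & 0x0FFF if ethertype == TPID else None

class SwitchPort:  # hypothetical model of the switchport facing pfSense
    def __init__(self, untagged=None, tagged=()):
        self.untagged, self.tagged = untagged, set(tagged)

    def ingress(self, frame):
        """VLAN the frame is classified into, or None if dropped."""
        vid = frame_vid(frame)
        if vid is None:
            return self.untagged
        return vid if vid in self.tagged else None  # assumption: strict ingress filtering

    def egress(self, vlan, payload):
        if vlan == self.untagged:
            return build_frame(payload)  # member VLAN leaves the port without a tag
        return build_frame(payload, vlan) if vlan in self.tagged else None

def gui_reachable(port, lan_vid, client_vlan=100):
    """Round trip from a client in client_vlan to pfSense LAN (lan_vid=None: LAN on the NIC)."""
    request = port.egress(client_vlan, b"GET /")
    if request is None or frame_vid(request) != lan_vid:
        return False  # the pfSense LAN interface never sees the request
    reply = build_frame(b"200 OK", lan_vid)
    return port.ingress(reply) == client_vlan

def migration_states():
    """The three states passed through when pfSense is reached via the switch."""
    return {
        "before: LAN on NIC, port untagged 100": gui_reachable(SwitchPort(untagged=100), None),
        "pfSense changed, port still untagged": gui_reachable(SwitchPort(untagged=100), 100),
        "port now tagged 100 and 200": gui_reachable(SwitchPort(tagged={100, 200}), 100),
    }

if __name__ == "__main__":
    print(migration_states())
```

Only the middle state is unreachable, and no firewall rule is involved in any of the three: the break and the fix are both at layer 2.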