Netgate Discussion Forum

    Adding Separate Wireless AP

    17 Posts 3 Posters 5.3k Views
      roberts

      Thanks for the help folks. Just wondering about the configuration on the side of the D-Link router.

      In the router firmware, I'm given two spots to set IP addresses. One is for the outside internet connection while the other is the management IP. Would I just set the outside connection to DHCP and let it get an IP from pfSense while the management IP would need to be in the range of the 200 VLAN?

        Derelict LAYER 8 Netgate

        If it makes you set something for WAN, set some BS scheme like 10.134.256.5/30.  Don't plug anything into the d-link's WAN port.  Yes, set the LAN's IP scheme to something on VLAN 200 so you can manage it.  It will be up to the D-Link to keep wireless clients from being able to access the management interface, so set a good password on it.

        https://forum.pfsense.org/index.php?topic=81014.msg442131#msg442131

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

          roberts

          Resurrecting an old thread here, but is there any danger of getting locked out of the web GUI by placing the LAN on a VLAN now (as opposed to just on the bge1 interface)?

            Derelict LAYER 8 Netgate

            Of course.

            You'll need to be able to log into your switch and pfSense.

            Change pfSense to tagged (create VLAN XXX then assign pfSense LAN to VLAN XXX on bge1).  This will break connectivity from the LAN to pfSense. Then change the switchport going to pfSense LAN to tagged VLAN XXX.  This will restore connectivity.

            This is why I usually tag to the switch from the start even if there's only one VLAN.

              roberts

              OK. So should I set the port on my switch that connects to pfSense (0/6) to a trunk port before or after I set up the new VLAN (which the old LAN will be on)?

                Derelict LAYER 8 Netgate

                It depends on how you're accessing things.  If you are connecting to the switch through pfSense, change the switch first then pfSense.  If you are connecting to pfSense through the switch, change pfSense then the switch.  You work farthest device first then back to you.

                Have a plan to get on some other way, either console or whatever.

                  roberts

                  I'm connecting to the pfSense router through the switch. The only thing I'm not getting is how I would restore connectivity when I change over the LAN from bge1 to the newly created VLAN and what exactly happens that would break connectivity to the web interface.

                    Derelict LAYER 8 Netgate

                    Because your switchport will be expecting untagged packets for the VLAN on that port and will be receiving tagged packets instead.  Then just change the switchport to tagged so it matches the traffic it's receiving and you'll be back online.

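Added example (not part of the original posts, and not pfSense or switch code): a toy Python model of the change order discussed above, showing why the far device must be retagged first and what state you are left in if the near device is changed first. The function names and the rule that a link only passes traffic when both ends agree on tagging are assumptions made for illustration.

```python
# Added illustration: toy model of the pfSense <-> switch link during a VLAN change.
# Simplification (assumption): a frame crosses the link only when both ends
# agree on tagging; real switches vary in how they treat mismatched frames.

UNTAGGED, TAGGED = "untagged", "tagged"

def link_up(modes):
    """The link passes management traffic only if both ends match."""
    return modes["pfsense"] == modes["switch"]

def reachable(device, path, modes):
    """path lists devices in order from the admin; the first is directly attached."""
    if device == path[0]:
        return True
    return link_up(modes)  # the far device sits behind the tagged/untagged link

def run_plan(path, order):
    """Apply 'change to tagged' on each device in `order`.

    Returns (log, modes): log entries are (device, applied, far_device_reachable_after).
    A change can only be applied in-band if the device is reachable at that moment.
    """
    modes = {"pfsense": UNTAGGED, "switch": UNTAGGED}
    log = []
    for device in order:
        applied = reachable(device, path, modes)
        if applied:
            modes[device] = TAGGED
        log.append((device, applied, reachable(path[-1], path, modes)))
    return log, modes

if __name__ == "__main__":
    path = ["switch", "pfsense"]   # admin -> switch -> pfSense
    for order in (["pfsense", "switch"], ["switch", "pfsense"]):
        log, modes = run_plan(path, order)
        print("order:", order)
        for device, applied, far_ok in log:
            state = "applied" if applied else "BLOCKED (needs console)"
            print(f"  {device}: {state}; far device reachable: {far_ok}")
        print("  final:", modes)
```

With the near device changed first, the run ends with the switch tagged and pfSense still untagged, which is the mismatched state that needs console access to fix.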
                      roberts

                      OK, so I won't necessarily be locked out of the web GUI per se (been reading a lot online about adding a firewall rule to still access the web GUI after adding a new VLAN), just unable to reach the router while on the switch, correct?

                        Derelict LAYER 8 Netgate

                        Yes.  You won't need to change any rules.  You're only changing layer 2.

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.