Newbie question re guest networks



  • Hi all -

    I am contemplating a pfsense installation for my home/small business network.  Before I take the plunge, I am trying to get a sense of how I will set everything up.  I am relatively inexperienced at all this.

    My plan is to have the pfsense router (in case it matters for this question, let's say it is this one:  http://store.pfsense.org/SG2440/).  I would like to create 2 LANs - 1 private and 1 guest.  I have read about using vlan tagging and a managed switch to create 2 vlans.  But I am wondering whether it might be possible to do this without the managed switch, by using separate access point hardware connected directly (via ethernet) to the pfsense device LAN ports.  Like this:

    cable modem ----- pfsense ----- wireless access point #1 (private network 192.168.10.x)
                         |
                         +--------- wireless access point #2 (guest network 192.168.20.x)

    Is this achievable?  Or do I need to use vlans and a managed switch to make this happen?

    I apologize if this question is very elementary - like I said, I am new to all of this.


  • Banned

    Yes of course. In fact a whole lot easier than messing with VLANs.



  • Is there a tutorial that would guide me through the settings necessary to do this?  I want to make sure there is no "crosstalk" between the 2 LANs.



  • And also, is there a way for me to accomplish this using a single access point (I guess with vlans) without having to use a managed switch (i.e. with the access point connected to the pfsense device via ethernet)?


  • Banned

    Well yes if you get an AP that supports per-SSID VLANs properly…



  • My access point is an R7000 router flashed with Tomato - do you happen to know if this would support per-SSID vlans?


  • Banned

    Never used Tomato… nor that router. Sorry :) I know that with DD-WRT VLANs are only supported on some routers.



  • It was a shot in the dark…

    Can you point me to any pfsense tutorials to get this set up?

    And one more question - is the pfsense router I linked to vlan-aware? (i.e. if the R7000 could support vlan tagging, would the pfsense router know what to do with this without using a switch in between)?


  • Banned

    I don't have any tutorial. Simply set up the firewall rules to block what you want to block. There is no problem with VLANs on pfSense. https://www.freebsd.org/cgi/man.cgi?query=vlan



  • I appreciate all of your help.  I am close to satisfying myself that I will be able to make a pfsense device work for me with a minimum of fuss.



  • Bump.

    PFSensory, were you able to get the two WLANs up and running? I have essentially the same setup as you, except I have only one WAP (Netgear R7000 running DD-WRT) broadcasting three different SSIDs: (1) 2.4GHz network, (1) 5GHz network, and a "guest" network that I'm trying to get going. My problem is that I can't find good guidance on what needs to be done in DD-WRT to make it work. Like you, I'm pretty good with computer hardware but rather new to firewalls. In researching this, I've found that there is a lot of conflicting info out there. Some guides say you need to create VLANs, some say that you don't. Some say use the WAN port for the second VLAN and some say explicitly do NOT use the WAN port. Others are written in the generic "it's so easy just do this" style. Very frustrating.

    If it helps, my pfsense box has four NICs (two currently unoccupied) so I have plenty of overhead. I have another AP I can use if that makes things easier. What I'd like to do with my guest setup is have it isolated from the private LAN. Also, I'd like to configure it so that none of the guest clients can talk to each other. Basically nothing on the guest network is allowed except port 80 and 443 traffic.

    Can anyone recommend a good "dummy proof" guide for accomplishing this?

    Sorry for the long post, but this has been absolutely driving me up a wall….
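
The guest policy asked for in this thread (no access to the private LAN, web traffic only), sketched as rules for pf, the packet filter pfSense is built on. This is an added example, not part of any post above and not pfSense-generated output; the interface name `igb2` and the use of the firewall as the guests' DNS and DHCP server are assumptions, while the two subnets are the ones from the first post.

```pf
# Added example. Assumed values are marked; adjust to the actual box.
guest_if  = "igb2"              # assumption: NIC the guest AP is plugged into
lan_net   = "192.168.10.0/24"   # private network from the first post
guest_net = "192.168.20.0/24"   # guest network from the first post

# Default for the guest side: drop and log anything not passed below.
block in log on $guest_if all

# Address assignment (assumes the firewall is the guests' DHCP server).
pass in quick on $guest_if proto udp from any port 68 to any port 67

# Name resolution (assumes the firewall answers DNS on the guest interface).
pass in quick on $guest_if proto { tcp, udp } from $guest_net to ($guest_if) port 53

# Guests may not reach the firewall itself (web GUI, SSH) or the private LAN.
# These must sit above the web rule: "to any port 443" would otherwise also
# match the firewall's own GUI and any HTTPS service on the private LAN.
block in quick on $guest_if from any to self
block in quick on $guest_if from any to $lan_net

# Everything that is left: outbound HTTP and HTTPS only.
pass in quick on $guest_if proto tcp from $guest_net to any port { 80, 443 }
```

Traffic between two guest clients on the same access point is switched inside the AP and never reaches the firewall, so that part of the policy has to be enforced with the AP's own client isolation setting rather than with firewall rules.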