Can I set up my WLAN network with this picture?



  • Hello Guys!

    I plan to set up a wireless network using pfSense in our company. I have made a picture. Can someone tell me whether the drawing is correct? Does anyone have a suggestion for improvement?

    Here is the Picture:

    The Green line : Our Company SSID
    The Red line: Guest SSID
    The Blue line: Our Ethernet Network

    Thank you!


  • Banned

    The picture does not work.



  • Sorry. I have attached it now.



  • Strange.
    Having a 3 NIC pfSense that could and should do everything (isolated guest captive portal, DHCP server, DNS server, firewall, etc) we see lately the most incredible VLAN structures ….
    One of the least known secrets about networking is : KEEP IT SIMPLE - NO MATTER WHAT.



  • I have to admit that I don't even clearly understand the purpose, although I have some idea ;)
    Better than implementation drawing, some written explanation about goal and features would help.

    I guess goal is to implement:

    • captive portal for WLAN guest providing isolated access to internet (I mean isolated from LAN and other networks)
    • access to internet for LAN user
    • regarding intern WLAN users, this is not clear to me yet. Dedicated VLAN, then… ?

  • LAYER 8 Netgate

    I don't understand why you are putting Intern WLAN through pfSense at all.  Why not just drop the WLAN onto VLAN 1 to begin with? (all the reasons not to use VLAN 1 in a managed switch environment suppressed)



  • @Derelict:

    I don't understand why you are putting Intern WLAN through pfSense at all.  Why not just drop the WLAN onto VLAN 1 to begin with? (all the reasons not to use VLAN 1 in a managed switch environment suppressed)

    I did not put it directly in VLAN 1 because I want to give access only to listed MAC addresses in our company network. At the moment the internal WLAN is in VLAN 1 but is only secured with a "WPA2 password", and we would secure it with password and MAC. Guest is only secured with captive portal.

    @chris4916:

    I have to admit that I don't even clearly understand the purpose, although I have some idea ;)
    Better than implementation drawing, some written explanation about goal and features would help.

    I guess goal is to implement:

    • captive portal for WLAN guest providing isolated access to internet (I mean isolated from LAN and other networks)
    • access to internet for LAN user
    • regarding intern WLAN users, this is not clear to me yet. Dedicated VLAN, then… ?

    Yes, you are right. My English is not so good; because of this I have made a picture.

    • captive portal for WLAN guest providing isolated access to internet (I mean isolated from LAN and other networks)
    • access to internet for LAN user
      Yes, correct, and the WLAN users from the "Intern WLAN" get their IP from the "DHCP Server" in VLAN 1 because the notebooks are in our domain.

  • Banned

    Way too complicated.

    Ditch the FW in front of pfSense.

    WWW -> pfSense -> VLAN's -> WLAN

    EOS.


  • LAYER 8 Netgate

    @xTobiasx:

    I did not put it directly in VLAN 1 because I want to give access only to listed MAC addresses in our company network. At the moment the internal WLAN is in VLAN 1 but is only secured with a "WPA2 password", and we would secure it with password and MAC. Guest is only secured with captive portal.

    But that is a function of your AP (or, maybe, your switch), not pfSense.  pfSense is needlessly in the way just to take the traffic from VLAN 5 and put it on VLAN 1 on the same switch.  You could just put the traffic out of the AP onto VLAN 1 and be done.

    MAC addresses are so easily-spoofed and they're transmitted in-the-clear regardless of wireless security protocol in use so any security that filtering on them appears to provide is just an illusion and not worth the hassle.  It will do nothing to keep someone who knows the passphrase off your network.



  • Okay, I'll do it that way. I control the internal WLAN with a RADIUS server.



  • LAYER 8 Netgate

    I would not use VLAN 1 (I'd use all untagged ports on, say VLAN 2 through 4094) but that looks much better if replacing the existing firewall with pfSense is not an option and you just want to use captive portal.

