  • Hello,

    My current situation:

    Private Interface (can access all) -
    Guest Interface (can't access the private net) -
    Wan Interface (dhcp)

    Currently there is a switch for the Private net and another for the Guest interface.
    Now I need to send the Private and the Guest net to the access point, because one of the WiFi access points needs to send out both networks.

    So my goal is to send the Guest net through VLAN 1 (default) and the Private net through VLAN 101 on Port A.
    On Port B I need to send only the Private net (the same net as on VLAN 101 above).

    But how can I configure that?
    I found out:

    • Adding the same interface on multiple ports as a VLAN doesn't seem to work.
    • I can create a VLAN, create a new interface (net) and configure the firewall so that I can access the private net. But then I'm on a different subnet, and I'd like to be really IN the network, not only create a second one that routes into the private net.

    Can someone help me?

  • Where is pfSense in all of this?  Does all of your equipment support VLANs?

  • @tim.mcmanus:

    I've only the ALIX as router & firewall.
    On the ALIX, port 1 is the WAN, which is connected to the WAN router; LAN is connected to port 2 and used as the internal network; GUEST is connected to port 3.

    No - currently the switches do not support VLANs, and neither do the other WLAN access points.
    But the new one does.

    So I thought to work with this workaround.

    The best, I think, would be to buy managed switches that do the VLAN tagging. These switches would then send out the items with / without VLAN ID.
    But for now I'd like to create this trunk with VLAN ID 1 and VLAN 100 as described above.


  • If the WiFi access point has 2 physical Ethernet connectors and can do 2 separate SSIDs that go to the separate Ethernet connectors, then all would be easy - connecting to both switches to be in both LANs but with traffic segregated by SSID.
    But I guess the WiFi AP does tagged VLANs. In that case you have to have some device that can have multiple physical ports and do tagged VLANs on some port/s and untagged on others - a VLAN (smart) switch. Just 1 smart switch would be enough. If you do not need many ports on each of your LANs then you might be able to even get rid of your existing LAN switches.
    On the smart switch define 2 VLANs (say 10 and 20). Tag them on the port going to the WiFi device. Make other untagged ports, some in VLAN 10, some in VLAN 20, to connect LAN and Guest devices. 1 untagged port in each VLAN will go to pfSense LAN and OPT1. Or you can do VLANs on pfSense also and make a tagged trunk port with VLAN 10 and 20 going up to pfSense.

    Even easier - buy a second WiFi device and dedicate 1 to each subnet :)
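
The smart-switch layout from the last reply, modelled as an added example that is not part of the thread: it applies 802.1Q ingress and egress rules to a port plan and checks that LAN and Guest access ports never share a broadcast domain. The port names are hypothetical; VLAN IDs 10 and 20 follow the reply's "say 10 and 20".

```python
# Added example (not from the thread): model of the smart-switch port plan.
# Port names are assumptions; VLAN 10 = LAN, VLAN 20 = Guest as in the reply.
LAN, GUEST = 10, 20

# port -> access (untagged) VLAN, plus the set of VLANs accepted/sent tagged
PORTS = {
    "ap_trunk":     {"untagged": None,  "tagged": {LAN, GUEST}},  # to the WiFi AP
    "pfsense_lan":  {"untagged": LAN,   "tagged": set()},
    "pfsense_opt1": {"untagged": GUEST, "tagged": set()},
    "lan_pc":       {"untagged": LAN,   "tagged": set()},
    "guest_pc":     {"untagged": GUEST, "tagged": set()},
}

def classify(port, tag):
    """Ingress rule: VLAN the frame is placed in, or None if it is dropped."""
    cfg = PORTS[port]
    if tag is None:
        return cfg["untagged"]  # untagged frame takes the port's access VLAN
    # A tagged frame is accepted only on a port that carries that VLAN tagged,
    # so a guest device cannot tag itself into VLAN 10 from an access port.
    return tag if tag in cfg["tagged"] else None

def flood(in_port, tag=None):
    """Egress rule: {out_port: tag_on_wire} for a broadcast entering in_port."""
    vid = classify(in_port, tag)
    out = {}
    if vid is None:
        return out
    for name, cfg in PORTS.items():
        if name == in_port:
            continue
        if cfg["untagged"] == vid:
            out[name] = None      # leaves untagged on access ports
        elif vid in cfg["tagged"]:
            out[name] = vid       # leaves tagged on the trunk to the AP
    return out

def isolation_violations():
    """Access-port pairs in different VLANs that still reach each other at L2."""
    bad = []
    for src, cfg in PORTS.items():
        if cfg["untagged"] is None:
            continue
        for dst in flood(src):
            peer = PORTS[dst]["untagged"]
            if peer is not None and peer != cfg["untagged"]:
                bad.append((src, dst))
    return bad

if __name__ == "__main__":
    print(flood("guest_pc"), flood("ap_trunk", GUEST), isolation_violations())
```

In this model the only path between the two VLANs is through pfSense, where the firewall rules decide what the Guest net may reach.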

