Can this be done?



  • I'm redesigning my home network and building a pfSense box. I would like to know if the thing I have in mind can be done…

    The pfSense box has 2 network ports, so 1 for WAN and 1 for LAN.
    The pfSense box is located on the first floor.
    The LAN interface will be connected to an unmanaged switch on the 1st floor.
    The switch on the first floor is connected to 2 computers and to the unmanaged switch on the second floor.
    The switch on the second floor is connected to 2 computers as well. Also a wireless router, set as AP (access point), is connected to this switch.

    I would like to run a captive portal on pfSense.
    Can this be done with this kind of setup?
    Also, is it possible to give it its own VLAN?

    Eventually I would like the network to be set up like this:
    CABLE --> 192.168.1.x
    WIFI (private) --> 192.168.1.x
    WIFI (guest) --> 192.168.2.x (cannot access sources on 192.168.1.x)
    WIFI (captive portal) --> 192.168.3.x (cannot access sources on 192.168.1.x)



  • I have a few questions before I can give you some answers:

    • Do you want floor 1 and floor 2 to be in different VLANs?
    • Do you have switches with Layer 3?


  • Floor 1 and floor 2 need to be in the same VLAN.

    Switch on floor 1 = TP-Link TL-SG1005D (old version)
    Switch on floor 2 = TP-Link TL-SG108



  • There is a small issue with what you want.

    Although pfSense is capable of VLAN trunking on the LAN interface, your switches can't if they are not Layer 3. In order for your topology to work you would need switches that can have ports configured with a trunking protocol, so that your traffic is routed towards the specific VLAN you want, and that can have VLANs configured. I am guessing your switches do not have such options.



  • I guess your reply makes sense! Unfortunately…
    The switches I have are both unmanaged/dumb switches and you cannot setup anything on them.

    Would it then be possible to just have the WiFi guest network with a captive portal and block access to the internal network?
    Or is that done by VLANs as well?

    Or could I flash DD-WRT onto my WiFi AP/router and use VLANs?


  • Netgate

    They don't need to be Layer 3 switches. They need to be managed, supporting 802.1Q VLANs.

    You cannot block devices from communicating with other devices on the same subnet/segment. Such traffic never goes through the router so it can't be firewalled.

    I don't understand the problem. Switches are not expensive.



  • The pfSense box has 2 network ports, so 1 for WAN and 1 for LAN.

    Would you tell us more about this pfSense box?

    I would like to run a captive portal on pfSense.

    This should be no problem, because pfSense is capable of offering a good Captive Portal.

    Can this be done with this kind of setup?

    Perhaps, if you are lucky and your dumb unmanaged switches pass the VLAN tags
    through, it might work. But sooner or later you will run into more or less
    trouble if something in the network changes or something new is added on top.

    Also, is it possible to give it its own VLAN?

    This could be done, but not directly on the switches because they are dumb and unmanaged.
    If you are lucky they may pass the VLAN tags through, and then you would be able
    to set up a VLAN between the WiFi AP and the pfSense, but this is, in my humble opinion, standing
    on really wobbly or wonky ground! Not as stable as under normal conditions. If these are very cheap ones
    and they do not pass the VLAN tags through, you can't do it because it will not work.

    your switches can't if they are not Layer 3.

    Supporting and routing are absolutely two different things!

    • For routing the VLANs themselves you will need a Layer 3 switch
    • For supporting VLANs while the pfSense routes the VLANs you will only need a Layer 2 switch

    Would it then be possible to just have the WiFi guest network with a captive portal and
    block access to the internal network?

    Please read the explanations above about your switches.

    Or is that done by VLANs as well?

    You would have to set up the following things, as I see it:

    • VLAN1 as the administrative VLAN for the admin, with all devices inside.
    • VLAN10 for the 1st floor
    • VLAN20 for the 2nd floor
    • VLAN30 for WLAN SSID - private (internal network & Internet)
    • VLAN40 for WLAN SSID - guest (Internet only)

    Buy a small variant of the Cisco SG series like the SG300-10 (Layer 3)
    for the 1st floor and a Cisco SG200-10 (Layer 2) for the 2nd floor.

    Or could I flash DD-WRT onto my WiFi AP/router and use VLANs?

    It would also be a really good choice to flash this WLAN router with OpenWRT or
    DD-WRT, with an eye to the VLAN and the other given features, options and functions.

    Your old switches can be sold, or set them aside until you need some more LAN ports.
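    An added example, not part of the thread, that illustrates the two points made above: an 802.1Q tag is just four bytes inserted after the source MAC (which a dumb switch may or may not pass through), and only traffic that leaves its own subnet ever reaches pfSense, so only that traffic can be filtered. The subnets are the original poster's target design; the VLAN IDs attached to them and the sample frame bytes are constructed for this example.

    ```python
    import ipaddress
    import struct

    TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q tagged frame

    # Subnets from the poster's target design. The VLAN IDs are an assumption
    # for this example; the thread only suggests VLAN numbers, not subnets.
    SEGMENTS = {
        1:  ipaddress.ip_network("192.168.1.0/24"),   # cable + private Wi-Fi
        40: ipaddress.ip_network("192.168.2.0/24"),   # guest Wi-Fi
        50: ipaddress.ip_network("192.168.3.0/24"),   # captive portal Wi-Fi
    }

    def parse_frame(frame: bytes):
        """Return (vlan_id, ethertype, payload); vlan_id is None if untagged."""
        ethertype = struct.unpack("!H", frame[12:14])[0]
        if ethertype == TPID_8021Q:
            tci, inner_type = struct.unpack("!HH", frame[14:18])
            vid = tci & 0x0FFF  # the low 12 bits of the TCI carry the VLAN ID
            return vid, inner_type, frame[18:]
        return None, ethertype, frame[14:]

    def tag_frame(frame: bytes, vid: int, pcp: int = 0) -> bytes:
        """Insert an 802.1Q tag (TPID + TCI) after the source MAC of a frame."""
        tci = (pcp << 13) | (vid & 0x0FFF)
        return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]

    def segment_for(ip: str):
        """VLAN ID of the segment an address belongs to, or None."""
        addr = ipaddress.ip_address(ip)
        return next((vid for vid, net in SEGMENTS.items() if addr in net), None)

    def firewall_can_filter(src_ip: str, dst_ip: str) -> bool:
        """True only if the two hosts sit in different segments.
        Hosts in the same subnet/VLAN talk switch-to-switch and never reach
        the router, so no pfSense rule can block them."""
        src, dst = segment_for(src_ip), segment_for(dst_ip)
        return src is None or dst is None or src != dst

    # Constructed sample: an untagged frame (dst MAC, src MAC, IPv4 EtherType)
    # followed by a stub 20-byte payload.
    UNTAGGED = bytes.fromhex("001122334455" "66778899aabb" "0800") + b"\x45" + b"\x00" * 19

    if __name__ == "__main__":
        tagged = tag_frame(UNTAGGED, 40)
        print("tagged VID:", parse_frame(tagged)[0], "len:", len(tagged))
        print("guest -> LAN filterable:", firewall_can_filter("192.168.2.10", "192.168.1.5"))
        print("LAN -> LAN filterable:", firewall_can_filter("192.168.1.10", "192.168.1.5"))
    ```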



  • Thanks for the answers guys! Appreciated.

    I will use a Zotac ZBOX ID91 as a dedicated pfSense box.
    It has an i3 4130T processor, 8GB DDR3 RAM and a 120GB SSD.

    The WiFi router I have now is a Linksys/Cisco EA2700 (but it will maybe be replaced by a new/better one).
    As far as I can see there is a DD-WRT version for it. OpenWRT is not supported, I guess.

    Also will have a look at the managed switches.


  • Netgate

    This is generally what you need to do.




  • Would it be possible with this network setup? (assuming DD-WRT does the VLANs)


  • Netgate

    If you have no concern or care in the world about reliability, do that. Otherwise get some switches and do it right.



  • Do you mean DD-WRT is not stable/reliable? Or the Linksys EA2700?

    It is still a home setup. Replacing my switches with managed switches will cost around 200 euro at least?
    I'm planning on buying a new wifi router/ap as well…


  • Netgate

    I'm just saying making your AP a single point of failure for your whole network is stupid. Again, if you don't care, go for it.


  • Banned

    Also note, the VLAN support in DD-WRT is model-specific.



  • Do you mean DD-WRT is not stable/reliable? Or the Linksys EA2700?

    For sure DD-WRT and OpenWRT will both be stable and reliable, and routers from other vendors
    would also fit fine! Buffalo, Netgear, TP-Link, and some of them come with pre-installed
    DD-WRT or OpenWRT firmware, so you don't have to flash it yourself.

    It is still a home setup.

    There are also switches out there that can do all these things for less money, but routing
    must then be done at the pfSense itself.

    • Netgear GS105Ev2
    • Netgear GS108Ev2
    • Netgear GS108Tv3
    • TP-Link TL-SG105E

    Buy two of them and then replace the two you own; the TP-Link ones can be had for as cheap
    as ~25 € each and are capable of VLANs.

    Replacing my switches with managed switches will cost around 200 euro at least?

    One Cisco SG300-10 for ~180 € and one TP-Link TL-SG105E on top for ~25 € will do the job and
    route the entire LAN by themselves!

    I'm planning on buying a new wifi router/ap as well…

    Get a cheap used one with Gigabit LAN ports, and if ac is not really urgent
    for you it will do the job fine as well.