Seperate wireless guest network



  • I have a pfSense box running with a build in wifi card.
    I created a wifi network, bridged it with my LAN. All is working fine.
    This is my "personal" wifi network, which should be connected to my LAN.

    Now I want to create a guest wifi network, for obviously guests. ;)
    This network must be seperated from the LAN, it must only have internet access.

    What is the best way to accomplish this?
    Do I just create a virtual wifi ap, different subnet, assign DHCP and block access to the LAN interface?
    Or is it better to use VLAN's?



  • I'm assuming you just want a second WPA secured wifi network for guest internet access, but you can also use the captive portal function on pfsense if you would rather your guests all have to authenticate with username/password or voucher codes.

    For the first option (2nd network purely with internet access), you are correct, and you shouldn't need VLANs at all.  The only time you will use VLANs for this is if you want to run an external access point, in which case you would seperate the traffic into VLANs and the AP would do all the SSID -> VLAN association.

    If you're doing it all on a pfsense box with internal wifi card, then the basic process is:

    1.  create a clone wireless interface. 
    ( INTERFACES -> ASSIGN -> WIRELESS )

    2.  Set up your WPA security, ip address on the new interface.
    Use a different subnet to your LAN segment, (e.g. LAN = 192.168.1.0/24, guest= 192.168.2.0/24).

    3.  Enable DHCP on the new guest interface.

    4.  Create firewall rules on new interface to block all traffic from the guest interface to the router's admin ports, and also to the LAN subnet  (so guests can't mess with the router or any of your internal clients)

    5.  Below those rules, create an "allow all" rule (to grant them internet access).

    After that, you should have 2 wireless networks being presented from your pfsense box, LAN and guest.  Anyone joining the guest SSID will get an ip on the new subnet, and only have access to the internet.  This lets you use a complex WPA key for your own internal LAN clients for security, and an easy to remember key for guests that's not as secure, but will only allow web access if compromised.



  • Thanks, I'll have a look into this!



  • @iso70x:

    4.  Create firewall rules on new interface to block all traffic from the guest interface to the router's admin ports, and also to the LAN subnet  (so guests can't mess with the router or any of your internal clients)

    I configured the wireless guest network and setup the rules.
    Everything is working but I'm wondering are rule 1 + 2 redundant?
    If I block all traffic to the lan subnet (192.168.2.0 /24) do I still need to block traffic to the pfSense box (192.168.2.1)?



  • @Panja:

    I configured the wireless guest network and setup the rules.
    Everything is working but I'm wondering are rule 1 + 2 redundant?
    If I block all traffic to the lan subnet (192.168.2.0 /24) do I still need to block traffic to the pfSense box (192.168.2.1)?

    1.  You can use the built in alias called "This firewall (self)" instead of putting in the ip address as the destination.  Using this will block connections to any ip the pfsense box itself is on.  This is a good idea, as when you are running multiple subnets, your pfsense will usually have a different ip for each interface.  Rather than worry about putting in the different ips, you can just use "This firewall (self)".  Remember that your pfsense box will have a second ip on your guest network, so blocking it's LAN ip alone will not prevent them from connecting to it's guest ip.  This is why you need a specific rule outside of the "block to lan" rule.

    2.  You may only want to block admin access to the router, but allow connections to other ports (e.g. DNS, UPNP/NAT-PMP etc).  I allow my guests to use UPNP which helps with certain applications like skype.  I have an alias called "RouterAdmin" that includes ports 22, 23, 80, and 443.  You can also include vpn ports if you don't want to expose the openvpn daemon to the guest network.

    Then you can create a rule to block admin access, and another rule to block access to the LAN, before a final "Allow all" rule.  It will look something like this (ignore the vpn rule unless you have also set up an openvpn server on there).

    e.g.:



  • Thanks! Useful info. Cheers



  • I have changed my guest network firewall rules according to your (iso70x) rule set and it's working great! :D
    Made an alias for port 80, 443 and 22 and named it pfSense_admin.



  • @Panja:

    I have changed my guest network firewall rules according to your (iso70x) rule set and it's working great! :D
    Made an alias for port 80, 443 and 22 and named it pfSense_admin.

    Great, glad you got it working.  :)


Log in to reply