Configuration Help - Adding 2nd subnet to existing setup
We currently have pfSense v2.1 with 2 NIC cards (1 for WAN, 1 for LAN). System works fine. People connect to 1 of 2 access points in the facility and have access to all the network resources. We use the DHCP in pfSense for ease of user connection configuration with facility equipment given static IP addresses.
Now we have the need to add a second LAN setup that will be for guest use because the facility will be opened up to various local groups for meetings.
Our current LAN is 192.168.2.x/24 with the DHCP pool @ 101 - 150, with static mapping of known users @ 151 - 199.
I would like to change the DHCP pool to 192.168.1.x/24 for guests, and have known users mapped to 192.168.2.x (100 - 199) so they have access to network printers. The guests will not have access to the network equipment on 192.168.2.x
The majority of people that connect to our network also use their devices at other locations so setting them to a static IP is not an option (not a full time IT department for support).
The hope is that we do not need additional access points (with different SSID/passwords), and by adding the second subnet that by default connects to the guest network (192.168.1.x) will work…then I can map users as needed to static IP address on the 192.168.2.x subnet.
Trial and error poking around has frustrated me.
Why do you need to static map for your guest network? So you can let them print to stuff on your lan? Just get their mac and setup a reservation so they always get same IP when on your network..
What AP do you have now? Do they support vlans? What switch(es) do you have now - do they support vlans?
If they do not then you would want/need another nic for pfsense and then another AP for the guest.. Or need to replace your stuff with AP that have vlan support and switch that does as well. Then you can run your guest wifi on its own vlan, etc.
Also 2.1 is no longer a supported version.. You really should update..
No- the guests will be DHCP on the 192.168.1.x subnet, while known users will get static reservations on the 192.168.2.x subnet. Guests will not have any access to printers and such on the 192.168.2.x subnet.
The 192.168.1.x will just have internet access.
APs are Linksys & Netgear switches that do not support vlans.
Was not aware that 2.1 was no longer supported - will look into upgrading.
If your just wanting another network segment on pfsense for this guest network, sure any AP will work with any switch that does not even even support vlans as long as you have another interface in pfsense to connect it too.
You need to separate 192.168.1.0/24 from 192.168.2.0/24 either physically or virtually (VLAN).
Putting two different layer 3 networks on one layer 2 segment gives you no security at all and is a very clear example of ghetto networking.
Your best option is probably to get a managed switch and a couple APs capable of Multiple-SSID/VLAN tagging. See Ubiquiti Unifi (Or Ruckus, Aruba, Cisco, Xclaim, etc.) Maybe DDWRT or OpenWRT.
Thanks for your replies.
So after reviewing your help and suggestions, the plan has been revised a bit….Add a 3rd NIC to the box which will be set up for the 1952.168.1.x subnet, replace current AP's with AP's that have dual SSIDs (one for the 1.x and the other for the 2.x subnets).
One question...is pfSense able to do 2 DHCP servers (one for each subnet) or do I let the AP provide the DHCP for the second subnet?
s pfSense able to do 2 DHCP servers (one for each subnet) or do I let the AP provide the DHCP for the second subnet?
Yes. pfSense can do one DHCP server per interface.
How are you going to connect the APs to two physical ports? What you want to do is usually accomplished with VLANs and managed switches.