Wired client isolation

  • Bit of a question here after reading through some of the forums regarding this. We run support for a multi building condo unit. Currently using GuestGate MKII devices in each of the buildings but they are not holding up well. I would like to configure one pfsense box at the head of the network to provide client isolation without a captive portal. My alternatives would require extensive VLAN rules and tagging that I can't really justify for what we get a month from that place. Any help would be appreciated.


  • LAYER 8 Global Moderator

    How do you think pfsense is going to provide client isolation?  Will each of these buildings be on a different network connected to an interface in pfsense?

  • No, sadly. Where the internet comes in is in one building; the cabling goes to another building, then from there it is starred out to the remaining two. We provide one wired port into each condo unit and it is the owner's responsibility to use the copper wiring panel to install a home grade router to activate the remaining data ports and their own wifi. My other brainstorming options involve the use of one vlan per unit and tying the vlans back to the pfsense and out. That is a lot to manage for the small service contract they are on.

  • How many total units are we talking about, across how many different buildings?

    I have a couple of similar setups for rented office space buildings that provide internet to each office.

    If you can get a reasonable VLAN switch in place to distribute the connections to each unit, this is not a horribly difficult setup.
    For me it was a matter of understanding what I needed for rules on the first 3 or 4 units and then picking a set of naming conventions that would extend for all.

    I found it easiest to get the initial rules working and then manually update a config.xml for the bulk install.
    One install covers 40+ offices and has been solid for 5+ years with fairly minimal maintenance required.

    Compared to the original setup (one router per office, 35 separate units!) this has been a clean simple installation.

  • LAYER 8 Global Moderator

    Well you can get as fancy or as basic as you want.  You could put a managed/smart switch where your internet comes in, and then let them do what they want at their location, be it another router/firewall or just a switch, depending on how you set up your hub location.

    Are you handing them public IP space, 1 IP or a routed network?  Or you could do NAT and give them whatever network you want to give them, be it a transit to your hub router/firewall/L3 switch or etc.

    How many locations you have would determine the size of switch you need at the hub, etc.  How many ports at the locations would determine the size needed there if you wanted to deploy it as a managed solution, etc.

  • We inherited a few old HP switches and have a newer Dell switch on site; it's a total of 4 buildings and I'd say 60 units. Because not all the data drops are centrally wired and we don't provide wireless for Chromecast, Roku and all the funner residential devices, we urge tenants to get their own home based router and set up their own private network. I have pulled the panel off and discovered the occasional 5 port switch however.

  • johnpz - I just don't want the owners to have the ability to browse the network outside of the private LAN they set up with their own routers. We have 4 of the MKIIs in each building now, but it seems they need to be restarted frequently as they will just lock up randomly. Obviously security is a priority, and secondly the ability to keep costs in labor and hardware down is also needed.

  • If the switches are VLAN capable HPs, they should fit the bill.
    Do you happen to know the models?

    Even if everything is not directly home run, a VLAN setup is still the best option to retain simplicity and isolation IMHO.

    You trunk connections between buildings that don't homerun and send everything back to your pfSense in the "control closet" (wherever that is) for those that do.

    You're probably not going to be able to supply Gigabit speed internet to 60 units without a whack of bucks, but divvying up a 100Mbps connection is definitely doable.

  • That is how I brainstormed it working in my head on the drive in this AM, playing with VLANs. Was hoping I could have all three: fast, right and cheap.

  • Heh... you should know by now, you only get two out of the three - sorry, can't change the laws of the Universe (yet).

  • LAYER 8 Global Moderator

    Well pfsense and 1 simple rule with all your connections as vlans prevents them from talking to each other, if that is what you want.  Or you could do that same thing with a L3 switch and ACL(s).

    This is really basic stuff here.  Does not matter if your locations NAT or don't NAT, if you give them 1 IP or a /16 to work with, etc.

    A very cheap switch can do this; comes down to how many ports you need.  How many client condos do you have?
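The "one VLAN per unit, one simple rule" policy from this thread, modelled as an added Python example (not code from the thread, from pfSense, or from any poster): every unit gets a VLAN tag and a /24 carved from one supernet, so a single block rule aimed at that supernet isolates each unit from all the others, and the script checks sample packets against the rules in first-match order and renders them as pf-style text. The supernet 10.1.0.0/16, tags 101 and up, parent interface igb1 and the gateway-first ordering (without it the block would also cut the unit off from DHCP/DNS served by pfSense) are assumptions.

```python
import ipaddress

# Constructed addressing plan (an assumption, not from the thread): each unit gets one
# VLAN and one /24 inside a single supernet, so ONE block rule per interface, aimed at
# the supernet, keeps every unit away from every other unit.
SUPERNET = ipaddress.ip_network("10.1.0.0/16")
INTERNET = ipaddress.ip_network("0.0.0.0/0")

def unit_plan(units, parent_if="igb1", base_tag=100):
    """Map unit numbers to VLAN tag, tagged interface, /24 and the pfSense gateway IP."""
    subnets = list(SUPERNET.subnets(new_prefix=24))
    return [{"unit": u, "tag": base_tag + u, "vlanif": f"{parent_if}.{base_tag + u}",
             "net": subnets[u], "gw": subnets[u][1]} for u in units]

def rules_for(unit):
    """Interface rules in evaluation order (first match wins, like pfSense 'quick' rules)."""
    gw = ipaddress.ip_network(f"{unit['gw']}/32")
    return [
        ("pass",  unit["net"], gw,       "DHCP/DNS/gateway on this firewall"),
        ("block", unit["net"], SUPERNET, "every other unit, placed before the pass-any"),
        ("pass",  unit["net"], INTERNET, "everything else out to the internet"),
    ]

def decide(plan, src_ip, dst_ip):
    """Action pfSense would take for a packet arriving on the source unit's VLAN."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for unit in plan:
        if src in unit["net"]:
            for action, s, d, _ in rules_for(unit):
                if src in s and dst in d:
                    return action
    return "block"  # nothing matched: pfSense default deny

def pf_text(plan):
    """Render the same policy as pf-style rule lines (pfSense compiles GUI rules to pf)."""
    lines = []
    for unit in plan:
        for action, s, d, note in rules_for(unit):
            state = " keep state" if action == "pass" else ""
            lines.append(f"{action} in quick on {unit['vlanif']} inet from {s} to {d}"
                         f"{state}  # unit {unit['unit']}: {note}")
    return lines

if __name__ == "__main__":
    plan = unit_plan(range(1, 61))  # 60 units, as in the thread
    print("\n".join(pf_text(plan)[:3]))
    print(decide(plan, "10.1.1.50", "10.1.2.7"))       # unit 1 -> unit 2: block
    print(decide(plan, "10.1.1.50", "198.51.100.7"))   # unit 1 -> internet: pass
```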
