Guest network with single LAN/AP

  • I am in the process of buying a new machine to handle pfSense. My current setup is WAN->Modem->pfSense->1 AP (1 SSID)->Users. With the new setup, I would like to have a network set up for when guests and family visit, since I would prefer them not to interact with my servers, etc. (WAN->Modem->pfSense->1 AP (2+ SSIDs)). With that in mind, if my pfSense box only has 2 NICs (1 WAN, 1 internal), is this possible if I am using DD-WRT as my AP and having pfSense handle all routing, etc.?

    Or would it be preferable to simply get a machine with more NICs?

    Thanks for any and all guidance!

  • The short answer is yes, but it depends on your equipment. Do you care about logging? Do you have an L3 managed switch? Does your AP support VLANs? If you have a managed switch and an AP that supports VLANs, it's pretty straightforward. If your AP doesn't support VLANs, it can still be done, but then your switch would need to support ACLs.

    If you're going with all consumer-grade equipment and sticking with 2 interfaces, it can still be done, but the design is crude and it involves configuring the software firewall on every server.

    Otherwise, you're looking at adding a 3rd interface and a 2nd AP.

  • All my devices are currently using Wi-Fi, so I do not have a switch, but I do plan on picking one up once I begin running drops to every room in the house. My AP is running DD-WRT, so I can use VLANs on that side, but I am not sure how it is translated back to pfSense. If all devices are running off the AP, will VLANs be respected from the AP back to pfSense?


  • You can do it without a managed/smart switch. (I remember in the past pfSense didn't like tagged and untagged traffic on the same interface, so you may have to put your current/LAN SSID on its own VLAN. But I'm not sure if this is still the case.)
    Assuming you don't need to do this, you can just create a new Guest SSID on the AP with a specific VLAN number and then create a VLAN interface on pfSense with the parent interface where the AP is plugged in. After a reboot, the remainder is the standard interface/firewall rules setup.
    But you might have to look into reconfiguring the current LAN interface to also be on a separate tagged VLAN if things don't work as mentioned above.

  • LAYER 8 Netgate

    Many devices don't like tagged and untagged traffic on the same interface. The real problem with it is different devices handle it differently.

    With pfSense it's pretty easy.

    em0 = untagged
    em0_vlan9 = tagged VLAN 9.

  • OK. I think this answers my question, in that it may work, but once I pick up a smart switch, it certainly will work. I may go ahead and pick up the switch now then.

    Thanks for all the help guys.

  • LAYER 8 Global Moderator

    What doesn't like tagged and untagged on the same interface? The untagged traffic would just be the native VLAN on that interface. This is a really common setup; what hardware does not support this?

    As Derelict mentions, you have traffic that is untagged going to em0, and then you put a VLAN on that which is tagged.

    I cannot think of a switch that doesn't allow an untagged VLAN and a tagged VLAN on an interface. Now, where you would have problems is running more than one untagged VLAN on the same interface; that is a big no-no.

    To be honest, if you have no need for switch ports, i.e. all your devices are wireless and your AP supports VLANs assigned to SSIDs, then you're all set to create a guest VLAN. All you have to do is add this VLAN to the interface in pfSense your AP is connected to, and have your AP tag the SSID that is your guest one. Then create whatever rules you want in pfSense for this new network.
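    An added example (not from this thread and not pfSense's own code) of the "whatever rules you want" step. After the VLAN exists (Interfaces > Assignments > VLANs, parent em0, tag 9, then assign it as a new interface), the rules on that interface's tab in Firewall > Rules are evaluated top to bottom, first match wins, with an implicit deny at the end. The script below models that first-match walk over a typical guest policy and over the same rules with the RFC 1918 block hoisted to the top, to show why order matters: the guest network's own gateway address lives inside 192.168.0.0/16, so a block-private-networks rule placed first silently kills guest DNS. The addressing (LAN 192.168.1.0/24 untagged on em0, GUEST 192.168.9.0/24 on VLAN 9, a placeholder WAN address) and the sample flows are assumptions made up for the example.

```python
# Added example (not from the thread): a first-match walk through a guest-VLAN
# ruleset with pfSense semantics, to show why rule order matters.
# Addressing below is an assumption chosen for illustration:
#   LAN   = em0 untagged, 192.168.1.0/24, pfSense LAN address 192.168.1.1
#   GUEST = em0 VLAN 9,   192.168.9.0/24, pfSense GUEST address 192.168.9.1
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional, Sequence

GUEST_IF_ADDR = ip_address("192.168.9.1")
LAN_IF_ADDR = ip_address("192.168.1.1")
WAN_IF_ADDR = ip_address("198.51.100.2")   # TEST-NET-2, placeholder public address

# Equivalent of a pfSense "This Firewall" destination: every address pfSense owns.
THIS_FIREWALL = [ip_network(f"{a}/32") for a in (GUEST_IF_ADDR, LAN_IF_ADDR, WAN_IF_ADDR)]
# Equivalent of a network alias holding the RFC 1918 ranges.
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Rule:
    action: str                               # "pass" or "block"
    proto: Optional[str]                      # "tcp", "udp" or None for any
    dst: Optional[Sequence[IPv4Network]]      # None means any destination
    dports: Optional[frozenset]               # None means any port
    descr: str

    def matches(self, proto: str, dst: IPv4Address, dport: int) -> bool:
        if self.proto is not None and self.proto != proto:
            return False
        if self.dst is not None and not any(dst in n for n in self.dst):
            return False
        if self.dports is not None and dport not in self.dports:
            return False
        return True


def evaluate(rules: Sequence[Rule], proto: str, dst: str, dport: int) -> str:
    """First matching rule wins; an implicit default deny closes the list,
    just as on a pfSense interface rule tab. Returns 'pass' or 'block'."""
    dst_ip = ip_address(dst)
    for rule in rules:
        if rule.matches(proto, dst_ip, dport):
            return rule.action
    return "block"


# Rules on the GUEST interface tab, top to bottom.
GUEST_RULES = [
    Rule("pass", "udp", [ip_network(f"{GUEST_IF_ADDR}/32")], frozenset({53}),
         "let guests use pfSense as their DNS resolver"),
    Rule("block", None, THIS_FIREWALL, None,
         "no other access to pfSense itself (GUI, SSH, other interface addresses)"),
    Rule("block", None, RFC1918, None,
         "no access to LAN, servers or any other private network"),
    Rule("pass", None, None, None,
         "everything else, i.e. the Internet"),
]

# Same rules with the RFC 1918 block hoisted to the top: a common mistake that
# silently breaks guest DNS, because 192.168.9.1 is itself inside 192.168.0.0/16.
WRONG_ORDER = [GUEST_RULES[2], GUEST_RULES[0], GUEST_RULES[1], GUEST_RULES[3]]


def guest_policy_check(rules: Sequence[Rule]) -> dict:
    """Constructed sample flows from a guest client; a correct ruleset passes
    DNS and Internet traffic and blocks everything internal."""
    return {
        "dns_to_pfsense": evaluate(rules, "udp", "192.168.9.1", 53),
        "gui_on_guest_addr": evaluate(rules, "tcp", "192.168.9.1", 443),
        "gui_on_lan_addr": evaluate(rules, "tcp", "192.168.1.1", 443),
        "smb_to_lan_server": evaluate(rules, "tcp", "192.168.1.10", 445),
        "https_to_internet": evaluate(rules, "tcp", "203.0.113.10", 443),
    }


if __name__ == "__main__":
    for name, rules in (("correct order", GUEST_RULES), ("wrong order", WRONG_ORDER)):
        print(name, guest_policy_check(rules))
```

    DHCP is not in the list on purpose: pfSense adds its own pass rules for DHCP on any interface where its DHCP server is enabled, so only DNS needs an explicit exception before the "This Firewall" block. If guests should reach a printer or a media server on the LAN, add a narrow pass rule for that one host and port above the RFC 1918 block rather than widening the block rule.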

  • LAYER 8 Netgate

    The real issue is getting your untagged traffic off VLAN1. Or at least only using VLAN1 for trusted traffic. Some switches treat VLAN1 as special. Some can only be managed on VLAN1.

    And if you are going to do that, you might as well just tag it.

    Tagged and untagged traffic on trunk ports can be problematic as well. Many people try to "tag" VLAN1. That's an oxymoron.

    It's messy so why do it?
