Netgate Discussion Forum

    Guest network with single LAN/AP

    General pfSense Questions
    8 Posts 5 Posters 2.1k Views
    Guest

      I am in the process of buying a new machine to handle pfSense. My current setup is WAN->Modem->pfSense->1 AP (1 SSID)->Users. With the new setup, I would like to have a network set up for when guests and family visit, since I would prefer them not to interact with my servers, etc. (WAN->Modem->pfSense->1 AP (2+ SSIDs)). With that in mind, if my pfSense box only has 2 NICs (1 WAN, 1 internal), is this possible if I am using DD-WRT as my AP and having pfSense handle all routing, etc.?

      Or would it be preferred to simply get a machine with more nics?

      Thanks for any and all guidance!

      marvosa

        The short answer is yes, but it depends on your equipment. Do you care about logging? Do you have an L3 managed switch? Does your AP support VLANs? If you have a managed switch and an AP that supports VLANs, it's pretty straightforward. If your AP doesn't support VLANs, it can still be done, but then your switch would need to support ACLs.

        If you're going with all consumer-grade equipment and sticking with 2 interfaces, it can still be done, but the design is crude and it involves configuring the software firewall on every server.

        Otherwise, you're looking at adding a 3rd interface and a 2nd AP.

        Guest

          All my devices are currently using wifi, so I do not have a switch, but I do plan on picking one up once I begin running drops to every room in the house. My AP is running DD-WRT, so I can use VLANs on that side, but I am not sure how it is translated back to pfSense. If all devices are running off the AP, will VLANs be respected from the AP back to pfSense?

          Thanks

          thermo

            You can do it without a managed/smart switch. (I remember in the past pfSense didn't like tagged and untagged traffic on the same interface, so you may have to put your current/LAN SSID on its own VLAN. But I'm not sure if this is still the case.)
            Assuming you don't need to do this, you can just create a new Guest SSID on the AP with a specific VLAN number and then create a VLAN interface on pfSense with the parent interface where the AP is plugged in. After a reboot, the remainder becomes standard interface/firewall rules setup.
            But you might have to look into reconfiguring the current LAN interface to also be on a separate tagged VLAN if things don't work as mentioned above.

            Derelict (LAYER 8, Netgate)

              Many devices don't like tagged and untagged traffic on the same interface. The real problem with it is different devices handle it differently.

              With pfSense it's pretty easy.

              em0 = untagged
              em0_vlan9 = tagged VLAN 9.

              Chattanooga, Tennessee, USA
              A comprehensive network diagram is worth 10,000 words and 15 conference calls.
              DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
              Do Not Chat For Help! NO_WAN_EGRESS(TM)

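              What "em0 = untagged, em0_vlan9 = tagged VLAN 9" means on the wire, as an added example that is not part of the thread and not pfSense code: the parent interface receives frames with no 802.1Q tag, and a sub-interface exists only for the VID it was created with, so a frame tagged with a VID that has no sub-interface is simply dropped. The interface names, MAC addresses and frames below are constructed for illustration; the treatment of a VID 0 (priority-tagged) frame as native traffic is an assumption about the host, not something the thread states.

```python
"""Demultiplex Ethernet frames the way a host with an untagged parent
interface (em0) and a tagged VLAN sub-interface (em0_vlan9) sees them.

Constructed example; not code from the thread or from pfSense.
"""
import struct

ETH_P_8021Q = 0x8100   # 802.1Q tag protocol identifier
ETH_P_8021AD = 0x88A8  # 802.1ad outer tag (QinQ); treated like a single tag here
PARENT = "em0"         # assumed pfSense parent interface, as named in the thread


def parse_frame(frame: bytes):
    """Return (dst_mac, src_mac, vlan_id_or_None, ethertype, payload).

    vlan_id is None for an untagged frame. A tag carrying VID 0 is
    'priority tagged'; we assume the host treats it as native traffic.
    """
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vlan_id, offset = None, 14
    if ethertype in (ETH_P_8021Q, ETH_P_8021AD):
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vid = tci & 0x0FFF          # low 12 bits of the TCI are the VLAN ID
        vlan_id = vid if vid != 0 else None
        offset = 18
    return dst, src, vlan_id, ethertype, frame[offset:]


def interface_for(frame: bytes, vlan_ifaces: dict):
    """Map a frame to the interface that will receive it.

    vlan_ifaces maps VID -> sub-interface name, e.g. {9: "em0_vlan9"}.
    Untagged (native) frames go to the parent; a tagged frame whose VID
    has no sub-interface is dropped, which we model as None.
    """
    _, _, vid, _, _ = parse_frame(frame)
    if vid is None:
        return PARENT
    return vlan_ifaces.get(vid)


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes,
                vid=None, pcp: int = 0) -> bytes:
    """Build an Ethernet frame, inserting an 802.1Q tag when vid is given."""
    hdr = dst + src
    if vid is not None:
        tci = (pcp << 13) | (vid & 0x0FFF)
        hdr += struct.pack("!HHH", ETH_P_8021Q, tci, ethertype)
    else:
        hdr += struct.pack("!H", ethertype)
    return hdr + payload


if __name__ == "__main__":
    # Constructed MACs: the AP's uplink and the pfSense internal NIC.
    AP = bytes.fromhex("001122334455")
    FW = bytes.fromhex("66778899aabb")
    ipv4 = b"\x45" + b"\x00" * 19            # minimal IPv4 header stand-in
    ifaces = {9: "em0_vlan9"}
    for label, vid in (("LAN SSID (untagged)", None), ("guest SSID", 9), ("unknown VID", 20)):
        fr = build_frame(FW, AP, 0x0800, ipv4, vid=vid)
        print(f"{label:22s} -> {interface_for(fr, ifaces)}")
```

The last case is the one to remember when a guest SSID "does nothing": if the AP tags with a VID that was never added under Interfaces > Assignments > VLANs, the frames never reach a pfSense interface at all.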
                Guest

                OK. I think this answers my question, in that it may work, but once I pick up a smart switch, it certainly will work. I may go ahead and pick up the switch now then.

                Thanks for all the help guys.

                  johnpoz (LAYER 8, Global Moderator)

                  What doesn't like tagged and untagged on the same interface?? The untagged traffic would just be the native VLAN on that interface.. This is a really common setup; what hardware does not support this?

                  As Derelict mentions, you have traffic that is untagged going to em0, and then you put a VLAN on that that is tagged..

                  I can not think of a switch that doesn't allow for an untagged VLAN and a tagged VLAN on an interface.. Now where you would have problems is running more than 1 untagged on the same interface; that is a big no-no..

                  To be honest, if you have no need for switch ports.. i.e. all your devices are wireless, and your AP supports VLANs assigned to SSIDs, then you're all set to create a guest VLAN.. All you have to do is add this VLAN to the interface in pfSense your AP is connected to, and have your AP tag the SSID for your guests.. Then create whatever rules you want in pfSense for this new network.

                  An intelligent man is sometimes forced to be drunk to spend time with his fools
                  If you get confused: Listen to the Music Play
                  Please don't Chat/PM me for help, unless mod related
                  SG-4860 24.11 | Lab VMs 2.8, 24.11

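                  The "create whatever rules you want" step is where a guest network usually goes wrong: pfSense interface rules are evaluated top to bottom and the first match wins, so a catch-all "pass any" placed above a block rule silently lets guests onto the trusted LAN. The following is an added example that models that first-match evaluation; it is not pfSense's rule engine or a config export. The subnets (192.168.9.0/24 for guest VLAN 9, 192.168.9.1 as the firewall's address there, 192.168.1.0/24 as the trusted LAN) and the packets are constructed for illustration.

```python
"""First-match rule evaluation for a guest VLAN, in the style of pfSense
interface-tab rules (no match -> block, as on any non-WAN interface).

Constructed example; not pfSense code or a pfSense rule export.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

ANY = ip_network("0.0.0.0/0")
RFC1918 = tuple(ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"))
GUEST_NET = ip_network("192.168.9.0/24")   # assumed subnet for guest VLAN 9
GUEST_GW = ip_network("192.168.9.1/32")    # assumed pfSense address on the guest VLAN
LAN_NET = ip_network("192.168.1.0/24")     # assumed trusted LAN on em0 (untagged)


@dataclass(frozen=True)
class Rule:
    action: str                  # "pass" or "block"
    proto: str = "any"           # "tcp", "udp", "tcp/udp" or "any"
    src: tuple = (ANY,)          # networks the source must fall in
    dst: tuple = (ANY,)          # networks the destination must fall in
    dport: Optional[int] = None  # None matches every destination port

    def matches(self, proto: str, src, dst, dport: int) -> bool:
        if self.proto != "any" and proto not in self.proto.split("/"):
            return False
        if not any(src in n for n in self.src):
            return False
        if not any(dst in n for n in self.dst):
            return False
        return self.dport is None or self.dport == dport


def evaluate(rules: List[Rule], proto: str, src: str, dst: str, dport: int) -> str:
    """Walk the rule list; the first matching rule decides, else block."""
    s, d = ip_address(src), ip_address(dst)
    for r in rules:
        if r.matches(proto, s, d, dport):
            return r.action
    return "block"


# The rule set people write first: guests get "internet", and everything else.
NAIVE = [Rule("pass", "any", (GUEST_NET,), (ANY,))]

# Guest VLAN rules in the order they must appear on the interface tab.
# (DHCP to the firewall is not listed: pfSense adds its own automatic
# pass rule for that when the DHCP server is enabled on the interface.)
HARDENED = [
    Rule("pass", "tcp/udp", (GUEST_NET,), (GUEST_GW,), 53),  # DNS to the firewall only
    Rule("block", "any", (GUEST_NET,), RFC1918),             # no private destinations at all
    Rule("pass", "any", (GUEST_NET,), (ANY,)),               # whatever is left: internet
]

# Same rules, catch-all first: the block below it can never match.
MISORDERED = [HARDENED[2], HARDENED[1], HARDENED[0]]


if __name__ == "__main__":
    guest = "192.168.9.50"
    probes = [("tcp", guest, "192.168.1.10", 445),   # guest -> file server on LAN
              ("tcp", guest, "93.184.216.34", 443),  # guest -> a public web site
              ("udp", guest, "192.168.9.1", 53),     # guest -> firewall DNS
              ("tcp", guest, "192.168.9.1", 443)]    # guest -> firewall webGUI
    for name, rules in (("NAIVE", NAIVE), ("HARDENED", HARDENED), ("MISORDERED", MISORDERED)):
        for p in probes:
            print(f"{name:10s} {p[0]} {p[1]} -> {p[2]}:{p[3]} = {evaluate(rules, *p)}")
```

Blocking all of RFC1918 rather than just the LAN subnet also covers the firewall's own addresses, which is why the webGUI probe is blocked under HARDENED while DNS still passes; if you do want guests to reach the pfSense GUI or other local services, add a narrow pass rule above the block, never a wider one below it.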
                    Derelict (LAYER 8, Netgate)

                    The real issue is getting your untagged traffic off VLAN1. Or at least only using VLAN1 for trusted traffic. Some switches treat VLAN1 as special. Some can only be managed on VLAN1.

                    And if you are going to do that, you might as well just tag it.

                    Tagged and untagged traffic on trunk ports can be problematic as well. Many people try to "tag" VLAN1. That's an oxymoron.

                    It's messy so why do it?


                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.