PfSense VLAN for Guest Network

[jacob_samd]

In reference this video, 

https://www.youtube.com/watch?v=DL4vMLgBrYI&t=722s

 

Has anyone had success making this work. I can get my devices to connect for a short period from time to time but most of the time it will not dish out an ip address. Any suggestions? I run PfSense on a box and then have everything through unmanaged switches to my devices and unifi Access Points I have tried using a managed switch with vlan capabilities but I want to be able to broadcast a home and guest network off the same access points to cover my entire house without having seperate AP's for guest network. 

Thanks,

[Kalm_Traveler]

Do those Unify APs support multiple SSIDs at once?

 

Also, you set up a separate VLAN with its own IP range in pfsense?

 

and on the APs, you have that separate SSID VLAN tagged to match the separate VLAN in pfsense?

[jacob_samd]

I think so, yes, and yes. I’ll have to check that out. I believe I have the same as the ones in the video.

 

***Edit

I have the same as the ones in the video...

[Kalm_Traveler]

3 hours ago, jacob_samd said:

I think so, yes, and yes. I’ll have to check that out. I believe I have the same as the ones in the video.

 

***Edit

I have the same as the ones in the video...

if I'm understanding the video correctly, it sounds like as long as you have the guest interface configured correctly in pfSense and the guest wifi assigned to the appropriate VLAN on the unify AP it should work.

 

I've just been getting my own pfsense + separate guest wifi set up over the weekend but I went with a managed switch and separate cheap wireless N wifi router/ap for the guest just for more granular control and ease of configuration. Trying to compare oranges to apples here, with my setup, on the managed switch I have all the ports except the one for the guest wifi as untagged for VLAN 1 and that port is not part of the group, then for VLAN 2 I have that port untagged and the port going to pfsense tagged. 

On pfsense the interface for VLAN 2 (guest wifi), firewall rules are basically the same as LAN except that I explicitly block anything from LAN 2 interface to LAN so that the guest network can't talk to my main network. The reverse is allowed though so that I can easily manage that guest wifi AP from my main network if need be.

 

Taking that into consideration with what you're doing - since the AP  you have can assign VLAN IDs, I would expect that given a functional interface config on fpsense and the VLAN assigned for your guest wifi AP on the AP itself, it should all work. Have you tried rebooting pfsense? I had to do that last night to get the DHCP assignment working correctly for VLAN 2.

[jacob_samd]

7 hours ago, Kalm_Traveler1 said:

if I'm understanding the video correctly, it sounds like as long as you have the guest interface configured correctly in pfSense and the guest wifi assigned to the appropriate VLAN on the unify AP it should work.

 

I've just been getting my own pfsense + separate guest wifi set up over the weekend but I went with a managed switch and separate cheap wireless N wifi router/ap for the guest just for more granular control and ease of configuration. Trying to compare oranges to apples here, with my setup, on the managed switch I have all the ports except the one for the guest wifi as untagged for VLAN 1 and that port is not part of the group, then for VLAN 2 I have that port untagged and the port going to pfsense tagged. 

On pfsense the interface for VLAN 2 (guest wifi), firewall rules are basically the same as LAN except that I explicitly block anything from LAN 2 interface to LAN so that the guest network can't talk to my main network. The reverse is allowed though so that I can easily manage that guest wifi AP from my main network if need be.

 

Taking that into consideration with what you're doing - since the AP  you have can assign VLAN IDs, I would expect that given a functional interface config on fpsense and the VLAN assigned for your guest wifi AP on the AP itself, it should all work. Have you tried rebooting pfsense? I had to do that last night to get the DHCP assignment working correctly for VLAN 2.

The thing I do not understand is how he got it to work. I have a seperate VLAN in PfSense for the wireless network and from time to time it will work. But randomly it will stop and just not work at all. It is showing the network wirelessly and it accepts users but will not give out an ip address. It is just weird. I may have to go the route of getting a cheap ap for guest network only...

[Kalm_Traveler]

18 minutes ago, jacob_samd said:

The thing I do not understand is how he got it to work. I have a seperate VLAN in PfSense for the wireless network and from time to time it will work. But randomly it will stop and just not work at all. It is showing the network wirelessly and it accepts users but will not give out an ip address. It is just weird. I may have to go the route of getting a cheap ap for guest network only...

That's sort of why I ended up saying screw it and getting a managed switch + cheap N wifi router for my setup. 

 

I'm not very confident in my networking skills even after getting a CompTIA certification last year, but had no real trouble setting mine up this way. The only thing that I messed up was the VLAN config for ports on that managed switch... took me a few hours to figure out that if I want to be able to hit the guest wifi AP from my main VLAN I needed to set the 'shared' port as untagged on VLAN 1, and tagged on VLAN 2.

[jacob_samd]

On 12/16/2019 at 7:45 PM, Kalm_Traveler1 said:

That's sort of why I ended up saying screw it and getting a managed switch + cheap N wifi router for my setup. 

 

I'm not very confident in my networking skills even after getting a CompTIA certification last year, but had no real trouble setting mine up this way. The only thing that I messed up was the VLAN config for ports on that managed switch... took me a few hours to figure out that if I want to be able to hit the guest wifi AP from my main VLAN I needed to set the 'shared' port as untagged on VLAN 1, and tagged on VLAN 2.

So, I think I got it figured out. My PfSense box is in the basement. The network goes out to an 8 port switch..it was unmanaged. I thought about trying to connect the AP directly to me ethernet out port and when I did that my guest network started working. So i put a managed switch downstairs and was messing around with ports on it and realized my guest network was working and the managed switch had no settings touched on it. With a managed switch there and no settings my access points are working flawlessly in all areas so far...mind you I only got this to work about an hour ago. I will probably make a video on it and explain it better but for now I think this is going to work. My guess is the unmanaged switches just had no idea about my Vlans even though the managed switch did not have to be told about my PfSense Vlan.

[Kalm_Traveler]

10 hours ago, jacob_samd said:

So, I think I got it figured out. My PfSense box is in the basement. The network goes out to an 8 port switch..it was unmanaged. I thought about trying to connect the AP directly to me ethernet out port and when I did that my guest network started working. So i put a managed switch downstairs and was messing around with ports on it and realized my guest network was working and the managed switch had no settings touched on it. With a managed switch there and no settings my access points are working flawlessly in all areas so far...mind you I only got this to work about an hour ago. I will probably make a video on it and explain it better but for now I think this is going to work. My guess is the unmanaged switches just had no idea about my Vlans even though the managed switch did not have to be told about my PfSense Vlan.

sounds reasonable. I don't think any unmanaged (dumb) switch can read VLAN tags so they essentially don't exist on those switches

[Alex Atkin UK]

18 hours ago, Kalm_Traveler1 said:

sounds reasonable. I don't think any unmanaged (dumb) switch can read VLAN tags so they essentially don't exist on those switches

They can't read them but AFAIK they should still pass the traffic without touching the tags.  Probably just got unlucky with a model that doesn't.

[jacob_samd]

3 hours ago, Alex Atkin UK said:

They can't read them but AFAIK they should still pass the traffic without touching the tags.  Probably just got unlucky with a model that doesn't.

Well to be fair I bought some netgear ones for cheap on black friday a few years back. I think I paid about $5 a piece...lol

[Kalm_Traveler]

5 hours ago, Alex Atkin UK said:

They can't read them but AFAIK they should still pass the traffic without touching the tags.  Probably just got unlucky with a model that doesn't.

ah maybe I misunderstood - I thought he was saying that the guest network was not separated (working as intended) which I as attributing to the dumb switch since it will send all traffic across itself without any segregation from VLANs.