Guest network access point with VLAN

HearToLearn

Occasional Visitor
Hi all,

Trying to improve my networking skills with switching to pfsense for my router, I'm learning a lot but theres one problem I cannot resolve. I want to setup at least one guest WiFi AP isolated from the rest of the network. I did find an excellent post from @gpz1100 with a bash shell script to exactly that, but upon investigation it seems robocfg executable is no more? Would anyone know if theres an alternative or possible workaround?


Code:
pfsense 
          > Asus AX88 AP mode 
                        > (trusted) eth devices
                        > (trusted) wl devices
                        > (isolated) wl devices guest network
                        > (mesh) Asus AX92

Cheers!
 
Last edited:

HearToLearn

Occasional Visitor
Edit: Got my AX88 working with the following script. Need to mess around with it a bit more. But I have three VLANs, trusted, guests (minimal access eg. tv) and IoT totally isolated using pfsense VLAN firewall rules (need to investigate nvram ap isolate rule).

Big shout out to @LeandroBR !

Not working atm; Also going to look into optimising this to use the suggested alternative IP link (http://www.snbforums.com/threads/rt-86u-vlanctl-ethctl-usage-puzzle.54375/post-652666).

The router must be plugged into the WAN port.

1. Enable JFFS custom scripts and configs in Administration > System

2. Setup wifi guests (2.4 + 5Ghz Guest) + (2.4Ghz IoT)

3. $ nano /jffs/scripts/services-start

4. copy code
Code:
#!/bin/sh

# With this script I'm going to use eth0 (physical port 3) to be my
# Trunk port to another router Asus RT-AC68U, so that I can split my
# Wi-Fi networks (Main Network, Guest Network and IoT Network).
# Configure file resolv.conf to make it to use the router itself as DNS Server, instead ONT. It's important if you are using DNSCrypt.

echo "VLAN-support: start"

echo "**** initialise VLAN ****"

echo "nameserver 127.0.0.1" > /tmp/resolv.conf

# Remove the interface eth0 from br0 (to use it as trunk with 802.1Q Tags). This interface can't be inside any bridge.
brctl delif br0 eth0

# Creating VLAN 100 and the Input / Output rules (main network)
vlanctl --mcast --if-create eth0 100
vlanctl --if eth0 --rx --tags 1 --filter-vid 100 0 --pop-tag --set-rxif eth0.v100 --rule-append
vlanctl --if eth0 --tx --tags 0 --filter-txif eth0.v100 --push-tag --set-vid 100 0 --rule-append
ifconfig eth0.v100 up

# Creating VLAN 200 and the Input / Output rules (guest network)
vlanctl --mcast --if-create eth0 200
vlanctl --if eth0 --rx --tags 1 --filter-vid 200 0 --pop-tag --set-rxif eth0.v200 --rule-append
vlanctl --if eth0 --tx --tags 0 --filter-txif eth0.v200 --push-tag --set-vid 200 0 --rule-append
ifconfig eth0.v200 up

# Creating VLAN 300 and the Input / Output rules (IoT network)
vlanctl --mcast --if-create eth0 300
vlanctl --if eth0 --rx --tags 1 --filter-vid 300 0 --pop-tag --set-rxif eth0.v300 --rule-append
vlanctl --if eth0 --tx --tags 0 --filter-txif eth0.v300 --push-tag --set-vid 300 0 --rule-append
ifconfig eth0.v300 up

# This is a very important step, otherwithse (if keep in ONT mode), the broadcasts received in 1 VLAN will be spread to others and your DHCP will become crazy.
vlanctl --if eth0 --set-if-mode-rg

# This command is not in the help page of vlanctl, but I found the tx table is ACCEPT by default, so, I changed to DROP. I think if not rule matches, then the packet will be blocked.
vlanctl --if eth0 --tx --tags 0 --default-miss-drop

# Organize the bridges, in my case, I have an additional WiFi 2,4/5Ghz for guests and only one 2,4Ghz for IoT (no need 5Ghz for IoT, at least for me).
brctl stp br0 on
brctl addbr br1
brctl addbr br2
brctl delif br0 wl0.1
brctl delif br0 wl1.1
brctl delif br0 wl0.2
brctl addif br0 eth0.v100
brctl addif br1 wl0.1
brctl addif br1 wl1.1
brctl addif br1 eth0.v200
brctl addif br2 wl0.2
brctl addif br2 eth0.v300

# Define IPs for new bridges
ifconfig br1 192.168.20.1 netmask 255.255.255.0 up
ifconfig br2 192.168.30.1 netmask 255.255.255.0 up

# Adjust NVRAM config
nvram set lan_ifnames="eth1 eth0.v100 eth3 eth4 eth5 eth6"
nvram set br0_ifnames="eth1 eth0.v100 eth3 eth4 eth5 eth6"
nvram set br1_ifname=br1
nvram set br1_ifnames="eth0.v200 wl0.1 wl1.1"
nvram set lan1_ifname=br1
nvram set lan1_ifnames="eth0.v200 wl0.1 wl1.1"
nvram set br2_ifname=br2
nvram set br2_ifnames="eth0.v300 wl0.2"
nvram set lan2_ifname=br2
nvram set lan2_ifnames="eth0.v300 wl0.2"
nvram set wl0.2_ap_isolate="1"
nvram commit

# eapd restart (when change NVRAM, it's necessary)
killall eapd
eapd

# So, the last step, if you want to communicate between LAN interfaces (1 to 4), you must disable HW Switching (this will increase the CPU usage, but my tests showed you can reach 1Gbps with no problem).
ethswctl -c hw-switching -o disable

echo "VLAN-support: finished"

5. $ chmod a+rx /jffs/scripts/*

6. $ reboot
 
Last edited:

Paul Smedley

Occasional Visitor
Thanks! I'm looking to do something similar at my holiday house, where I'll be running a Firewalla Purple as the router, with an AX58U in AP mode, and an AX56U connected via mesh. I'd like the SSID the guests use to have WAN access, but no intranet access. Hopefully I can adapt what you've done to my setup!
 

Paul Smedley

Occasional Visitor
Question: in the script you have the remark:

Code:
# With this script I'm going to use eth0 (physical port 3) to be my
# Trunk port to another router Asus RT-AC68U, so that I can split my
# Wi-Fi networks (Main Network, Guest Network and IoT Network).
How did you determin that eth0 was physical port 3?
 

Latest threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top