guest network overlay

CraziFuzzy

So I'm wanting to build a guest network in my home that provides internet access but that is it. Not a real need for ultra high security, just different subnets would be enough. The problem is the few write-ups I've seen for this utilize VAP configurations on wireless routers. That's fine, but for me, my router (pfsense) is not the same as my access points (wrt54g w/dd-wrt). I need to figure out the best way to use the VAP on the access points and direct known MACs to one interface on the router, and unknowns to another.

Any thoughts?
 
I would think you would need a wireless which supports VLANs, a separate VLAN for your guest network or run a separate AP for your guest network. Separate networks can coexist on the same physical switch.

And that would be fine, as pfsense and DD-WRT both have no issues handling VLAN tagging - unfortunately, I'm not sure what my unmanaged switch will do with the tags. It's a shame, as really all that would be required would be some 'relaxed' requirements on the DHCP server in pfsense (to allow giving out IPs in two different subnets), and the ability to have 2 listening routers on pfsense to route internet traffic from either subnet. (Actually, it looks like my current switch, a Netgear JFS524, may pass the tags untouched, so that very well might work - which means now I have to learn how to set up the tagging on each end).
Did some more playing around, but I'm definitely in over my head on this. I was able to create the virtual SSID in DD-WRT, and my phone can see it and attempt to connect to it. It, however, doesn't get assigned an IP. I have a VLAN set up for it on the pfsense, but it doesn't seem to be making it there to even look for it - the vlan interface on pfsense is showing 0 incoming packets - not sure how/if I'll be able to get that all sorted.
 
You might want to try a laptop first and manually assign an IP address. This will tell you whether the networking is working. Is your VLAN running across a trunked cable or is the VLAN on a separate port back to the pfsense?

PS
Just to start you might want to assign the guest SSID to the VLAN on a different port on the wireless router and connect the guest VLAN port to the pfsense guest VLAN port. See if pfsense sees it now.

I was attempting to use a tagged vlan, so it could reside on the same cable. My wireless access points are not located anywhere near my router, so running a separate feed for the guest lan would not be possible - if I was to do that, I'd just pick up a different router and locate it centrally for the guest LAN and keep it completely separate.
 
I was just thinking you might want to move one of the AP close to test pfsense without the rest of the network in the picture. If it works then start expanding out by adding the rest of the network in.

A tagged VLAN can run on a trunk or by itself on a separate port. You will need to setup the trunk port to run multiple tagged VLANs.
I just looked up your Netgear JFS524 and it does not look like it will support tagged VLANs. Why do you think it will pass tagged VLAN traffic? It may end up truncating the VLAN tags.
 
I thought I had read that somewhere in NetGear's site. I would imagine most cheap switches don't waste the time to strip out anything after the MAC addresses.

Sent from my DROID RAZR using Tapatalk
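The two posts above disagree on what an unmanaged switch does with an 802.1Q tag, and the symptom in the thread (the VLAN sub-interface on pfSense counting 0 incoming packets) is exactly what tag stripping looks like from the receiving end. The following is an added illustration, not code from the thread or from pfSense or DD-WRT: it builds a tagged Ethernet frame, parses it, models a switch that strips the tag, and shows which pfSense interface would end up seeing each frame. The MAC addresses and VLAN ID 20 are constructed sample values; the "legacy switch" size check models the separate failure mode where a switch forwards tags but drops full-size tagged frames as oversize.

```python
import struct

TPID_8021Q = 0x8100          # EtherType value that announces an 802.1Q tag
MAX_UNTAGGED_FRAME = 1518    # classic Ethernet maximum including the 4-byte FCS


def _mac(text):
    """Convert 'aa:bb:cc:dd:ee:ff' to 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))


def build_frame(dst_mac, src_mac, ethertype, payload, vlan_id=None, pcp=0):
    """Build an Ethernet II frame, inserting an 802.1Q tag when vlan_id is given.
    The FCS is omitted, as it is when frames are handed to software."""
    header = _mac(dst_mac) + _mac(src_mac)
    if vlan_id is not None:
        if not 1 <= vlan_id <= 4094:
            raise ValueError("VLAN ID must be between 1 and 4094")
        tci = (pcp << 13) | vlan_id      # PCP in the top 3 bits, DEI left 0, VID in the low 12
        header += struct.pack("!HH", TPID_8021Q, tci)
    return header + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return (vlan_id or None, ethertype, payload) for a frame without FCS."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    outer = struct.unpack("!H", frame[12:14])[0]
    if outer != TPID_8021Q:
        return None, outer, frame[14:]      # untagged frame
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q header")
    tci, inner = struct.unpack("!HH", frame[14:18])
    return tci & 0x0FFF, inner, frame[18:]


def untag(frame):
    """Model a switch that strips the tag: the 4 tag bytes after the MACs disappear."""
    vid, _, _ = parse_frame(frame)
    return frame if vid is None else frame[:12] + frame[16:]


def too_big_for_legacy_switch(frame):
    """A full-size tagged frame is 4 bytes over 1518 on the wire (a 'baby giant');
    some older unmanaged switches discard it as oversize instead of forwarding it."""
    return len(frame) + 4 > MAX_UNTAGGED_FRAME   # +4 for the FCS not carried here


def receiving_interface(frame, guest_vid):
    """Which pfSense interface sees the frame: the VLAN sub-interface, the
    untagged parent, or none at all."""
    vid, _, _ = parse_frame(frame)
    if vid == guest_vid:
        return "guest VLAN sub-interface"
    if vid is None:
        return "parent interface (untagged)"
    return "dropped (no sub-interface for VLAN %d)" % vid


if __name__ == "__main__":
    # Constructed sample: an ARP request from a guest client on VLAN 20
    arp = build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55", 0x0806,
                      b"\x00\x01\x08\x00", vlan_id=20)
    print("switch passes tag  ->", receiving_interface(arp, 20))
    print("switch strips tag  ->", receiving_interface(untag(arp), 20))
```

Both outcomes reproduce the thread's observation: a stripped tag lands the guest's DHCP discover on the untagged parent (the LAN), where the LAN DHCP server is unlikely to answer a client it never sees on the guest sub-interface, and the VLAN counter stays at zero. A packet capture on the pfSense parent interface that shows the guest client's frames arriving without an `802.1Q` header is the direct confirmation.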
 
You know, I may have figured out a better way to deal with this without vlans. I could create an openvpn server in pfsense, and have the guest bridge on the access points connected to it. This will encapsulate all the guest traffic in the vpn stream, and get it routed to the router separately, regardless of what lies in the path.

Sent from my DROID RAZR using Tapatalk

By default, pfSense will not assign the NAT rules or DHCP server on newly added interfaces.

You'll need to go to Services -> DHCP server -> Guest VLAN interface and enable the DHCP server.

Then go to Firewall -> NAT -> Outbound.
Switch from Automatic Outbound NAT to Manual Outbound NAT.
Clone the "Auto created rule for LAN to WAN" Rule but amend the source subnet to the subnet you created for the Guest VLAN interface.

To prevent guests from reaching the LAN subnet, head over to the Firewall -> Rules page. Click on the Guest VLAN interface tab.
Amend the default rule so that the destination is:
Check "Not", Type: "Network", Address: Lan subnet address & CIDR.

Go to the LAN interface tab and do the same for the default rule except that you enter the Guest VLAN subnet information instead.
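The isolation rules described above are easy to get subtly wrong, so here is an added model of pfSense's per-interface, first-match, default-deny evaluation run against the posted rule set. This is illustrative code, not anything from pfSense or the thread; the subnets (192.168.1.0/24 for LAN, 192.168.20.0/24 for the guest VLAN), the firewall's own addresses and the test hosts are constructed values. It also shows the gap a practitioner would check for: "Not LAN subnet" excludes only the LAN network, so a guest can still reach the firewall's other addresses (for example its WAN address), and a tightened variant that blocks the firewall itself while still permitting guests to reach their own gateway for DHCP and DNS. (Current pfSense versions offer "This Firewall (self)" as a rule destination for that purpose.)

```python
from ipaddress import ip_address, ip_network

# Constructed addressing for the example; substitute your own.
LAN_NET   = ip_network("192.168.1.0/24")
GUEST_NET = ip_network("192.168.20.0/24")
GUEST_GW  = ip_address("192.168.20.1")          # pfSense address on the guest VLAN
FIREWALL_ADDRS = {ip_address("192.168.1.1"),    # LAN address
                  GUEST_GW,                     # guest VLAN address
                  ip_address("203.0.113.5")}    # WAN address (documentation range)


class Rule:
    """One line on a pfSense interface tab. dst is a network, a set of
    addresses, or 'any'; negate_dst models the 'Not' checkbox."""

    def __init__(self, iface, action, src, dst="any", negate_dst=False):
        self.iface, self.action = iface, action
        self.src, self.dst, self.negate_dst = src, dst, negate_dst

    def matches(self, iface, src, dst):
        if iface != self.iface or src not in self.src:
            return False
        hit = True if self.dst == "any" else dst in self.dst
        return (not hit) if self.negate_dst else hit


def evaluate(rules, iface, src, dst):
    """pfSense semantics: a tab's rules filter traffic entering that interface,
    the first matching rule wins, and unmatched traffic is blocked."""
    src, dst = ip_address(src), ip_address(dst)
    for rule in rules:
        if rule.matches(iface, src, dst):
            return rule.action
    return "block"


# The rule set from the post: each side may go anywhere except the other side.
POSTED_RULES = [
    Rule("GUEST", "pass", GUEST_NET, LAN_NET,   negate_dst=True),
    Rule("LAN",   "pass", LAN_NET,   GUEST_NET, negate_dst=True),
]

# Tightened variant: guests may reach their own gateway (DHCP/DNS) but none of
# the firewall's other addresses, evaluated before the general 'not LAN' pass.
TIGHTENED_RULES = [
    Rule("GUEST", "pass",  GUEST_NET, {GUEST_GW}),
    Rule("GUEST", "block", GUEST_NET, FIREWALL_ADDRS),
    Rule("GUEST", "pass",  GUEST_NET, LAN_NET,   negate_dst=True),
    Rule("LAN",   "pass",  LAN_NET,   GUEST_NET, negate_dst=True),
]


def isolation_report(rules):
    """Probe the policy with the cases that matter for a guest network."""
    guest, lan_host, internet = "192.168.20.50", "192.168.1.10", "198.51.100.7"
    return {
        "guest->internet":    evaluate(rules, "GUEST", guest, internet),
        "guest->LAN host":    evaluate(rules, "GUEST", guest, lan_host),
        "guest->LAN gateway": evaluate(rules, "GUEST", guest, "192.168.1.1"),
        "guest->WAN address": evaluate(rules, "GUEST", guest, "203.0.113.5"),
        "guest->own gateway": evaluate(rules, "GUEST", guest, str(GUEST_GW)),
        "LAN->guest host":    evaluate(rules, "LAN", lan_host, guest),
        "LAN->internet":      evaluate(rules, "LAN", lan_host, internet),
    }


if __name__ == "__main__":
    for name, rules in (("posted", POSTED_RULES), ("tightened", TIGHTENED_RULES)):
        print(name)
        for case, verdict in isolation_report(rules).items():
            print("  %-20s %s" % (case, verdict))
```

The model deliberately ignores ports and protocols: the point is the address logic of the "Not" destination. pfSense adds its own hidden rules allowing DHCP on any interface running a DHCP server, but DNS from guests to the guest gateway needs an explicit pass if you add a rule blocking the firewall itself, which is why the tightened set puts that pass first.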

Thanks for the pointers. I had set up the DHCP on the guest interface, but the problem was the packets simply never got to the pfsense machine. The VPN route seems cleaner at this point, than trying to wedge vlan where it doesn't really belong, just need to sort out the vpn connection on the dd-wrt end (for some reason it was not working using the built-in openvpn UI).
 
Sounds like your switch doesn't pass VLAN tagged packets through unmolested. If you really want to try out a VLAN setup, you can do a direct cabled connection from pfSense to the router.

On a side note, VPN encryption can (and will) bog down your router, especially the WRT. You might want to setup an unencrypted tunnel using L2TP if the only purpose is to help you divert traffic.

I'm not sure what features DD-WRT offers these days (the last I played with that was Thibor when the 54GS was the router of choice) but a better method might be to use non-NAT routing. Giving your guest network a separate routed subnet with pfSense as the gateway and setting up firewall rules on the WRT to block connections to the main LAN except to the pfSense gateway IP should work fine.
Just need to setup a static route entry in pfSense to direct all traffic to the guest subnet via the WRT 'WAN' IP as the next-hop gateway.
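The routed (non-NAT) design in the post above fails in a predictable way if the static route is forgotten: pfSense has no route back to the guest subnet, so replies follow the default route out the WAN. The added example below, which is illustrative code and not from pfSense, DD-WRT or the thread, models pfSense's longest-prefix route lookup before and after adding the static route, and the WRT-side rule that admits only the pfSense gateway address from the LAN. The addresses are constructed: pfSense LAN 192.168.1.1/24, the WRT's 'WAN' port at 192.168.1.2 on that LAN, the guest subnet 192.168.20.0/24 behind it, and 203.0.113.1 as the ISP gateway.

```python
from ipaddress import ip_address, ip_network

LAN_NET    = ip_network("192.168.1.0/24")
GUEST_NET  = ip_network("192.168.20.0/24")
PFSENSE_LAN_IP = ip_address("192.168.1.1")
WRT_WAN_IP = ip_address("192.168.1.2")   # the WRT's 'WAN' side, sitting on the LAN

# (destination, next hop or None when directly connected, egress interface)
PFSENSE_ROUTES = [
    (ip_network("0.0.0.0/0"), ip_address("203.0.113.1"), "WAN"),
    (LAN_NET, None, "LAN"),
]


def lookup(routes, dst):
    """Longest-prefix match, as a routing table resolves a destination."""
    dst = ip_address(dst)
    best = None
    for net, nexthop, iface in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nexthop, iface)
    return best


def with_static_route(routes):
    """Add the post's static route: guest subnet via the WRT's LAN-side address.
    The egress interface is whichever connected route reaches the next hop."""
    connected = lookup(routes, WRT_WAN_IP)
    if connected is None or connected[1] is not None:
        raise ValueError("next hop %s is not on a directly connected network" % WRT_WAN_IP)
    return routes + [(GUEST_NET, WRT_WAN_IP, connected[2])]


def reply_path(routes, guest_host):
    """Where pfSense sends a packet destined for a guest client."""
    net, nexthop, iface = lookup(routes, guest_host)
    return {"iface": iface,
            "next_hop": "direct" if nexthop is None else str(nexthop),
            "via_route": str(net)}


def wrt_guest_rule(dst):
    """The WRT-side rule from the post: guests may not reach the main LAN
    except the pfSense gateway; everything else (the internet) is passed."""
    dst = ip_address(dst)
    if dst in LAN_NET and dst != PFSENSE_LAN_IP:
        return "block"
    return "pass"


if __name__ == "__main__":
    print("without static route:", reply_path(PFSENSE_ROUTES, "192.168.20.50"))
    print("with static route:   ", reply_path(with_static_route(PFSENSE_ROUTES), "192.168.20.50"))
```

With NAT turned off on the WRT, the guest addresses are what pfSense sees, so the manual outbound NAT entry for the guest subnet from the earlier post is still required for those clients to reach the internet; without it pfSense forwards their packets to the WAN with private source addresses.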