Guest Networks while using a PFSense Box


Eric Lieb

Senior Member
I am switching from using my AX86S as a router to just a wireless AP and have ordered a mini PC to run pfSense on. Is there any way to still have the AX86S do a client-isolation guest network, or do I need to get another router and manage that as a VLAN that is independent?
 
As the FAQ linked to in the previous posts says, if the Asus is configured in AP mode and connected to your new router by Ethernet, guest isolation won't work. There are ways around this by using scripts to create VLANs (there are posts on the forum describing this).
 
Hello! I ran into a similar situation and wanted to give some guidance, as I don't see this talked about on the internet... hope it helps those with GoogleFu.

ASUS Guest Network isn't useful when you need to share the same physical network between wireless guests and wired clients on the same AP. Guest mode is best when the WAN port of the router can be used for internet, such that guests get internet but no LAN. Having multiple Asus routers in AP mode on a flat network with no VLANs... I needed a way to separate newly added Wi-Fi devices and some work equipment.

Idea:
- Use a special pfSense DHCP option to segregate new (Wi-Fi) clients from the rest of the network

Solution:
- Set the pfSense LAN interface to 192.168.1.1 with subnet mask 255.255.254.0 _and_ add Virtual IP alias 192.168.0.1/24
- The pfSense DHCP server has an optional field "Additional BOOTP/DHCP Options"; per the included IANA URL, option 1 is "Subnet Mask". Set type to "IP address or host" and use value "255.255.255.0" -- this syntax wasn't well documented.
- Set DHCP pool to 192.168.0.100-192.168.0.110 - "Guest Range"
- Set DNS servers to 192.168.1.1 and 192.168.0.1
  - New clients get subnet mask /24 and will not be able to talk directly to 192.168.1.x clients.
- Set firewall rule to block 192.168.0.x <-> 192.168.1.x.
  - What about some special devices that need to talk to devices in both ranges?
    - Add a firewall exception for the trusted bridge machine OR add an IP alias to the machine so it has both a 0.x and a 1.x IP
- Newly connected Wi-Fi devices are now "isolated" for easy firewall rule management
- IoT devices are mostly hard-wired with static IPs in the 0.x range

Con:
- As you add new devices to the network, you must add them to a DHCP static reservation, under 192.168.1.x "Trusted machines" or 192.168.0.x (and override the gateway to 0.1), or set a static IP, but that's good for identity management on your network anyway...

Conclusion:
Yes, a bad actor could still overcome the basic subnet restriction, but it's a layer of protection against casual snooping or bad software running on a friend's PC who comes to visit... or to isolate zealous work security software from scanning network clients/public shares.

Any thoughts on this method?
 
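The subnet-mask trick in the post above only works because a /24 guest treats 192.168.1.x as off-link and hands the packet to pfSense, where the block rule can act on it. The Python sketch below is an added example (not from the thread and not pfSense code) that models the addressing with the standard `ipaddress` module to show which flows the firewall rule can actually see. The host addresses, the bridge host at 192.168.1.20 and the simplified rule set are constructed for illustration.

```python
from ipaddress import IPv4Address, IPv4Interface, IPv4Network

# Constructed sample hosts, laid out as in the post (addresses are illustrative).
PFSENSE_LAN = IPv4Address("192.168.1.1")     # LAN interface, real mask /23
PFSENSE_ALIAS = IPv4Address("192.168.0.1")   # virtual IP alias for the 0.x range
TRUSTED = IPv4Interface("192.168.1.50/23")   # static reservation, keeps the /23
GUEST = IPv4Interface("192.168.0.105/24")    # pool client, DHCP option 1 = 255.255.255.0
BRIDGE = IPv4Interface("192.168.1.20/23")    # hypothetical host granted a firewall exception

GUEST_NET = IPv4Network("192.168.0.0/24")
TRUSTED_NET = IPv4Network("192.168.1.0/24")


def next_hop(src: IPv4Interface, dst: IPv4Address, gateway: IPv4Address) -> str:
    """Routing decision a host makes with its own mask: a destination inside
    src.network is reached directly (ARP over the switch, pfSense never sees it);
    anything else is handed to the default gateway."""
    return "direct" if dst in src.network else f"via {gateway}"


def firewall_permits(src: IPv4Address, dst: IPv4Address,
                     exceptions: frozenset = frozenset()) -> bool:
    """Simplified model of the LAN rule set from the post: block 0.x <-> 1.x in
    both directions unless one endpoint is an explicitly excepted bridge host."""
    if src in exceptions or dst in exceptions:
        return True
    crosses = ((src in GUEST_NET and dst in TRUSTED_NET)
               or (src in TRUSTED_NET and dst in GUEST_NET))
    return not crosses


def flow_outcome(src: IPv4Interface, dst: IPv4Interface, gateway: IPv4Address,
                 exceptions: frozenset = frozenset()) -> str:
    """Only routed traffic passes through pfSense, so the filter applies only
    when next_hop() says the packet leaves via the gateway."""
    if next_hop(src, dst.ip, gateway) == "direct":
        return "delivered (on-link, not filtered)"
    if firewall_permits(src.ip, dst.ip, exceptions):
        return "delivered (routed, permitted)"
    return "blocked by pfSense"


def guest_to_trusted() -> str:
    """Guest honours the /24 from DHCP, so 192.168.1.50 is off-link and filtered."""
    return flow_outcome(GUEST, TRUSTED, PFSENSE_ALIAS)


def trusted_to_guest() -> str:
    """Trusted host has the real /23, so 192.168.0.105 is on-link and unfiltered."""
    return flow_outcome(TRUSTED, GUEST, PFSENSE_LAN)


def guest_to_bridge() -> str:
    """The bridge exception from the post lets routed guest traffic through."""
    return flow_outcome(GUEST, BRIDGE, PFSENSE_ALIAS, frozenset({BRIDGE.ip}))


def guest_ignoring_dhcp_mask() -> str:
    """Same guest, but configured by hand with the LAN's real /23: 192.168.1.x
    becomes on-link and the rule never gets a chance to apply. This is the
    limit the post's conclusion refers to."""
    return flow_outcome(IPv4Interface("192.168.0.105/23"), TRUSTED, PFSENSE_ALIAS)


if __name__ == "__main__":
    for name, fn in [("guest -> trusted", guest_to_trusted),
                     ("trusted -> guest", trusted_to_guest),
                     ("guest -> bridge (exception)", guest_to_bridge),
                     ("guest with /23 -> trusted", guest_ignoring_dhcp_mask)]:
        print(f"{name:30s} {fn()}")
```

Two things fall out of the model that are easy to miss when configuring this by hand. First, the isolation is asymmetric: a trusted /23 host sends to a guest directly over the switch, but the guest's replies are routed through 192.168.0.1 and dropped, so connection-oriented traffic still fails while one-way packets from the trusted side do reach the guest. Second, the filter depends entirely on the client keeping the /24 it was handed; it is a convenience boundary for well-behaved devices, which matches the post's own conclusion.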
