wanted: vlan for AC56U in AP-Mode


I had, but it made no difference. Now a dumb switch is in between and my machine is connected to it.
 
Right, problem is, it is the same parent interface. Otherwise I would just run the Asus on an interface with no IPv6 at all, but I only have one connection here.
If you have a spare interface on your pfSense you could use that dedicated to your IoT.

If you don't, how are you daisy chaining the switches? To make VLANs work you should connect the Asus WAN port to the pfSense and your other switch to the Asus LAN 1.

EDIT: I reread your post and it sounds like you only have one interface you can use on the pfSense. So if you want your IoT devices to be on their own VLANs you can only do it like above.
 
I think my testing before was flawed: I retested with just the Asus and no other dumb switches in between, and now everything looks good. So the problems must have come from the dumb switches; with only IPv4 there were no problems. Interesting.

I have several interfaces on the pfSense but only one connection to "my" room and I have to expand further from here.

Anyways, seems solved, thank you guys!
 
Good to hear that Bob.
Let's see if this is still the case tomorrow. ;)

Now things get more complicated, but I have to cope with that. For instance, another interface means another subnet. I could bridge them, but pfSense is sometimes really ugly, so I'd better not touch "LAN" on pfSense. But I'm getting really off-topic now.
 
> Let's see if this is still the case tomorrow. ;)
>
> Now things get more complicated, but I have to cope with that. For instance, another interface means another subnet. I could bridge them, but pfSense is sometimes really ugly, so I'd better not touch "LAN" on pfSense. But I'm getting really off-topic now.

It should ;)

Maybe you could dump the dumb switches and get a managed switch, they're selling for cheap these days, for example the Netgear GS105Ev2.

If you want to use a dedicated interface for IoT on the pfSense, you wouldn't need to bridge it with your main LAN, just like it isn't bridged now on the single interface you're using. You'd reuse the same subnet you're using for your IoT devices now. The traffic between subnets would be routed by the pfSense in the same way, just on a different physical interface vs. a subinterface of the same parent interface.
 
@grifo I know, the problem is the wiring here at my home. I have daisy chained the rooms in my apartment, no central point. And also I am using one "line" for a 10G direct connection, so I am really cheaping out on my networking equipment, but I like it this way, very environmentally friendly. :cool:
 
I've just looked on Amazon Germany (your country by the look of your profile) and the 8-port version of the Netgear is only 33 euros. I'd get one in a heartbeat; it's at 49.99 euros on my local Amazon, though it comes down sometimes with offers.
 
@grifo I have now plugged one dumb switch into the Asus in the "no VLAN port" and it seems to work fine. Also I have a quad-port NIC in my virtual (who guessed?) pfSense. And like I said, no central network point, so a managed switch probably wouldn't help much. Also the Asus has to be in the center of the apartment.
 
The problem came back right now, which is almost 24 hours later... I will now leave out the dumb switch even after the Asus for testing. :confused:
 
Sorry for the false alarm, it had nothing to do with the Asus. It looks like Suricata on pfSense was blocking my machine, although it never should do this in the first place.
 
@grifo Hope you are good and still around here sometimes.
Because of the FragAttack and that there are no fixes for my Asus, I managed to put it in a port-based VLAN on my switch for separation and stuff. Everything still works as before. Would it be possible to do that via scripts also? And even if it would, probably it is not a good idea anyway? Just curious.

Also I finally switched to HTTPS for the web interface, even if it is only local.
 
Hi Bob. WiFi attacks need physical proximity to the AP, so you have to assess what level of risk exists where the AP is located. Do you live in an isolated house in the countryside or in a city flat, and if the latter, do you have neighbours within range of your AP potentially able to attack your network, even if just for fun? For normal consumers, WiFi attacks from the street (other than taking advantage of an open network) are unlikely as they aren't worth the effort in most cases.

If you think the risk exists, separating your network with VLANs will help you only up to a certain extent as the attacker could still target the devices on the same VLAN as the WiFi network, for example your IoT devices which could be weak on security.

In that case, and if there is no fix for your router, the best thing to do is to buy something new; there are plenty of good options these days. If you just need an AP, since you're using pfSense as your router, it's best to get a dedicated AP with VLAN support out of the box. Search the forum for hints on what to get. Your risk assessment will also tell you if you need one ASAP or can wait until, say, Black Friday.

Not sure what you meant by doing that via scripts. So you have a Netgear managed switch now, right? Then you should use the 802.1Q VLAN configuration mode on the switch, not the Port-Based mode. Then on the Asus you can keep the same script you had when it was connected directly to the pfSense.
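To make the 802.1Q versus port-based distinction concrete, here is an added Python model (not code from this thread, nor from any Asus or Netgear firmware) of how an 802.1Q switch port classifies a frame by its tag or by the port PVID on ingress, and tags or untags it again on egress. The port definitions and VLAN IDs are constructed for illustration; VLAN 20 stands in for the IoT VLAN.

```python
import struct
TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q tag

def build_frame(dst, src, ethertype, payload, vid=None, pcp=0):
    """Build an Ethernet II frame; insert an 802.1Q tag when vid is given."""
    hdr = dst + src
    if vid is not None:
        tci = (pcp << 13) | (vid & 0x0FFF)  # priority, DEI=0, 12-bit VLAN ID
        hdr += struct.pack("!HH", TPID_8021Q, tci)
    return hdr + struct.pack("!H", ethertype) + payload

def parse_vlan(frame):
    """Return (vid or None, inner ethertype, payload) for a frame."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == TPID_8021Q:
        tci = struct.unpack("!H", frame[14:16])[0]
        return tci & 0x0FFF, struct.unpack("!H", frame[16:18])[0], frame[18:]
    return None, ethertype, frame[14:]

def ingress_vlan(frame, port):
    """Classify an incoming frame the way an 802.1Q switch port does.
    port = {"pvid": native VLAN id, "tagged": set of VLAN ids accepted tagged}.
    Untagged frames land in the PVID; tagged frames pass only for member VLANs."""
    vid, _, _ = parse_vlan(frame)
    if vid is None:
        return port["pvid"]
    return vid if vid in port["tagged"] else None

def egress_frame(frame, vid, port):
    """Rewrite a frame for an egress port: tagged for tagged members,
    untagged for the PVID, None if the port is not in that VLAN at all."""
    _, ethertype, payload = parse_vlan(frame)
    dst, src = frame[:6], frame[6:12]
    if vid in port["tagged"]:
        return build_frame(dst, src, ethertype, payload, vid=vid)
    if vid == port["pvid"]:
        return build_frame(dst, src, ethertype, payload)
    return None

# Constructed example: the AP sits on a trunk port carrying the IoT VLAN 20 tagged,
# pfSense on a second trunk port, a wired IoT device on an access port (PVID 20).
AP_PORT = {"pvid": 1, "tagged": {20}}
PFSENSE_PORT = {"pvid": 1, "tagged": {20}}
IOT_ACCESS_PORT = {"pvid": 20, "tagged": set()}
MAIN_LAN_PORT = {"pvid": 1, "tagged": set()}

def forward(frame, in_port, out_port):
    """Ingress on one port, egress on another; None means the frame is dropped."""
    vid = ingress_vlan(frame, in_port)
    return None if vid is None else egress_frame(frame, vid, out_port)
```

With only a PVID set on the AP's port (port-based mode), the tagged VLAN 20 frames from the AP would not be accepted as members and the IoT VLAN could not reach pfSense; with the AP port a tagged member of VLAN 20, they pass to the pfSense trunk port and are kept away from the untagged main LAN port.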
 
Hi @grifo
I am living in a dense city, dozens of WiFis all around me.
On my Zyxel switch I am using the PVID for the port the Asus is connected to. I thought about the idea of using OpenVPN for the clients on WiFi, but it would only be possible for some devices, not IoT.
Also I don't know about the urgency of it all; that FragAttack is probably not that practical.

But if you have a hint what to buy next, WiFi and some LAN ports and VLAN, please let me know per PM.
 
OK, then the risk exists, I'd get something new by Black Friday at the very latest or earlier depending on budget.

You need a managed switch that supports 802.1Q VLANs and a WiFi Access Point.

Does your Zyxel switch support 802.1Q VLANs? Otherwise I would get an 8-port Netgear switch like the GS108E.

For the WiFi AP, the TP-Link EAP225 has had good reviews and is popular on this forum. TP-Link also have newer AX APs like the EAP620 HD that may be worth the extra money for the longer support you'd get as well as for the newer hardware.
 
> Does your Zyxel switch support 802.1Q VLANs?

Yes it does. But the real beauty of a router doing VLANs, like the Asus did thanks to you, is that you have another VLAN switch and VLAN access point in one device. And I need this in "my" room; the Zyxel is elsewhere next to the pfSense.
That is why I would prefer a router, maybe with OpenWRT, because Asus still doesn't do VLANs.
 
OK, then go for one of the routers with the best OpenWRT support; I don't know what to suggest as I've never looked into that. Yes, unfortunately Asus doesn't support custom VLANs, and with the newer routers it is more difficult to do that with scripts than it was with the older routers. At this point it wouldn't make sense to buy a second-hand older Asus router just for that.
 