Here's a very simple explanation of VLANs: A packet being "tagged" for a
specific VLAN means that the packet's Ethernet header information contains
a number (between 1 and 4094 inclusive) that identifies the VLAN for which
that packet is intended. The intent of this mechanism is to allow a single
Ethernet cable to contain packets that belong to multiple "Virtual LANs".
Properly handling this traffic requires the equipment on both sides of the
link to be capable of handling the VLAN tag.
DD-WRT and pfSense are both capable of handling VLAN-tagged traffic
(though, as mentioned previously, some hardware on which DD-WRT runs can
have issues sometimes).
The way that you currently have your Wireless network set up, there is no
way for pfSense to know which clients on the Wireless are sending which
traffic because the Wireless Router is translating all of the traffic to
appear to be coming from its IP address (192.168.2.3 in your example).
Assuming you followed that guide to create wl0.1 connected to VLAN 15 and
wl0.2 connected to VLAN 5, here is what you would need to do to set up the
VLANs on the pfSense side:
1. Go to "Interfaces" -> "Assignments"
2. Go the the "VLANs" tab
3. Click "Add"
4. Set the settings for your first VLAN:
1. For "Parent Interface", choose the LAN port that the Wireless
router is connected to.
2. For "VLAN Tag", choose 5
3. Leave "VLAN Priority: unchanged
4. Set a description if you want.
5. Click "Save"
5. Repeat the previous step, choosing "VLAN Tag" 15 this time.
6. Go back to "Interfaces" -> "Assignments"
7. Under "Available Network Ports", you should see the two VLANs that
you created. Select each one from the list and click "Add"
8. You should now see two "OPTx" interfaces on the list. Configure each
of these as a LAN interface by selecting them from the "Interfaces"
dropdown. (Since you said you already have multiple LANs, you should be
familiar with this process.)
9. Configure firewall rules between the different interfaces as
necessary.
That should be enough to get you started.
Moshe
--
Moshe Katz
-- ***@ymkatz.net
-- +1(301)867-3732 <(301)%20867-3732>
Post by AntonioInteresting! Does this mean that by disabling the WAN port on the DD-WRT
device and getting it to act as switch, then the pfSense router device
actually sees multiple network domains on the same LAN port? I guess this
is probably due to the fact that I don't understand VLANs ...
Currently, I have LAN port on pfSense device set to 192.168.2.2 and WAN
port on DD-WRT set on 192.168.2.3. The wireless network is set on
192.168.3.X.
From what I understand from your guide, it would seem that you have
created virtual wireless networks (wl0.1, wll0.2) in STEP 2, then you
activate VLAN 5 and 15 and assign them to the WLAN port, then you create
the bridges which tells DD-WRT to assign wl0.1 to VLAN 15 via bridge 1 and
wl0.2 to VLAN 5 via bridge 2. Correct? This seems to be quite powerfull but
I guess the art is actually happening on the router (pfSense) where you
have to craft the firewall rules correctly or the there could be problems.
Is this where jmitchel's answer can help?
Thanks for your help both, much appreciated.
Antonio
--
Respect your privacy and that of others, don't give your data to big corporations.
Use alternatives like Signal (https://whispersystems.org/) for your messaging or
Diaspora* (https://joindiaspora.com/) for your social networking.
The most reliable way to do it is to set up two VLANs for your wireless,
with your Home network on one of them and your Guest network on the other,
and to configure the firewall rules in pfSense for the LAN-LAN traffic.
DD-WRT officially supports VLAN tagging (802.1q), but it only works on
some hardware. On other hardware, you need to use "Port-based" VLANs, which
would probably require an additional LAN port to be configured on your
pfSense.
Here are instructions for "Port-based" VLAN configuration, with an example
that uses three networks: https://community.sp
iceworks.com/how_to/32549-ddwrt-multiple-ssids-with-vlans
NOTE: I do not currently have hardware that is running DD-WRT at home, so
I am writing this from memory (and from links to resources I have used in
the past).
Also, note that you don't need to use the separate 2.4Ghz and 5Ghz radios
in order to do this. Most hardware supports running multiple SSIDs (a.k.a.
WiFi network names) on a single band, so you could have both of your WiFi
networks on both bands - 5Ghz for performance and 2.4Ghz for longer range.
Most modern dual-band devices will automatically pick the best oft eh two
signals.
--
Moshe Katz
-- +1(301)867-3732 <(301)%20867-3732>
Post by AntonioHi pfSense experts,
I was hoping you could help me with a config questions. I have pfSense
configured as main routed for my network. The WAN is connected to DSL
modem, one LAN on a ethernet switch and another LAN port on a Netgear
R8000 with dd-wrt installed. One of the cool features of the R8000 is
that it has two seperate wireless networks: 2.4GHz and 5GHz.
I wanted to use one for guest and only allow access to internet while
the other for permitted users (family members) that would also have
access to the local network. How am I going to achieve this on pfSense
though? is it a matter of closing access to local network for all IPs
coming from the AP except those I want to permit (family devices) or is
there a simpler way of doing this i.e. VLANs?
I look forward to your reponse.
Thank you
--
Respect your privacy and that of others, don't give your data to big corporations.
Use alternatives like Signal (https://whispersystems.org/) for your messaging or
Diaspora* (https://joindiaspora.com/) for your social networking.
_______________________________________________
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold