pfSense with Wireless NIC as access point - Also traffic isolation

Hey Guys,

I have a functioning pfSense router set up with Snort and Squid cache. I have 4 Ethernet NICs, each creating its own subnet for traffic isolation. What I am asking is: if I were to add a wireless NIC to my setup, would I be able to turn my router into a WiFi router?

Also, does anyone have a better way of isolating traffic (I run a computer business, and a virus on a customer's machine must not be able to talk to my local subnet, etc.) than my current NIC and subnet setup?

I have previously used pfSense as a WLAN AP, even with multiple SSIDs. Sadly my new pfSense motherboard/WLAN combo does not seem to get along, so I'm currently using an external AP.

Have a look here for some instructions: https://marcus-e.se/2016/07/21/diy-pfsense-firewallrouter-part-3-wireless-access-point/


Thanks mate,

What about my traffic isolation: do you think using a separate NIC for each separate subnet is the best option?

Also :) the reason I had an issue is that I haven't plugged the WiFi NIC in yet, which is why I didn't see the WiFi options haha

Sorry for my ignorance

You can set up everything with NICs, but you can only hold so many NICs in one chassis. You need to use VLANs and firewall rules to isolate a network for expansion in the future.

Using separate NICs should be fine as long as you don't need that many subnets. I currently have three NICs in mine: one goes to WAN and the other two go to my switch, on which I've set up VLANs to isolate the traffic.

In my opinion VLANs are a better option than multiple NICs, as you can add as many subnets as you want on the fly (I think my switch has a hard limit of 32 VLANs though).

In the picture below, DMZ, ISOWIFI, GUEST, IOT, and ISOLAN are all VLAN interfaces and go to one of the two NICs I've connected to the switch. WiFi is also technically a VLAN, but it's untagged and connects to my AP through the switch.

What are you using in your DMZ?

Mostly just my server which is running services that I need to access outside of my local network.

So you do this and harden the server as opposed to port forwarding?

Not at the moment; I still port forward, but I use it to keep my server separate from the local network.

1: Putting a wireless device in pfSense is fraught with issues. There have been tons of posts about it here, and on pfSense forums.

2: VLAN tagging is what you want to do. You can have multiple VLANs (even bridged to your other subnets) on a single interface.

3: Something like a Ubiquiti UniFi wireless access point system will totally accomplish everything you want. Separate WiFi/SSID per VLAN, etc. And yes, pfSense will do all the routing you could possibly want.


Beat me to it. Just connect an AP to the pfSense router instead of making it wireless. Always use designated devices for their designated duties.

VLAN tagging is your best bet if you have a managed switch capable of tagging your traffic correctly. It'll greatly de-complicate your network.


Sorry again for my ignorance - VLANs have always confused me. My current setup is four NICs: WAN, INTERNAL, WORKSHOP and AP. Each has its own subnet for traffic isolation. I have also created rules in my firewall to stop WORKSHOP and INTERNAL communicating, because, as I have said previously, customer gear is on the WORKSHOP subnet and my gear is on the INTERNAL subnet. The backbone of my workshop network is an unmanaged switch, along with another unmanaged switch on the internal side. I just use DHCP for addressing on both NICs.

Really appreciate the help guys. Networking and I don't agree all the time haha

Well, no time like the present to start learning and using them. Ask whatever questions you need and we will try to answer them.

:) Okay, well, VLANs: how do I get the devices on the other end to find and use the subnets that I want them to? This is why I am using several NICs. I need traffic isolation between WORKSHOP and INTERNAL, but I don't really care about the rest talking to each other. Would make my printer setups easier haha

You will need one managed switch. You set up VLANs on pfSense and then go into the managed switch and designate which ports are assigned to which VLANs. Then you plug those devices into the ports that you want on that VLAN.
Each VLAN will be its own subnet and have its own DHCP server.
Set up some firewall rules for what you want to have access to the Internet or other VLANs. Also set up rules for what can't access the Internet or other VLANs.

It's called tagging. You would set up your pfSense and managed switches to tag certain ports and associate those tags with certain DHCP subnets. On the endpoints you untag those on the managed switch and the endpoint gets the correctly associated DHCP address.

Then you setup firewall rules and routing tables for who can access what.
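The two replies above both end with "set up firewall rules" for who may reach what. The part that trips people up is how pfSense evaluates them: rules live on the interface where the traffic enters, the first matching rule wins, and anything no rule matches is dropped by the implicit default deny. The following is an added example, not code from the thread or from pfSense, that models exactly that ordering for the poster's WORKSHOP interface. The interface names come from the thread; the 10.0.x.0/24 subnets, the gateway address, the ports and the rule order are assumptions. It shows the usual way isolation silently fails (an "allow any" rule above the block rule makes the block unreachable) next to an order that actually isolates customer machines from everything private while still letting them out to the Internet.

```python
"""Toy model of pfSense-style interface rules: evaluated on the interface
where traffic enters, first match wins, unmatched traffic is dropped.
Constructed example for the thread above; not pfSense code."""
import ipaddress
from dataclasses import dataclass, field

# Assumed subnets, one per VLAN/interface (thread's names, made-up addresses)
NETS = {
    "INTERNAL": ipaddress.ip_network("10.0.10.0/24"),
    "WORKSHOP": ipaddress.ip_network("10.0.20.0/24"),
    "AP":       ipaddress.ip_network("10.0.30.0/24"),
}
WORKSHOP_GW = ipaddress.ip_network("10.0.20.1/32")   # pfSense's own address on WORKSHOP
# The three RFC 1918 ranges; "not private" is a good working definition of "Internet"
PRIVATE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Rule:
    action: str                                # "pass" or "block"
    dst: list = field(default_factory=list)    # destination networks; empty = any
    dports: set = field(default_factory=set)   # destination ports; empty = any
    note: str = ""

    def matches(self, dst_ip, dport):
        ip_ok = not self.dst or any(dst_ip in n for n in self.dst)
        port_ok = not self.dports or dport in self.dports
        return ip_ok and port_ok


def evaluate(rules, dst_ip, dport):
    """Action of the first matching rule, or 'block' from the default deny."""
    ip = ipaddress.ip_address(dst_ip)
    for rule in rules:
        if rule.matches(ip, dport):
            return rule.action
    return "block"


# The common mistake: the default "allow any" stays on top, so the block
# rule under it is never consulted (first match wins).
WORKSHOP_LEAKY = [
    Rule("pass", note="allow WORKSHOP to any"),
    Rule("block", dst=[NETS["INTERNAL"]], note="never reached"),
]

# Working order: let customer machines resolve names via pfSense, block every
# private range (INTERNAL, AP, and anything added later), then allow the rest.
# pfSense adds its own rule for its DHCP server, so only DNS is listed here.
WORKSHOP_ISOLATED = [
    Rule("pass", dst=[WORKSHOP_GW], dports={53}, note="DNS to pfSense"),
    Rule("block", dst=PRIVATE, note="no RFC 1918 destinations"),
    Rule("pass", note="everything else, i.e. the Internet"),
]


def isolation_check(rules):
    """Probe the cases the poster cares about; returns {case: action}."""
    return {
        "workshop->internal_smb": evaluate(rules, "10.0.10.5", 445),
        "workshop->ap_printer": evaluate(rules, "10.0.30.9", 9100),
        "workshop->pfsense_dns": evaluate(rules, "10.0.20.1", 53),
        "workshop->internet_https": evaluate(rules, "203.0.113.10", 443),
    }


if __name__ == "__main__":
    for name, rules in (("leaky", WORKSHOP_LEAKY), ("isolated", WORKSHOP_ISOLATED)):
        print(name, isolation_check(rules))
```

In the pfSense GUI the same thing is usually done with an alias holding the three private ranges, used either in a block rule placed above the pass rule or as an inverted ("not") destination on the pass rule itself. Whichever form you use, the check that matters is the one in `isolation_check`: try a connection from a WORKSHOP host to an INTERNAL address and confirm it fails, rather than trusting that the block rule exists somewhere in the list.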

Okay, so I just need a managed switch big enough to handle my different subnet requirements? I.e. if I only want to be using about 4 subnets, a managed switch with four ports and pfSense with 2 NICs would be fine? Am I getting that right?

How does each VLAN have its own DHCP? Do I set it up in pfSense?

I imagine using VLANs will make it much easier for me to hide my NAS from other internal devices etc

You can actually run all your VLAN tags through 1 cable; each NIC port can have multiple tags on the firewall/switch. So what you want to do is create arbitrary VLAN numbers for each VLAN, i.e.

Shop 1
Wireless 10
House 100
Banana Phone 110
etc.

The number is the VLAN tag number, and you add DHCP pools to that VLAN tag number. So if you want VLAN tag 1 to be 10.100.10.1/28 and VLAN tag 10 to be 172.1.50.12/24, you can do that. Then you tag your NIC connecting to the managed switch with all your VLAN tag numbers.

On your managed switch you set up your VLAN tags the same way you did on the firewall, with the same numbers, then tag the port from the firewall with all of the VLANs. Then you untag whatever port connects to an AP/computer.

So if port 1 connects to the firewall with VLAN 1/10/100/110, you tag all of those numbers. If port 2 is your banana phone, you untag VLAN number 110. If your house is on port 3, you untag that to VLAN 100.

You tag between switches as well, btw. Tagging carries VLAN data. You untag the endpoints because they don't care about VLAN data; they just want a connection. There are exceptions, but that's typically how it's done.
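"Tagging carries VLAN data" is literally a 4-byte header inserted after the MAC addresses of each Ethernet frame. The following is an added example, not code from the thread or from any switch or pfSense, that builds and strips that 802.1Q tag and pushes frames through a toy switch wired the way the reply above describes: port 1 trunks VLANs 1/10/100/110 to the firewall, port 2 is the "banana phone" untagged on 110, port 3 is the house untagged on 100. The MAC addresses and payload are constructed, the switch does simple flooding within a VLAN rather than MAC learning, and one of "the exceptions" is made explicit: a tagged frame arriving on an untagged (access) port is dropped, because a port that honoured such a tag would let the endpoint pick its own VLAN.

```python
"""Minimal 802.1Q model: insert/strip VLAN tags and forward frames through a
toy switch with tagged (trunk) and untagged (access) membership.
Constructed example for the thread above; not real switch or pfSense code."""
import struct

TPID_8021Q = 0x8100            # EtherType value that announces an 802.1Q tag
VLAN_MIN, VLAN_MAX = 1, 4094   # VID 0 and 4095 are reserved by the standard


def tag_frame(frame: bytes, vid: int, pcp: int = 0) -> bytes:
    """Insert a 4-byte 802.1Q tag after the 6-byte dst and 6-byte src MAC."""
    if not VLAN_MIN <= vid <= VLAN_MAX:
        raise ValueError(f"VID {vid} out of range")
    tci = (pcp & 0x7) << 13 | vid          # TCI = PCP(3) | DEI(1)=0 | VID(12)
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def untag_frame(frame: bytes):
    """Return (vid, frame_without_tag); vid is None if the frame has no tag."""
    if len(frame) >= 16 and struct.unpack("!H", frame[12:14])[0] == TPID_8021Q:
        (tci,) = struct.unpack("!H", frame[14:16])
        return tci & 0x0FFF, frame[:12] + frame[16:]
    return None, frame


class Port:
    """'tagged' VLANs leave this port with a tag (trunk style); the single
    'untagged' VLAN (the PVID) is delivered without one (access style)."""
    def __init__(self, name, tagged=(), untagged=None):
        self.name, self.tagged, self.untagged = name, set(tagged), untagged

    def ingress(self, frame):
        vid, payload = untag_frame(frame)
        if vid is None:                        # plain frame from an endpoint
            return (self.untagged, payload) if self.untagged else None
        if vid in self.tagged:                 # tagged frame on a trunk
            return vid, payload
        return None   # tagged frame on a port not carrying that VLAN: drop it

    def egress(self, vid, payload):
        if vid == self.untagged:
            return payload                     # endpoint never sees the tag
        if vid in self.tagged:
            return tag_frame(payload, vid)     # keep VLAN identity on the link
        return None                            # port is not a member of this VLAN


class Switch:
    def __init__(self, ports):
        self.ports = {p.name: p for p in ports}

    def forward(self, in_port, frame):
        """Flood within the VLAN (no MAC learning): returns {port: frame_out}."""
        result = self.ports[in_port].ingress(frame)
        if result is None:
            return {}
        vid, payload = result
        out = {}
        for name, port in self.ports.items():
            if name == in_port:
                continue
            f = port.egress(vid, payload)
            if f is not None:
                out[name] = f
        return out


def build_switch():
    """The layout from the reply above (port numbers and VLAN IDs as given)."""
    return Switch([
        Port("port1", tagged={1, 10, 100, 110}),   # trunk to the firewall NIC
        Port("port2", untagged=110),               # banana phone
        Port("port3", untagged=100),               # house
    ])


# Constructed frame: broadcast dst MAC, made-up src MAC, EtherType 0x0800, payload
ENDPOINT_FRAME = bytes.fromhex("ffffffffffff" "025555000001" "0800") + b"hello"


def demo():
    """Three cases: firewall -> VLAN 110, house -> firewall, endpoint spoofing a tag."""
    sw = build_switch()
    from_fw = sw.forward("port1", tag_frame(ENDPOINT_FRAME, 110))
    from_house = sw.forward("port3", ENDPOINT_FRAME)
    spoof = sw.forward("port2", tag_frame(ENDPOINT_FRAME, 100))
    return from_fw, from_house, spoof


if __name__ == "__main__":
    for label, out in zip(("firewall->110", "house->trunk", "spoofed tag"), demo()):
        print(label, {p: f.hex() for p, f in out.items()})
```

The three cases in `demo` are the ones worth checking on a real switch after configuring it: a frame tagged 110 from the firewall should reach only the banana phone port, and untagged; a plain frame from the house should leave the trunk tagged 100 and never appear on port 2; and a frame that an endpoint tags itself should go nowhere. Switch vendors differ on that last behaviour, so verify it rather than assume it, and keep VLAN 1 in mind: on most managed switches it is the factory default for every port, so using it for "Shop" means any unconfigured port is a shop port.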

Yes, you could do that, but if you wanted to run multiple devices in each VLAN you would need at least a dumb switch connected at each port of the managed switch. You can get a 24-port one to link for around 120-150.