How to set up private network with pfsense?

JimS

Senior Member
Quite a long time ago I went from an off the shelf router to a mini pc running pfsense (Thanks for the help with that Pete! :) ) I connected the router to the LAN for wifi. That works fine for my use but I would like to have an isolated network for guests. I can set up a guest network in the router but it gets routed through the LAN so doesn't really isolate it, just gives it a different IP subnet. Not a big concern but wondering how I could easily add a secure guest network. I could set up a spare router and set up its IP in pfsense to only have WAN access. Any other suggestions? I think I know the very basics of networks but not any advanced topics like vlans, etc.
 
Do you have a managed switch that will do vlans?
If so, you just add a vlan to the LAN in pfSense.
Set the switchport that connects to the LAN as a trunk, also trunk the port going to the AP.
The native (untagged) vlan will be the existing LAN, and you would tag the new vlan on the trunks.
Very easy to do once you get a grip on it, it probably sounds complicated but it's not.
One suggestion I would say is get rid of vlan1 for the LAN. Use anything else, i.e. my favorite car is an Oldsmobile 442 so my LAN is vlan442.
Not necessary but it will make life easier in the future as you go to make more changes.

You can find youtube videos or we can walk you through it here.
 
I do have a managed switch but I have never fooled with the management part - just using it as a switch. DLink DGS1600-16. Will have to check its capabilities. It looks like the Asus router can do vlans. Will need to watch some videos on vlan setup. If you have any suggestions for good ones that would be great but I can of course search.
 
Did a little reading. Think I need to set the switch ports for pfsense and the router to trunk. Then it can deal with multiple vlans for both the main network and the guest wifi and pfsense will know which is which to block local network to guests.
 
vlans seem like they would be good but there are some concerns with placing different levels of security on the same switch. I currently have my cameras on an isolated network to keep them from phoning home. I put an extra network card in the zoneminder PC for the cameras. Now that I have a managed switch I could do that with a vlan but that would put both local lan and cameras on the same switch (but different vlans). Maybe I should keep those separate especially since I am just getting into vlans and might misconfigure something? I also have the guest network. That one would be harder to do without vlans. With vlans I could set the router being used as access point to two vlans - one for the regular lan and one for the guest network. Send that through the switch to the pfsense box.
 
It looks like vlan is not available on my router (Asus RT-AC68U) without loading Merlin or other software. I'm inclined to just use another old router for the guest network. I would still need to combine them to a trunk in the switch for the connection to the pfsense box.
 
Keep in mind why vlans were created.
If you have a 24 port switch but you're only using 6 ports, and then you need to add another network that needs another 6 ports, buying another switch isn't very cost effective since your current switch has 18 spare ports on it.
Enter vlans. You can segregate 6 of those spare ports to a separate vlan and they will be physically isolated from the original 6 ports.
Essentially vlans take your existing switch and make it into 2 (or more) logical switches because each vlan is its own broadcast domain.
So your concern with different security on a single switch is moot, firstly because the security would be handled by the router, not the switch, and because you have basically added a second switch by using the vlan. They just both happen to be on the same physical hardware.
 
My comments were based on what I read here (which seems like it should have some authority):
https://docs.netgate.com/pfsense/en/latest/vlan/security.html
Doing what you say would be handy. I got the bigger switch because I had several smaller switches. Using the 16 port switch for a couple different vlans would probably accommodate them all.
 

Well the first paragraph of that section of the document pretty much sums it up. "VLANs are not inherently insecure, but misconfiguration can leave a network vulnerable. There have also been past security problems in switch vendor implementations of VLANs."

In other words, you need to make sure your firewall rules are designed and implemented in such a way to prevent unwanted access to your VLANs. For example, "allow all" rules are common when it is a simple network on a single LAN segment. In fact, your LAN firewall rule might consist of just one entry that is an "allow all" rule. However, the use of "allow all" rules is a terrible idea when you want to segment your network with VLANs.

As far as network switches having security issues with VLANs, it certainly can happen. But as long as you stick with business grade network switches (personally I buy my switches used from online IT resellers for a lot less than the consumer grade crap that is out there) and routinely update their firmware, you will be fine. These types of vulnerabilities are rare and tend to be quickly discovered and fixed in business grade network equipment. On the other hand, consumer grade network equipment is rarely patched by the manufacturer, even when severe security flaws are found.
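The rule-ordering point above, as an added worked example (not code from the thread, from pfSense or from Netgate's documentation): a small Python model of how pfSense evaluates the rules on one interface tab, top-down, first match wins, and an implicit default deny when nothing matches. The subnets are constructed for the example: the LAN as vlan442 from the earlier post at 192.168.42.0/24, an isolated camera network at 172.16.5.0/24, and a guest VLAN at 10.10.99.0/24 with pfSense itself at 10.10.99.1. `Packet`, `Rule`, `evaluate` and `check` are names chosen here, not pfSense APIs; the rule fields only mirror the GUI's action, protocol, destination and port columns.

```python
"""Model of pfSense-style first-match, default-deny rule evaluation for a
guest VLAN. Added example, not pfSense code; all subnets are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

LAN_NET = ipaddress.ip_network("192.168.42.0/24")     # constructed: LAN on vlan442
CAMERA_NET = ipaddress.ip_network("172.16.5.0/24")    # constructed: isolated cameras
GUEST_NET = ipaddress.ip_network("10.10.99.0/24")     # constructed: guest VLAN
GUEST_GW = ipaddress.ip_network("10.10.99.1/32")      # pfSense address on the guest VLAN
# Every private range; blocking all of them covers LAN, cameras and any
# other internal segment added later without editing the guest rules again.
RFC1918 = tuple(ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"))


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                   # "tcp", "udp" or "icmp"
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                  # "pass" or "block"
    dst_nets: Tuple = ()         # empty tuple means any destination
    proto: Optional[str] = None  # None means any protocol
    dport: Optional[int] = None  # None means any port

    def matches(self, pkt: Packet) -> bool:
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        if self.dst_nets:
            dst = ipaddress.ip_address(pkt.dst)
            if not any(dst in net for net in self.dst_nets):
                return False
        return True


def evaluate(rules, pkt: Packet) -> str:
    """Rules on an interface tab apply to traffic entering that interface
    (here: packets sent by guest clients). First match wins; no match is
    the implicit default deny."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "block"


# The single "allow all" entry a simple one-LAN setup usually has.
ALLOW_ALL = [Rule("pass")]

# Ordered ruleset for the guest VLAN tab. DHCP needs no entry here: pfSense
# adds its own rules for the DHCP server when it is enabled on the interface.
GUEST_RULES = [
    Rule("pass", dst_nets=(GUEST_GW,), proto="udp", dport=53),   # DNS to the firewall's resolver
    Rule("pass", dst_nets=(GUEST_GW,), proto="tcp", dport=53),
    Rule("block", dst_nets=RFC1918),                             # LAN, cameras, firewall GUI, everything internal
    Rule("pass"),                                                # anything left is the internet
]

# Constructed traffic a guest client might generate. 198.51.100.7 is from
# the documentation range and stands in for an internet host.
CASES = {
    "guest_to_lan": Packet("10.10.99.20", "192.168.42.10", "tcp", 445),
    "guest_to_camera": Packet("10.10.99.20", "172.16.5.20", "tcp", 554),
    "guest_dns": Packet("10.10.99.20", "10.10.99.1", "udp", 53),
    "guest_to_firewall_gui": Packet("10.10.99.20", "10.10.99.1", "tcp", 443),
    "guest_to_internet": Packet("10.10.99.20", "198.51.100.7", "tcp", 443),
}


def check(rules) -> dict:
    """Return the verdict for each constructed case under the given ruleset."""
    return {name: evaluate(rules, pkt) for name, pkt in CASES.items()}


if __name__ == "__main__":
    for label, rules in (("allow all", ALLOW_ALL), ("segmented", GUEST_RULES)):
        print(label)
        for name, verdict in check(rules).items():
            print(f"  {name:22s} {verdict}")
```

Running it shows the contrast the post describes: under `ALLOW_ALL` every case, including guest to LAN and guest to the firewall's web GUI, comes back `pass`; under `GUEST_RULES` only DNS to the firewall and internet traffic pass, and the order matters, since putting the final `pass` rule above the RFC1918 block would silently reopen the LAN.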
 
I came from a Cisco only world (Airline) using initially Cisco commercial switches at home to now using TP-Link managed switches with pfSense many years ago. Now also using a TP-Link L2/L3 (Jetstream) managed switch. The oldest switches are still being updated.

That said I have not had any issues with TP-Link managed switches. I have read about issues with their routers.

Another suggestion would be to add a NIC port to @JimS 's current pfSense router and connect that port to an AP, removing the creation of VLANs.

The Advantech AIMC-2000 has a mini PCIe slot where you can add a Gb card ($13) on eBay or add a USB Gb device.
 