Menu
What's new
By:
Filters Better Search

Guest network with VLAN -did i do it right?

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

ddaenen1

ddaenen1

Very Senior Member
So i have been thinking for quite some time to set up isolated guest wifi to avoid any access to all devices on my home network.

What i wanted to achieve was simple:

1. Dedicated guest SSID with own PW
2. No access from the guest wifi to any of the devices/systems on the LAN
3. Bandwidth limitation for guests (nice to have and not a priority)

For that, i made sure my purchases in the past that all my switches were VLAN capable (check) and i would have a router supporting that (check)

After some trials on AP-level that gave me only point one, i actually gave up for some time. After more and more reading, i actually started wondering if this is not too complicated for a home LAN.

Today, i changed my mind again and decided to go for it, understanding the concept of a VLAN but no clue how to configure it in the various devices.

Here is what i did:

Step 1: set up a dedicated VLAN (10) in the AP's and set up a dedicated guest SSID configured with this VLAN 10.
Step 2: configured the port of the AP in my switch as "trunk" and the port of the router to "trunk"
Step 3: created VLAN 10 in the switch, added VLAN10 to the respective trunk ports together with the default VLAN

Tried to connect to the guest SSID, it connects, no IP assigned, no internet access - time for pfSense config:

Step 4: Create VLAN10 in the router and assigned it to my LAN port.
Step 5: enabled the Guest interface with gateway 192.168.10.1
Step 6: created a IPv4 DHCP server with range 192.168.10.x to 192.168.10.xxx

Tried to connect to the guest SSID, it connects, 192.168.10.xxx IP assigned, no internet access

Step 7: create firewall rule to allow guest to access WAN.

Connected to the guest SSID, it connects, 192.168.10.xxx IP assigned, and internet access (Yay!)
Checked if i had access to my LAN devices (bummer - i have access to my servers, pfsense and all)
Some more reading up, adding 2 firewall rules, one to block access to pfsense, and one to block access to all RFC1918 networks on the GUEST interface

TADA! all works as i wanted to. Still need to look into bandwidth limiting but that is not a priority right now.

Am i happy? Yes and no. For some reason, i am unsure if i got it completely right by the book and have the impression i made it more complicated than it needs to be.

Here are my questions or the experts:

1. Is what i did above really all necessary in order to created an isolated and secure wifi connection for guests?
2. Do i really need a separate DHCP server on a different subnet?
3. I configured 2 trunked ports (one on the AP side, one on the router side) but did not tag the ports for either default or VLAN10 - is that correct?

Thanks in advance for any comments and insights.
 
Last edited:
You can create a Limiter in order to limit the bandwidth for guest VLAN.
Then you must create a firewall rule in order to assign this limiter to the VLAN.
You may also schedule which times of the day this limiter should be applied.
And yes you need a separate DHCP server for the new guest interface.
 
VLAN config is the way to go to truly segregate your network, and it's good for a number of reasons. However, most Wifi configs now allow for configuration of GUEST networks as a separate SSID, and you can simply tick a checkbox to block anything on the guest network from getting to any device on the internal LAN. It essentially accomplishes the same thing, without all of the VLAN configuration. Before I went to a VLAN config on my OPNsense router/firewall, I had always configured IoT devices to connect to a guest network over Wifi (with no access to LAN). The nice thing about VLANs is you can monitor each VLAN and set up firewall rules to restrict access more granularly.
 
During some testing today after i had configured the other AP's, i found out i did have some issues with DNS on the guest VLAN. I am unsure if it is Unbound or pfBlockerNG but blocking all RFC1918 killed internet access for the guest VLAN. To overcome this, i created an alias with 192.168.1.0/24 and created a rule to block all access on VLAN10 to this alias. This now seems to be working well. I will do some more testing on internet access and LAN restriction before i will change the password on my home wifi to force guests to connect to the guest wifi going forward.
 
I got the limiter configured and up and running now. I opted for 25Mbps download and 5 Mbps uploaded per connected guest device. Not sure if this is adequate but some articles appears to be pointing in that direction. I have to say though - this whole process made me appreciate pfSense even more :)
 
ForkWNY said:
However, most Wifi configs now allow for configuration of GUEST networks as a separate SSID, and you can simply tick a checkbox to block anything on the guest network from getting to any device on the internal LAN. It essentially accomplishes the same thing, without all of the VLAN configuration.
Click to expand...
My WAP's also support guest wifi with channel isolation but that only isolates the devices on the AP from each other. It does not restrict access to the LAN. I tried it. Doesn't work.
 
ddaenen1 said:
So i have been thinking for quite some time to set up isolated guest wifi to avoid any access to all devices on my home network.

What i wanted to achieve was simple:

1. Dedicated guest SSID with own PW
2. No access from the guest wifi to any of the devices/systems on the LAN
3. Bandwidth limitation for guests (nice to have and not a priority)

For that, i made sure my purchases in the past that all my switches were VLAN capable (check) and i would have a router supporting that (check)

After some trials on AP-level that gave me only point one, i actually gave up for some time. After more and more reading, i actually started wondering if this is not too complicated for a home LAN.

Today, i changed my mind again and decided to go for it, understanding the concept of a VLAN but no clue how to configure it in the various devices.

Here is what i did:

Step 1: set up a dedicated VLAN (10) in the AP's and set up a dedicated guest SSID configured with this VLAN 10.
Step 2: configured the port of the AP in my switch as "trunk" and the port of the router to "trunk"
Step 3: created VLAN 10 in the switch, added VLAN10 to the respective trunk ports together with the default VLAN

Tried to connect to the guest SSID, it connects, no IP assigned, no internet access - time for pfSense config:

Step 4: Create VLAN10 in the router and assigned it to my LAN port.
Step 5: enabled the Guest interface with gateway 192.168.10.1
Step 6: created a IPv4 DHCP server with range 192.168.10.x to 192.168.10.xxx

Tried to connect to the guest SSID, it connects, 192.168.10.xxx IP assigned, no internet access

Step 7: create firewall rule to allow guest to access WAN.

Connected to the guest SSID, it connects, 192.168.10.xxx IP assigned, and internet access (Yay!)
Checked if i had access to my LAN devices (bummer - i have access to my servers, pfsense and all)
Some more reading up, adding 2 firewall rules, one to block access to pfsense, and one to block access to all RFC1918 networks on the GUEST interface

TADA! all works as i wanted to. Still need to look into bandwidth limiting but that is not a priority right now.

Am i happy? Yes and no. For some reason, i am unsure if i got it completely right by the book and have the impression i made it more complicated than it needs to be.

Here are my questions or the experts:

1. Is what i did above really all necessary in order to created an isolated and secure wifi connection for guests?
2. Do i really need a separate DHCP server on a different subnet?
3. I configured 2 trunked ports (one on the AP side, one on the router side) but did not tag the ports for either default or VLAN10 - is that correct?

Thanks in advance for any comments and insights.
Click to expand...
This is a while back so I assume you have it working. I was busy back at the first of the year. I think you want an additional scope on the current DHCP server instead of another DHCP server.

Yes, you want a trunk port on your wireless AP. It is how you pass multiple VLANs to it. You setup an SSID for each VLAN you want to have wireless access on. This works with your Cisco WAPs. This is the basics for a multiple wireless access point setup. You set all AP units up the same way. Then you control access to the VLANs by your L3 switch ACLs or your firewall depending on network.

I assumed you assigned a network to each VLAN. I don't want to think about VLANs without network addressing.
 
Last edited:
coxhaus said:
This is a while back so I assume you have it working. I was busy back at the first of the year. I think you want an additional scope on the current DHCP server instead of another DHCP server.

Yes, you want a trunk port on your wireless AP. It is how you pass multiple VLANs to it. You setup an SSID for each VLAN you want to have wireless access on. This works with your Cisco WAPs. This is the basics for a multiple wireless access point setup. You set all AP units up the same way. Then you control access to the VLANs by your L3 switch ACLs or your firewall depending on network.

I assumed you assigned a network to each VLAN. I don't want to think about VLANs without network addressing.
Click to expand...
Yes, all works very well. I do think i need to open up the pipes for the "public" network a bit as i noticed last week when i had 3 visitors that maybe a total budget of 25 mbps down and 5mbps up is not enough if you have multiple visitors connected to the public wifi.

I am not sure what you mean with "assigned a network for each VLAN". I have seperate rules for the "public" network in the firewall. One to allow acces to the internet and one to block all access to my main LAN.
 
What I mean is in your Cisco wireless software setup you can assign a VLAN to each SSID. As far as security for the VLANs you do that with what device handles the VLAN security. I use my L3 switch not my pfsense firewall but either will work. I just don't want to send all VLAN traffic through my pfsense firewall and then back to my switch. It is much simpler to just control the VLAN traffic in the switch.

I use a VLAN for my guest network. I am not sure how you have your network setup. If you use a guest VLAN when you assign rules to the VLAN every device inherits guest properties so if a device connects to the guest SSID the rules are all setup for the guest VLAN as far as limits and LAN access. There is a DHCP scope for the guest VLAN. So it does not matter whether you have 1 guest or 100 guests the rules still apply. Guests have network limits based on the VLAN.

PS
I use intervlan routing on my L3 switch and then I use ACLs to limit guest access to the main LAN.
 
Last edited:
You must log in or register to reply here.

Similar threads

Y
Are all ASUS routers on the 3.0.0.6.102 codebase guaranteed to support VLAN Management & Guest Network Pro?
Replies
10
Views
285
YRTFS
Y
R
Disable Intranet access for a LAN port (not the WiFi Guest network)?
Replies
8
Views
291
Tech9
Tech9
M
Connecting to device in Guest or IOT VLAN from intranet (using Guest Pro on 3.0.0.6 firmware)?
Replies
7
Views
572
tiddlywink
T
Q
Guest VLAN Connectivity Issues with RT-AX88U Pro + ExpertWiFi EBA63 + USW Enterprise Switch
Replies
2
Views
647
quick.bell2704
Q
N
ET12 All Guest/IoT Devices go to main router
Replies
1
Views
542
nonnot
N
Similar threads
Thread starter Title Forum Replies Date
O Easymesh home network facing connectivity issues! Routers 0
T Home Network Ethernet Wiring Routers 10
L Assistance Needed for Network Configuration: Removing ISP Router Routers 8
O Network Overloaded with NAS + wifi? Is is possible? Routers 2
J Invalid credentials error when trying to open network samba drive on Windows 11 Routers 14
ddaenen1 Do i need an IoT VLAN Routers 33
J Allowing Remote Desktop Connection between VLAN's Routers 23

Similar threads

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Members online

Total: 839 (members: 29, guests: 810)
Top