pfsense, possible to use old asus as APs?

[rawk stoan]

I am planning out a bit of a home network revision to separate out groups of clients, IoT, guests, etc. To subdivide the network I assume setting up VLANs is the way to go, so I am planning to set up a pfsense router by repurposing a old PC. This would then allow me to set up VLANs in some way to achieve the client network separation.

Currently, I have one main router (asus ac86u) and a couple of routers as APs (asus n56u). This allows me to get wide wifi coverage across my house and into the garage.

So my questions are related to whether or not I can achieve the same wifi coverage with the new pfsense/VLAN setup using the old asus routers as my wifi APs. I am trying to keep costs down for now which is why I'd like to keep the old routers initially.

I know my asus routers don't natively handle VLANs, but is there some open source firmware that can change that? Maybe dynamic VLAN is a better setup for this old equipment? I am struggling to understand how the VLAN works conceptually. If VLANs are based on ports, does that imply that each wifi AP can only handle one of the subnet/networks, limiting the range of where different clients can gain a wifi signal? Would the dynamic VLAN setup solve this since the authentication is done at the server (RADIUS?) rather than using VLAN tagging?

Any suggestions are appreciated, I am really new to this and it's taking some time to wrap my head around this.

 

[Tech9]

I am struggling to understand how the VLAN works conceptually.

The subject is very large and the configuration is close to impossible to explain in a forum. I would suggest looking at guides like the ones below and adapting parts to your setup and needs. There is no two pfSense firewalls set in exactly the same way. About home routers with VLAN support - you have to look around because the eventually possible options are model specific.

Setup VLAN on pfSense for Home Network | 1 Easy guide

An easy guide on how to setup VLAN on pfSense with step by step pictures. Which help to segregate your LAN network for your home which may be mixed with IoT.

www.linuxsysadmins.com

How To Setup VLANs With pfsense & UniFI 2022 - Lawrence Technology Services

Lawrence SystemsMon, April 4, 2022 5:24pmURL:Embed:Configuring pfsense Firewall Rules For Home https://youtu.be/bjr0rm93uVA 2020 Getting started with pfsense 2.4 Tutorial: Network […]

lawrencesystems.com

 

[Christos]

pfSense requires x86 cpu.

 

[rawk stoan]

Thank you for your replies, tech9 and Christos.
I will look at the links provided. With respect to the cpu, my plan is to use a PC that has an i7 in it. From what I've read so far it seems to be sufficient for pfsense.

I guess my concern is whether my planned setup can generally work. I recognize everyone has slightly different needs and the possible outcomes can be very different when it comes to physical devices and network configurations.

But is it possible to use old asus routers as wifi APs with a psense router so that I can subdivide the network for different client types? Or is the hardware too old that not even a software/firmware update can help utilize them?

Thanks again for your replies!

 

[Christos]

my plan is to use a PC that has an i7 in it

Most important is to use a network card with Intel chip, as pfSense is based on freeBSD that works best with intel Network cards.
There are PCI cards with 2 and 4 ethernet slots.

 

[rawk stoan]

Yes, so my plan is to have a PC i7 with pfsense running on it, add a i350 4port card, plus a managed switch with 8 ports. I figured this would get me started with a network that would give me the control to subdivide the network, have better control and monitor network activity of different client types, and maybe play around with port forwarding.

I guess you will always be limited by the weakest link, which is why I was asking specifically about the APs. It seems my hardware plan will get me there, but the wifi APs could limit what I want to achieve, given their age.

Maybe a firmware update for the asus routers would help? Maybe a firmware update and dynamic VLAN?
I can't seem to find any posts discussing a similar setup.

 

[ddaenen1]

i used to have two R7000's and one RT-AC88U configured as an access point behind a switch that connected to pfsense. This ran pretty well for quite some time. The only issue i had once in a while was that my laptop on one AP couldn't see my wifi printer connected to another AP. Eventually i replaced them with Cisco AP's that have POE+ which simplified everything as they did not need separate power supply and can be configured all at once using Single Point Setup

 

[rawk stoan]

Thank you, ddaenen1. I am still planning this out and accumulating hardware. The goal is to have multiple networks accessible at each AP and I am not sure the Asus equipment I have can do that. I may just have to get other APs, even if not new equipment, that can handle multiple SSID/subnets.

 

[Tech9]

even if not new equipment

EAP225v3 starts from $60, new.

 

[rawk stoan]

Yes, I am considering those, and they are likely what I'll go with.
Do you think if they were not mounted on a ceiling and instead placed on a desktop or shelf that it would affect their signal strength/coverage?

 

[Tech9]

You have to experiment, but most lower cost APs have omni-directional antennas.

EAP225v3:

 

[Christos]

I'm using an Aruba InstantOn access point with my pfsense box.
It offers separate vlans for each SSID and the option to do NAT on each SSID and all wifi clients use a single IP address (if you need something like that for some reason).

 

[ddaenen1]

Thank you, ddaenen1. I am still planning this out and accumulating hardware. The goal is to have multiple networks accessible at each AP and I am not sure the Asus equipment I have can do that. I may just have to get other APs, even if not new equipment, that can handle multiple SSID/subnets.

I cannot recall if the ASUS could do that. Pretty sure they didn't do VLAN's allthough not 100% sure. I don't think the subnet is relevant on an AP level. I look at a VLAN as a tunnel and wherever that tunnel leads from the AP to the router is what it will process. I have only configured the VLAN and the SSID in the AP. The subnet only in the router.

 

[Tech9]

I cannot recall if the ASUS could do that.

Model specific and custom scripts only. Easier on older ARMv7 platform, harder on HND platform. Proper AP with native VLAN support is better.

 

[rawk stoan]

Ddaenen1, I can see the tunnel analogy and it is what I was trying to wrap my head around. If my routers can only handle one SSID then each router will only have one VLAN. Therefore, different client types would need to be within range of the individual router(s) that have their accessible VLAN/SSID.

Christos, yes I think the Aruba functionality described sounds similar to what I'd like to get to. All client types can access their network regardless of their location and which AP they attempt to access. I assume the EAP225 APs that Tech9 suggested are able to do that since their spec sheet says they can have up to 16(?) SSIDs between 2.4g and 5g.

Do aruba APs need some kind of client service agreement? I ask because I almost bought cisco APs and realized you can't do much without a service agreement. Do you know if Sophos APs are like that, requiring a service agreement/ongoing paid license with Sophos to use their devices?

Thank you for your comments.

 

[Tech9]

it is what I was trying to wrap my head around

You need to learn what VLAN is and how it works first.

 

[ddaenen1]

Do aruba APs need some kind of client service agreement? I ask because I almost bought cisco APs and realized you can't do much without a service agreement. Do you know if Sophos APs are like that, requiring a service agreement/ongoing paid license with Sophos to use their devices?

Thank you for your comments.

The WAP571 that i use do not need anything and can be linked to simplify configuration. I have been looking for some time at the Cisco CBW150AX as they are similar, e.g. no licensing and configurable through the webinterface but until now, i haven't found enough reasons to dump the WAP571. They are rockstable and do everything they need to. I have looked at other brands too but since i switched over to Cisco for the AP's and also the switch, all my problems went away and never came back. Enough reason for me as i do a lot of home office and need a reliable connection.

 

[Christos]

Do aruba APs need some kind of client service agreement?

The Aruba InstantOn line does not require a subscription and the management is cloud based (you don't need to have a controller running in your network). However, they are very limited in settings you can tweak and play with.
If you just want to separate your network, instead of vlan you can use the guest network that is available in every access point.

 

[rawk stoan]

Sorry, this is bit off topic from my original question...
The NIC I will add to my PC/router is a 4 port adapter. So this gives me 5 ports, given the original ethernet port on the PC.
What is the normal practice when configuring the ports? Would all five be used for the router set up?
The original port is an intel I217, and it's called an ethernet "connection", and the new I350 card is called an ethernet "server adapter".
Would they create some kind of conflict with one another? Should remove/disconnect the original port?

 

[Christos]

In pfsense you can use all 5 ports since they have Intel chips. You can assign any interface (WAN, LAN, VLAN) to any port. No reason to disable the original (embedded) port.