VLAN Guest WIFI isolation, AP Mode


cammelspit

Hey guys, I am in need of some help here. I am in a situation where I have a large number of roommates/guests connected to my WIFI. I am using an ASUS AC5300 as my access point. DHCP and everything is handled by a pfSense instance running on my unRaid server. Here is my problem. When I set the ASUS to AP mode, there is no form of isolation, so all the roommates can access my shares, which is unacceptable. It is also unacceptable to have me with no access to my server from my phone or other WIFI devices, as I kind of need access to my server and shares. I can't use router mode because that will be double NAT and it would keep me from being able to access my server; I can't use AP mode because no VLAN isolation takes place so I can use my pfSense to manage everything.

Now I did some digging and it seems like there is a way to get Merlin to VLAN tag anything coming from the guest SSID, as it uses internal ports for this. My issue is that there is obviously no GUI to do this and I just am not experienced enough to know how to get it working by command line. Now, I have SSH'd into the thing before but it's just far beyond me. I can't really afford an AP that does this sort of thing already; it would probably perform worse and would render the $300+ I spent on this thing. Plus, buying a second AP is also not really an option either, as I know the hardware can do what I want and I would like to minimize my expenses. I mean, I JUST got the unRaid server set up in the last weekend and that was not a cheap proposition.

Really, why isn't this sort of thing exposed in the GUI? I mean, this is something I can see a LOT of people really being able to benefit from. If anyone has done this, PLEASE, if you can, help me get this working. I am still rather newbish here but I am learning. You guys are kind of my last resort here.

Thanks in advance to any super smart people who can lend a hand here. I would be eternally grateful.
 
Don't set the ASUS to AP mode. Leave it in router mode. Disable DHCP, assign the ASUS an IP address from the pfsense, and connect to your network on one of the ASUS LAN ports instead of the WAN port. Used to do this with other consumer routers. You may have to disable some other setting on the ASUS to get it to work, but it should. Make sure you have the manual handy.
 
Disable DHCP, NAT, and the firewall.

Edit: This won’t work if guest wifi does not have access to intranet.
 
Without DHCP on the ASUS, I don't get an IP address when connecting to the guest network. So, unfortunately, this doesn't do me any good. I want the guest network to be isolated from my LAN, not blocked entirely. Any other thoughts?
 
> Without DHCP on the ASUS, I don't get an IP address when connecting to the guest network. So, unfortunately, this doesn't do me any good. I want the guest network to be isolated from my LAN, not blocked entirely. Any other thoughts?

You’re right, my reply wasn’t well thought out. Obviously the right way to do it is VLANs but unfortunately robocfg is rather undocumented and Broadcom haven’t released new tools for VLAN management, that’s why Merlin is reluctant to include a GUI for VLAN setup in the firmware. Most people know this would be a very useful feature.

Without buying new devices there are only two choices: 1) using CLI and robocfg (there are several guides in the forum although I’m not sure if anything has changed since their posting, and Asus also use VLANs for things so be prepared to fix it in the future if conflicts arise) 2) double NAT and use the Asus in router mode with DHCP and NAT on
 
If you have another physical interface on your pfSense instance, you could connect the AP to that and assign it its own subnet. Then write appropriate pfSense rules to block/allow what you want.
 
> If you have another physical interface on your pfSense instance, you could connect the AP to that and assign it its own subnet. Then write appropriate pfSense rules to block/allow what you want.

Well, this is exactly what I had it set to previously, on a bare metal machine, before I installed my brand new unRaid server and transferred pfSense to a VM with a passed-through 4-port NIC. Thing is, the roommates aren't the only people connecting to the Asus. I would like to be able to connect my own devices, my brother his, my wife and our son as well. The issue comes up in that pfSense does not act like a switch; it is a router. So no broadcast stuff will be able to get through. For me personally, I can remember the IP addresses of my SMB server and the WebUI for all my server components, but my family can't. Plus, when routing from one interface on pfSense to another interface you introduce both latency and you hit the pfSense instance much harder than it should be hit, because you are using CPU cycles to route the traffic instead of just passing it on like a switch does. I tried this before on my old setup and it was unbearable for my use cases. I appreciate the recommendation and all, but it just isn't as easy as it may seem.

> You’re right, my reply wasn’t well thought out. Obviously the right way to do it is VLANs but unfortunately robocfg is rather undocumented and Broadcom haven’t released new tools for VLAN management, that’s why Merlin is reluctant to include a GUI for VLAN setup in the firmware. Most people know this would be a very useful feature.
>
> Without buying new devices there are only two choices: 1) using CLI and robocfg (there are several guides in the forum although I’m not sure if anything has changed since their posting, and Asus also use VLANs for things so be prepared to fix it in the future if conflicts arise) 2) double NAT and use the Asus in router mode with DHCP and NAT on

Ok, I get it, it sucks hard and I hate it, but I do understand what you say. I wish we could at least get some kind of beta implementation in the GUI though.

Anyways, there are other problems with leaving the Asus in router mode too and double NATing. I'm not going to be so pedantic as to complain about lost efficiency and such with it, even though that is a thing.
  1. I have no way to control the roommates subnet like I want through pfSense for traffic shaping and this is a required feature.
  2. I can't block the Asus DHCP from the main LAN which would essentially jumble up my painstakingly precise and 100% necessary static ARP assignments.
I was looking through those guides and such on how to do it, and a friend of mine and I have spent some time digging into it, seeing if we could set it up in such a way as to do what we want. Frankly, it's kind of a mess. Now I know my way around a network or two, but usually you have a manual with syntax and proper descriptions of the command if you have to config from the console. Really, I am not an expert here and a lot of it is kind of over my head. I was hoping someone with a recent version of Merlin that has set this up can give me some specific insights on how to proceed. I figured out how to add scripts and I tested a logger "hello world" script and it worked; I just don't know enough about it to know precisely how to build a script to do what I want, at least not without some sort of working example.

I hope I am making sense here guys. I am rather put off by this whole thing. Frankly, I haven't seen anyone come up with some sort of truly workable solution except to say it's possible. I guess if you aren't able to know what to do yourself out the gate then you won't ever be able to do it... and that sucks... I am just hoping someone who has done it can get on here and maybe help me out a bit. I will keep trying though, I haven't totally given up yet.
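The robocfg route mentioned above (CLI plus robocfg, with the guest SSID moved onto a tagged VLAN that pfSense owns) and the request for a working script, worked through as an added example. This is not code from the thread, from Asuswrt-Merlin or from pfSense: the robocfg/vconfig/brctl command forms follow the usual forum recipes, and since robocfg is undocumented, every value in it (VLAN ID 10, guest interface wl0.1, trunk port 1, CPU port 8, trunk interface eth0, bridge br1) is an assumption to confirm with `robocfg show` and `brctl show` on the router before switching DRY_RUN to 0. It also includes a check that parses `robocfg show` output to confirm the VLAN really carries the trunk port tagged, run here against a constructed sample.

```shell
#!/bin/sh
# Added example, not from the thread: put a Merlin guest SSID on its own tagged
# VLAN so that pfSense, rather than the Asus, decides what guests can reach.
# Meant to live in /jffs/scripts/services-start on Asuswrt-Merlin. Every value
# below is an ASSUMPTION: confirm port numbers with `robocfg show` and interface
# names with `brctl show` on the router before setting DRY_RUN=0.

GUEST_VLAN=${GUEST_VLAN:-10}    # VLAN ID pfSense will see on its LAN-side NIC (assumed)
GUEST_IF=${GUEST_IF:-wl0.1}     # first guest SSID on the 2.4 GHz radio (assumed name)
TRUNK_PORT=${TRUNK_PORT:-1}     # switch port cabled to pfSense (assumed)
CPU_PORT=${CPU_PORT:-8}         # switch port facing the router CPU (assumed)
TRUNK_IF=${TRUNK_IF:-eth0}      # CPU-side interface behind the switch (assumed)
GUEST_BR=${GUEST_BR:-br1}       # new bridge for guest traffic; must not be br0
DRY_RUN=${DRY_RUN:-1}           # 1 = only print commands; 0 = apply them

# Port list for `robocfg vlan <id> ports "..."`: trunk and CPU ports, both
# tagged ("t"), so the VLAN reaches pfSense on the wire and the CPU-side bridge
# while the untagged LAN (VLAN 1) on the trunk port is left untouched.
vlan_port_spec() {
    printf '%st %st' "$1" "$2"
}

# Ordered command list. The guest SSID is removed from br0 (the LAN bridge,
# which is why guests currently see the shares) and attached to a bridge that
# holds nothing but the tagged VLAN sub-interface; br1 gets no IP address, so
# DHCP for guests is answered by pfSense on its VLAN interface.
guest_vlan_commands() {
    spec=$(vlan_port_spec "$TRUNK_PORT" "$CPU_PORT")
    cat <<EOF
robocfg vlan $GUEST_VLAN ports "$spec"
vconfig add $TRUNK_IF $GUEST_VLAN
ifconfig vlan$GUEST_VLAN up
brctl addbr $GUEST_BR
brctl delif br0 $GUEST_IF
brctl addif $GUEST_BR vlan$GUEST_VLAN
brctl addif $GUEST_BR $GUEST_IF
ifconfig $GUEST_BR up
EOF
}

# Print (DRY_RUN=1) or execute the commands, stopping at the first failure.
apply_guest_vlan() {
    guest_vlan_commands | while IFS= read -r cmd; do
        if [ "$DRY_RUN" = "1" ]; then
            printf 'dry-run: %s\n' "$cmd"
        else
            eval "$cmd" || { printf 'failed: %s\n' "$cmd" >&2; exit 1; }
        fi
    done
}

# --- verification: parse `robocfg show` output to confirm the VLAN exists ---

# Extract the port list of one VLAN from `robocfg show` text on stdin;
# the VLAN table lines look like "  10: vlan10: 1t 8t".
vlan_ports_from_show() {
    awk -v id="$1:" '$1 == id { sub(/^[^:]*:[^:]*: */, ""); print }'
}

# Succeeds when the guest VLAN carries the trunk port tagged, i.e. tagged
# guest frames can actually leave the switch towards pfSense.
vlan_carries_trunk() {
    ports=$(printf '%s\n' "$1" | vlan_ports_from_show "$GUEST_VLAN")
    case " $ports " in
        *" ${TRUNK_PORT}t "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample of `robocfg show` output (not captured from a real AC5300),
# used to exercise the check offline. On the router feed it: robocfg show
SAMPLE_ROBOCFG_SHOW='Switch: enabled
Port 1: 1000FD enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
VLANs: BCM5301x enabled mac_check mac_hash
   1: vlan1: 0 1 2 3 4 8t
  10: vlan10: 1t 8t'

apply_guest_vlan
if vlan_carries_trunk "$SAMPLE_ROBOCFG_SHOW"; then
    echo "sample: VLAN $GUEST_VLAN carries port ${TRUNK_PORT}t"
fi
```

On the pfSense side the matching work is all in the GUI: create VLAN 10 on the NIC that is cabled to the Asus, assign it as an interface with its own subnet and DHCP server, and give it rules that allow DHCP/DNS to the firewall and traffic to the Internet while blocking the LAN subnet. That keeps your own devices on the untagged LAN where broadcast discovery still works, and puts traffic shaping for the guest subnet under pfSense. Two caveats, both assumptions based on how Merlin behaves rather than anything the thread states: robocfg and brctl changes do not survive a reboot (hence services-start), and a wireless restart may re-attach the guest SSID to br0, so re-run the script, or at least the check, after one.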
 
