I am using an OpenWrt-powered WLAN router as an access point for my network. Everything on the network is run through a pfSense box so that I can have full control from there. I would like to have a guest WiFi network whose users only have internet access and cannot communicate with any other clients on the network. My router fully supports running a second AP with a different SSID, and it can also be set up as a separate interface. What complicates my setup is that I want to run all DHCP for my entire LAN through the pfSense box. This is normally quite simple: I just bridge the LAN and WLAN adapters on the router and that works, but then the pfSense box has no way of distinguishing users on the private network from those on the guest network. What I would like to do is bridge all clients on the private network directly with the pfSense box but translate the addresses of all the guest clients to a reserved IP that pfSense can recognize and manage accordingly. This would mean DHCP and NAT on the guest WiFi network whilst bridging the private one. How would I go about doing this?
PS. I have no desire to run DHCP for the guest users through pfSense; that should preferably be done on the wireless router.
Sorry, I don't really have much experience with VLANs, but will this work for isolation even if the WiFi router that hosts both private and guest access points only has one Ethernet interface to the pfSense box? Also, I would like the traffic from guests completely isolated from the private traffic. Also, pfSense does not need to be able to identify individual guests, it just needs to know guest packets. – Gerharddc – 2014-10-31T09:16:45.897
Yes, that’s what VLAN is all about: Supporting multiple separated networks over the same Ethernet link. Complete isolation is not possible without a dedicated physical link. – Daniel B – 2014-10-31T09:25:38.320
OK, but will there be any way for guest WiFi devices to intercept private devices' packets and, if so, will they at least be prevented from communicating with devices on the other subnet? – Gerharddc – 2014-10-31T10:12:32.710
No, there won’t. I already clearly stated that in my answer: “The guest clients cannot escape from their containment”. – Daniel B – 2014-10-31T10:19:53.630
OK, I'll check it out – Gerharddc – 2014-10-31T10:34:12.973