Topic: Can OPNsense isolate a guest WiFi network on a networked WiFi AP? (Read 4020 times)

TesticulatedLumpkins (Newbie, Posts: 2, Karma: 0)
Can OPNsense isolate a guest WiFi network on a networked WiFi AP?
on: February 10, 2021, 03:49:58 pm
I want to separate my IOT devices from the rest of the devices on my network. I don't entirely trust these cheap lightbulbs. The router is in AP mode, but doesn't seem to isolate the wireless networks from one another.
Apologies if this is a silly or obvious question. I'm new to this. I searched for 'AP' but it returned every word with 'ap' in, and the WiFi articles are all for physically attached WiFi adaptors.
My network is currently like this:
Guest WiFi─Router in AP mode──Ethernet──OPNsense──Internet
Main WiFi ─┘
First I tried to use VLANs but learned they were unsuitable. I considered firewall rules, but then realised any device could give itself a different IP address to get access it otherwise should not have.

Patrick M. Hausen (Hero Member, Posts: 6798, Karma: 571)
Re: Can OPNsense isolate a guest WiFi network on a networked WiFi AP?
Reply #1 on: February 10, 2021, 04:12:47 pm
You need to have a separate guest network, then OPNsense can implement a different policy. So e.g.
- get another access point and connect it to a separate interface of your OPNsense
- some APs like some Unifi models have two Ethernet ports and can run two different WiFi networks connected to each
- some APs can do the same with VLANs and a trunk port to your OPNsense
So it all depends on what your wireless hardware is capable of.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do.
(Isaac Asimov)

Hilbert (Newbie, Posts: 3, Karma: 0)
Re: Can OPNsense isolate a guest WiFi network on a networked WiFi AP?
Reply #2 on: February 10, 2021, 04:27:25 pm
If your router-in-ap mode supports VLANs and you can attach an SSID to a VLAN then there is no problem separating them, otherwise you're probably screwed :-(
That is what I have done in my home:
- Ubiquiti APs with SSIDs attached to VLANs;
- created separate interfaces in OPNsense coupled to those VLANs;
- added firewall rules on those interfaces

normal wifi: no vlan -> [LAN interface in OPNsense]
guest wifi: vlan id 50 -> [GUEST interface in OPNsense]
iot wifi: vlan id 60 -> [IOT interface in OPNsense]
Each has its own ip addresses and dhcp server, all handled by opnsense.
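
The VLAN-per-SSID layout described in Reply #2, modelled as an added Python example (not code from the thread or from OPNsense). It shows that the rule list is selected by the VLAN tag a frame arrives with, so a client that assigns itself an address from another network is still judged by its own interface's rules. The subnets, the rule lists and the first-match evaluation are assumptions; only the VLAN ids 50 and 60 come from the post.

```python
import ipaddress

# Constructed addressing plan; only the VLAN ids 50 and 60 come from the post.
NETS = {
    "LAN": ipaddress.ip_network("192.168.1.0/24"),     # untagged
    "GUEST": ipaddress.ip_network("192.168.50.0/24"),  # VLAN 50
    "IOT": ipaddress.ip_network("192.168.60.0/24"),    # VLAN 60
}
VLAN_TO_IFACE = {None: "LAN", 50: "GUEST", 60: "IOT"}
PRIVATE = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ANY = [ipaddress.ip_network("0.0.0.0/0")]

# Per-interface rule lists as (action, destination networks, note).
# Assumed semantics: top-down, first match wins, implicit block at the end.
# Simplified: a real rule set would first allow DNS/DHCP to the firewall.
UNTRUSTED = [("block", PRIVATE, "no access to local networks"),
             ("pass", ANY, "internet only")]
RULES = {"LAN": [("pass", ANY, "trusted LAN")],
         "GUEST": UNTRUSTED, "IOT": UNTRUSTED}


def evaluate(vlan, src, dst):
    """Return (action, note) for a packet arriving with the given VLAN tag."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # The rule list is chosen by the tag the AP put on the frame,
    # never by the source address the client claims.
    iface = VLAN_TO_IFACE.get(vlan)
    if iface is None:
        return ("block", "unknown VLAN")
    if src not in NETS[iface]:
        return ("block", f"source outside {iface} network")
    for action, dsts, note in RULES[iface]:
        if any(dst in net for net in dsts):
            return (action, note)
    return ("block", "default deny")


if __name__ == "__main__":
    samples = [  # constructed packets: (vlan tag, source, destination)
        (60, "192.168.60.20", "1.1.1.1"),
        (60, "192.168.60.20", "192.168.1.10"),
        (60, "192.168.1.99", "192.168.1.10"),   # IoT client claims a LAN address
        (None, "192.168.1.10", "192.168.60.20"),
    ]
    for pkt in samples:
        print(pkt, "->", evaluate(*pkt))
```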

TesticulatedLumpkins (Newbie, Posts: 2, Karma: 0)
Re: Can OPNsense isolate a guest WiFi network on a networked WiFi AP?
Reply #3 on: February 10, 2021, 04:33:44 pm
I have a rooted AC68U. So it might be possible to route the guest clients through a different ethernet port... but I'd still need an extra ethernet port on my firewall.
An extra AP seems like overkill, but if that's the only reasonable way to do it...
I could take my wifi AP out of AP mode; in that mode it does have VLAN support... but then I'm sure it would add a lot of overhead that I don't want.

Patrick M. Hausen (Hero Member, Posts: 6798, Karma: 571)
Re: Can OPNsense isolate a guest WiFi network on a networked WiFi AP?
Reply #4 on: February 10, 2021, 04:49:45 pm
So in "AP mode" does it run DHCP and does it NAT? In that case you get less overhead when you take it into bridged mode. You can then configure DHCP and NAT on your OPNsense.