Separate Wifi SSIDs via VLAN & Wifi AP recommendations

Started by Asperamanca, January 05, 2021, 03:41:14 PM

I would like to rebuild my network around an OPNsense-based firewall, and I have one configuration question. The topic has been discussed in several threads, but the answers there were mostly focused on specific configuration issues. My question is more about understanding the basic concepts.

What I need:
-) OPNsense Firewall connected to existing internet router
-) A switch connected to the firewall for cable LAN
-) An internal Wifi and a guest Wifi.
Internal Wifi has full network access, but is protected both by password and MAC address whitelisting.
Guest Wifi has internet access, and nothing else.

From what I understand so far, I can achieve this using only a single Wifi access point, provided this AP supports VLANs. Is this correct?

If so, will it work with any vendor's VLAN implementation, or are there differences to watch out for?

Do you have such a configuration running, and if so, which access point vendor do you use?

Hi,

I've had a similar setup up and running for years (personal non-business use).
I'm using TP-Link Omada Controller and APs and SmartManaged Switches (with PoE).

VLAN (802.1Q) is a standardized protocol, so any vendor that implements the standard should work.

br

Does this mean that I have to assign two VLANs to the port which connects to the AP, then configure the AP to use each VLAN with the correct SSID (internal/guest)?

Quote from: Asperamanca on January 05, 2021, 04:09:04 PM
Does this mean that I have to assign two VLANs to the port which connects to the AP, then configure the AP to use each VLAN with the correct SSID (internal/guest)?

Yes right, the port must be configured as trunk and you assign the VLAN ID to the different SSIDs on the AP.

There are several ways to perform the VLAN assignment (e.g. with RADIUS), but this is how I've implemented it.

br

I use the same TP access points, but my Omada server is run as a service on one of my servers.  The other option you have is to choose an access point that allows guest access and isolates the LAN from the guest, i.e. only allows traffic to the gateway, there are plenty around if you look. If you are only using a single WAP that may be a simpler option.
OPNsense 25.7a - Qotom Q355G4 - ISP - Squirrel 1Gbps.

Team Rebellion Member

Quote from: marjohn56 on January 05, 2021, 04:25:04 PM
choose an access point that allows guest access and isolates the LAN from the guest, i.e. only allows traffic to the gateway, there are plenty around if you look.

Good hint. This will be the easiest solution.
The more flexible one (e.g. VLANs for IoT, Kids, ..., firewall rules, ...) is VLAN based. But if you just need one guest WiFi, the solution from marjohn56 is sufficient.

br

I have been researching possible configuration (and availability and pricing...), and although my questions stray a little from OPNsense topics in the narrow sense, I would really value your input:

Since I want to keep my Wifi AP for a while, I aim for Wifi-5 (ac) at least, and I would like to have WPA3. The only (halfway) affordable solutions I can find are Cisco access points which run on PoE. Only one Wifi router I found has both WPA3 and VLAN, and it's ridiculously expensive.

Now the OPNsense-based firewall isn't going to have PoE ports. So I found a suitable switch (unmanaged) which has some PoE ports, and enough ports in total. I would connect the Wifi AP on a PoE port, and my other devices on the remaining ports.
However, what does this mean for the VLAN configuration? It would mean that I have to configure the port on the firewall which connects to the whole switch as "trunk" (as Mks posted, although I'm not familiar with the term).

Does this have unintended consequences for the ports connected to computers and other devices where I can't do a VLAN configuration?

What I have is:
- OPNsense server
- Ubiquiti managed switch
- Ubiquiti APs (AC-LR and AC-PRO)
- Ubiquiti controller (can be installed on an existing PC, or buy their controller device)

Simple setup: the Ubiquiti AP is capable of assigning a VLAN ID to an SSID, then OPNsense will just catch that.
You just need a managed switch (Ubiquiti or not) so the VLAN tags will not be lost (an unmanaged switch may remove the VLAN tags).

Well, none of the Ubiquiti APs has WPA3. If I relax this requirement, I suddenly get lots more options.
But thank you for pointing out the possible issues with VLAN tags. Maybe a PoE injector could do the trick (I hope it just wires the network signal to the port, and adds the wires for PoE).

Quote from: Asperamanca
I aim for Wifi-5 (ac) at least, and I would like to have WPA3.

My recommendation: if you go for controller-based solutions (a central controller which provisions APs) like TP-Link Omada or Ubiquiti, buy cheap WPA2 APs now and replace them once WPA3 is cheaper. WiFi 5/6 + WPA3 is still quite new and the APs are expensive.

Quote from: Asperamanca
So I found a suitable switch (unmanaged) which has some PoE ports, and enough ports in total. I would connect the Wifi AP on a PoE port, and my other devices on the remaining ports.
If you want to use VLANs, the switch must support it. There are a lot of SOHO switches available with PoE and VLAN. You could also use PoE Injectors, but then you need a power plug at each AP.

Quote from: Asperamanca
However, what does this mean for the VLAN configuration? It would mean that I have to configure the port on the firewall which connects to the whole switch as "trunk" (as Mks posted, although I'm not familiar with the term).
The VLAN IDs must be transferred to the switch; this is done via the trunk.
On the switch you configure the VLAN assignment to the ports. As you want to have multiple VLANs on the AP the connection to the AP must also be configured as trunk. On the AP controller you define the VLAN to SSID assignment.

br
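To make the trunk/access/SSID terminology above concrete, here is an added example (not code from this thread, from OPNsense, or from any vendor's controller) that models what an 802.1Q tag looks like on the wire, what a trunk port and an untagged access port do with it, how the AP maps an SSID to a VLAN ID, and the "guest gets internet and nothing else" policy from the first post. The VLAN IDs 10 and 20, the SSID names, the MAC addresses and the firewall_allows policy are constructed assumptions for illustration.

```python
import struct
import ipaddress

# Constructed for this example: VLAN IDs and the SSID-to-VLAN map are assumptions.
VLAN_INTERNAL = 10
VLAN_GUEST = 20
SSID_TO_VLAN = {"home": VLAN_INTERNAL, "guest": VLAN_GUEST}

ETHERTYPE_8021Q = 0x8100   # TPID that marks an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800


def _mac(s):
    return bytes.fromhex(s.replace(":", ""))


def _mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def build_frame(dst, src, payload, vlan_id=None, ethertype=ETHERTYPE_IPV4):
    """Ethernet II frame; a 4-byte 802.1Q tag (TPID + TCI) is inserted after the
    source MAC when vlan_id is given, exactly where a trunk port expects it."""
    frame = _mac(dst) + _mac(src)
    if vlan_id is not None:
        if not 1 <= vlan_id <= 4094:
            raise ValueError("VLAN ID must be 1..4094")
        frame += struct.pack("!HH", ETHERTYPE_8021Q, vlan_id)  # PCP=0, DEI=0
    return frame + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return (dst, src, vlan_id or None, ethertype, payload)."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst, src = _mac_str(frame[0:6]), _mac_str(frame[6:12])
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vlan_id, off = None, 14
    if ethertype == ETHERTYPE_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan_id, off = tci & 0x0FFF, 18
    return dst, src, vlan_id, ethertype, frame[off:]


def ap_tag_from_ssid(ssid, frame):
    """AP side: a client frame received on an SSID is tagged with that SSID's
    VLAN before it goes up the trunk. A client-supplied tag is refused so that a
    station cannot pick its own VLAN."""
    dst, src, vid, et, payload = parse_frame(frame)
    if vid is not None:
        raise ValueError("wireless clients must not supply their own VLAN tag")
    return build_frame(dst, src, payload, SSID_TO_VLAN[ssid], et)


def trunk_egress(frame, allowed):
    """Trunk port: forwards tagged frames of allowed VLANs unchanged, drops the rest."""
    vid = parse_frame(frame)[2]
    return frame if vid in allowed else None


def access_egress(frame, pvid):
    """Access (untagged) port: only its own VLAN leaves, and the tag is stripped,
    so a PC behind it never needs VLAN support in its NIC."""
    dst, src, vid, et, payload = parse_frame(frame)
    if vid != pvid:
        return None
    return build_frame(dst, src, payload, None, et)


PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def firewall_allows(vlan_id, dst_ip):
    """Constructed per-VLAN policy: internal may reach anything, guest may reach
    only addresses outside the private ranges (i.e. the internet), unknown VLANs
    are denied."""
    if vlan_id == VLAN_INTERNAL:
        return True
    if vlan_id == VLAN_GUEST:
        ip = ipaddress.ip_address(dst_ip)
        return not any(ip in net for net in PRIVATE_NETS)
    return False


if __name__ == "__main__":
    client = build_frame("ff:ff:ff:ff:ff:ff", "02:00:00:00:00:01", b"hello")
    on_trunk = ap_tag_from_ssid("guest", client)
    print("tagged VLAN:", parse_frame(on_trunk)[2])
    print("reaches internal access port:", access_egress(on_trunk, VLAN_INTERNAL))
    print("guest -> 192.168.1.10 allowed:", firewall_allows(VLAN_GUEST, "192.168.1.10"))
```

The access_egress function is the reason an unmanaged switch is a problem in this design: it has no notion of a PVID, so it cannot strip the tag for a PC on one port while keeping it for the AP on another.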

 ;)  You don't have to have a power point by the AP with POE injectors, they just need to be in the line to the AP somewhere.
One other thing that needs to be remembered here: once you have one managed switch, anywhere else on the wired network will also require managed switches, unless you can set the VLAN ID on each endpoint, and not all NICs support that.
OPNsense 25.7a - Qotom Q355G4 - ISP - Squirrel 1Gbps.

Team Rebellion Member

I'm not a fan of buying hardware today that I know I'll throw out in two or three years, even if it's the most economical thing to do. So I'd rather find a Wifi solution that I can live with for the coming 5-10 years.

I currently have one Wifi router, and I get some spotty coverage in some rooms. So I think I can either use two AP or one AP and one Repeater. Since Wifi coverage goes down in a pretty linear fashion as I increase distance to the router, I think that 1 AP + 1 Repeater should do the trick.

It turned out that APs with Wifi-5 + VLAN + WPA2 capability are almost as expensive as the next level (business APs with 10 year warranty and Wifi-5 + VLAN + WPA3). Since I intend to go for quality, that sounds good to me.

So my plan is the following:

  • Deciso 3-port Firewall running OPNsense
  • Wifi-AP with PoE injector connected directly to firewall ("trunk" port)
  • Wifi-Repeater to improve coverage
  • Unmanaged switch connected directly to firewall ("internal VLAN" port, so all devices connected to it belong to the internal VLAN)

Quote from: marjohn56 on January 06, 2021, 09:27:26 AM
;)  You don't have to have a power point by the AP with POE injectors, they just need to be in the line to the AP somewhere.

I don't think I fully understand this statement. What do you consider a "power point" in this context?

Quote from: marjohn56 on January 06, 2021, 09:27:26 AM
One other thing that needs to be remembered here, once you have one managed switch, anywhere else on the wired network will also require managed switches, unless you can set the vlan ID on each endpoint, not all NICs support that.

Will this spell trouble in the above configuration? If I designate the whole (unmanaged) switch to a certain VLAN, won't the firewall be able to treat any incoming and outgoing traffic on that port accordingly?

January 06, 2021, 01:58:14 PM #12 Last Edit: January 06, 2021, 02:04:00 PM by marjohn56
I meant you do not need to have a power 'socket' for the POE injector near the WAP, the POE injector just can be anywhere convenient.

Not too sure about your idea of using a trunk port carrying both VLANs and a single port carrying one of the VLANs. OPNsense is a firewall/router, not a managed switch; I also don't think you'll be able to get OPNsense to work with both VLANs on one port and only one of the VLANs on another. You are better off using a managed switch after OPNsense. Take the trunk carrying both VLANs into the switch; another port on the switch needs to be configured as a trunk, and you connect that to the WAP. Then one of the other ports on the switch is defined as your primary VLAN (not guest); use that to connect all your physical devices. The advantage of that is that you can easily expand your system then. Managed 8-port switches are cheap. A D-Link DGS-1100-08 would suffice; that's what I used when I first started with VLANs.
OPNsense 25.7a - Qotom Q355G4 - ISP - Squirrel 1Gbps.

Team Rebellion Member

Yes, managed switches are not that much more expensive. I guess I just hoped for one less device I had to configure...

However, the idea with the PoE injector falls apart in two places:
1) I can't find a PoE injector where the documentation mentions VLAN tags to be maintained
2) I can't find the required voltage in the documentation of the Wifi AP, so I can't use a passive PoE injector with fixed voltage

It seems that every time I feel I got the configuration right, I learn something new...
Back to the drawing table.

Ok, more research. Trouble is, 8 ports just isn't enough.

So I can use one managed 4-port PoE switch, and one managed 8-port non-PoE switch. Still more devices to configure, but I hope this combination will do the trick.