Can OPNsense isolate a guest WiFi network on a networked WiFi AP?

Started by TesticulatedLumpkins, February 10, 2021, 03:49:58 PM

I want to separate my IoT devices from the rest of the devices on my network. I don't entirely trust these cheap lightbulbs. The router is in AP mode, but doesn't seem to isolate the wireless networks from one another.

Apologies if this is a silly or obvious question. I'm new to this. I searched for 'AP' but it returned every word with 'ap' in it, and the WiFi articles are all for physically attached WiFi adaptors.

My network is currently like this:

Guest WiFi─Router in AP mode──Ethernet──OPNsense──Internet
Main WiFi  ─┘

First I tried to use VLANs but learned they were unsuitable. I considered firewall rules, but then realised any device could give itself a different IP address to get access it otherwise should not have.

You need to have a separate guest network, then OPNsense can implement a different policy. So e.g.

  • get another access point and connect it to a separate interface of your OPNsense
  • some APs like some Unifi models have two Ethernet ports and can run two different WiFi networks connected to each
  • some APs can do the same with VLANs and a trunk port to your OPNsense

So it all depends on what your wireless hardware is capable of.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

If your router-in-AP mode supports VLANs and you can attach an SSID to a VLAN then there is no problem separating them, otherwise you're probably screwed :-(

That is what I have done in my home:
- Ubiquiti APs with SSIDs attached to VLANs;
- created separate interfaces in OPNsense coupled to those VLANs;
- added firewall rules on those interfaces

normal wifi: no vlan   -> [LAN interface in OPNsense]
guest wifi:  vlan id 50 -> [GUEST interface in OPNsense]
iot wifi:    vlan id 60 -> [IOT interface in OPNsense]

Each has its own IP addresses and DHCP server, all handled by OPNsense.
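As an added illustration (not the poster's configuration and not the ruleset OPNsense generates from its GUI), the isolation policy described above written as hand-made pf rules. Interface names and the GUEST/IOT subnets are assumptions; on OPNsense you would express the same policy as rules on the GUEST and IOT interfaces in Firewall > Rules.

```pf
# Assumed interface names (check Interfaces > Assignments on the real box)
wan_if   = "igb0"
lan_if   = "igb1"           # untagged LAN SSID + wired LAN
guest_if = "igb1_vlan50"    # SSID tagged VLAN 50 by the AP
iot_if   = "igb1_vlan60"    # SSID tagged VLAN 60 by the AP
guest_net = "192.168.50.0/24"   # assumed GUEST subnet
iot_net   = "192.168.60.0/24"   # assumed IOT subnet

# Everything the isolated SSIDs must NOT reach: RFC 1918 plus link-local.
table <private> { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16 }

set skip on lo0
# NAT guest/IoT out to the Internet; LAN is assumed to be NATed elsewhere
nat on $wan_if from { $guest_net, $iot_net } to any -> ($wan_if)

block log all

# LAN may initiate anywhere, including to the IoT bulbs. Replies come back
# through the state entry, so IoT never needs a rule allowing it to reach LAN.
pass in quick on $lan_if from $lan_net to any

# Guest/IoT clients may only ask the firewall itself for DHCP and DNS.
# Rules are keyed on the VLAN interface ("on $iot_if"): the AP applies the tag,
# so a client changing its own IP address still lands in the same policy.
pass in quick on { $guest_if, $iot_if } inet proto udp from any port 68 to any port 67
pass in quick on $guest_if inet proto { tcp, udp } from any to ($guest_if) port 53
pass in quick on $iot_if   inet proto { tcp, udp } from any to ($iot_if)   port 53

# Anything else aimed at private space (LAN, the other SSID, other firewall
# addresses) is dropped and logged.
block in log quick on { $guest_if, $iot_if } from any to <private>

# What remains is Internet-bound and is allowed, statefully.
pass in quick on { $guest_if, $iot_if } from any to any
```

The `block ... to <private>` rule sits above the final pass, so an IoT device that assigns itself a LAN address still cannot open connections to LAN hosts; only traffic that LAN initiated can flow back.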

I have a rooted AC68U. So it might be possible to route the guest clients through a different Ethernet port... but I'd still need an extra Ethernet port on my firewall.

An extra AP seems like overkill, but if that's the only reasonable way to do it...

I could take my WiFi AP out of AP mode; in that mode it does have VLAN support... but then I'm sure it would add a lot of overhead that I don't want.

So in "AP mode" does it run DHCP and does it NAT? In that case you get less overhead when you take it into bridged mode. You can then configure DHCP and NAT on your OPNsense.