I have come to really appreciate pfSense firewall as you can tell by these posts:
However, this past weekend I have grown to appreciate it even more. At The New School we implemented segmented switching using 6 VLANs. A VLAN, or Virtual Local Area Network, allows the same switch to carry multiple broadcast domains. Without getting into too much detail a broadcast domain allows devices plugged into the same switch to have different IP addresses. For instance 10.0.0.1 and 192.168.1.1 could both be plugged into the same switch and traffic would pass without ever running into each other. This technology has been around for a long time, but it is particularly useful at The New School where there are many devices on the network, but not all of them need to have the same access to resources.
Using the Ubiquiti UniFi wireless access points we are able to distribute these VLANs wirelessly over different SSID (wireless network name). This means Guests, Students, and Staff all have their own wireless network with specific resources on the same physical hardware. Big cost savings.
There are occasions where a device on one VLAN may need access to a device on another VLAN (file shares, printing to name a couple). In this situation a router is needed. A router can ‘route’ traffic from one domain to another. This is what your home router does since your Local Area Network is a different domain than that of your Internet Service Provider.
Since pfSense supports VLANs we applied the same VLAN structure to it as we did the switches. A single port can carry multiple VLANs (through VLAN tagging at the switch and within pfSense), thus we are able to connect all New School VLANs to the pfSense firewall with one Cat5e cable. pfSense then treats each VLAN as a separate interface. As such, it can provide DCHP, DNS, Firewall Rules, gateway routing, etc… to each VLAN. At a primitive level, this allows each VLAN to access the internet. In the case of inter-vlan resource sharing (VLAN routing) it allows us to control the routing using each interfaces’ firewall. This is nice because the pfSense web based configuration is easy to understand and yet very powerful.
We have the ability to allow entire domains or specific IP addresses to talk across VLANs. We can also get very granular and allow only specific ports and protocols if we prefer (say TCP port 80 for to internal web server accessible from one IP address on the Student network).
I wanted to configure vlans in pfsense I have not managed to do it cheap if you can help me
Do you have a specific question or problem? I would be glad to help.
Great walkthrough, thanks !
I’d like to ask the same as Aimar’s question, VLANs are supported right.. Only QinQ… Does the access point have to support Vlans as well in order for PFSense to use them?
Second: If I use Radius Authentication, for 802.1x clients, Can they log in with their own credentials or is it just a security feature that registers one global login for all users in the Radius server ?
And this Radius server, does it have to be the one integrated with PFSense or can one use an existing one ( ACS ) ?
Can I give my 802.1x clients privileges to others regarding the bandwidth?
Third: Depends on your answer to my second question, is it feasable to use a guest vlan for non 802.1x clients, thus connecting with a single login/password… ? This would require having assigned users to vlans prior to accessing the authentication page right…. ? Is there no other way to do it?
Forth: Can I block streaming in PFSence ?
Fifth: is it preferable to use it on a virtuale Linux machine or is a Windows server just fine?
Last: How can I simulate its good functioning before installing it on the actual network? Just use a bunch of Virtual machines…?
I’m soo sorry for this gigantic list of questions, I really hope you could answer me :).
Many of your questions would probably be better answered from pfSense.org However, I’ll take a stab at it:
1 – VLANs are supported, yes. An access point you intend to have multiple SSIDs on would also need to support VLANs. However, pfSense could still use them even if your AP doesn’t (but there would be no reason).
2 – Each use would have their own unique username/password. No you can use other radius servers or use the freeRadius package within pfSense. Regarding bandwidth. I am unsure about giving specific users more or less bandwidth
3 – I am not sure what you mean. If you have an AP with a guest SSID (linked to a ‘guest’ vlan) then you can put whatever password you want on the SSID. Users wanting more ‘privileges’ would simply connect to a ‘Private’ SSID (linked to a ‘private’ vlan)
4 – Yes, you can use Qos to block/filter about anything you want. Search for ‘skear pfsense’ for more information
5 – Linux and Windows would be fine hosts for a virtual pfSense install. As would ESXi4.1 from VMware
6 – If you have an old x86 computer laying around drop 2 NIC cards in it and go to town. pfSense doesn’t require much horsepower (depending on packages installed).
I really appreciate your answers 🙂 Thanks many.
What I meant by my third question is, are you a guest because you log on with a specific Login or do you log on with a specific login because you are a guest ?
In other words, can PFSense be the one to assign the user to a Vlan depending on his status ( 802.1x or not) or is it done deal at the very moment one connects to the AP ?
I hope I’m making some sense !
You were really of great help, thanks again.
This is known as Dynaic VLAN assignment. While it is possible with pfSense (from what I understand) I can’t understand how it would be implemented in a wireless setting.
An enterprise AP can have multiple SSIDs each with their own subnets, if vlans are used. However, to force the client to ‘jump’ from one vlan to another you would have to someone force them to switch which SSID they are connected to. I am not aware of a way to do this. So for wireless deployements, the SSID the client connects to determines which vlan they are on. Then, based on pfSense, the user can be authenticated (or not) and allowed access. Now, with the addition of a sophisticated wireless lan controller this would be possible.
In a wired situation you would need to have a switch capable of dynamic vlan assignement as well. This switch would would change which vlan a port belongs to based on the authentication of that client (802.1x).
All this is to say that Yes, it is possible and supported by pfSense. However, your budget just went WAY up.
Thank you, that was very clear ! 🙂