
Should I separate one network port for wireless using the pfSense router or the switch

Last Modified: 2020-06-17
I have a modem to a pfSense router/firewall (Netgate SG-2440 v2.3.4) to a Cisco SG-200-26 Smart switch. This supplies network configuration and IP addresses to the clients via DHCP on the pfSense.

One port on the switch connects to a Cisco wireless router. I would like to ensure that this is isolated from the rest of the network.

Mohammad Rummaneh, Sr. Network & Security Engineer
CERTIFIED EXPERT

Commented:
Hi Bert2005,

Is your Cisco wireless router connected to the internet? I mean the same connection as the pfSense, or does it have its own internet connection?

Also, can you tell me what the function of your Cisco wireless router is? Is it to extend your local network? Do your wireless users get an IP address from the DHCP which is configured in your pfSense, or from a different subnet?

I have a concern: why is your wireless connected to the switch and not the firewall? I think if you connect your wireless router to the pfSense that will be better, and you can simply isolate users using firewall policies.


Author

Commented:
I am a little confused.
I thought the router needed to be between the modem and the switch for a few reasons. I thought the switch was just to allow multiple endpoints (clients, printers) to have access.

Making this a little confusing is the fact that I normally use the server for active directory, domain controller and DHCP. It does do the first two. I have two VMs. An RDS that the clients remote to. And, the Essentials VM for AC and DC.

The wireless router gives out IP addresses to patients for their cell phones, etc. It gives out a different subnet, but it is still connected to the LAN network. Probably not a good idea.

Maybe I should split the modem cable into one for the network to the pfSense and one to a separate router with a configuration that could go to the Cisco wireless. It would then not be able to access the network.
Mohammad Rummaneh, Sr. Network & Security Engineer
CERTIFIED EXPERT

Commented:
"The wireless router gives out IP addresses to patients for their cell phones, etc. It gives out a different subnet, but it is still connected to the LAN network. Probably not a good idea."

It is better to connect your wireless router to the firewall directly, with a different subnet than your local network (guest network), and this wireless (guest) network only has a policy to access the internet.
That will give you good control over your network and also protect your local network. Also, if you need to do traffic shaping over your internet connection, let's say you have an internet connection with a speed of 100Mbps, you can for example reserve only 20Mbps for wireless users (guest) and 80Mbps for your local network; that will increase network efficiency.
Another point: you can do application control & web filtering for your local network and permit everything for guests, and so many other benefits. This design gives you more flexibility for managing your network.

"Maybe I should split the modem cable into one for the network to the pfSense and one to a separate router with a configuration that could go to the Cisco wireless. It would then not be able to access the network."
Why do you need wireless users to access your local network? As I understand it, it is only for guests. If you want them to access the network it should be doable, you just need to configure policies between your local network and the guest network, but I don't recommend this solution.

Author

Commented:
Thanks for the input on the guest network. What I was saying was you can split the subnets by using a small switch after the modem.

Modem >> switch >> Router >> Switch >> LAN
                      |
                   router >> punch down block patch panel >> wireless router >> guest network

This setup was used often prior to VLANs, etc. I know it seems weird, but it works.

I know. Then why am I asking? Just trying to get rid of the extra router and switch.

But, you are correct. The patients (guests) will not have any access to the main network.  

Mohammad Rummaneh, Sr. Network & Security Engineer
CERTIFIED EXPERT

Commented:
Yes, it should be doable, and it depends on your modem. You have two options:

1- Does your modem have the ability to use two different subnets on the same port (sub-interface)? If yes, this is solution number 1.
2- If you have two ports for LAN and you can use a different subnet on each port, let's say LAN Port 1: 192.168.1.0/24
and LAN Port 2: 192.168.2.0/24.

Can you tell me what your modem type is?



Author

Commented:
DG 1670A/TW
This one has four ports where you have to use port 1 for the initial connection to a router. So, port two may accomplish the same thing.
Mohammad Rummaneh, Sr. Network & Security Engineer
CERTIFIED EXPERT

Commented:
I went into the datasheet of your router and it is doable to add one VLAN per interface.

https://arris.secure.force.com/consumers/ConsumerProductDetail?p=a0ha000000NJnz9AAD&c=Touchstone%20Gateways#panel3   page 49


Author

Commented:
Thanks for all of your help. So, what would you recommend? I should be able to run an Ethernet cable from port 2, which will be a different VLAN. Do I just run that to the router? Can the router receive two cables? Sorry.
CERTIFIED EXPERT

Commented:
Unless I'm missing something here, it seems most straightforward to just connect the WAP to a port on the pfSense box and configure the box for the security you want.  pfSense is VERY flexible and would allow you a great amount of control.  You can even accomplish the isolation of the WAP without VLANs if you wish.

Keep in mind that the DG1670 is a modem, router, and WAP.  It also has a 4-port switch built in, so you'd not need to add one between it and the firewall.

Do you need the WAP capability of the DG1670?  If not, I'd look at setting it up in Bridge Mode (where it is more or less just a modem), connect the pfSense box to it, and use two separate ports on the pfSense box to feed the WAP and the switch.  Better yet, if your ISP allows it, replace the DG1670 with your own modem.

CERTIFIED EXPERT

Commented:
Either can work.

You can use 2 virtual VLAN interfaces on the pfSense box and a trunk with both VLANs on the switch,
or
you can set up 2 separate regular interfaces on the pfSense box and 2 separate access ports on the switch.

Using 2 ports allows you to have native separate bandwidth reservations, but that is probably not even a concern since the LAN is most likely orders of magnitude faster than the WAN.

Author

Commented:
One factor is that the modem is located in the basement with concrete walls as far as the WAP is concerned.
CERTIFIED EXPERT

Commented:
As long as you can set up cables between the pfSense box and the switch, it does not matter.
The modem needs to reach the pfSense box, either directly or through the switch and a dedicated VLAN.
The access point is in the same situation.
Virtual vs. physical LAN separation is a matter of choice and has little security impact in that case.
The modem, on the other hand, had better be plugged directly into the pfSense box rather than into the switch if you have an available port.

Author

Commented:
"Keep in mind that the DG1670 is a modem, router, and WAP"

Thanks. I was just making sure that CompProbSolver wasn't suggesting using the WAP from the modem itself. Of course, it would be good to know if it were in a more central location.

Everything goes to the pfSense router first.

In the past, I used a more rudimentary method explained above: modem to a small unmanaged non-PoE four-port switch. One cable from that switch to pfSense to the network. Another cable connected to a router, then to the wireless router. This completely isolated the wireless.
CERTIFIED EXPERT

Commented:
"This completely isolated the wireless."
Not really. They both combine at the primary modem/router. The isolation comes strictly from the rules in the pfSense box that prevent the WAN network from accessing the LAN network uninvited. You could establish the same rules in the pfSense box from one port to another and simplify the installation.
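As an added example (not code from any of the posters), here is the "internet only" guest policy Mohammad Rummaneh describes and the port-to-port rules CompProbSolver refers to, written as pf rules equivalent to what pfSense generates from its Firewall > Rules page for a guest interface. The interface names, VLAN ID and guest subnet are assumptions.

```pf
# Added example: pf ruleset for an isolated guest Wi-Fi interface on pfSense.
# Assumptions (not from the thread): LAN is igb1, the guest VLAN is VLAN 20
# tagged on igb1 (pfSense exposes it as a VLAN interface), guest subnet is
# 192.168.20.0/24. pfSense adds "quick" to every rule it generates, so the
# ruleset is first-match: the order below is the whole point.
lan_if    = "igb1"
guest_if  = "igb1.20"
guest_net = "192.168.20.0/24"

# All private ranges, so the block also covers VLANs you add later, not just LAN.
table <rfc1918> { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

# 1. Guests may reach the firewall itself only for DHCP and DNS.
pass in quick on $guest_if proto udp from any port 68 to any port 67 keep state
pass in quick on $guest_if proto { tcp, udp } from $guest_net to ($guest_if) port 53 keep state

# 2. Everything else aimed at the firewall or at any private network is dropped.
#    "self" is every address the firewall owns, so this also closes the
#    web GUI and SSH on the guest side.
block in quick on $guest_if from any to self
block in quick on $guest_if from any to <rfc1918>

# 3. Whatever is left can only be internet-bound, so let it out.
pass in quick on $guest_if from $guest_net to any keep state

# Weak version for comparison: the single "allow all" rule pfSense puts on
# LAN by default. Used alone on the guest interface it also reaches the
# office LAN, because nothing above it blocks the private ranges.
# pass in quick on $guest_if from $guest_net to any keep state
```

Check it from a guest client: a connection to any LAN address should be dropped, while an external name still resolves through the firewall and the site loads.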
CERTIFIED EXPERT

Commented:
Given the above, the simplest solution would be to plug the WAP directly into an available port on the pfSense box.

But in the long run, if you own a managed switch or can use your router as such, it seems better to set up VLANs. Proper network isolation, even for a small office, typically produces a handful of network segments. If you host services, you quickly reach one or a few dozen.

Either way, you will quickly be limited by the number of available ports on the pfSense box. In such situations, I would usually first aggregate multiple pfSense ports together to maximise the bandwidth between the pfSense box and the switch, and then set up virtual VLAN interfaces on top of the aggregate. You can reasonably allow the whole VLAN range on the switch side of that aggregate in order to simplify maintenance.

With the above setup, the WAP would be plugged into the switch on an access port on VLAN x, and you would merely create a virtual VLAN interface (on VLAN x) named WAP on the pfSense box.
CERTIFIED EXPERT

Commented:
skull makes an excellent point.  If you are going to want to have more "zones" that are to be isolated (or otherwise controlled independently) than you have available physical ports on your pfSense box, moving to VLANs on your switch is a better idea.  As he suggests, look at your future needs, not just present ones.

If you only need two different zones (Guest WiFi and everything else), then separating them at the modem/router or (my preference) in the pfSense box may be a more straightforward configuration than setting up VLANs.