john rease

access to network admin portal only from certain network

hi:

can I have it to where you can only get to the admin portal of a network if, say, I'm on a certain network?

for example, if I'm on the wifi network "admin", that is the only place I can get to the admin portal for administering the network. Any other network, like guest or IoT, doesn't have any access.

is there a way to do this?

thanks in advance



Gerwin Jansen

Sure, but you probably need a firewall to make that possible. Can you describe your setup: which network components, network layout, what kind of devices, etc.?

 

For example: a basic (home) setup would have a standard modem/router that supports a guest network. The guest network is a separate VLAN, and on the modem/router device you can set options to allow/disallow the guest network devices to 'see' each other or devices in the normal VLAN.


Agree with the expert. It should be possible. And if you are just looking at a wifi AP setup, you can set different SSIDs, like guest, home and office SSIDs. Ideally you have separate APs, but within one AP it is doable as well with different SSIDs. Assign different IP ranges, x.10 (guest), x.20 (home), x.30 (office), as VLAN networks. You can use the firewall to filter the clients to allow only a specific range of addresses, and leverage AP isolation (if the AP supports it) to prevent spillover traffic across the SSIDs; it is useful for additional segregation.

https://documentation.meraki.com/MR/Wi-Fi_Basics_and_Best_Practices/Configuring_Simple_Guest_and_Internal_Wireless_Networks 
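The segmentation described in the two answers above (an admin VLAN that is the only network allowed to reach the router's admin UI, guest and IoT VLANs that are not, no traffic between VLANs) comes down to an ordered, first-match, default-deny rule set. The following is an added example, not code from the thread or from pfSense/UniFi: a small Python model of such a rule set, evaluated against constructed flows. The VLAN subnets, the admin portal address 192.168.30.1 and the port list are assumptions chosen for illustration, and the second policy shows how one misplaced "allow any" rule silently undoes the restriction.

```python
"""Model of a first-match, default-deny firewall policy for admin-portal access.

Added example: the subnets, portal address and rule wording are constructed
for illustration and are not the syntax of any particular firewall product.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

ANY = (ip_network("0.0.0.0/0"),)
RFC1918 = tuple(ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"))

# Constructed VLAN plan following the "x.10 guest / x.20 home / x.30 office" idea.
VLANS = {
    "guest": ip_network("192.168.10.0/24"),
    "home": ip_network("192.168.20.0/24"),
    "admin": ip_network("192.168.30.0/24"),   # assumption: management VLAN
    "iot": ip_network("192.168.40.0/24"),
}
PORTAL = ip_network("192.168.30.1/32")        # assumption: router / pfSense web UI address
PORTAL_PORTS = frozenset({443, 22})


@dataclass(frozen=True)
class Rule:
    action: str                       # "allow" or "deny"
    src: Tuple                        # tuple of ip_network objects
    dst: Tuple
    ports: Optional[frozenset] = None  # None means any destination port
    comment: str = ""


def _in_any(addr, nets):
    return any(addr in n for n in nets)


def evaluate(policy, src, dst, port):
    """Return (action, comment) of the first matching rule, or an implicit deny."""
    src, dst = ip_address(src), ip_address(dst)
    for rule in policy:
        if _in_any(src, rule.src) and _in_any(dst, rule.dst) \
                and (rule.ports is None or port in rule.ports):
            return rule.action, rule.comment
    return "deny", "implicit default deny"


# Intended policy: only the admin VLAN reaches the UI, no VLAN-to-VLAN traffic,
# everything else may only go out to the internet.
HARDENED = (
    Rule("allow", (VLANS["admin"],), (PORTAL,), PORTAL_PORTS, "admin VLAN to router UI"),
    Rule("deny", ANY, (PORTAL,), PORTAL_PORTS, "everyone else to router UI"),
    Rule("deny", RFC1918, RFC1918, None, "no inter-VLAN traffic"),
    Rule("allow", ANY, ANY, None, "internet access"),
)

# Same rules, but the broad "allow any" was placed first: it now shadows every
# deny below it, so guest and IoT clients can reach the admin UI.
LEAKY = (Rule("allow", ANY, ANY, None, "internet access (misplaced)"),) + HARDENED[:3]

# Constructed flows used to audit both policies.
FLOWS = [
    ("admin client to UI", "192.168.30.50", "192.168.30.1", 443),
    ("guest client to UI", "192.168.10.7", "192.168.30.1", 443),
    ("iot device to home host", "192.168.40.9", "192.168.20.5", 80),
    ("guest client to internet", "192.168.10.7", "1.1.1.1", 443),
]


def audit(policy):
    """Map each flow description to the action the policy takes."""
    return {name: evaluate(policy, s, d, p)[0] for name, s, d, p in FLOWS}


if __name__ == "__main__":
    for label, policy in (("hardened", HARDENED), ("leaky", LEAKY)):
        print(label)
        for name, action in audit(policy).items():
            print(f"  {name:28s} -> {action}")
```

The point to take from the audit is the ordering: a firewall that does first-match evaluation (pf on pfSense does) must see the specific "admin VLAN to UI" allow and the broad deny before any general internet-access rule, otherwise the segmentation exists only on paper.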


You need a dedicated network for the admin, which not all APs support.

Typically, the admin network is over the wire.

 

Other options include a tiny SSL proxy in said admin network with decent authentication. mTLS makes sense. Or some VPN.




john rease (asker)

Yeah, I'm planning to run pfSense on my home network, either that or a UniFi Dream Machine Pro.

There are 3 networks: admin, accessed via a certificate in WPA3 192-bit mode;

guest, which has a password;

and IoT, which has a password.

Client isolation, network isolation, as well as IDS and IPS.

Those with Ethernet will get MACsec encryption and cannot get to other networks.

I will make the VPN an IPsec tunnel with strongSwan or NSA goSecure https://nsacyber.github.io/goSecure/

And while I'll often use the guest network myself for normal browsing, I want to have the admin network for sensitive admin stuff like the admin portal for the router and pfSense.


I think the key to securing this network is segregation: just make sure they are in different networks with no routes between them, especially from guest (the "dirty" network) to the office-related working ones. Even across wireless and wired networks you can consider the IDS to inspect for known malicious traffic traversal. The management LAN to the WiFi should be out of band and, where possible, use MFA for those admin tasks. The stretch is to even consider a wireless IDS on the wireless network for rogue APs and interception attempts.


john rease (asker)

Yeah, but how would pfSense detect rogue networks? It seems, well, not impossible, but definitely hard…

Will something like Suricata or Snort be able to do this or pull it off?

 




If pfSense does not have native rogue AP detection, then I agree it is harder, as I foresee relying on other manual means and expertise to analyse logs to detect and block unrecognised MAC addresses connecting to the network, connection attempts with no certificate, noisy devices assuming IP addresses through ARP broadcasts, DoS traffic to slow down the original AP, etc.


WPA3 is not too bad, but there are still ways to get in, including brute force.

If you only use said network for short-duration admin tasks, the exposure is minimal but not nil. Likewise, hiding the admin SSID can help significantly but is not bulletproof.

 

I am not too sure I would trust goSecure more than any other.

 

Not too sure what you mean by "rogue network". It does not make any sense to me.

The above rogue stuff had better be detected by the AP itself, but that is not entirely possible.

Which is why the VPN is helpful.

Proven security features are much more efficient than attempting to detect rogue stuff globally. You would:

make sure the admin UI is unreachable except through the VPN.

make sure the VPN termination is only available through the admin network.

check for attempts at hammering the VPN termination.

check for bad passwords on the AP admin UI.

avoid using the admin connection except when it is needed.

 

Note that you can run lots of modules, including Suricata, on pfSense.
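Two of the checks listed above ("attempts at hammering the VPN termination" and "bad passwords on the AP admin UI") are things a short log-scanning script can do. Below is an added example, not from the thread or from pfSense: it reads syslog-style lines, counts authentication failures per source address in a sliding time window, and raises one alert per source when a threshold is crossed. It also flags any web-UI login failure whose source is outside the admin network, since under the design discussed here nothing outside that network should ever reach the UI. The log lines are constructed and only approximate the OpenVPN "TLS Error" and pfSense "webConfigurator authentication error" message formats; the thresholds and the admin subnet 192.168.30.0/24 are assumptions, so adjust the regexes to the exact lines your own box writes.

```python
"""Sliding-window detection of VPN hammering and admin-UI login failures.

Added example with constructed log lines; message formats approximate
OpenVPN and pfSense output and must be adapted to the real log source.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

ADMIN_VLAN = ip_network("192.168.30.0/24")  # assumption: only network allowed to the UI

# (failures, window) that count as "hammering" for each log source
THRESHOLDS = {
    "vpn": (5, timedelta(seconds=60)),
    "ui": (3, timedelta(seconds=120)),
}

TS = r"(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d)"
PATTERNS = {
    # OpenVPN failed TLS handshakes carry the peer address as ip:port
    "vpn": re.compile(TS + r" \S+ openvpn\[\d+\]: (?P<ip>[\d.]+):\d+ TLS Error"),
    # pfSense web UI logs failed logins through php-fpm
    "ui": re.compile(TS + r" \S+ php-fpm\[\d+\]: .*webConfigurator authentication error "
                     r"for user '[^']+' from: (?P<ip>[\d.]+)"),
}

# Constructed sample log (not real traffic): one source hammering OpenVPN,
# one guest-VLAN host guessing UI passwords, one benign typo from the admin VLAN.
SAMPLE_LOG = """\
Jan  5 10:00:01 pfsense openvpn[1234]: 203.0.113.5:51234 TLS Error: TLS handshake failed
Jan  5 10:00:04 pfsense openvpn[1234]: 203.0.113.5:51240 TLS Error: TLS handshake failed
Jan  5 10:00:09 pfsense openvpn[1234]: 203.0.113.5:51251 TLS Error: TLS handshake failed
Jan  5 10:00:15 pfsense openvpn[1234]: 203.0.113.5:51260 TLS Error: TLS handshake failed
Jan  5 10:00:20 pfsense openvpn[1234]: 203.0.113.5:51266 TLS Error: TLS handshake failed
Jan  5 10:01:00 pfsense openvpn[1234]: 198.51.100.9:40000 TLS Error: TLS handshake failed
Jan  5 10:02:30 pfsense php-fpm[345]: /index.php: webConfigurator authentication error for user 'admin' from: 192.168.10.7
Jan  5 10:02:33 pfsense php-fpm[345]: /index.php: webConfigurator authentication error for user 'admin' from: 192.168.10.7
Jan  5 10:02:36 pfsense php-fpm[345]: /index.php: webConfigurator authentication error for user 'root' from: 192.168.10.7
Jan  5 10:30:00 pfsense php-fpm[345]: /index.php: webConfigurator authentication error for user 'admin' from: 192.168.30.50
Jan  5 11:00:00 pfsense php-fpm[345]: /index.php: Successful login for user 'admin' from: 192.168.30.50
"""


def parse(line):
    """Return (kind, timestamp, source_ip) for a failure line, else None."""
    for kind, pattern in PATTERNS.items():
        m = pattern.match(line)
        if m:
            # syslog lines carry no year; relative ordering is all we need here
            ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
            return kind, ts, m.group("ip")
    return None


def detect(lines, admin_net=ADMIN_VLAN):
    """Return alerts as (name, ip, count, timestamp), at most one per name and ip."""
    windows = defaultdict(deque)   # (kind, ip) -> timestamps within the window
    alerted = set()
    alerts = []
    for line in lines:
        event = parse(line)
        if event is None:
            continue
        kind, ts, ip = event
        # A UI login failure from outside the admin network is an alert on its own:
        # the firewall policy should have made the UI unreachable from there.
        if kind == "ui" and ip_address(ip) not in admin_net \
                and ("ui_unexpected_source", ip) not in alerted:
            alerted.add(("ui_unexpected_source", ip))
            alerts.append(("ui_unexpected_source", ip, 1, ts))
        limit, window = THRESHOLDS[kind]
        recent = windows[(kind, ip)]
        recent.append(ts)
        while recent and ts - recent[0] > window:
            recent.popleft()       # drop failures that aged out of the window
        name = f"{kind}_bruteforce"
        if len(recent) >= limit and (name, ip) not in alerted:
            alerted.add((name, ip))
            alerts.append((name, ip, len(recent), ts))
    return alerts


if __name__ == "__main__":
    for name, ip, count, ts in detect(SAMPLE_LOG.splitlines()):
        print(f"{ts:%b %d %H:%M:%S} {name:22s} {ip:16s} failures={count}")
```

Running it on the constructed sample yields three alerts: the OpenVPN source that failed five handshakes in 19 seconds, the guest-VLAN host the moment it first touches the UI, and the same host again when it crosses the UI failure threshold; the single failure from the admin VLAN stays quiet. On a real box the same logic can be fed from the pfSense system log or a remote syslog collector.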


john rease (asker)

I'm aware of that last part. But how would I allow the admin network only on that VPN?

NAT? DMZ?




When the VPN tunnel is up there should be a range of IP addresses that can be issued; you just need to issue that range and make it accessible or routed to the admin network. Actually, if you do remote access from somewhere outside your enterprise network you should consider MFA (or client cert) authentication for the VPN access. Best is to avoid coming from an open public network to remote into the enterprise if it is a very sensitive network.


Your privileged wifi network is whichever VLAN is selected once you connect with your admin credentials.

 

The VPN termination (possibly pfSense itself) is in that same network and provides access to the actual admin network.

 

It is imho acceptable to skip the privileged wifi. Make sure you monitor rogue access attempts on the VPN termination and do not expose its presence.

 

Definitely secure the VPN with a client cert and at least one secondary mechanism. OTP could make sense if you have something set up already.


john rease (asker)

I should ask, is it even possible to have FIDO or passkeys for an admin network?

Also, I plan to have the login be passwordless.

The only way I can think of doing this is having pfSense connect to a Cloudflare tunnel, then setting WAF rules to not connect unless there is a valid client certificate.




Cloudflare stuff makes zero sense imho, but that would avoid bothering with wifi security.

 

You can easily create some reverse proxy with certificate-based auth or use a client cert on OpenVPN. pfSense does the crypto setup for you, btw.

 

There are also plugins for FIDO and passkeys, either ready or under development afaik, but I am unsure atm. They should integrate with OpenVPN easily.


Not that I know of pfSense supporting a passwordless scheme; it is more OTP or Google Authenticator when used with the FreeRADIUS auth server. So if you have some form of 2FA, that would be good enough for now. Using Cloudflare is more for CDN for web services, so if you are looking at protecting pfSense, then you need to reduce exposure by whitelisting the ingress Cloudflare IPs. As mentioned, you wouldn't want to expose the admin console to the Internet in the first place.


john rease (asker)

Thanks for that.

What reverse proxy should I use?

Something like Duo Security for SSO?

Or something else?




This is the one that I referred to in a previous post:

 

https://www.netgate.com/blog/freeradius-on-pfsense-for-2fa%3fhs_amp=true

 

I think Duo is another possibility.

 


john rease (asker)

I know FreeRADIUS can integrate with pfSense.

But I must ask, can FreeRADIUS do PIV/mTLS?

Also, how would I go about putting the admin portal to where only I (the only guy connecting to it) can get in via the VPN tunnel?

 


You probably have to explore EAP-TLS in FreeRADIUS and check with the specific PIV supplier (if available) for support.




john rease (asker)

Yeah, but does EAP-TLS work with the admin portal itself?

I think EAP-TLS is only for WPA3 Enterprise in 192-bit mode.


Start by reviewing your needs. You have no reason to pile in stuff.

 

You can use a simple proxy in front of the AP UI if you just want to add some layer, such as a client cert, that it does not support. That can be done with HAProxy, possibly on the pfSense box, or stunnel, or lighttpd, or nginx, or actually most L4 proxies.

 

But if you already have a VPN up and running on pfSense, this is totally overkill.

 

I would also avoid making the web UI auth uselessly complex. You can restrict it to the VPN's LAN (or a directly attached host with a cable in said LAN) so you do not end up locking yourself out in the future. Likewise, I prefer to avoid relying on a complex toolchain on trivial infras.


ASKER CERTIFIED SOLUTION
skullnobrains


Agree with the expert. Start small first and get the setup done with VPN and WPA2 as well as hardening of the AP and VLANs. Using and managing certificates will be a totally new effort for a full-fledged enterprise network. That can come later, and I suggest you even engage in penetration testing against the setup to assure the mitigation effectiveness.




Yeah, though you're thinking a little too far ahead imho ;)

 

Also, the cert management can be done quite trivially in pfSense itself: a built-in CA that integrates with OpenVPN and can be configured in the UI.

 

Forgot to mention: stick the AP's UI in the same LAN once you're done if you do not want to bother with yet another proxy.


john rease (asker)

Cool, thank you.

Also, I will not use WPA2, I will use WPA3, the Enterprise version with certificates. I will put them on a YubiKey.


Seems right to me.

 

You can also use the YubiKey for VPN auth, but I would recommend against that if you are the only admin.

 

You may want to keep a secondary working certificate for your VPN on some protected storage, or give it to your boss or whoever, in case something happens to you or your own cert.

 

The result is quite decent. Actually, the wifi privileged network is imho of little use and probably adds more complexity than you need, but that is debatable. Prefer a UDP VPN in that case and close every other port of the firewall on the wifi side, ping included.

