On 2018-03-10 18:54, Antonio wrote:
Hi pfSense experts,

I was hoping you could help me with a config questions. I have pfSense
configured as main routed for my network. The WAN is connected to DSL
modem, one LAN on a ethernet switch and another LAN port on a Netgear
R8000 with dd-wrt installed. One of the cool features of the R8000 is
that it has two seperate wireless networks: 2.4GHz and 5GHz.

I wanted to use one for guest and only allow access to internet while
the other for permitted users (family members) that would also have
access to the local network. How am I going to achieve this on pfSense
though? is it a matter of closing access to local network for all IPs
coming from the AP except those I want to permit (family devices) or is
there a simpler way of doing this i.e. VLANs?

I look forward to your reponse.

Thank you

The simple answer is to configure the dd-wrt box to give different IP addresses to the two separate wireless bands. Let's say you make the 2.4Ghz band and the 5Ghz band (I'm assuming you'll use the 5Ghz band for family members, just to make things easy for me). You then write firewall rules that allow to access the LAN and WAN while can only access the WAN. The easiest way for the first set of rules is to block access to from (your trusted users). And the easiest way for the second set of rules is to block all traffic to RFC 1918 address. So block all access to,, & You could be specific, but if you don't want the guests to be able to access anything but the Internet, then it's easier just to block all private address. That way if you change something elsewhere on your network, you won't have to mess with the firewall rules for the wireless.

Of course dd-wrt can do firewalling on its own, so (assuming you could assign different IP ranges to the different wireless networks) you could do the firewalling there. And in my example it's important for dd-wrt to act as a bridge. If it's a router, you would have to set up firewalling there to prevent your guests from connecting to trusted computers (prevent the two wireless networks from talking to each other). If you can't get dd-wrt to do that, I'd do the firewalling there.

Hope this helps.

Jason M.
pfSense mailing list
Support the project with Gold! https://pfsense.org/gold

Reply via email to