Semi-smart AP behind pfsense recommendations

Pfsense main router, LAN IP 192.168.1.1/24
Guest Network (to be created) IP 192.168.2.0/24
OpenWrt AP should be broadcasting 2 WLAN SSIDs. One in each of the above networks.
The LAN ports on the OpenWrt device should also be bridged to the private network.

What's the best way to do this?

Connect openwrt to pfsense directly as a new interface and send vlans, so pfsense manages everything?
Connect openwrt to my unmanaged lan switch (where pfsense is also connected) and let it manage the guest network on its own?
Something else?

The criteria for best is least cabling required and most efficient load spread I suppose. And avoiding double nat of course for everything other than the guest network.

I think both solutions will cover your criteria.
If you can tag the frames in vlans successfully and manage everything in pfsense, it would be a bit easier to manage afterwards.

Passing responsibility to pfsense sounds fine, but I'm not entirely clear on the implementation on the openwrt side.

Give openwrt's default bridge interface an ip in the private lan range.
Disable dhcp and firewall.
Connect it to the unmanaged switch.
Now it's a dumb wired switch. All good.

Create private SSID, bridge it to default bridge.
Create guest SSID, bridge it also to default bridge?
And then assign vlans from the bridge's configuration?

Should also mention my openwrt device is using the DSA scheme.

Could use some guidance here.

EDIT: Needed some sleep apparently. Disregard the part about connecting openwrt to an unmanaged switch and expecting to find vlans lol.

Still trying to sort it out with the proper connections though if anyone got any insight to share.

I suggest doing the guest network in pfsense. If it’s separated in the openwrt router then your lan will be part of the wan zone of the openwrt firewall and will be visible to guest clients. See section 3 of the DSA mini tutorial here. After creating separate interfaces for the main and guest networks, you can add your wireless SSIDs to their respective bridges.
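As an added example (not code from the thread, and not the DSA mini tutorial's own text), here is what the reply above amounts to on a DSA-based OpenWrt AP: the AP becomes a VLAN-aware bridge with a trunk to pfsense, pfsense owns both subnets, and the AP neither routes nor firewalls anything. Everything below that the thread does not state is an assumption: switch ports named lan1..lan4, the port named wan used as the trunk, VLAN 1 as the private LAN (untagged on all ports, so the pfsense interface on the other end of the trunk carries the private LAN untagged), VLAN 2 as the guest network (tagged on the trunk only), the AP managed at 192.168.1.2, the bridge device at network.@device[0] as in the default config, and a single radio called radio0.

```shell
#!/bin/sh
# Added example, not from the thread: OpenWrt (DSA) as a VLAN-aware dumb AP so
# that pfsense owns both networks.  Assumptions (not stated in the thread):
# ports lan1..lan4 plus a trunk port named 'wan' towards pfsense, VLAN 1 =
# private LAN (untagged everywhere), VLAN 2 = guest (tagged on the trunk),
# AP address 192.168.1.2, bridge device network.@device[0], radio 'radio0'.
# Run with no arguments to print the uci batch; run with 'apply' on the AP.

TRUNK=wan
LAN_PORTS="lan1 lan2 lan3 lan4"
AP_IP=192.168.1.2
GW=192.168.1.1      # pfsense
RADIO=radio0

# DSA bridge-vlan port syntax: 'port:u*' = untagged + PVID, 'port:t' = tagged.
# Emits add_list lines for the most recently added bridge-vlan section.
vlan_ports() {   # $1 = VLAN id
  case "$1" in
    1) for p in $LAN_PORTS $TRUNK; do
         echo "add_list network.@bridge-vlan[-1].ports='$p:u*'"
       done ;;
    *) echo "add_list network.@bridge-vlan[-1].ports='$TRUNK:t'" ;;
  esac
}

# The uci batch: trunk port joins br-lan, two bridge-vlans, lan rides VLAN 1,
# guest is an unaddressed (proto none) interface on VLAN 2, one SSID on each.
vlan_batch() {
cat <<EOF
delete network.wan
delete network.wan6
add_list network.@device[0].ports='$TRUNK'
add network bridge-vlan
set network.@bridge-vlan[-1].device='br-lan'
set network.@bridge-vlan[-1].vlan='1'
$(vlan_ports 1)
add network bridge-vlan
set network.@bridge-vlan[-1].device='br-lan'
set network.@bridge-vlan[-1].vlan='2'
$(vlan_ports 2)
set network.lan.device='br-lan.1'
set network.lan.proto='static'
set network.lan.ipaddr='$AP_IP'
set network.lan.netmask='255.255.255.0'
set network.lan.gateway='$GW'
set network.lan.dns='$GW'
set network.guest=interface
set network.guest.device='br-lan.2'
set network.guest.proto='none'
set wireless.private=wifi-iface
set wireless.private.device='$RADIO'
set wireless.private.mode='ap'
set wireless.private.network='lan'
set wireless.private.ssid='home'
set wireless.private.encryption='sae-mixed'
set wireless.private.key='CHANGE-ME-private'
set wireless.guest=wifi-iface
set wireless.guest.device='$RADIO'
set wireless.guest.mode='ap'
set wireless.guest.network='guest'
set wireless.guest.ssid='guest'
set wireless.guest.encryption='sae-mixed'
set wireless.guest.key='CHANGE-ME-guest'
set wireless.guest.isolate='1'
EOF
}

# Dumb-AP housekeeping: no DHCP, DNS or firewall on the AP; pfsense does that.
apply_batch() {
  vlan_batch | uci -q batch || return 1
  uci commit || return 1
  for svc in firewall dnsmasq odhcpd; do
    /etc/init.d/$svc disable
    /etc/init.d/$svc stop
  done
  /etc/init.d/network restart
  wifi reload
}

case "${1:-show}" in
  apply) apply_batch ;;
  *)     vlan_batch ;;
esac
```

On the pfsense side this assumes the trunk lands on an interface whose untagged side is the private LAN, with a VLAN 2 child interface (Interfaces > Assignments > VLANs) assigned as the guest OPT interface and given its own DHCP server and rules. Note that if the trunk goes to a separate NIC rather than the existing LAN NIC, the untagged side would either have to be bridged to LAN on pfsense or the unmanaged switch would have to move behind the AP's lan ports; that is the cabling question the original poster raises.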

After much deliberation and experimentation, the cleanest solution in my case ended up being openwrt managing the guest wifi. Without a managed switch to route vlans properly, I couldn't find anything better.

Documenting the process for anyone else interested in something similar.

Static ip for wrt in the lan range, dhcp disabled. Dumb AP essentially.
One wlan bridged to the lan for private access.
Second wlan on a new subnet, following the guest wifi guide for firewall settings.
That's all on openwrt side.

On pfsense simply create a new lan gateway pointing to openwrt.
Then add a route via this gateway for the guest subnet's address range.
Optionally block access from lan to that subnet with firewall rules and selectively allow individual hosts as required.

It works great, no hit to wired or wireless performance, guest network properly isolated. Double nat for the guest network, but that's not necessarily a bad thing and I don't care either way.

If a managed switch with enough ports was available, pfsense managing through vlans would be the cleaner solution theoretically, but I doubt there would be any measurable performance improvement.

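As an added example, not code from the thread, here is the OpenWrt side of the setup the post above settles on: static address in the LAN range with no DHCP server (dumb AP for the private SSID), and a second SSID on its own subnet with the firewall layout from the OpenWrt guest-Wi-Fi guide. Assumptions that the post does not state: the AP takes 192.168.1.2 on the private LAN, the guest subnet is 192.168.2.0/24 with the AP at 192.168.2.1, the radio is radio0, and /etc/config/firewall still has the default zone order so that @zone[0] is lan.

```shell
#!/bin/sh
# Added example, not from the thread: OpenWrt side of "dumb AP for the private
# SSID, routed + NATed guest SSID".  Assumptions (not stated in the post): AP
# address 192.168.1.2, guest subnet 192.168.2.0/24 with the AP at 192.168.2.1,
# radio 'radio0', default firewall zone order (zone[0] = lan).
# Run with no arguments to print the uci batch; run with 'apply' on the AP.

AP_LAN_IP=192.168.1.2
LAN_GW=192.168.1.1      # pfsense
GUEST_IP=192.168.2.1
RADIO=radio0

# Private side: static address in the LAN range, no DHCP server, SSID joined
# to the existing br-lan bridge (DSA: the lan ports are already members of it).
lan_batch() {
cat <<EOF
set network.lan.proto='static'
set network.lan.ipaddr='$AP_LAN_IP'
set network.lan.netmask='255.255.255.0'
set network.lan.gateway='$LAN_GW'
set network.lan.dns='$LAN_GW'
set dhcp.lan.ignore='1'
set wireless.private=wifi-iface
set wireless.private.device='$RADIO'
set wireless.private.mode='ap'
set wireless.private.network='lan'
set wireless.private.ssid='home'
set wireless.private.encryption='sae-mixed'
set wireless.private.key='CHANGE-ME-private'
EOF
}

# Guest side, per the guest-Wi-Fi guide: own interface and DHCP pool, a zone
# that may only reach the AP for DHCP/DNS and forward towards the lan zone.
# Masquerading on the lan zone is what produces the double NAT the post mentions.
guest_batch() {
cat <<EOF
set network.guest=interface
set network.guest.proto='static'
set network.guest.ipaddr='$GUEST_IP'
set network.guest.netmask='255.255.255.0'
set dhcp.guest=dhcp
set dhcp.guest.interface='guest'
set dhcp.guest.start='100'
set dhcp.guest.limit='150'
set dhcp.guest.leasetime='1h'
set firewall.guest=zone
set firewall.guest.name='guest'
set firewall.guest.network='guest'
set firewall.guest.input='REJECT'
set firewall.guest.output='ACCEPT'
set firewall.guest.forward='REJECT'
set firewall.guest_lan=forwarding
set firewall.guest_lan.src='guest'
set firewall.guest_lan.dest='lan'
set firewall.@zone[0].masq='1'
set firewall.guest_dhcp=rule
set firewall.guest_dhcp.name='Allow-DHCP-Guest'
set firewall.guest_dhcp.src='guest'
set firewall.guest_dhcp.proto='udp'
set firewall.guest_dhcp.dest_port='67-68'
set firewall.guest_dhcp.target='ACCEPT'
set firewall.guest_dns=rule
set firewall.guest_dns.name='Allow-DNS-Guest'
set firewall.guest_dns.src='guest'
set firewall.guest_dns.proto='tcp udp'
set firewall.guest_dns.dest_port='53'
set firewall.guest_dns.target='ACCEPT'
set wireless.guest=wifi-iface
set wireless.guest.device='$RADIO'
set wireless.guest.mode='ap'
set wireless.guest.network='guest'
set wireless.guest.ssid='guest'
set wireless.guest.encryption='sae-mixed'
set wireless.guest.key='CHANGE-ME-guest'
set wireless.guest.isolate='1'
EOF
}

apply_batch() {
  { lan_batch; guest_batch; } | uci -q batch || return 1
  uci commit || return 1
  /etc/init.d/network restart
  /etc/init.d/dnsmasq restart
  /etc/init.d/firewall restart
  wifi reload
}

case "${1:-show}" in
  apply) apply_batch ;;
  *)     lan_batch; guest_batch ;;
esac
```

The pfsense steps the post describes map to System > Routing > Gateways (a gateway on the LAN interface with the AP's address, 192.168.1.2 here) and System > Routing > Static Routes (192.168.2.0/24 via that gateway); `netstat -rn | grep 192.168.2` from the pfsense shell confirms the route is installed. Two caveats from the configuration above: with masquerading on, pfsense sees guest traffic as coming from 192.168.1.2, so the static route only matters for the optional lan-to-guest rules, and those also need a matching forwarding from lan to guest on the OpenWrt firewall before a LAN host can reach a guest host.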
