PfSense and DD-WRT, Single WAP with multiple SSIDs and separate networks


I have an ASUS RT-AC66U with DD-WRT loaded and I'm trying to use it as a WAP connected to a pfSense box. The ASUS router has the option to set up multiple SSIDs (guestAP_SSID, mainAP_SSID) and separate WLAN from LAN. I can even put them on their own network if I let the ASUS router handle everything. What I'm trying to figure out is how to configure DD-WRT to tag wl0 to be on VLAN4 and wl1 to be on VLAN5 so that in pfSense I can separate the traffic.

The end result is I'm trying to put guestAP_SSID on 192.168.10.0/24 and mainAP_SSID on 192.168.11.0/24 in pfsense and I'm having trouble figuring out how to tag the traffic from DD-WRT so that pfsense can separate it when it hits its interface.

How can this be done? Or is there another way to configure a WAP and pfSense so traffic on different SSIDs (guestAP_SSID, mainAP_SSID) from the WAP is sent to the LAN interface on the pfSense box and separated?

Best Answer


Here is a summary of the steps I took to accomplish that with 3 SSIDs on isolated networks, IPv4 configuration, using a 4-port pfSense box and an ASUS RT-AC66U with the latest version of DD-WRT loaded. Note that in this setup I'm leaving port 1 on the ASUS with its default setup, and LAN on the pfSense box with its default setup, for simplicity. Changing it after confirming this works is straightforward.

pfSense Setup

  1. Connect to the pfSense box via the LAN port and go to Interfaces>assign>VLANs.

  2. Click "add" and assign the "Parent Interface" you want all the wireless traffic from the ASUS modem to flow to. In this example I'm choosing em2 (named Opt1 by default).

  3. Set VLAN Tag to 4 and set your priority, description, click save.

  4. Repeat steps 2 and 3 for vlan 5 and 6.

  5. Navigate to Interfaces>assign>Interface Assignments and under "Network port" next to available network ports, find the label that includes VLAN4 in the dropdown, select it and click add.

  6. Repeat step 5 for VLAN 5 and 6.

  7. Click on the "interface name" for the first added interface, click enable interface and set IPv4 Configuration Type to Static IPv4.

  8. Set the IPv4 address configuration to 192.168.2.1/24 and click save.

  9. Repeat steps 7 and 8 for VLAN 5 and 6 with 192.168.3.0/24 and 192.168.4.0/24 respectively.

  10. Go to firewall>rules and duplicate the default rules from the LAN onto OPT1 and add a rule to block traffic to the other interfaces from OPT1. This will ensure users on this network can't reach the other networks. Remember to apply/save settings.

  11. Repeat step 10 for the other 2 interfaces.

  12. Go to services>dhcp server and enable DHCP for each interface you want DHCP enabled on and set the DHCP range to start at .10 or higher and save.

ASUS DD-WRT Setup

The following steps are for the ASUS modem.

  1. Connect to ASUS box via LAN port "1" and go to setup>VLANs and uncheck port 3 from the default VLAN1. Scroll to the bottom of the column with port 3 and check the box for "tagged" and then check VLAN 4,5,6 in the same column. Click save and apply settings.

  2. Here we are going to create 3 VWAPs, since the wl0 and wl1 are bound to VLAN1/LAN. You can change this to your preference later. Go to wireless>basic settings and click "add" under the virtual interfaces for wl0. Make the SSID your desired name, and everything else Disabled/Bridged and SSID Broadcast enabled. Click apply settings/save.

  3. Repeat step 2 for two more SSIDs. This will create wl0.1, wl0.2, wl0.3. Now you can go to wireless>wireless security to set up the desired security. I left the SSID's security mode disabled while testing.

  4. To create a bridge between your wireless interfaces and VLANs, go to setup>networking and create a bridge for each SSID (br1, br2, br3), clicking save and apply each time. You may need to refresh or revisit the page before you see the new bridges populate as options in the next step.

  5. Go to setup>networking and under "assign to bridge" click add 6 times.

  6. Make the first assignment the first bridge to interface the first VWAP and the second assignment the first bridge to the VLAN4. So this would be Assignment 0 br1 interface wl0.1, and Assignment 1 br1 interface vlan4.

  7. Repeat that concept for the next 2 VWAPs and VLANs.

  8. Scroll down under port setup, network configuration br1 and set the IP address to 192.168.2.4 (or some other address outside the DHCP scope for this network (vlan4)). This will be the DD-WRT management access for this network.

  9. Repeat step 8 with the appropriate network address for br2 and br3 and click apply settings/save.

  10. Reboot the router.

Plug an ethernet cord from port 3 on your ASUS box to Opt1 on your pfSense box. Test your wireless connections to confirm everything is working. This is just an overview of how I got it working while testing. Change your VLANs, ports, networks, rules, etc as desired. Back up all your configs.
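
The isolation above depends on each virtual AP sitting in its own bridge with its own VLAN and in no other bridge. As an added example (not part of the original answer), this Python script audits pasted `brctl show` output from the DD-WRT shell against that layout. The function names, the br2/br3 pairing (wl0.2 with vlan5, wl0.3 with vlan6) and the sample output are assumptions constructed for illustration.

```python
# Expected layout from steps 4-7 of the answer (br2/br3 pairing is assumed).
EXPECTED = {"br1": {"wl0.1", "vlan4"},
            "br2": {"wl0.2", "vlan5"},
            "br3": {"wl0.3", "vlan6"}}

# Constructed sample: wl0.2 was never reassigned and is still bridged to br0.
SAMPLE = """\
bridge name     bridge id               STP enabled     interfaces
br0             8000.000000000001       no              vlan1
                                                        eth1
                                                        wl0.2
br1             8000.000000000002       no              wl0.1
                                                        vlan4
br2             8000.000000000003       no              vlan5
br3             8000.000000000004       no              wl0.3
                                                        vlan6
"""

def parse_brctl(text):
    """Return {bridge: set(member interfaces)} from `brctl show` output."""
    bridges, current = {}, None
    for line in text.splitlines()[1:]:          # skip the header row
        if not line.strip():
            continue
        fields = line.split()
        if line[0].isspace():                   # continuation: one more member
            if current is not None:
                bridges[current].add(fields[0])
        else:                                   # name, id, STP, [first member]
            current = fields[0]
            bridges[current] = set(fields[3:4])
    return bridges

def audit(bridges, expected=EXPECTED):
    """List deviations from the one-VAP-plus-one-VLAN-per-bridge layout."""
    findings = []
    for name, want in expected.items():
        have = bridges.get(name)
        if have is None:
            findings.append(f"{name}: bridge missing")
        elif have != want:
            findings.append(f"{name}: members {sorted(have)}, expected {sorted(want)}")
    # An isolated VAP or VLAN left in another bridge joins that network instead.
    for name, have in bridges.items():
        for iface in sorted(have):
            owner = next((b for b, w in expected.items() if iface in w), None)
            if owner and owner != name:
                findings.append(f"{name}: {iface} belongs in {owner}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(parse_brctl(SAMPLE))) or "layout matches")
```

An empty result means every bridge holds exactly its own VAP and VLAN; any finding naming br0 means that SSID's clients land on the default LAN rather than their isolated network.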
