WiFi client isolation with VLANs and remote gateway

I’ve been running my hAP ax2 as an AP + gateway (the typical home router setup), but now I’m looking to change it to serve as an access point with a remote gateway (a pfSense firewall I got from work that was gonna be tossed).

I have a simple setup:

  • VLAN 1: the management network, only available via a physical ethernet connection
  • VLAN 100: the main wifi VLAN
  • VLAN 101: IoT wifi VLAN

In addition to my hAP ax2, I’m planning to buy another one to hardwire to a more remote location on my property that is out of range for my single AP.

What I’m looking to do with this is the following: ensure that the IoT wifi clients cannot talk to each other, only the gateway (at 192.168.101.1).

My question: is it possible to enforce client isolation across a wider network, i.e. so that each member of the IoT VLAN can only communicate with the gateway?

I know how to do this for a single AP (with client isolation and/or bridge filter rules), but these techniques don’t isolate clients between the APs → while two isolated clients on the IoT network on the same AP can easily be blocked, a client on the remote AP would still be able to communicate (because it would have to go out the same ether1 that it would for the firewall / gateway).

I understand the basics of how I can turn on “Use IP Firewall” and “Use IP Firewall For VLAN” for the bridge (to send all packets, even those that would be bridged and not routed, through the firewall rules), but I don’t know how to express the following rule in the firewall: for the IoT VLAN, the only valid destination for packets going out the uplink (ether1) is the MAC address of the gateway (IP: 192.168.101.1).

My current hacky plan is to just create another VLAN (102) and use the single-AP isolation techniques, and isolate them at the firewall, but I’m wondering if there’s a better way than creating a single VLAN per AP for this.

Hopefully the question I’m asking is clear, but I’m still new to networking so I may have used the wrong terminology!

Sure thing. VLANs are actually something running on top of ethernet. It’s industry standard, so your pfSense supports it as well. The only thing for you to do is to tie different virtual APs on your hAP ax2 to appropriate VLANs and configure connection between hAP ax2 and pfSense as trunk (carrying multiple VLANs).

Here’s a tutorial on how to do VLANs with examples. You want to follow the “Access point” example, but you can make a hybrid with “Switch with a separate router (RoaS)” if you want to use the ether ports on the hAP ax2 as well.

Don’t use VLAN 1 to pass data, it gets confusing especially as you are mixing devices. The MT uses it in the background.
If you are using VLANs then go all VLANs.

If the HAPAC is simply acting as an AP/switch, the below works…

Hence a TRUNK port carrying all VLANs from pfSense to the MT.
The MT gets an IP address on the trusted VLAN.
The trusted VLAN is the only one that needs to be identified on the MT.
The trusted VLAN is the only VLAN needing to be tagged on the bridge; we are simply passing the rest of the VLANs from ether1 to the applicable ether port or wifi port on the MT device.

https://forum.mikrotik.com/viewtopic.php?t=182276
++++++++++++++

If your hapac is both router and AP/switch, then the link provided by mkx is your friend.
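As an added example (not from the thread, and not from the linked tutorial), this is the RouterOS bridge VLAN configuration that the trunk-port description above amounts to for one hAP ax2 acting purely as AP/switch. The interface names ether1, wifi-main and wifi-iot, the management VLAN id 10, the address 192.168.10.2/24 and the pfSense address 192.168.10.1 are assumptions; VLANs 100 and 101 are the ones from the question. Following the advice above, the management VLAN is not VLAN 1.

```routeros
# Added example, not the thread's own config. ether1 is the trunk to pfSense;
# wifi-main / wifi-iot are the virtual AP interfaces (names assumed).
/interface bridge
add name=bridge1 vlan-filtering=no comment="enable vlan-filtering only at the end"

/interface bridge port
# trunk: accept only tagged frames from pfSense / the other AP
add bridge=bridge1 interface=ether1 frame-types=admit-only-vlan-tagged
# access ports: untagged wifi clients are placed into their VLAN via pvid
add bridge=bridge1 interface=wifi-main pvid=100 frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge1 interface=wifi-iot  pvid=101 frame-types=admit-only-untagged-and-priority-tagged

/interface bridge vlan
# management VLAN (id 10 is an assumed value): tagged on the trunk and on the
# bridge itself, because the MT needs an IP address on this VLAN only
add bridge=bridge1 tagged=ether1,bridge1 vlan-ids=10
# data VLANs are just passed from the trunk to the wifi ports; the MT itself
# has no address on them
add bridge=bridge1 tagged=ether1 untagged=wifi-main vlan-ids=100
add bridge=bridge1 tagged=ether1 untagged=wifi-iot  vlan-ids=101

# the only /interface vlan the AP needs: its own management address
/interface vlan
add name=vlan10-mgmt interface=bridge1 vlan-id=10
/ip address
add address=192.168.10.2/24 interface=vlan10-mgmt
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.10.1

# last step, after the management VLAN is reachable over the trunk
/interface bridge
set bridge1 vlan-filtering=yes
```

Turn on `vlan-filtering` last: once it is enabled, untagged management traffic on ether1 stops working, so if the VLAN 10 address is not reachable from pfSense at that point the AP becomes unmanageable until it is reset. Safe mode (Ctrl-X in the terminal) is the usual guard against this.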

Thank you both for your responses and your prior posts (including the linked ones). I’ve learned a lot from you and this forum!

I have attached a diagram that hopefully sheds some light on what I want to do. Basically, I want to implement client isolation on a VLAN (the IoT VLAN) that spans multiple hAP ax2 instances (I’m getting another one for a remote site).

Going on the diagram, I know how to prevent Clients 1 and 2 from talking (turning off default forwarding, using bridge filter rules like what the default guest network does in the auto configuration). What I’m looking to do is prevent Clients 1 and 2 from being able to reach Client 3.

As the uplink to both the pfSense gateway and the other AP (for Client 3) are on the same physical interface (and VLAN interface), I cannot do this by filtering on the interface from what I understand. I think I would have to filter it via IP-based rules.

My understanding is that I’d want to

  1. Learn the MAC address of the gateway (e.g. 192.168.101.1)
  2. Add it to some list of “safe uplink destinations”
  3. Use a rule to only allow the VLAN members (e.g. the clients) to talk with that uplink destination (the gateway).

Is what I’m looking to do here feasible / possible (with Mikrotik or with networking in general)?
(Attachment: My network setup.png)
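As an added example (not from the thread), here is one way to express the three steps above as RouterOS bridge filter rules, which is what the first post's "only valid destination is the gateway's MAC" rule becomes. The rules match on the Layer 2 frame, so they do not need "Use IP Firewall" for this purpose. Assumptions: the IoT virtual AP interface is named wifi-iot, the uplink is ether1, and AA:BB:CC:DD:EE:FF is a placeholder for the pfSense MAC on VLAN 101 (read it from the pfSense interface status; a VLAN interface on pfSense uses the MAC of its parent NIC). The same rules go on every AP, so each AP drops its own clients' traffic at the source and, separately, refuses anything addressed to its clients that did not come from the gateway.

```routeros
# Added example, not the thread's own config.
# Step 1: the gateway MAC is learned once and written into the rules below
# (placeholder value; replace with the pfSense MAC on VLAN 101).
# Step 2/3: the "safe uplink destination" list is a single MAC, so it is
# expressed directly as accept rules followed by a catch-all drop.

/interface bridge filter
# Frames FROM IoT clients: only the gateway may be the destination.
add chain=forward in-interface=wifi-iot \
    dst-mac-address=AA:BB:CC:DD:EE:FF/FF:FF:FF:FF:FF:FF action=accept \
    comment="IoT -> gateway unicast"
# ARP requests for the gateway are broadcast, so broadcast ARP must pass.
add chain=forward in-interface=wifi-iot mac-protocol=arp \
    dst-mac-address=FF:FF:FF:FF:FF:FF/FF:FF:FF:FF:FF:FF action=accept \
    comment="IoT -> ARP broadcast"
# DHCP discover/request is an IP broadcast to UDP/67 (pfSense is the server).
add chain=forward in-interface=wifi-iot mac-protocol=ip ip-protocol=udp dst-port=67 \
    dst-mac-address=FF:FF:FF:FF:FF:FF/FF:FF:FF:FF:FF:FF action=accept \
    comment="IoT -> DHCP broadcast"
add chain=forward in-interface=wifi-iot action=drop \
    comment="IoT -> anything else (other clients, multicast, mDNS)"

# Frames TO IoT clients: only the gateway may be the source. This is what
# stops Client 3 on the remote AP even if that AP were misconfigured, and it
# also drops ARP requests/replies that another IoT client sends this way.
add chain=forward out-interface=wifi-iot \
    src-mac-address=AA:BB:CC:DD:EE:FF/FF:FF:FF:FF:FF:FF action=accept \
    comment="gateway -> IoT"
add chain=forward out-interface=wifi-iot action=drop \
    comment="anything else -> IoT"
```

Two things to check before relying on this. First, the bridge filter only sees frames that actually traverse the bridge: traffic between two clients on the same radio is handled by the AP's own client isolation (default forwarding off), which you already have, so both mechanisms are needed together. Second, these rules trust MAC addresses, so they are a Layer 2 isolation measure, not a replacement for the pfSense firewall rules on the VLAN 101 interface; keep the IoT-to-LAN policy on pfSense as the authoritative control. Dropping all non-gateway traffic also drops IPv6 neighbour discovery (multicast), which is intended here but worth knowing if an IoT device expects IPv6.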