So far we have set up pfSense and connected our WAP to it. This forms the basics of our home network.
However, it would be good if we could use multiple access points, each running on its own network but sharing the pfSense router, firewall and WAN. We also need to consider locking down the network to improve security.
In this post we will expand our network further to incorporate these items by:
- Configuring VLANs in both pfSense and our VLAN-compatible switch
- Moving our existing WAP to a VLAN
- Leaving our LAN as Ethernet only, with no AP attached
To start with we will do a little digging into how switches work to provide some context for when we later setup the VLANs.
A switch is a hardware device (located at the Data Link Layer of the OSI 7-layer model) responsible for forwarding frames from one machine to another. A switch relies on knowledge of the networked machines' MAC addresses.
Typically a hardware unit consists of multiple Ethernet ports that devices can be plugged into. Our setup so far relies on using the WAP, connected to a single Ethernet port, to assign IP addresses to machines on the network. Once a machine has connected to the switch via the WAP, a record of its MAC/IP combination is stored on the pfSense appliance.
Switches were a replacement for what are known as hubs (found at Layer 1 of the OSI model). A hub broadcasts frames out to the whole network, and any device connected to the hub can read the packets. If a NIC was placed into promiscuous mode, sniffing the packets and viewing the data was possible. A switch, on the other hand, only forwards traffic to the target machine.
Of course this also means your network speed is affected by the speed of the switch! A faster switch, with the right Ethernet cable and newer NICs in the devices on the network, improves overall speed.
If you cast your mind back to an earlier post, you will remember we discussed the ARP protocol. One issue some switch configurations are susceptible to is known as ARP and IP spoofing.
Each machine on the network keeps a copy of the IP/MAC combinations in its ARP cache. An attacker can therefore tamper with the ARP caches of the other machines to try to eavesdrop on communications between them.
This works by sending out a gratuitous ARP message to the machines on the network, replacing the MAC portion of the mapping with the MAC of the attacker. The attacker's machine then sits in the middle (a man-in-the-middle), eavesdrops on incoming messages, and forwards them on to the other party.
If you are interested in trying this out yourself then take a look at the dsniff tool.
At the switch level there is another issue we need to be aware of – MAC flooding.
The switch, as you will remember, contains a table mapping MACs to IPs. We can see this mapping in pfSense under the Diagnostics > ARP Table link.
A MAC flooding attack attempts to overwhelm the switch so that no new MAC/IP pairs can be learned (a DoS attack) or, worse, the switch reverts to acting like a hub, allowing eavesdropping.
Thankfully aspects of the 802.11 protocol defend against MAC flooding. Association between a device and a WAP is MAC-based, so the WAP only bridges traffic to/from known MACs.
Therefore if a MAC flooding attack is directed from a wireless device at the network, any 802.11 frames whose source is a random MAC address not associated with the WAP are discarded.
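As an added example (not code from the original post), here is a small defender-side check for the ARP poisoning described above: it compares two snapshots of the ARP table in the format FreeBSD's `arp -an` prints on a pfSense shell (the same data the Diagnostics > ARP Table page shows) and flags entries whose MAC changed, or one MAC answering for several IPs. The snapshots, addresses and the `igb1.3` interface name are constructed.

```python
import re
from collections import defaultdict

# One entry in FreeBSD `arp -an` format (assumed format: "? (IP) at MAC on IFACE ...").
ARP_LINE = re.compile(r"\((?P<ip>[\d.]+)\) at (?P<mac>[0-9A-Fa-f:]{17}) on (?P<iface>\S+)")

def parse_arp_table(text):
    """Return {ip: mac} from `arp -an` style output, skipping incomplete entries."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if m:
            table[m.group("ip")] = m.group("mac").lower()
    return table

def find_arp_anomalies(baseline, current):
    """Compare two snapshots: report IPs whose MAC changed (a poisoned entry) and
    MACs that now answer for more than one IP (one NIC impersonating another host,
    which is what a gratuitous-ARP man-in-the-middle looks like from the router)."""
    changed = {ip: (baseline[ip], current[ip])
               for ip in baseline if ip in current and baseline[ip] != current[ip]}
    by_mac = defaultdict(list)
    for ip, mac in current.items():
        by_mac[mac].append(ip)
    duplicates = {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}
    return changed, duplicates

# Constructed snapshots (not real addresses). In the second one the entry for
# 192.168.3.60 has taken on the MAC that 192.168.3.77 was already using.
BASELINE = """\
? (192.168.3.1) at 00:0d:b9:aa:bb:01 on igb1.3 permanent [ethernet]
? (192.168.3.60) at 3c:84:6a:11:22:33 on igb1.3 expires in 1180 seconds [ethernet]
? (192.168.3.77) at 08:00:27:de:ad:01 on igb1.3 expires in 900 seconds [ethernet]
"""
CURRENT = """\
? (192.168.3.1) at 00:0d:b9:aa:bb:01 on igb1.3 permanent [ethernet]
? (192.168.3.60) at 08:00:27:DE:AD:01 on igb1.3 expires in 1195 seconds [ethernet]
? (192.168.3.77) at 08:00:27:de:ad:01 on igb1.3 expires in 700 seconds [ethernet]
? (192.168.3.90) at (incomplete) on igb1.3 expired [ethernet]
"""

if __name__ == "__main__":
    changed, dups = find_arp_anomalies(parse_arp_table(BASELINE), parse_arp_table(CURRENT))
    for ip, (old, new) in changed.items():
        print(f"ALERT: {ip} moved from {old} to {new}")
    for mac, ips in dups.items():
        print(f"ALERT: {mac} now answers for {', '.join(ips)}")
```

A legitimately replaced NIC also shows up as a changed MAC, so treat the alerts as something to verify rather than proof of an attack.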
So now that we have a little understanding of how switches work and some of the security considerations, let's look at VLAN-compatible switches.
For this portion of the post I will be referring to a Dell PowerConnect 2808 VLAN compatible switch. The 2800 series switches start at around $129.00 USD. If you are using a different device, then modify the instructions below as applicable.
VLAN stands for Virtual LAN. As its name suggests, the concept is to take one set of hardware, i.e. n machines and one switch, and create multiple LANs from it, each LAN being its own subnet. The traffic on each of these LANs is then tagged so we know which VLAN it belongs to.
pfSense allows us to configure VLAN interfaces and then assign a DHCP server to each of them. We can therefore use our VLAN switch as a method for connecting multiple APs (or wired devices) and let the configuration of the IP range etc. be handled by pfSense.
Configuring VLANs in pfSense
Our first task is to move our WAP off the LAN interface on pfSense. Going forward we would like the LAN to be accessible only to devices connected directly to the switch.
We therefore need to come up with an IP range for the WAP to use, since it will no longer be using 192.168.1.0/24.
Let's start by plugging our laptop/PC directly into the pfSense appliance, as the WiFi will shortly stop working. You can also power down the WAP for the moment.
We are going to use the range 192.168.3.0/24 for our new VLAN.
Let's start by navigating to Interfaces > (assign).
On the screen that appears, select the VLANs option. You'll now be presented with a list of VLANs, which will probably be empty.
Select the Add button from the bottom right.
The VLAN Configuration screen will now be presented. On this screen we can create our new VLAN and tag it.
From the Parent interface drop-down, select the LAN option.
Below this you will see the VLAN Tag input field.
Set this value to an integer between 1 and 4094. I like to use a value derived from the subnet, so if the subnet is 192.168.3.0/24 I use the tag 3. Do not use the value 1, however; the reason will become apparent later.
You can ignore VLAN Priority for now. If you wish to add a Description, now is your chance, for example "HomeAutomation".
Return to the Interface Assignments screen under Interfaces. The Available network ports drop-down will now list your VLAN.
Select it and click the green Add button. Once added you will see it has a name similar to 'Opt7'.
Next navigate to the Interfaces drop-down. Your new VLAN interface, named Opt7 (or whatever was auto-generated), will now appear.
Select this option to go to the interface's configuration.
We are now going to select the Enable interface checkbox.
Following this, change the Opt7 value to something more intuitive, e.g. HomeAutomation.
The IPv4 Configuration Type should be changed to Static IPv4.
Our final task is to scroll down the screen to the Static IPv4 Configuration.
Change the value of IPv4 Address to 192.168.3.1 and ensure the ‘/’ value is set at 24.
Save these values.
Now navigate to the Interfaces > Interface Assignments screen. Here you should see the new Interface HomeAutomation (or whatever you called it) and the Network port should be similar to: VLAN 3 on igb1 – lan (HomeAutomation) .
We now have an interface set up for our VLAN. This works over our LAN connection, allowing us to run a virtual LAN with the 192.168.3.0/24 subnet.
Our WAP is currently set up to use 192.168.1.0/24, however, so we will need to change this.
First let's get the DHCP server running on the VLAN interface.
Navigate to Services > DHCP Server. From the list of available interfaces, select the one corresponding to your VLAN, e.g. HomeAutomation.
When this screen loads you will see some General Options.
Here you will need to do the following:
- Check the Enable checkbox
- Select the Range e.g. 192.168.3.60 to 192.168.3.199
Save these changes.
Now we are finally ready to update that static mapping we created before for our AP.
So navigate to Status > DHCP leases.
Next edit the Static mapping you added for the WAP. Change the IP address to a new one in the new subnet 192.168.3.0/24.
Make a note of the IP address you selected, as we now need to update the WAP.
Save the changes.
You can now unplug the laptop from the pfSense appliance, unplug the WAP from the LAN port and power the WAP up again.
Once it is up, log in to the web interface and change the IP address of the AP to the one you selected above.
So we now have a VLAN configured on pfSense and the WAP configured with an IP address for the new VLAN. That leaves us with our final task – setting up the VLAN switch so we can plug our WAP back in.
Configuring the VLAN switch
Our final task is to configure the VLAN switch. As mentioned, for this I have selected a Dell PowerConnect 2808, so you will need to tweak the following instructions for your specific switch.
First, plug port 1 of the VLAN switch into the Ethernet port on the pfSense appliance where the WAP was originally, then power up the VLAN switch. Also plug your laptop/PC into one of the other free ports on the pfSense appliance.
Once it has booted, the LAN DHCP server will assign it an IP address in the 192.168.1.0/24 subnet. You can check the DHCP Leases screen in pfSense to find out what was assigned to it.
Navigate to the web console for your switch and log in. Remember, after you log in, to change the username and password from the default values to something more secure.
Once logged in we need to configure a VLAN for our HomeAutomation interface.
Within the GUI, locate the VLAN configuration screen. On the Dell PowerConnect this is:
Switch > VLAN > VLAN Membership
On this screen we can select an existing VLAN or configure a new one. By default you should see a VLAN tagged 1 available. This acts as the trunk that all traffic is sent over and is the configuration associated with the Ethernet port (1) you plugged the pfSense appliance into.
The Dell switch comes preconfigured with VLAN 1 and will not allow you to edit any of its details here. This configuration is needed for the switch to communicate with a router etc. once plugged in.
Use the Add button to load up the screen for configuring a new VLAN.
Enter the tag value we set in pfSense as the VLAN ID. I recommended using 3 earlier, but this can be whichever value you chose.
For the name enter HomeAutomation, or whatever you decided upon when setting up the VLAN interface.
You can leave the final value as is and click the Apply Changes button.
Back on the VLAN Membership screen select the Show VLAN drop-down and select VLAN 3 (or whatever you chose).
You’ll see a small table now appear which is called Ports.
Clicking on a square inserts a character (this is on the Dell switch; other switches will have a different interface).
Select the square for port 3 (this is where we will plug the WAP in) and click it until a U (untagged) appears. Port 1 should show a T (tagged); if it doesn't, click it until a T appears.
On other models of switch you will need to set port 1 as the trunk, over which the tagged data passes, and associate the physical Ethernet port you will plug your WAP into with the VLAN.
Save/Apply these changes.
Our final task is going to be to update the Port settings. On the Dell PowerConnect 2808 switch these settings can be reached via Switch > VLAN > Port Settings.
Select the relevant Ethernet port, in our case 3. Make sure the PVID is set to 3 and finally make sure the Frame Type is Admit All.
Save these changes.
Our VLAN switch is now configured so that Ethernet port 3 can be used for the WAP, and all traffic running over it through the Dell switch to pfSense will be on VLAN 3, with IP addresses assigned from the 192.168.3.0/24 subnet.
Let’s now power everything down.
Hook the WAP to Ethernet port 3 on the VLAN switch. Next make sure that the VLAN switch Ethernet port 1 is connected to the LAN on the pfSense appliance.
Now let’s start everything up.
Once booted, connect your laptop/PC to the WiFi SSID and, bingo, you should now have an Internet connection.
If you log into pfSense and check the DHCP leases – your laptop/PC should appear in the list.
Next Steps – Add another WAP
To add a second WAP and VLAN to your network, repeat the steps above and this time use a VLAN tag of 4 (or other acceptable value from the range). Associate this VLAN with the 192.168.4.0/24 subnet and assign the WAP a static IP from this subnet.
You absolutely must assign a different VLAN tag and subnet for this to work. If you encounter problems with the VLAN not working with the second WAP, ensure that:
- DHCP is disabled on the WAP and configured correctly for your new AP in pfSense
- The VLAN is configured in pfSense
- The Interface is configured correctly in pfSense
- That the DHCP server is running on the new Interface with a different subnet to the other interfaces
- That the VLAN is configured correctly in the Dell switch
- That the port in the Dell switch is set with the correct tag
- That the device is connected to the correct Ethernet port
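Added example, not from the original post: a Python sanity check of a VLAN plan against the rules this post relies on (tag between 2 and 4094 since 1 is the switch default, a DHCP pool inside the subnet, gateway and WAP static address in the subnet but outside the pool, and a unique tag, subnet and switch port per VLAN). The `VlanPlan` record and the three sample plans are constructed; the pfSense and switch settings still have to be entered by hand.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class VlanPlan:
    name: str          # pfSense interface description, e.g. HomeAutomation
    tag: int           # 802.1Q VLAN ID, identical in pfSense and on the switch
    subnet: str        # e.g. "192.168.3.0/24"
    gateway: str       # static IPv4 address of the pfSense VLAN interface
    dhcp_range: tuple  # (first, last) address handed out by the pfSense DHCP server
    wap_ip: str        # static mapping given to the access point
    switch_port: int   # untagged switch port the WAP plugs into (PVID = tag)

def check_vlan(p):
    """Return a list of problems with one VLAN definition (empty when consistent)."""
    issues = []
    net = ipaddress.ip_network(p.subnet, strict=True)
    lo, hi = (ipaddress.ip_address(a) for a in p.dhcp_range)
    if not 2 <= p.tag <= 4094:  # 1 is the switch's default/trunk VLAN, so start at 2
        issues.append(f"{p.name}: VLAN tag {p.tag} must be between 2 and 4094")
    if not (lo in net and hi in net and lo <= hi):
        issues.append(f"{p.name}: DHCP range {lo}-{hi} is not inside {net}")
    for label, addr in (("gateway", p.gateway), ("WAP", p.wap_ip)):
        ip = ipaddress.ip_address(addr)
        if ip not in net:
            issues.append(f"{p.name}: {label} address {ip} is not inside {net}")
        elif lo <= ip <= hi:
            issues.append(f"{p.name}: {label} address {ip} lies inside the DHCP pool")
    return issues

def check_plan(plans):
    """Per-VLAN checks plus the cross-VLAN rules: unique tag, subnet and switch port."""
    issues = [i for p in plans for i in check_vlan(p)]
    for n, a in enumerate(plans):
        for b in plans[n + 1:]:
            if a.tag == b.tag:
                issues.append(f"{a.name}/{b.name}: both use VLAN tag {a.tag}")
            if ipaddress.ip_network(a.subnet).overlaps(ipaddress.ip_network(b.subnet)):
                issues.append(f"{a.name}/{b.name}: subnets {a.subnet} and {b.subnet} overlap")
            if a.switch_port == b.switch_port:
                issues.append(f"{a.name}/{b.name}: both use switch port {a.switch_port}")
    return issues

# Constructed plans: the two VLANs from the post, plus one that reuses tag 3 and its subnet.
HOME = VlanPlan("HomeAutomation", 3, "192.168.3.0/24", "192.168.3.1",
                ("192.168.3.60", "192.168.3.199"), "192.168.3.10", 3)
SECOND = VlanPlan("SecondWAP", 4, "192.168.4.0/24", "192.168.4.1",
                  ("192.168.4.60", "192.168.4.199"), "192.168.4.10", 4)
BAD = VlanPlan("Guest", 3, "192.168.3.0/24", "192.168.3.1",
               ("192.168.3.60", "192.168.3.199"), "192.168.3.100", 5)
```

Running `check_plan([HOME, SECOND, BAD])` reports the duplicate tag, the overlapping subnet and the WAP address sitting inside the pool; `check_plan([HOME, SECOND])` returns an empty list.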
In this post we hooked up our VLAN-compatible switch. In addition, we connected up our existing WAP and saw how we could add a second one by following the steps used to configure the first.
We now have a home network with:
- pfSense firewall appliance
- A Dell (or similar) VLAN switch
- Two wireless access points
In the next post we will look at the WAPs in a little more detail and discuss security.