Need advice on how to create VLAN with only internet access

mellow_ (Junior Member), Mar 19, 2016
I have a "guest" WLAN SSID that I would like to isolate from the rest of my LAN. It should have internet access only.

This is my first time working with VLANs. I have been watching some videos and reading up on the basics, but I can't figure out how to configure it to work as I need.

Relevant nodes:
HP 1920 24G managed switch
Router running pfSense 2.2.6
Ubiquiti AP (controlled by Unifi Controller)

What I already have done:
- Set "vlan tagging" to "10" for the "guest" SSID.
- Created VLAN 10 on the switch with no ports assigned.

What I can't figure out is what to configure in pfSense. I know I have to create a firewall rule to allow traffic between WAN and VLAN 10, but do I need to create VLAN 10 as an interface first?

Any help is greatly appreciated.

LoopBack (Junior Member), Mar 21, 2016
I've done this several times in various environments I manage for my employer. My setup is a bit different than what I am suggesting below, but it should work for you.

I create a VLAN on our switches, for example VLAN 10. I create a subnet for this VLAN, by essentially creating an interface on a firewall, for example 10.128.10.1/24, which becomes the default gateway. This firewall interface is its own separate interface, separate from LAN or WAN interfaces (not a sub-interface). That interface is connected directly to the switch on an untagged port on VLAN 10. Configure the switch port the AP is connected to as untagged VLAN 10. Assign the APs a static IP, or configure DHCP on that VLAN, either from the pfSense, or a DHCP server that lives on that VLAN. My assumption here is that the APs are functioning on only a single VLAN.

You'll want to include ACLs and NAT configurations on the pfSense to ensure Guest traffic can't get to other networks, and that traffic can get out to the Internet.

This is one way of doing it; there are probably hundreds more. Instead of creating a single interface on the firewall, if you didn't have additional ports, you can do sub-interfaces. I'm not sure how pfSense handles sub-interfaces. I haven't used a pfSense for quite a while. I'm assuming you would configure the VLANs right there on the pfSense when configuring the interfaces. The port you connect to on the switch would require a tagged port on VLAN 10, as well as tagged ports for the other VLANs/sub-interfaces.

I hope this helps. Good luck!
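As an added illustration of the "ACLs on the pfSense so guest traffic can't get to other networks" step (example code written for this thread, not posted by either member), the script below models the guest-interface rule list the way pfSense evaluates it: top-down, first match wins, implicit default deny. The guest subnet 10.128.10.0/24 and gateway 10.128.10.1 come from the post above; the rule order, client address and "expected verdicts" are constructed assumptions, and the point shown is that the RFC 1918 block must sit above the pass-to-any rule.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Guest VLAN 10 addressing from the post; all other values are constructed for this example.
GUEST_NET = ipaddress.ip_network("10.128.10.0/24")
GUEST_GW = ipaddress.ip_address("10.128.10.1")

# RFC 1918 ranges: from the guest's point of view this is "the rest of my LAN".
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

@dataclass
class Rule:
    action: str                     # "pass" or "block"
    dst_nets: list                  # destination networks the rule matches
    dst_port: Optional[int] = None  # None means any destination port

    def matches(self, dst: ipaddress.IPv4Address, port: int) -> bool:
        in_dst = any(dst in net for net in self.dst_nets)
        return in_dst and (self.dst_port is None or self.dst_port == port)

# Rules on the guest VLAN interface, evaluated top-down, first match wins.
GUEST_RULES = [
    # 1. guests may reach the DNS resolver on the gateway itself
    Rule("pass", [ipaddress.ip_network(f"{GUEST_GW}/32")], 53),
    # 2. everything private is blocked, which also covers the gateway's own web GUI
    Rule("block", PRIVATE_NETS),
    # 3. whatever is left is the Internet
    Rule("pass", [ipaddress.ip_network("0.0.0.0/0")]),
]

def evaluate(src: str, dst: str, port: int, rules=GUEST_RULES) -> str:
    """Verdict for one packet arriving on the guest interface; default deny if nothing matches."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s not in GUEST_NET:
        return "block"  # not guest traffic; this interface ruleset would not apply
    for rule in rules:
        if rule.matches(d, port):
            return rule.action
    return "block"  # pfSense's implicit default deny

def check_isolation(rules=GUEST_RULES) -> bool:
    """Internet reachable, LAN host and gateway GUI blocked, DNS to the gateway allowed."""
    expect = {("8.8.8.8", 443): "pass", ("192.168.1.10", 445): "block",
              (str(GUEST_GW), 53): "pass", (str(GUEST_GW), 443): "block"}
    return all(evaluate("10.128.10.50", d, p, rules) == v for (d, p), v in expect.items())
```

Swapping rules 2 and 3 makes `check_isolation` fail, which is exactly the "allow any and forget the private ranges" mistake that leaves a guest SSID able to reach the LAN.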