This post will describe how to setup Wi-Fi VLAN subnets for your home network.

This is part 3 of a 3-step guide to protecting a home network using subnets, based on a pfSense firewall and VLANs.

Home network with vlans

With the first 2 parts done, the home network is already using pfSense and VLAN with multiple sub-networks. However, all wireless devices are still in one single sub-network.

This final setup further extends the use of VLANs and pfSense to segregate the wireless devices into several subnets, each with its own SSID and VLAN ID.

home network with wifi vlans

This guide will split the subnet of wireless devices into 3 VLANs to isolate IoT and Guest devices:

  • VLAN 40 (SSID: Mobile): Your mobile devices
  • VLAN 42 (SSID: IoT): IoT devices
  • VLAN 44 (SSID: Guest): Guest devices

Ways to setup Wi-Fi subnets

Before diving right into the setup guide, let’s first go over a few different methods. Then we will demonstrate the setup with the first method, using the Unifi UAP AC Pro access point.

1. Router/WAP that supports multiple SSIDs and VLANs

This would be the best option for incorporating subnets into wireless networks. However, in the consumer market, there do not seem to be many routers/WAPs that support multiple SSIDs and VLANs.

Unifi UAP AC Pro is one of the few that supports VLANs and is easy enough to set up. This guide will show you how to set up VLAN subnets using Unifi UAP AC Pro.

2. Multiple routers/WAPs

Create additional VLANs using the VLAN switch and connect one wireless access point (WAP) to each VLAN.

This is the simplest method. But this requires extra cost and hardware to manage unless you already have some old ones sitting around somewhere.

Another concern would be potential interference among these access points that you may have to deal with.

3. Use custom firmware for your Router/WAP

There are a couple of custom firmware projects that, if your router is compatible, you can flash to enable VLAN support.

DD-WRT

DD-WRT is a free Linux-based firmware for wireless routers and access points, designed to unlock additional features that the official firmware does not support.

It supports many routers and you can check your router’s compatibility. Note that DD-WRT has specific builds for different routers, so make sure the correct build is used.

Check out the setup using DD-WRT on RT-AC3200.

Tomato by Shibby


Similar to DD-WRT, Tomato also supports multiple SSIDs/VLANs, and it is actually easier to configure and enable multiple SSIDs/VLANs with it.

Check out the setup using Tomato on RT-N66U.

Wi-Fi VLAN setup using Unifi UAP AC Pro

Unifi UAP AC Pro is a great wireless access point. It’s easy to set up with multiple SSIDs and VLANs. The wireless signal/range is good and the connections are fast and reliable.

The only drawback is that the Unifi line of devices requires you to download their software (Unifi Controller) to configure the devices. You can’t configure the access point by connecting to it directly; you must use the software.

Well, it may be a drawback if you only have 1 Unifi device. But the idea is to let you manage all Unifi devices from a single controller, from your local machine or from the cloud. So if you are using many Unifi devices, it’s actually easier to manage them.

Install Unifi Controller

Note: Unifi Controller requires Java.

UniFi Controller

It will take a while for UniFi Controller to get started.

  • when the button Launch a Browser to Manage the Network becomes enabled, click on it.

UniFi setup wizard

  • select your country
  • select your timezone
  • click Next
UniFi setup wizard

Configure devices

At the moment, the UAP Pro is not connected. So there are no devices found. That’s ok.

  • click Next
UniFi configure devices

Configure WiFi

  • enter ‘Mobile‘ for Secure SSID
  • enter a good password for Security Key
  • click Next
Unifi configure WiFi

Controller Access

Set up the login and password used to access the UniFi controller and devices.

  • enter all required information
  • click Next
Unifi controller access


  • click Finish to confirm the initial setup
uniFi setup wizard confirm

Cloud Login Credentials

We don’t need to manage the devices from cloud.

  • click SKIP
cloud login credentials

UniFi Dashboard

UniFi dashboard

Setup Wireless Networks

  • select Settings > Wireless Networks
Setup wireless network

The first wireless network (SSID: Mobile) was already created during the initial setup. Let’s attach a VLAN ID to the network:

  1. click Edit for wireless network Mobile
  2. enable Use VLAN
  3. enter 40 for VLAN ID
  4. click SAVE at the bottom
configure vlan 40

Create VLAN 42 & VLAN 44 Wireless Network

At Wireless Network settings screen, click CREATE NEW WIRELESS NETWORK

  1. enter ‘IoT‘ for SSID
  2. select WPA Personal
  3. enter a good Security Key
  4. enable Use VLAN
  5. enter 42 for VLAN ID
  6. click SAVE
create vlan 42

Repeat for VLAN 44 using SSID ‘Guest‘.

create vlan 44

With the 3 wireless networks created with their corresponding VLAN IDs, the Wireless Networks settings screen should look as shown below:

Disable connectivity monitor

The access point monitors connectivity by default. We don’t need it since we are not using wireless uplink, and it could cause a performance drop.

  • select SETTINGS > Site
  • uncheck Enable connectivity monitor and wireless uplink

Adopting UAP Pro

When you adopt the UAP Pro in the Unifi controller, the controller pushes the settings to the access point, and the access point starts running with your configuration.

  • select DEVICES
UniFi devices
  • set computer IP address manually to
  • connect computer directly to the UAP Pro
  • wait for a while and the UAP Pro should show up on the screen
Unifi UAP Pro ready to adopt
  • click ADOPT
  • status changes from ‘Adopting’ to ‘Provisioning’ to ‘Connected’
UAP Pro connected

The access point is now operational. You should now see the configured SSIDs show up on your mobile device as available networks (even though it’s not connected to the home network yet).

Configure pfSense and Netgear VLAN switch

Let’s now prepare pfSense and the Netgear VLAN switch with the additional VLANs before the access point joins the home network.

Add VLAN interfaces and rules at pfSense

Follow Step 1 through 4 of Setup VLAN interfaces at pfSense firewall to add VLAN 42 and VLAN 44 to the pfSense firewall.

Add VLAN 42 and 44 to Netgear GS108Ev3 switch

  • login to the switch (would be if you followed the guide in Part 2)
  • go to VLAN > 802.1Q > Advanced > VLAN Configuration
  • enter 42 at VLAN ID field and click Add
  • enter 44 at VLAN ID field and click Add

Configure port 6 as a trunk port

IMPORTANT: changing port 6 to a trunk port will temporarily disable the sub-network VLAN 40.

Port 6 was originally set up on VLAN 40 for an access point serving all mobile devices. If you have an access point connected to port 6 for wireless connections, unplug it from port 6 now.

Set port 6 PVID to management VLAN 99

  • go to Port PVID
  • check the box for port 6
  • enter 99 to PVID text box
  • click Apply

Convert port 6 to trunk port

  • go to VLAN Membership
  • select VLAN ID ’40’
  • click on port 6 & port 8 until both show ‘T‘ (tagged)
  • click Apply

Repeat for VLAN 42 and VLAN 44.

For VLAN 99, port 6, 7 & 8 should all be untagged (show ‘U‘).
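As an added example (not code from this post, Netgear or Ubiquiti), the following Python models the 802.1Q port membership table the trunk-port steps above produce and checks the two mistakes this procedure is prone to: a PVID pointing at a VLAN the port no longer carries untagged (what you get if port 6 is tagged for VLAN 40 before its PVID is moved to 99), and a Wi-Fi VLAN tagged on the AP port but forgotten on the pfSense uplink. Port 6 as the AP port, port 8 as the pfSense uplink, and port 7 as another untagged VLAN 99 port are assumptions.

```python
"""Simplified model of an 802.1Q switch port table (added example, constructed data)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed membership table: port -> {vlan_id: "T" (tagged) | "U" (untagged)}
MEMBERSHIP: Dict[int, Dict[int, str]] = {
    6: {99: "U", 40: "T", 42: "T", 44: "T"},   # UAP Pro trunk port (assumed port 6)
    7: {99: "U"},                              # plain VLAN 99 port (assumed)
    8: {99: "U", 40: "T", 42: "T", 44: "T"},   # pfSense trunk port (assumed port 8)
}
# Constructed PVID table: VLAN assigned to untagged frames arriving on each port
PVID: Dict[int, int] = {6: 99, 7: 99, 8: 99}


def validate(membership: Dict[int, Dict[int, str]], pvid: Dict[int, int]) -> List[str]:
    """Return configuration problems (empty list means the table is consistent)."""
    problems = []
    for port, vlans in membership.items():
        untagged = sorted(v for v, mode in vlans.items() if mode == "U")
        if len(untagged) > 1:
            problems.append(f"port {port}: more than one untagged VLAN {untagged}")
        port_pvid = pvid.get(port)
        if port_pvid is None:
            problems.append(f"port {port}: no PVID set")
        elif vlans.get(port_pvid) != "U":
            # Untagged frames would be classified into a VLAN the port does not
            # carry untagged: the state after tagging port 6 for VLAN 40 while
            # its PVID is still 40, i.e. skipping the "PVID to 99" step.
            problems.append(f"port {port}: PVID {port_pvid} but not an untagged member of it")
    return problems


def missing_uplink_vlans(membership: Dict[int, Dict[int, str]],
                         ap_port: int, uplink_port: int) -> Set[int]:
    """VLANs tagged on the AP port that the uplink port does not carry at all.

    Any SSID mapped to such a VLAN would associate clients but never reach pfSense.
    """
    on_ap = {v for v, mode in membership[ap_port].items() if mode == "T"}
    return {v for v in on_ap if v not in membership[uplink_port]}


@dataclass
class Frame:
    src_port: int
    vlan: Optional[int]  # None means the frame arrived without an 802.1Q tag


def ingress_vlan(frame: Frame, membership: Dict[int, Dict[int, str]],
                 pvid: Dict[int, int]) -> Optional[int]:
    """Classify an arriving frame into a VLAN; None means the switch drops it."""
    if frame.vlan is None:
        return pvid[frame.src_port]            # untagged frame -> port PVID
    if frame.vlan not in membership[frame.src_port]:
        return None                            # tagged for a VLAN this port does not carry
    return frame.vlan


def forward(frame: Frame, membership=MEMBERSHIP, pvid=PVID) -> Dict[int, str]:
    """Return {egress_port: "tagged"|"untagged"} for a frame entering the switch."""
    vlan = ingress_vlan(frame, membership, pvid)
    if vlan is None:
        return {}
    out = {}
    for port, vlans in membership.items():
        if port == frame.src_port:
            continue                           # never sent back out the ingress port
        mode = vlans.get(vlan)
        if mode == "T":
            out[port] = "tagged"
        elif mode == "U":
            out[port] = "untagged"
    return out


if __name__ == "__main__":
    assert validate(MEMBERSHIP, PVID) == []
    # IoT SSID traffic (tagged 42 by the AP) reaches only the pfSense port, still tagged
    print(forward(Frame(6, 42)))               # {8: 'tagged'}
    # The AP's own untagged management frames land in VLAN 99 (how the AP gets its IP)
    print(forward(Frame(6, None)))             # {7: 'untagged', 8: 'untagged'}
    # Tagging port 6 for VLAN 40 while its PVID is still 40 is flagged
    broken = {6: {40: "T", 42: "T", 44: "T"}, 7: {99: "U"}, 8: {99: "U", 40: "T"}}
    print(validate(broken, {6: 40, 7: 99, 8: 99}))
```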

Connect UAP Pro to home network

Connect UAP Pro to port 6 of the Netgear VLAN switch and the wireless networks should be ready to use.

Configure your mobile devices to use their new SSIDs accordingly.

All set. Your home network is now properly segmented with multiple sub-networks for better protection!

This Post Has 63 Comments

  1. What did you use to make that network diagram with? That’s very nice.


  2. Great article, thanks! This has helped me along the way, for sure. I’m not at the point where I want to create WiFi VLANs but I think my router is coming up short. Before investing further, would putting my IoT devices on the Guest WiFi network have the same effect?

    1. Yeah, that would separate IoT devices from your main network. For added protection, some routers have an Isolation mode where you can further disable communication between devices within the Guest network.
      You may want to test and double check that the guest wi-fi network is set up correctly so that devices in the guest network have no access to your main network. Some routers’ guest networks do not work when in AP mode.

      Cheers Alan

  3. Great how-to!! I have one question: I have a surveillance camera system, Blue Iris, which has several cameras using the same switch (48-port POE managed). The cameras cannot call out to the internet, but the Blue Iris server they connect to does through an unprotected open port when viewed by mobile device or web browser. Would this surveillance system be set up properly on the VLAN with IoT devices or should I create a separate VLAN for it?

    I also know I need to find a more secure way to remotely access the camera server but am not sure how yet. I currently use OpenVPN to RDP into that same machine (when away from home) but am unsure how to implement the same secure connection using the Blue Iris app for mobile access and remote management (without actually doing it through Remote Desktop).

    Thanks in advance,


    1. I think it’s a good idea to have a separate VLAN for your surveillance system. This would prevent any IoT devices (if compromised) from trying to tap into your Blue Iris server.

      It’s safer to use OpenVPN for viewing and remote management than opening a port directly to the Blue Iris server. Once your mobile device is connected to your home network through OpenVPN, you should be able to use a browser or configure the Blue Iris app to connect to the local IP address of the Blue Iris server.

  4. Great articles. I am running pfSense with similar having a Unifi Nano AP on a VLAN. I’ve been trying to figure out the safest way to allow a trusted laptop on VLAN 40 to connect through the Unifi AP and gain access to a backup server on Subnet 1? I understand how to use a remote access VPN from outside the home to access the home LAN, but not sure how to safely hop subnets while at home? Can OpenVPN be used to hop subnets? Thanks!

    1. Hi James,

      I did a test based on your scenario. I have an OpenVPN server on pfSense and my laptop connected through wi-fi.
      I can connect my laptop using openvpn to the pfSense openVPN server using home public IP, just like I connect remotely from outside.

  5. Hi Alan,

    Do you use your ISP router wifi network for any purpose, or you just disable it in this case?

    1. I disable ISP router wifi but you can use it for guest network.

  6. Hey Alan,

    So this guide has been really helpful but I’m having trouble adapting the settings for my use. Basically I’m going to have 4 VLANs: Trusted devices (wired and wireless), IoT, Printer, Guest. I have a Netgear GS308E Managed Switch and a Unifi AC Pro and a Unifi AC Lite. How would I configure say ports 1-4 for the Trusted Devices, and ports 5-6 for the others?

    1. Hi Justin,
      You assign the VLAN # (for trusted devices) to ports 1 – 4.
      For ports 5 & 6, you can assign a different VLAN # to each port. 2 ports can only serve 2 VLANs, so you need to choose 2 out of the other 3 VLANs (IoT, Printer & Guest).


  7. Alan,
    Thank you for such a thorough and helpful guide. I have successfully implemented the configuration as shown. However I cannot print from my desktop on subnet 1, nor from my laptop on VLAN40. My printer is connected to VLAN20. Do you know how to enable printing from Subnet1 -> VLAN20 and from VLAN40 -> VLAN20? I have searched the internet and tried a few ideas, but none have worked. Thanks.

    1. Hi Brian,
      You need to create firewall rules at Subnet1 and VLAN40 to allow traffic to VLAN20.
      go to Firewall > Rules > Subnet1,
      add new rule: source: Subnet1 net, source port: *, destination: VLAN20 net, dest port: *
      do the same for VLAN 40.

      Also, there are couple things you want to check. Each VLAN has its own non-overlapping IP address range.
      – Make sure your printer’s IP address & gateway are set correctly for VLAN20.
      – Make sure your printer device setup on your computer is pointing to the correct IP address of your printer


      1. TLDR: Alan, do you have any suggestions about how to allow printing from iPhones and iPads connected to VLAN40 or VLAN44?

        Alan, thank you for the feedback. The firewall rules did allow printing from my desktops and laptops on Subnet1 and VLAN40. For anyone else reading this: After creating the firewall rule Alan explained, I then assigned a static IP to the printer in pfSense DHCP settings for VLAN20 (down at the bottom). Next, I had to download printer drivers because they were not included in my OS. Finally, on each desktop and laptop, I added a new printer by entering the static IP and selecting the appropriate printer driver.

        However, I have not found a way to enable mobile devices to print. I have about 10 iPads and iPhones which connect to VLAN40 and VLAN44, and none of them can print. I don’t know if it matters, but some of those devices are owned by me and others are owned and “managed” by my employers and my local school district (this is one of the reasons I wanted to implement network segmentation). Those devices are given to people in my household to be used for work and school purposes. Do you have any suggestions about how to allow printing from iPhones and iPads connected to VLAN40 or VLAN44? Thank you.

        1. Printing from iPads & iPhones requires communication using AirPrint.
          Check out avahi package. You can install it to pfSense to enable printing using iOS devices.

          1. Thank you, Alan. Avahi works brilliantly.
            For anyone else reading this, these are the steps
            1) Install Avahi: System -> Package Manager -> Available packages -> locate and install Avahi
            2) Enable Avahi: Services -> Avahi. check enable, and select the printer VLAN and the interfaces you wish to print from. I selected VLAN20, VLAN40, VLAN44 and LAN (subnet1)
            3) Create firewall rules to allow printing network traffic: Firewall -> Rules -> VLAN40 -> Add (up arrow). Set address family to IPV4+IPV6. Set protocol to Any. Source VLAN40 net. Destination VLAN20 net. Description “allow access to VLAN20.” Save. Apply Changes. Note: I placed this rule as the first firewall rule. Repeat for the other networks you wish to print from, in my case VLAN44 and LAN (subnet1). Note: These firewall rules may replace what Alan stated in his first response to me. Those rules may also work, but I went through much troubleshooting and re-wrote the firewall rules many times. This is what ended up working.
            4) Test: Print from a device on VLAN40 (SSID: Mobile) using AirPrint. It should identify your printer and print successfully.

          2. I followed what Brian said. Got Avahi installed, enabled, and FW rules set up. When my iOS device joined the same VLAN as the printer, I can print without issues. When my iOS device joined another VLAN and it said no airprint printer found but I can ping the printer by IP from another VLAN. Any ideas what I did wrong?

          3. Check the Avahi settings. Avahi is the package that enables airprint communication.

  8. I just want to say this is an excellent How-To. I followed all 3 parts and got my network set up. There is still work to do but at least this got me going. The only hiccup I experienced is the part where I downloaded the latest Unifi controller and the interface looks a bit different. The way it ties the VLAN to the wireless network is different now (the Use VLAN checkbox and specifying your VLAN ID is no longer available). I poked around and tried to add my VLAN through the Networks section and added it to my wireless network but it does not work. I went back and downloaded an older version of the controller similar to yours and it works flawlessly. I suspect it is likely me not being familiar with how to set it up in the new version, but I don’t have time to explore.

    1. thanks for your feedback. Great to know that newer Unifi controller works differently.

      1. Hi! First things first… Thank you very much for these great tutorials. They helped me a lot in my migration from OpenWRT to pfSense.

        I used one of the newest APs from UniFi, the U6 Pro. I configured it using the newest Network Controller application (7.0.23) from UniFi. Maybe it’s already a bit too late but I wanted to post this to help a bit if possible. In order to be able to configure the AP to use VLANs, we have to replicate those from our pfSense in the network configuration. There we can set the desired VLAN. I did it without selecting “VLAN only network” and setting my VLAN gateway as the host address. After that, we can create our SSIDs as usual and “link” them to the desired network. I tested it with three different SSIDs at the same time and no problem at all.

        I also have to say that I adopted the AP first and after that I configured it, but I think this has no influence in the end result at all.

        I hope I could help.

  9. Hi Alan
    Thanks for a wonderful guide, especially for people who are not that technically savvy in the networking area. I would like to say thanks for writing the article with step-by-step instructions.
    Could you please advise if it is possible to perform the above configuration using the instruments below.

    I have 1 Gig Cox Connectivity in the home. The whole house is Cat5 enabled; all Cat5 cables land in the master bedroom closet, and the last time I counted the cables there were more than 50 Cat5.
    I have IOT devices, NAS drive, Computer, Printer, Solar panel which are connected to the internet. IOT devices include solar panel, ADT devices, Cameras, Security Camera, VOIP, Chromecast, AVR.
    I would like to separate out devices based on security posture.
    Could you please advise me what is possible and what I have to get for what you describe in the document.

    Firewall –
    Hardware -:
    Qotom-Q575G6-S05 Mini PC Intel 6 Gigabit NIC with i7 7500U AES-NI Thin Client Fanless Compact PC Firewall Router (16G DDR4 RAM + 256G MSATA SSD + WiFi).
    If required I can use USB base NIC to add more port.
    Software – Planning to use one of these options Pfsense, OpnSense, Untangle
    I have not done any setup yet as I want to devise the strategy for what equipment I have to buy further.

    Unmanaged Switch
    TP-Link 24-Port Gigabit Ethernet Unmanaged Switch | Plug and Play | Desktop/Rackmount | Fanless | Limited Lifetime (TL-SG1024D)
    Currently most of the Cat5 are plug-in. I have to buy another switch to plugin remaining cables.

    I have currently following routers which I would like to use if possible as I will try to stay away from new investment.
    Asus RT-68U
    Asus RT-87U

    1. Hi Prashant,

      The first step is to group your devices and decide how many segments (subnets) you want.
      You have a Qotom with 6 NICs. With 1 port used as the WAN port, you can create 5 physical segments (or more with USB NICs).

      Option 1: create all subnets using Qotom NIC ports. The catch is that for each subnet that requires WiFi, you need a separate access point (which you can configure your routers for this purpose)
      Option 2: for subnets that require Wi-Fi access, use VLANs with compatible Wi-Fi access point so that you can use 1 Wi-Fi access point to provide wireless access for multiple VLANs.

      You can buy a Wi-Fi access point that supports VLANs or install custom firmware on your router (VLANs with DD-WRT or VLANs with Tomato).

      Option 1 would be more straightforward to set up and it seems like you have all the gear for the setup.

      1. Hi Alan,
        Thanks for the quick response. I am trying to come up with the number of segments I require and the intra-communication between those segments. I identified 5 segments at this stage, namely Secure, Kids, Mobile, IOT, Guest. I also identified a matrix regarding communication patterns between the segments. Based on the matrix it looks like I will have devices in each segment that require WiFi access. Will my current devices be sufficient to support 5 points per router (I know not OOTB, I have to install custom firmware) or are there any other suggestions?

        1. Since all 5 segments require Wi-Fi access, using VLANs looks like the better choice.
          To enable multiple VLANs for wired devices, you would also need a managed switch that supports VLANs.

          1. Current switch “TP-Link 24-Port Gigabit Ethernet Unmanaged Switch | Plug and Play | Desktop/Rackmount | Fanless | Limited Lifetime (TL-SG1024D)” does not support any kind of management, so I have to buy a new switch. Any recommendation?
            Also could you please throw light how to create 5 physical segments (or more with USB NICs) with access point and configure devices.

          2. I am using Netgear switches and am happy with them. But it’s always good to check out different models and check their reviews.

            For creating physical segments, check out my other post Protect home network using subnets with pfSense

  10. Hi Alan,
    I am trying to follow your guide and I could not find the steps to add vlan 42 and 44 to pfsense.
    “Add VLAN interfaces and rules at pfSense. Follow Step 1 through 4 of Setup VLAN interfaces at pfSense firewall to add VLAN 42 and VLAN 44 to the pfSense fireware.”
    The steps from your link show how to add vlan 10, 20, 30 and 40 to pfsense. I found how to add them to Netgear switch but not pfsense?

    1. Hi Marty,
      The link does bring you to section to setup VLAN at pfSense. Check out subtitle ‘Step 1: Create VLAN interface’.
      It shows instructions to set up VLAN 10. You just need to replace VLAN 10 with 42 and repeat the same steps for VLAN 44.

  11. Hi Alan,

    Thanks for this awesome guide. I have a question regarding multiple access points. I live in a two-story building and currently use Google WiFi mesh 1+2. If I follow your guide and add another Unifi UAP AC Pro device, do I need to connect that device to the switch or can it connect wirelessly to the other device connected to the switch? If not, please suggest how I can extend WiFi coverage across the first floor and second floor with the VLAN segmented features.

    1. Hi Karthik,

      Yes, you need to connect Unifi UAP AC Pro to the switch.
      Check out Ubiquiti UAP-AC-M-US Unifi Mesh Access Point. It would allow you to extend coverage as mesh setup.
      Some users also said that an additional Unifi UAP AC Pro can now be configured as mesh Wi-Fi.


      1. Thanks for your reply, Alan. I am buying the Unifi Mesh AP, before that I downloaded the unifi controller and tried to follow your guide. But in the controller everything is different. I could not find the VLAN option under the WiFi network advance settings. I would really appreciate it if you could pass on a quick guide to setup VLAN to a WiFi network on Unifi controller.

        1. Hi Karthik,

          Unifi has a new version of the Unifi controller that seemingly has a different GUI to configure VLANs. Unfortunately I haven’t used the newer version.
          An option for you is to download an older version.


  12. Alan, excellent writeup. It got me past my first big hurdle, but I’m stuck at a second. I’m using your writeup as more of a guide, hence my configuration is different. But the equipment, thankfully, is nearly identical: pfsense, Netgear GS308E switches and UniFi AP-AC Lite. I’ve had the UniFi running VLANs for some time as the only device off the second LAN port of the pfsense router, so that part used to work. But then I decided to introduce VLANs into my wired network, and I’m now on day 3 of the experience. 🙂

    Still running the LAN as VLAN tag 1. My actual LAN subnet is 11. Otherwise VLAN numbering matches the subnet. Port 1 is attached to the pfsense router, port 2 to the UniFi and port 3 is attached to another GS308E. The problem I’m having is that neither the UniFi nor the downstream GS308E sees anything. I would expect the downstream GS308E would show up in my 11 subnet when attached to port 2, but it’s not.

    This is the configuration of the “main” switch:

    And this is the configuration of the downstream switch:

    As far as I can tell, except for the VLAN numbers, I’m configured exactly as your instructions say for the WiFi!

    Would appreciate your help.


    1. Hi Roger,

      VLAN traffic does not travel across pfSense interfaces. Just like VLAN traffic won’t pass through a router.
      You would need to chain the switch and UniFi under the same port of pfSense router (e.g. GS308E connects to port 2 of pfSense router, then UniFi connects to a port of GS308E setting up as trunk port)


  13. Hi Alan,

    Great writeup. I’ve been trying to follow your guide in order to setup my smart outlets, and only my smart outlets, on their own WiFi subnet, with all my other devices on the LAN. This would mean that the smart outlets cannot talk to any other devices on my network, but my other devices can talk to the IoT devices.

    I went through part 1 to set up the physical subnet, but after reading through Part 2 and Part 3, it seems like for my scenario, the physical subnet is not required, since none of my wired devices need to have this special treatment.

    Thus, if I’m understanding everything correctly, my goal is to create a single VLAN (say 40) for the IoT devices, which would be tied to a separate SSID that has been assigned to VLAN 40. I am using pfsense and a UniFi AP. However, I realized that my current switch is unmanaged. It sounds like this means my switch is not capable of VLANs. Short of buying a managed switch to replace my unmanaged one, is there any way I can make my desired setup work, where I can send commands to my smart outlets from my mobile device (where the mobile device is on my regular home WiFi network) but the smart outlets pose no risk to my overall network?

    1. Your wi-fi device can connect directly to pfSense without a switch if you do not require wired connections.

  14. This is a great write up! I think I would very much like to do this for my network. One question that I have is regarding the management vlan99. I saw that you put your managed switch on the vlan99, but I’m not sure if the pfsense router should or would end up on that vlan as well for management. Would you recommend that step as well and if so where would that fit into the sequence of setting up separate vlans?

    1. Yes, I do recommend using different vlan instead of the default vlan 1. The write up has instructions on setting up the management vlan.

  15. Alan, thanks so much for writing this! This is exactly what I was looking for, you have a gift for writing/teaching.

    I have one question, which is… why did you move port 6 to your (default) vlan 99? (on this wifi guide)

    Thanks again

    1. VLAN 99 is untagged. Setting port 6 to it allows untagged traffic to go through port 6 as trunk port.

  16. Excellent article on using and setting up PFSense with vlans! I am just now learning this area of networking for my home network with PFSense and managed switches I obtained cheaply and installed. My network has 4 subnets with 4 switches for LAN, GAMES, IOT, GUEST networks. I wanted to use vlans to isolate my wife from the LAN while continuing to work from home. The links to the other articles are good information as well. Thank you for a well written article!

    1. Great. Glad that it helps. Cheers, Alan

  17. Hi Alan, great article, I have it nearly working across the board. I have a pfSense firewall connected to the ISP router, the recommended Netgear switch with 5 VLANs; all good. However I have a Cisco WAP371 connected to one port of the switch which then has another 5 VLANs; clients can connect just fine but cannot connect through to the Internet. All the VLANs are set up the same on the FW so I think it’s the switch that is blocking traffic. Any thoughts?

    1. Trunking is needed between the Cisco WAP371 and the switch. So make sure the connection ports between them are configured as trunk ports.

  18. Hi Alan, thank you for spending your time and knowledge to put this guide together. It is appreciated.

    I’m a little confused about all the connections and any input or improvements would be great.
    I have included some pics of my planned network map. Let me know what you think.

    1. ISP Modem/Router – DSL connection so plan to put it into Bridge/DMZ mode
    Which one would be the better option?
    This device comes with 1 WAN + 4 LAN ports

    2. Pfsense installed on a Cyberoam CR-25iNG 5 Ports

    Which ports would I connect from my ISP/Server/WAP to which port of the Cyberoam ? Confused about that.
    Currently the mobiles/laptops/tablets/gaming devices all connect by WiFi to my ISP.
    Should I get 1 or 2 more WAPs connected to the switch or Cyberoam for these devices or leave as is?

    Sorry about all the questions.
    Once again thanks for taking the time to do this guide.

    Stay safe and healthy in these difficult times.
    All the best, Dean.

    1. Hi Dean,

      You would connect a LAN port from ISP router to the WAN port of your Pfsense.
      Your Pfsense should be configured to have 1 WAN port and 3 LAN ports (I think the 5th port on your CR-25iNG is a console port, not LAN port)

      All devices that need protection should be behind Pfsense (LAN side).
      That said, you would need a VLAN capable WAP added to the LAN side of your Pfsense.

      The network between ISP Router and Pfsense would be DMZ zone. WAP at your ISP router can be used for your guests but not your own devices.
      Hope this clears up some confusion.

  19. Alan,

    I’ve gotten everything setup but my one question is what IP to assign to the Unifi AP. I am plugging it in to Switch port 3 which is configured for 4 WiFi VLANs 30,32,34,36. Since that port just passes through the traffic the AP won’t get an IP from DHCP.

    Should I add a VLAN 31 and assign the AP a static address on the 31 dot LAN?

    1. I connect the Unifi AP to port 6 which is configured as a trunk port.
      My AP picks up its IP address from untagged traffic which is from LAN interface.

  20. Just confirming that I don’t have something setup wrong… Is it correct that in order to make adjustments on the Ubiquiti AP that I will need to directly connect to a computer running the Unifi Controller software?

    1. No, it’s not necessary. The Unifi Controller software can pick up the AP within the network.

  21. Hi Alan,

    Thanks for the information. I’m a little lost here and request a little help.

    I’m building my home network and have the following inventory: Netgate SG-5100 pfsense FW/Router, Netgear Nighthawk AX12 router, Netgear Nighthawk R8000 router. I have no switch.

    So far I’ve diagrammed my network to be: ISP ~> Pfsense ~> AX12 and R8000 (both in AP mode)

    I’ve configured the FW WAN and LAN, configure OpenVPN, created (6) VLANs at the FW so far. The plan is (3) for each AP, respectively.

    I’m stuck and confused with the configurations. I’m not sure how to properly configure my routers to both serve as APs and assign the SSIDs to the respective VLANs. Please help. Also, is part of the problem that I NEED a switch?


    1. Your Netgear Nighthawk routers need to support multiple SSIDs & VLANs.
      If they do, you can set up WLANs accordingly and set up a switch port (on the Nighthawk router) as a trunk port and use this trunk port to connect the Nighthawk router to pfSense.
      You can chain your 2nd Nighthawk router to the 1st Nighthawk router via another trunk port. That way, you don’t need a managed switch.


  22. Thanks for taking the time to write up this fantastic guide.

    Would it be possible or advisable for me to connect my VLAN switch directly to my cable modem (in lieu of an ISP router) and connect my netgear nighthawk x10 router to a switch port to create vlans 40, 42 and 44? The router is capable of creating 3 SSIDS (5ghz, 2.4ghz and guest). And from what I can tell, the router is vlan capable.

    1. Hi Chris,

      I don’t think connecting the VLAN switch directly to the cable modem will work.
      You would need a router to process VLAN traffic and funnel the traffic to the Internet (without VLAN tagging) as needed.
      pfSense is used to handle that. I’m not familiar with the Nighthawk X10 router. You need to check if it supports VLANs and has the ability to assign a different VLAN to each SSID.
      If the Nighthawk X10 router can support VLANs like pfSense does, you can use your router instead of pfSense. But your VLAN switch would need to connect to the router, not the cable modem.


  23. I like this article series, but I wish there was a bit more discussion about exactly why we do these things, and precisely the difference in consequences for the network.

    1. Check out part 1 of the series. It did discuss why it should be done, given all the risks we are facing.

  24. Thanks very much for taking the time to write this up. Super helpful! Really appreciate it.

  25. Hey Alan – as with the others I’d like to say this is the best breakdown I have seen – especially for those of us who have been struggling to understand everything. So, I hope you have some patience for a few questions/advice.

    1) I’m looking at the pfSense 5147 router. I know that it supports LAGG – but my question relates to the trunk ports on both the router and the L2 switch. Can there be multiple trunk ports between the two? Or can it only be one port mapped to each other?

    2) Does traffic within a VLAN still go through the router? Or only the traffic which requires interpretation by the router? If all traffic goes through, then the router becomes the bottleneck and a faster network, say 25Gbe, no?

    3) For shared devices such as printers, you mention to establish a rule to allow whichever VLAN you wish to have access to the printer. Maybe I’m missing something – but doesn’t establishing that rule defeat the purpose of having a VLAN to begin with, i.e. preventing the printer from corrupting the home network by an attack on the printer?

    Again, thank you so much, you’ve been a great help.

    1. Hi Enricon,

      1. It depends on the managed switches; the managed switches I used support multiple trunk ports.
      2. Traffic within the same VLAN doesn’t go through the router. It’s handled by the switch. Traffic between VLANs is handled by the router.
      3. The rule is a directional communication. That is, your devices in the home network VLAN can initiate communication to the printer to print, but your printer cannot initiate communication to your home network VLAN.
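
An added illustration of point 3 above (editor's example, not the author's pfSense configuration): a minimal stateful filter in which the only pass rule is "Mobile VLAN to printer, TCP/9100". The subnets for VLAN 40 (Mobile) and VLAN 42 (IoT) and the printer address are constructed for the example; pfSense evaluates rules per interface and keeps a state table, which is what makes the rule one-directional.

```python
"""Why an "allow Mobile VLAN -> printer" rule does not let the printer reach the
Mobile VLAN: the rule is checked only for the packet that opens a connection;
replies are passed by the state table, and anything the printer initiates
falls through to the default deny. Addresses below are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

MOBILE_VLAN = ip_network("192.168.40.0/24")   # assumed VLAN 40 (Mobile) subnet
PRINTER = ip_address("192.168.42.20")         # assumed printer in VLAN 42 (IoT)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool  # True only for the packet that opens a TCP connection


def rule_allows(pkt: Packet) -> bool:
    """The single pass rule: Mobile subnet -> printer, TCP port 9100 (raw print)."""
    return (ip_address(pkt.src) in MOBILE_VLAN
            and ip_address(pkt.dst) == PRINTER
            and pkt.dport == 9100)


class StatefulFirewall:
    def __init__(self):
        self.states = set()  # flows already admitted by a rule

    def filter(self, pkt: Packet) -> str:
        flow = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if flow in self.states or reverse in self.states:
            return "pass (state)"        # reply of an established flow
        if pkt.syn and rule_allows(pkt):
            self.states.add(flow)        # rule matched: create state
            return "pass (rule)"
        return "block (default deny)"    # no rule, no state


def demo():
    fw = StatefulFirewall()
    phone, printer = "192.168.40.10", str(PRINTER)
    return [
        fw.filter(Packet(phone, 51000, printer, 9100, syn=True)),   # phone prints
        fw.filter(Packet(printer, 9100, phone, 51000, syn=False)),  # printer replies
        fw.filter(Packet(printer, 40000, phone, 445, syn=True)),    # printer initiates
        fw.filter(Packet(phone, 51001, printer, 80, syn=True)),     # other port
    ]
```

Only the first two packets pass; the printer's own connection attempt and a non-print port from the phone both hit the default deny.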


  26. Thanks, Alan for the thorough guide…. I have a greenfield pfSense (Protectli) 2.6, Netgear 6 , switch and an Unifi LR 6 – . I suspect the interface for Unifi will be different from yours. It would be great to do a detailed write up on how to securely access your QNAP NAS (example) using WireGuard etc.

  27. Awesome Alan for doing these 3 setups.
    I have these items in my network now under one LAN.
    I want to secure everything a lot better so I started learning about VLANs.

    Comcast gives me several DHCP WAN IPs so I will set up a dynamic DHCP from NameCheap or someplace else. I use an un-managed switch here.

    My Main LAN is on the network. I have 2 pfSense boxes using 20.3 and 20.4. Saving 20.2 for the Comcast router. They are in high availability synced so when one goes down the other is there. I use an un-managed switch here but may need to use a managed switch because I am only using one pfSense box right now.

    That un-managed switch feeds a managed Unifi Server switch that feeds a Unifi Office switch and an 8 port switch.

    I am keeping my servers and PCs on the LAN Network.

    As you can see from my diagram, this is how I want to set up my VLANs.
    I have the Office access point that has an SSID to feed my phone and laptop, and another cheap access point with an SSID using VLAN60.
    I send one VLAN40 to my RV for TVs.
    I send 3 VLANs to an access point that can give out 4 SSIDs and can manage VLANs in the greenhouse area. It broadcasts 3 SSIDs and hopefully it will be okay for guest phones being in that room (but if it works I don’t care how good that is because I don’t have many guests).

    I have a diagram like you did with all of these items and I can upload this or email you this so you can see this. It would be fine as well to show my setup to your users if you would like after it is complete. I have a different setup that might make sense for an office or business.
