Configuring a VLAN per SSID with OpenWRT and pfSense

Architecture Overview

My current network setup uses pfSense as the firewall and DHCP server with OpenWRT running on a TL-WA801ND wireless access point. OpenWRT broadcasts two SSIDs which reside on two different VLANs. After a power outage my pfSense box was caught in an endless reboot cycle. I very quickly realized that I had not made a backup of /cf/conf/config.xml and that I had a long evening ahead of tinkering with pfSense and OpenWRT. This is how I recreated my original setup.

Setting up pfSense

  1. Go to the VLANs tab in the "Interfaces->(assign)" window
  2. Create two VLANs tied to LAN. Pick two unique tags, say 10 and 20
  3. Go to the "Interface Assignments" tab and add the VLANs
  4. From the "Interfaces" dropdown in the ribbon menu select each VLAN (probably showing as OPT1) and enable them with a static IP address. It is convenient to pick the subnet for the interface that matches the VLAN tag, for example, for the 10 VLAN.
  5. Enable DHCP on each VLAN interface in "Services->DHCP Server"
  6. Create a Pass rule for each interface in "Firewall->Rules"

Setting up OpenWRT

  1. Disable the OpenWRT firewall in "System->Startup"
  2. Create a new bridge interface with a static IP in "Network->Interfaces"
    • Select the adapter associated with "lan", say eth1
    • Also select a custom interface and enter "eth1." followed by the VLAN tag. For example, for the 10 VLAN tag the interface would be eth1.10
    • Set the static IP to be an address from the same subnet that was selected in pfSense
    • Set the gateway to be the static IP address selected for the VLAN interface in pfSense
    • Do not enable DHCP
  3. Create a new wireless instance from "Network->Wireless"
    • Associate the wireless with the bridge adapter created previously
  4. Repeat Steps 2 and 3 for the second SSID
  5. In "Network->DHCP" uncheck "Authoritative"

Create backups!

OpenWRT: "System->Backup/Flash Firmware"

pfSense: "Diagnostics->Backup and Restore"
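
A backup is only useful if it actually contains the VLAN setup. The following added example (not part of the original post) audits a pfSense config.xml export against steps 3 to 6 of the pfSense procedure above. The element names follow the usual config.xml layout and are an assumption to check against your own export; the sample XML, the em1 parent interface and the addresses are constructed.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample (not a real backup): VLAN 10 is fully configured,
# VLAN 20 is assigned and addressed but has no DHCP server or pass rule.
SAMPLE_CONFIG = """<pfsense>
  <vlans>
    <vlan><if>em1</if><tag>10</tag><vlanif>em1.10</vlanif></vlan>
    <vlan><if>em1</if><tag>20</tag><vlanif>em1.20</vlanif></vlan>
  </vlans>
  <interfaces>
    <lan><enable/><if>em1</if><ipaddr>192.168.1.1</ipaddr><subnet>24</subnet></lan>
    <opt1><enable/><if>em1.10</if><ipaddr>192.168.10.1</ipaddr><subnet>24</subnet></opt1>
    <opt2><enable/><if>em1.20</if><ipaddr>192.168.20.1</ipaddr><subnet>24</subnet></opt2>
  </interfaces>
  <dhcpd><opt1><enable/></opt1><opt2/></dhcpd>
  <filter><rule><type>pass</type><interface>opt1</interface></rule></filter>
</pfsense>"""

def audit_vlans(config_xml):
    """Return {vlan_tag: [problems]} for every VLAN defined in the backup."""
    root = ET.fromstring(config_xml)
    ifaces = root.findall("./interfaces/*")
    report = {}
    for vlan in root.findall("./vlans/vlan"):
        problems = report.setdefault(int(vlan.findtext("tag")), [])
        # Step 3: the VLAN must be assigned to an interface (opt1, opt2, ...).
        iface = next((i for i in ifaces if i.findtext("if") == vlan.findtext("vlanif")), None)
        if iface is None:
            problems.append("not assigned to an interface")
            continue
        # Step 4: enabled, with a static IPv4 address and prefix length.
        if iface.find("enable") is None:
            problems.append("interface disabled")
        try:
            ipaddress.IPv4Interface(f"{iface.findtext('ipaddr')}/{iface.findtext('subnet')}")
        except ValueError:
            problems.append("no static IPv4 address")
        # Step 5: DHCP server enabled on that interface.
        if root.find(f"./dhcpd/{iface.tag}/enable") is None:
            problems.append("DHCP server not enabled")
        # Step 6: at least one active pass rule on that interface.
        if not any(r.findtext("interface") == iface.tag and r.findtext("type") == "pass"
                   and r.find("disabled") is None for r in root.findall("./filter/rule")):
            problems.append("no pass rule")
    return report

if __name__ == "__main__":
    print(audit_vlans(SAMPLE_CONFIG))
```

An empty problem list for every tag means the backup holds everything the pfSense steps created; to audit a real export, pass the file's contents to audit_vlans().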
