Advice for a more complicated network configuration


I could use some advice please.

A friend of mine owns a small nonprofit that has grown over the years. He’s been doing all the networking for all the computers as time allows and asked for help in overhauling it. I went and took a look.

His network is really managed in two different and very separate ways. LAN and wireless. They don’t really mix/interact well.

The LAN is essentially managed with the internet providers switch. It’s crazy simple.

The wireless is one cable from the LAN into an Apple Airport Extreme. From the back of that it goes into a switch. Any “LAN” devices that actually need to talk to the wireless network are plugged in here. Also, this building is old and made with thick brick and metal between the walls, so signal is crap. He has a cable running out to half a dozen more Airport Extremes spread out every other room upstairs and downstairs. Where he couldn’t run a cable, he bridged via wifi (just one of these, fortunately).

Security is nearly non-existent.

Essential computers, IoT, staff, volunteers, guests - all on the same network, and everything is DHCP (including the Apple wireless devices), so who knows what IP any device is going to have day to day. Even the Airport Extremes shift IPs occasionally.

It’s a mess.

What I’m thinking about is taking a good low-power system that I’ve got and starting with IPFire as the base system for firewall and network. I know I can address some of his concerns around QoS and security with IPFire, as the device provided to him is basic garbage. However, the wireless? I’m a bit stumped.

He’s a non-profit and doesn’t have a lot of excess cash nor budget. Even though the Airport Extremes are old, it’s what he’s got and can’t simply replace all of them. The Airport Extremes appear to be /very/ limited in what they can do and I’m not sure how to tie them into the same network as the LAN even with IPFire.

But even if I can get the Airport Extremes to work (or I end up with a miracle budget to replace them with a device I can put OpenWRT on), I’m not sure how to address the concerns about a separate wifi for essential devices and a guest network for personal staff devices, volunteers, guests. When I’ve done this in the past it has been on a very small scale, and my house is the biggest deployment of it. I’ve always set up one physical wireless device for trusted devices on Green or Blue and a second physical wireless device with the captive portal, QoS, filters, etc. on the Orange interface. If I don’t have the budget to replace the existing wireless, I certainly don’t have the budget to double the wireless devices (not to mention running all that cable!). But if I put the wifi on the same network as the LAN (which is part of the hopeful plan, as it would really help him to communicate with everything on his network from his laptop), then we are back to the same issue with all the devices talking on the same network that really shouldn’t be talking to each other.

I’ve never done this before, but let’s suppose I can replace the wireless devices with something I can put OpenWRT on. At that point, I think I can set up multiple wireless networks with VLANs so that there is separation between trusted and untrusted devices. And I’m pretty confident I can even configure it so that devices can hop between wireless APs without issues. However, I’m not sure at all how I’d tie those multiple wireless SSIDs/VLANs back into IPFire so that one is on Green/Blue and the other is on Orange. Maybe that’s the wrong approach entirely.

Any thoughts or advice?

Is trying to continue to use the Airport Extremes futile, or could I actually make this work?

How challenging is it to take a single AP plugged into IPFire and split two wireless SSIDs to Blue and Orange (or maybe there is a better way to captive-portal untrusted devices and put them on a separate network path with the same SSID??)?

I’d appreciate any thoughts/help/guidance. Especially if there is a better way to design a solution.

[edit] I was searching for the wrong terms earlier. The “suggested topics” after I posted linked to one that pointed to this wiki page for VLANs - Zone Configuration. That seems simple enough. If I can replace the wireless devices with OpenWRT, then assigning a VLAN per wireless SSID and mapping that VLAN to different zones should be pretty easy. I think… haven’t done it yet.
I would still appreciate advice on the best way to approach this problem and if anyone has recommendations that might allow me to keep the existing wireless apple hardware.

Hi @stack.

The simplest solution is to put an IPFire with three network interfaces. One for RED, one for GREEN and the last one for BLUE.

Yes, BLUE can go through a physical RJ45 interface, and it is not necessary to install the add-on “Hostapd”.

All you have to do is assign (during network card assignment) the BLUE (WIFI) network to a network card.

Being in separate networks, and due to the characteristics of IPFire, the computers located in BLUE will not have access to GREEN, but vice versa they will.

Then, if you are interested in allowing a computer access, in “Firewall groups → Hosts” you create an object with the MAC address of the computer in question and generate a rule at the firewall level that allows access.

Hope this gives you some light.

Greetings and you will tell us.


Greetings Roberto,

I agree. That is the hopeful plan for the trusted network.

I’m still not sure yet how to deal with a secondary SSID that is for untrusted devices.

I’m leaning towards getting a few wireless APs that have multiple radios and VLAN tagging them, but I’m still not entirely sure how to do that yet. Most of the devices I have only have a single radio, but I do have one that I’m going to try to test on this week.

Hi @stack

I am running my home network with a couple of WAPs where I have two SSIDs set up in each. Each SSID is then given a VLAN tag in the WAP. Then one of the SSID/VLAN tag combinations is used for green and the other for blue.

My switches also have VLAN tagging, and the port connected to IPFire green has the green VLAN tag and so does IPFire. The port connected to IPFire blue has the blue VLAN tag set and so does IPFire.

This way I have wireless on green for myself, with a very strong random password, and with this I can access my green LAN servers etc.

Blue wireless is then used for guests and is restricted to only accessing the internet, although I can turn on firewall rules to allow access for specific blue clients to a printer if required.

I don’t know if your Apple Airport Extreme access points have the capability for multiple SSIDs and VLAN tags or not, but there are certainly devices out there that do.
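The SSID-per-VLAN setup described above, and the OpenWRT VLAN-per-SSID idea from the first post, both come down to the same three-hop mapping: the AP tags the SSID, the switch carries that tag on the AP port and on the port facing IPFire, and IPFire's Zone Configuration attaches a zone to the NIC either natively or with a tag. The following is an added example, not code from this thread or from the IPFire project, that models those three hops in Python and flags the classic mistake where an untagged guest SSID quietly lands in the native (trusted) zone. The NIC name, VLAN ids and SSID names are all constructed for illustration.

```python
"""Check an SSID -> VLAN -> IPFire zone plan before touching any hardware.

The model follows the path described in the thread: the access point tags
each SSID (or leaves it untagged), the switch carries those tags on the AP
port and on the port facing IPFire, and IPFire's Zone Configuration page
attaches each zone to a NIC either natively (untagged) or with a VLAN tag.
All device names, VLAN ids and SSIDs below are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class SSID:
    name: str
    vlan: Optional[int]   # VLAN tag the AP puts on this SSID; None = untagged
    intent: str           # zone the SSID is supposed to end up in


@dataclass
class SwitchPort:
    native_vlan: int                          # untagged frames are assigned here
    tagged_vlans: Set[int] = field(default_factory=set)


@dataclass
class Zone:
    name: str             # GREEN, BLUE, ORANGE
    nic: str              # IPFire NIC the zone is attached to
    vlan: Optional[int]   # tag configured in Zone Configuration; None = native


def check_plan(ssids: List[SSID], ap_port: SwitchPort, ipfire_port: SwitchPort,
               ipfire_nic: str, zones: List[Zone]) -> List[str]:
    """Return one finding per SSID that does not land in its intended zone."""
    findings: List[str] = []
    zones_on_nic = [z for z in zones if z.nic == ipfire_nic]

    # Two zones on the same NIC/tag pair can never be told apart; catch it early.
    seen = {}
    for z in zones_on_nic:
        if z.vlan in seen:
            findings.append(f"{z.name} and {seen[z.vlan]} both attached to "
                            f"{ipfire_nic} with tag {z.vlan}")
        seen[z.vlan] = z.name

    for s in ssids:
        # Hop 1: AP uplink into the switch. Untagged frames take the port's
        # native VLAN; tagged frames must be allowed or the switch drops them.
        if s.vlan is None:
            vid = ap_port.native_vlan
        elif s.vlan in ap_port.tagged_vlans:
            vid = s.vlan
        else:
            findings.append(f"{s.name}: VLAN {s.vlan} not allowed on the AP "
                            f"switch port, traffic is dropped")
            continue

        # Hop 2: switch port toward IPFire. The native VLAN leaves untagged,
        # allowed VLANs leave tagged, anything else never reaches IPFire.
        if vid == ipfire_port.native_vlan:
            on_wire: Optional[int] = None
        elif vid in ipfire_port.tagged_vlans:
            on_wire = vid
        else:
            findings.append(f"{s.name}: VLAN {vid} not carried on the switch "
                            f"port toward IPFire, traffic is dropped")
            continue

        # Hop 3: IPFire Zone Configuration. A native zone receives untagged
        # frames, a VLAN zone receives frames with exactly its tag.
        landed = next((z.name for z in zones_on_nic if z.vlan == on_wire), None)
        wire_desc = "untagged" if on_wire is None else f"VLAN {on_wire}"
        if landed is None:
            findings.append(f"{s.name}: no zone on {ipfire_nic} for {wire_desc} traffic")
        elif landed != s.intent:
            findings.append(f"{s.name}: lands in {landed} instead of {s.intent}")
    return findings


# Intended design from the thread: staff SSID -> GREEN, guest SSID -> BLUE,
# both tagged all the way through (constructed values).
TRUNK = SwitchPort(native_vlan=1, tagged_vlans={10, 20})
GOOD_ZONES = [Zone("GREEN", "eth1", 10), Zone("BLUE", "eth1", 20)]
GOOD_SSIDS = [SSID("staff", 10, "GREEN"), SSID("guest", 20, "BLUE")]

# Common mistake: guest SSID left untagged while GREEN is the native zone,
# so guest clients silently share the trusted LAN.
BAD_ZONES = [Zone("GREEN", "eth1", None), Zone("BLUE", "eth1", 20)]
BAD_SSIDS = [SSID("staff", None, "GREEN"), SSID("guest", None, "BLUE")]


def good_plan_findings() -> List[str]:
    return check_plan(GOOD_SSIDS, TRUNK, TRUNK, "eth1", GOOD_ZONES)


def bad_plan_findings() -> List[str]:
    return check_plan(BAD_SSIDS, TRUNK, TRUNK, "eth1", BAD_ZONES)


if __name__ == "__main__":
    for label, found in (("good", good_plan_findings()), ("bad", bad_plan_findings())):
        print(label, "->", found or ["no problems found"])
```

Run it as a script and the "bad" plan reports the guest SSID landing in GREEN; edit the `SSID`, `SwitchPort` and `Zone` entries to match the real plan (the AP port and the IPFire-facing port can be different `SwitchPort` objects) before configuring the APs, the switch and IPFire in that order.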


Ah. So you are tagging on the switch port itself and not in IPFire? OK, that may be where I am adding too much complexity.

I am tagging on the switch port and on the IPFire port.


We use Ubiquiti WiFi Access Pro points.
Excellent, and they run a slimmed-down Linux BusyBox OS.

Very good coverage and they never crash.