Hello! I have been using IPFire now for about a year with a fairly vanilla red-green-orange configuration.
RED: Plugs into my cable modem
GREEN: Plugs into a wired, dumb switch. Into that switch I plug a Unifi AP. This is for all trusted, internal traffic. The AP simply forwards all requests to IPFire, including DHCP and DNS. 10.0.1.0/24.
ORANGE: Normal DMZ, 10.0.2.0/24.
What I would like to do is:
- Add a new subnet (10.0.3.0/24) for untrusted/guest connections
- Add a new “network” to my existing AP (using the Unifi admin tool) that routes all traffic to the 10.0.3 subnet.
- Preferably not purchase a new NIC or AP
I’m not asking for Unifi help, but is it possible to route traffic through my “green” NIC to a new subnet? Or am I trying to solve this problem the wrong way? I know enough about networking to be dangerous but I’m afraid I don’t know enough about this subject to ask the correct question.
There are 4 possible zones in IPFire, therefore you can add a blue zone to your IPFire machine, which indeed is reserved for less secure wireless connections. However, the traffic has to be segmented, either from a native, physical local area network (LAN) or a virtual local area network (VLAN). In practice, either you add a new NIC with an access point connected to it, or you use the existing NIC assigned at the moment to the green zone to be a trunk and sort the traffic in green and blue zones, but the packets have to arrive properly labeled with a VLAN tag, which is an extended ethernet frame created by Cisco. Whether your switch or your wifi appliance can do this, determines if you need to buy new equipment for this project.
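To make the "properly labeled with a VLAN tag" point concrete, here is an added example (my own, not code from this thread or from the IPFire project) that builds and parses 802.1Q-tagged Ethernet frames and sorts them into zones the way a trunk port would: untagged frames stay in green, frames tagged with the guest VLAN go to blue, and anything carrying an unexpected tag is dropped. The VLAN ID 30 for the guest network and the MAC addresses are assumptions I made up for the demonstration; the frame layout (TPID 0x8100 followed by a 16-bit TCI holding priority, DEI and a 12-bit VID) is the standard one.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag

# Zone mapping for the trunk: untagged -> green, VID 30 -> blue.
# The VLAN number is a hypothetical choice for this example.
GUEST_VLAN_ID = 30
ZONES = {None: "green", GUEST_VLAN_ID: "blue"}


def build_frame(dst, src, ethertype, payload, vlan_id=None, priority=0):
    """Assemble an Ethernet II frame, inserting an 802.1Q tag when vlan_id is set."""
    if vlan_id is None:
        header = struct.pack("!6s6sH", dst, src, ethertype)
    else:
        if not 1 <= vlan_id <= 4094:
            raise ValueError("VLAN ID must be 1..4094")
        tci = (priority & 0x7) << 13 | (vlan_id & 0x0FFF)  # DEI bit left clear
        header = struct.pack("!6s6sHHH", dst, src, TPID_8021Q, tci, ethertype)
    return header + payload


def parse_frame(frame):
    """Decode an Ethernet II frame and its optional 802.1Q tag."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    offset, vlan_id, priority = 14, None, None
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        priority = tci >> 13
        vlan_id = tci & 0x0FFF
        offset = 18
    return {
        "dst": dst.hex(":"),
        "src": src.hex(":"),
        "vlan_id": vlan_id,
        "priority": priority,
        "ethertype": ethertype,
        "payload": frame[offset:],
    }


def classify(frame):
    """Return the zone a frame arriving on the trunk belongs to, or 'drop'."""
    info = parse_frame(frame)
    return ZONES.get(info["vlan_id"], "drop")


# Constructed sample frames (addresses and payloads are made up).
ROUTER_MAC = bytes.fromhex("02000a000101")
CLIENT_MAC = bytes.fromhex("02000a000142")
ETH_IPV4, ETH_ARP = 0x0800, 0x0806

TRUSTED_FRAME = build_frame(ROUTER_MAC, CLIENT_MAC, ETH_ARP, b"\x00\x01\x08\x00")
GUEST_FRAME = build_frame(ROUTER_MAC, CLIENT_MAC, ETH_IPV4, b"\x45\x00", vlan_id=30)
STRAY_FRAME = build_frame(ROUTER_MAC, CLIENT_MAC, ETH_IPV4, b"\x45\x00", vlan_id=99, priority=5)

if __name__ == "__main__":
    for name, frame in [("trusted", TRUSTED_FRAME), ("guest", GUEST_FRAME), ("stray", STRAY_FRAME)]:
        info = parse_frame(frame)
        print(f"{name}: vid={info['vlan_id']} prio={info['priority']} -> {classify(frame)}")
```

The `classify` step is the part a dumb switch cannot do for you: it only works if the tag survives the trip from the AP to the firewall NIC, which is why a capture on the green interface that shows untagged guest frames points at the switch rather than at the IPFire configuration.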
This is perfect, thank you @cfusco !
I seem to be able to add VLAN tags from my AP, so I think I just need to add a blue interface to my existing config and point it at that tag.
There is the issue of the “dumb” switch. It should be able to forward the traffic maintaining the VLAN tag, however, keep this possible point of failure in mind if you have to troubleshoot. Good luck.