(request) vlan management policy server video

Hello, I first heard about Tommy Lawrence’s videos sometime after the COVID-19 pandemic began, so I am fairly new here. Since then I have switched from my off-the-wall consumer router to pfSense and have even bought a TrueNAS Mini X+ from your suggestions. I also have a managed switch.

I am a newbie building a homelab. I have everything set up and working fine, but one thing that I’ve always wanted to get set up is a VLAN Management Policy Server. Supposedly you can do this with pfSense with the FreeRADIUS 3 package. According to the documentation, my switch supports dynamic VLANs and I’d like to learn how to set this up in pfSense + FreeRADIUS 3. Can you please make a video on how to set this up on pfSense + FreeRADIUS 3?

Thanks, and that video is not likely to happen soon, but might eventually.

I’d recommend trying to understand how to use certificates with, say, OpenVPN connections. Then use FreeRADIUS with your access point for 802.1X. Then combine the two.

If you have your homelab you can give it a go.

Not that I am complaining, but can I ask why? Is it really complicated to do? Is it a network security issue? I have been searching around and I can’t find any information on how to do it. I only ask because if it is something that is too difficult or too risky to do, maybe I should just stop trying to do it. If it is that you’re just too swamped with other projects, then that is fine.

Again, I’m not complaining and I want to thank you for the content that you’ve put out so far. I have been subscribed to and watching your YouTube channel since this pandemic started; it has given me a new hobby while I’ve been trapped at home with everything practically shut down.

Thanks, learning how to do each of those things has been near the top of my list. So if I just combine those two things I’ll be golden? That is good to know that I can kill three birds with two stones.

For sure, certs aren’t too tricky for OpenVPN, and setting up 802.1X for basic authentication for wifi is again not too tricky if your AP supports it. I use one CA and give certs per device; that way if I lose my phone I can revoke the cert but not lose access on my tablet.

But there is a risk if you need to remote into your pfSense over OpenVPN to reboot for some reason: if the FreeRADIUS service does not restart, you cannot then authenticate your OpenVPN session. I’ve done the above two without issue.

You can use FreeRADIUS to manage rights across VLANs I suppose, but I’ve found it easier to create firewall rules that do this.

If you want to learn, just knock yourself out, but I think PKI (public key infrastructure, using certs) is the way to go; just revoke the cert if something iffy happens.

The other gotcha is that FreeRADIUS includes older protocols, which may be weakened now, so you need to know what’s what, which is easier said than done. You’ll also be restricted by what the equipment can support.

Thanks for your helpful reply. This is a homelab and I’m ultra-paranoid about security, so I don’t plan on ever setting up inbound connections to my network, even through OpenVPN, so I don’t think that will be an issue.

I guess I’ll tackle getting a local CA set up first.

So I spent last night following this tutorial to get started with using certs; unfortunately I couldn’t get it to work and I got locked out of the pfSense webConfigurator. I got an SSL error (I should have taken a screenshot of the exact error). The issue was in both Firefox and Google Chrome on Linux (I used the ca-certs package to import the certs to my OS as well). So I had to restore pfSense to an earlier config. Now the pfSense DNS resolver keeps crashing and I have to manually restart it to get it to work. So I guess this isn’t as easy as I thought it would be. Do you have a tutorial that you recommend? One that won’t fsck up my config.

The self-signed, auto-generated certificates are fine in terms of security for working on pfSense. Yes, you get a self-signed message when logging in, but the traffic is encrypted. This is the default config for pfSense.

I mentioned setting up certs with OpenVPN; it’s not difficult. The Netgate site has good info on this.

Sounds like you have tried to replace the cert for pfSense and your browser doesn’t like it.

May I ask why you need dynamic VLANs? Why don’t you use your managed switch to tag the ports instead?

Dynamic VLANs make sense: with your RADIUS credentials you can assign VLAN access rights. It’s another level of security; otherwise the user will have network-wide access.

The only downside is that you can potentially lock yourself out of your network if FreeRADIUS doesn’t start up for some reason.

Personally I only use FreeRADIUS for 802.1X for wifi and my IP cams.
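As an added illustration of what "dynamic VLAN" means on the RADIUS side (this is example code, not from the thread, from pfSense or from the FreeRADIUS project): a small Python script that reads a FreeRADIUS-style `users` file and reports which VLAN each entry would hand to the switch through the three RFC 3580 tunnel attributes, `Tunnel-Type`, `Tunnel-Medium-Type` and `Tunnel-Private-Group-Id`. The user names, passwords and VLAN numbers in the embedded file are constructed. It also shows the two failure modes worth checking before you rely on this: an entry with no tunnel attributes leaves the client on the port's static VLAN, and an incomplete or out-of-range entry is flagged rather than silently accepted. What the switch does with an invalid set is vendor-dependent (ignore it or fail the authentication), which is the same class of surprise as the lockout warning above.

```python
"""Audit per-user VLAN assignment in a FreeRADIUS-style users file.

Constructed example for the dynamic-VLAN discussion; the attribute
names and values follow RFC 3580 section 3.31, not any pfSense GUI.
"""
import re
from dataclasses import dataclass, field

# RFC 3580: Tunnel-Type 13 = VLAN, Tunnel-Medium-Type 6 = IEEE-802.
# FreeRADIUS accepts either the symbolic name or the number.
TUNNEL_TYPE_VLAN = {"VLAN", "13"}
TUNNEL_MEDIUM_IEEE802 = {"IEEE-802", "6"}
VLAN_MIN, VLAN_MAX = 1, 4094

# Constructed users file (hypothetical names, throwaway passwords).
SAMPLE_USERS = """\
# Entry with a complete RFC 3580 VLAN assignment
laptop-alice   Cleartext-Password := "example-only"
               Tunnel-Type = VLAN,
               Tunnel-Medium-Type = IEEE-802,
               Tunnel-Private-Group-Id = "20"

iot-cam-01     Cleartext-Password := "example-only"
               Tunnel-Type = VLAN,
               Tunnel-Medium-Type = IEEE-802,
               Tunnel-Private-Group-Id = "30"

# Incomplete: medium type missing, VLAN number out of range
guest-tablet   Cleartext-Password := "example-only"
               Tunnel-Type = VLAN,
               Tunnel-Private-Group-Id = "4096"

# No tunnel attributes at all: client lands on the port's static VLAN
legacy-printer Cleartext-Password := "example-only"
"""

# One "Attribute[:tag] op value" item; value may be quoted or bare.
_ITEM = re.compile(
    r'([A-Za-z0-9-]+)(?::\d+)?\s*(?::=|==|=)\s*(?:"([^"]*)"|([^,\s]+))'
)


@dataclass
class UserEntry:
    name: str
    check: dict = field(default_factory=dict)   # items on the first line
    reply: dict = field(default_factory=dict)   # indented reply items


def _items(text: str) -> dict:
    """Extract attribute/value pairs from one line of a users file."""
    return {name: (quoted if quoted else bare)
            for name, quoted, bare in _ITEM.findall(text)}


def parse_users(text: str) -> list:
    """Parse users-file syntax: a column-0 line starts an entry, indented
    lines add reply items, '#' lines are comments."""
    entries = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if not line[0].isspace():
            parts = line.split(None, 1)
            entry = UserEntry(name=parts[0])
            if len(parts) > 1:
                entry.check.update(_items(parts[1]))
            entries.append(entry)
        elif entries:
            entries[-1].reply.update(_items(line))
        else:
            raise ValueError("reply item before any user line")
    return entries


def _get(attrs: dict, name: str):
    """Case-insensitive lookup, as FreeRADIUS treats attribute names."""
    for key, value in attrs.items():
        if key.lower() == name.lower():
            return value
    return None


def vlan_assignment(entry: UserEntry) -> dict:
    """Decide what a compliant switch would do with this entry's reply items."""
    ttype = _get(entry.reply, "Tunnel-Type")
    medium = _get(entry.reply, "Tunnel-Medium-Type")
    group = _get(entry.reply, "Tunnel-Private-Group-Id")
    result = {"user": entry.name, "vlan": None}
    if ttype is None and medium is None and group is None:
        result.update(status="port-default",
                      reason="no tunnel attributes; port keeps its static VLAN")
        return result
    problems = []
    if ttype not in TUNNEL_TYPE_VLAN:
        problems.append(f"Tunnel-Type={ttype!r} is not VLAN")
    if medium not in TUNNEL_MEDIUM_IEEE802:
        problems.append(f"Tunnel-Medium-Type={medium!r} is not IEEE-802")
    if group is None or not group.isdigit() or not VLAN_MIN <= int(group) <= VLAN_MAX:
        problems.append(f"Tunnel-Private-Group-Id={group!r} not in {VLAN_MIN}-{VLAN_MAX}")
    if problems:
        result.update(status="invalid", reason="; ".join(problems))
        return result
    result.update(status="assigned", vlan=int(group),
                  reason="RFC 3580 tunnel attributes complete")
    return result


def audit(text: str) -> list:
    """Parse a users file and return one assignment record per entry."""
    return [vlan_assignment(e) for e in parse_users(text)]


if __name__ == "__main__":
    for row in audit(SAMPLE_USERS):
        print(f"{row['user']:<15} {row['status']:<12} vlan={row['vlan']}  {row['reason']}")
```

Run it as-is to see the four outcomes; point `audit()` at your own file contents to check every entry carries all three attributes and a sane VLAN number before you enable 802.1X on the switch ports you manage the network from.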

I certainly don’t need a dynamic VLAN; this is a homelab and I certainly don’t need most of the stuff that I have, but during the current worldwide pandemic lockdowns now is certainly the perfect time to implement all the unnecessary stuff that I’ve long wanted but never had the time or the money to do.

Sorry, I’m pretty new to all of this; I thought OpenVPN was used to implement VPN connections. I don’t have a VPN provider currently and I do not have plans to have open connections to my LAN from the outside (at least not now; I may change my mind in the future).

I was not aware that I could use OpenVPN to create certs. I’ll Google around to see if I can get this working.

Excuse my ignorance on this subject, I’m learning.

Hmm, I thought that this video was showing how to set up a cert for connecting to the pfSense webConfigurator. I do understand that this is a pretty pointless exercise. My hope was that if I could start with something relatively simple, then work my way up to mastering more advanced topics.

I’m in the same position :)

No that’s not exactly it. You create the certs in the Cert Manager, then use them with OpenVPN.

Yeah, it’s probably a good idea to read the documentation on Netgate’s site rather than Google. See the pfSense Documentation.

I have a sort of different question that is sort of related.

As I said earlier, I have a TrueNAS Mini X+ set up. On the NAS I have a Samba share and a few other plugins installed, including Home Assistant. Is it possible to have the Home Assistant jail on a separate VLAN from the Samba share using the same network interface? I would like to make a separate IoT VLAN for IoT devices, including Home Assistant. I am aware that I could achieve separate VLANs using the four different network interfaces on my Mini X+ box, but unfortunately my poor 10-port switch is almost full, so using more connections from my X+ to my switch isn’t an option, at least until I buy a more capable switch.