AirPort Extreme guest network with pfSense

AirPort Extreme guest network with pfSense

The AirPort Extreme is a great wireless router. I’m using it strictly as an access point (bridge mode) in front of pfSense.
Setup is a breeze, except for the guest network. You’ll need to configure a few things in pfSense:

  • Create a VLAN (tag 1003)
  • Create an interface for the VLAN
  • Enable DHCP on the VLAN interface
  • Create a rule to allow VLAN traffic
  • Configure NAT for VLAN IPs

Create a VLAN

Interfaces > Assign > VLANs > Add (+)

Parent interface should be your LAN interface (or wherever your AirPort is connected).
VLAN tag should be 1003 (the number hard-coded for AirPort guest network traffic).

Create VLAN interface

Interfaces > Assign > Add (+)

After clicking the plus, you’ll see a new interface (likely OPT1, which I later renamed GST).
Select VLAN 1003 from the dropdown, then click on the title of the new interface.

Enable the interface and select Static IPv4 from the IPv4 Configuration Type dropdown.
Set the IPv4 address. It should differ from your LAN’s IP address to avoid conflicts.

Enable DHCP

Services > DHCP Server > GST

Enable DHCP and set the Range of IP addresses.

Allow VLAN traffic

Firewall > Rules > GST

Add a rule to pass any type of of traffic, where the destination is not a LAN address.
This will allow users on the guest network to access the Internet, but not your network.

Configure NAT

Firewall > NAT > Outbound

Add a mapping for the VLAN IP address range.

3 thoughts on “AirPort Extreme guest network with pfSense

  1. On the Firewall > Rules > GST – Destination is not supposed to be “LAN address”. I found it is supposed to be “LAN net”. When I did LAN address I couldn’t ping my gateway on the LAN network but I could ping hosts on the LAN network. Once I changed it to LAN net it stopped me from pinging all of my main network on the Guest.

  2. Great tutorial. Saved my bacon when I repeated power failures trashed my build and I needed to start fresh. Thanks for bringing the site back up.

Leave a Reply

Your email address will not be published. Required fields are marked *