Continuing this multi-part series, we return to the VisionNet M505N web interface, this time selecting the 'LAN' menu item. Rather than providing specific entries for the settings (which will differ by need between the "guest" wireless and IoT device isolation functionality), I will give guidance on what you might choose. In our scenarios, small networks would be used in practice, without worry of interfering with other "private-side" networks (as a friend tells me, a great future topic).
For recommendations on a guest network, I will provide two different examples. Again, the topic of subnetting will come in later blog entries, so if you don't understand all of the mechanisms, just plug in the values I provide. Your guests will likely never need more than 13 addresses active at the same time, so the first suggestion is an 'IP Address' of "192.168.1.1" and a 'Subnet mask' of "255.255.255.240". The DHCP pool (which you will enter in the 'DHCP Server' portion below) will range from "192.168.1.2" in the 'Start IP Address' field to "192.168.1.14" in the 'End IP Address' field.
I'll cover the remaining DHCP entries in a moment. If you want an even smaller guest network of five available IP addresses in the DHCP pool, set the same 'IP Address' for the modem, but change the 'Subnet mask' to "255.255.255.248" (keeping the subnetting simple for now). Your 'Start IP Address' for the 'DHCP Server' will also stay the same, but change the 'End IP Address' to "192.168.1.6".
I recommend setting the 'Primary DNS server' and 'Secondary DNS server' the same as the modem address (in our examples, "192.168.1.1"). This helps mask the actual DNS server addresses (whether public DNS or for a server you have in either the DMZ network or routed to another interface within pfSense). Additionally, I recommend setting a lower DHCP server 'Lease time (hour)'; "2" (for two hours) is a good choice for a guest network.
Entries for an "Internet of Things" Wireless Access Point network could be like the smaller choice (five available IP addresses) or a "/30" ("CIDR notation", which will be covered in subnetting topics) that would only have room for one "IoT" device (until we cover "reserved IP addresses" in a moment). The entries for that would be the same 'IP Address' of "192.168.1.1", but a 'Subnet mask' of "255.255.255.252" (still keeping our subnetting simple). The 'Start IP Address' still remains the same, and this time you also enter the same value for the 'End IP Address' (don't worry, it still works).
We can create "reserved" IP address(es) if we learn the "MAC address" of the device we want to have that IP address. A MAC (Media Access Control) address is a unique identifier for every interface able to establish a network connection. The MAC address conventions will also be covered in a later blog entry. Note that we can use this feature both for "management from an ACL" (Access Control List), to be able to securely configure or check the Wireless Access Point later, and for an IoT device entry. The reserved address(es) do need to be within what you have set for the subnet (by the 'Subnet Mask' entry) but outside the range of the DHCP pool.
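The address plans above, and the rule that a reserved address must sit inside the subnet but outside the DHCP pool, can be checked before you type them into the modem. This is an added example, not from the original post or from VisionNet; the function names `check_plan` and `pool_size` are hypothetical, and any reserved addresses you pass in are your own values.

```python
import ipaddress

def pool_size(start, end):
    """Number of addresses the DHCP server can hand out, inclusive of both ends."""
    return int(ipaddress.ip_address(end)) - int(ipaddress.ip_address(start)) + 1

def check_plan(modem_ip, mask, start, end, reserved=()):
    """Return a list of problems with a LAN/DHCP plan; an empty list means it is consistent."""
    # strict=False lets us pass the modem's host address together with the mask
    net = ipaddress.ip_network(f"{modem_ip}/{mask}", strict=False)
    hosts = list(net.hosts())  # usable addresses: excludes network and broadcast
    modem, lo, hi = (ipaddress.ip_address(a) for a in (modem_ip, start, end))
    problems = []
    if modem not in hosts:
        problems.append(f"modem {modem} is not a usable host in {net}")
    if lo > hi:
        problems.append("pool start is after pool end")
    for name, addr in (("start", lo), ("end", hi)):
        if addr not in hosts:
            problems.append(f"pool {name} {addr} is outside the usable range of {net}")
    if lo <= modem <= hi:
        problems.append("modem address is inside the DHCP pool")
    for r in map(ipaddress.ip_address, reserved):
        if r not in hosts:
            problems.append(f"reserved {r} is not a usable host in {net}")
        elif r == modem:
            problems.append(f"reserved {r} is the modem's own address")
        elif lo <= r <= hi:
            problems.append(f"reserved {r} is inside the DHCP pool")
    return problems

if __name__ == "__main__":
    # The three plans from the text: guest (13), small guest/IoT (5), single IoT device (1)
    for mask, end in (("255.255.255.240", "192.168.1.14"),
                      ("255.255.255.248", "192.168.1.6"),
                      ("255.255.255.252", "192.168.1.2")):
        issues = check_plan("192.168.1.1", mask, "192.168.1.2", end)
        print(mask, "pool size", pool_size("192.168.1.2", end), issues or "OK")
```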
In a later topic of this series, I will cover setting up an Access Control List on the VisionNet M505N modem. We are also leaving the 'Enable LAN side Firewall' unchecked at the moment, but will return to this powerful setting later as we cover security aspects. For now, we are only going to adjust one security setting: turning off UPnP. Click on the 'Security' menu item, then the 'uPNP' listing below it. Uncheck 'Enable UPnP' and click on the 'Apply/Save' button.
Next time we will look at wireless settings and later further security on the M505N. Leave comments and questions below. Please stay tuned!