A
@jknott said in Wifi router behind pfsense appliance - bypass risk?:
@akuma1x said in Wifi router behind pfsense appliance - bypass risk?:
Give it NO access to your network(s), and only let it talk out to the internet.
That would be appropriate if he wants a guess WiFi, but I didn't see that mentioned. If he wants to access his network via WiFi, as is often done in homes and businesses, then that's not a such a good idea.
True, he didn't say one way or the other how he wanted to do it.
Here's one: guest network with a good WPA2 passcode, like above. Limit, or give it no access, to your main LAN network.
Here's the other: on and part of your main LAN network. Use a good WPA2 passcode, maybe make the SSID hidden (but it can be found by anybody with basic wifi tools), make sure it's firmware stays up-to-date to plug up any security holes. Remember, you're dealing with consumer gear, the manufacturer tends to not update firmware for too long, they want to sell more, newer, better wifi gear. It's just going to be a simple access point, so you won't get much, if any, in the way of firewalling or routing.
Is getting newer wifi gear out of the question? I ask, because most, if not all, of the newer access point things offer VLAN capabilities. That means, with 1 wifi box, you can offer up multiple wifi networks, guest and main LAN, as an example. Add a simple 5-8 port managed switch to the mix to move this traffic in the right directions, and you can be done. This gives you 2 wifi signals, 1 that can be isolated to just the internet, the other that sits on your main LAN.
Jeff
