HOW TO Isolate WiFi Network From Exisitng Business Network?
-
Hello,
I am looking into using pfsense as the gateway and possibly the AP's for commercial installtions in restaurants and small business establishments. My concern is how to configure pfSense to not allow the public wifi install that we do to access the current establishments LAN and only allow internet access?Thanks
Joseph -
Create an alias containing all subnets which should not be accessible.
Modify the default "allow rule" on the wireless-OPT interface.
Change the "destination: any" to "NOT "alias"" -
Thank you very much for your reply.
If I used pfSense as the gateway only and added say deliberant AP's would this work the same way?
Thank you
Joseph -
Thank you very much for your reply.
If I used pfSense as the gateway only and added say deliberant AP's would this work the same way?
Thank you
JosephYes, but you'll need to use either VLANs or a separate interface for the AP to separate the traffic. Otherwise any 'security' you implement can be easily defeated by clients. If you're okay with all the APs being on the same network though, that's not really a big deal.
-
Thanks for the info,
I was thinking that I would have the AP's on the same 192.168.xx.xx network and then network in to the LAN of the pfsense gateway.
and on that NIC I would create the alias or Rule to not allow traffic to whatever the business LAN was.Could you possibly explain why so many People are hot on the VLANS? Or why so necessary? I am just learning about them now. Well moreover how to implement them…
Thanks
Joseph -
Could you possibly explain why so many People are hot on the VLANS? Or why so necessary? I am just learning about them now. Well moreover how to implement them…
Thanks
JosephThey're very convenient. Instead of having a separate switch and cabling for each logical network (to separate say an administrative and guest network like you're talking about), you just have one switch that can create 'virtual' networks. Clients on each VLAN can't communicate directly with each other at all, as if they were on physically separate networks, but you can reconfigure this at will without running any cable or adding switches/ports. Furthermore, 802.1Q allows frames to be 'tagged' with a VLAN id; using this protocol you can carry multiple VLANs on a single Ethernet cable, and the devices at each end can remove the tags and know which VLAN the packet belongs to. In pfSense this means you can have a whole bunch of separate interfaces (one per VLAN), but only a single physical interface to connect them to your switch. In other situations there are more useful applications that wouldn't really be practical without.
In your case you want to make sure the wireless and business LANs are kept completely separate; if you just use addressing schemes to stop them from talking to each other, an attacker could easily sniff the broadcast traffic, discover what other addresses are in use, and then simply move his client onto the 'secure' network. Using a separate interface (be it a tagged VLAN or a separate physical interface) means an attacker would have to get through pfSense to get onto the business network, rather than execute a trivial address change.
-
Thanks again for the info.
Although you have given me an excellent explanation I am a bit confused. Please let me map this out in my head here on the forum and you correct me.
I have installed pfSense on a basic AMD x86 box and two NICs. One LAN and one WAN. Now I have set my WAN interface to a private IP of my existing network 10.10.111.0/24 the actual ip is 10.10.111.226/24
I kept the default on the LAN for practicing purposes. I now can access the Internet and I can also access some of my servers. This is what I expected. I then impleneted some of the rules and aliases as instructed in this post. I was successful I can no longer access any host on the 10.10.111.0/24 network. This was my desired result. (Thank you)
Now after reading about the VLAN in your post I tried to make a VLAN on the LAN NIC but I could no longer get out? Also I don't see another interface? I am kinda lost here. Do I need a switch? My impression is that I could have multiple Virtual LANs with different subnets with a VLAN. I didn't see where I could set another subnet? Am I off with something?
Also you mentioned in you VLAN post that changing and address would allow the attacker to access the business LAN. How so? Would that mean in my test environment that If I changed my laptop to the 10.10.111.0/24 network I could access this network?
Thanks very much
Joseph -
Think of VLANs as if they are unconnected physical networks. Machines in each VLAN are completely unaware of the existence of any others and can't communicate with them. You need to put a router between the VLANs to pass traffic.
Now, 802.1Q VLAN tagging is a feature that allows you to carry multiple VLANs on a single cable, so you may have a few VLANs configured on your switch that are all independent, and you can then have a tagged connection to your router where each VLAN becomes a separate interface. The switch will tag packets it sends to the router with which VLAN they belong to, and the router will do the same for packets it sends back onto the network. This lets you use a single switch to carry what is essentially multiple networks, and then pass those to a router while keeping them separate.
In your situation it's not working because you don't have a managed switch (or don't have it configured properly). You need the switch so you can decide which ports are in which VLAN, and to decide which ports need to have traffic untagged, and where all the VLANs should be on a tagged port (to your router). Without this, it won't work and wouldn't accomplish anything anyway. When you create a VLAN interface in pfSense it will create a new listing in your interfaces; you can create as many as you want with different VLAN ids.
I'm not totally clear on your network topology. Are you putting pfSense between your normal LAN and the business LAN? I was assuming that you were putting pfSense at the border to the Internet and had several internal networks that should really be kept separate, and you were using supernetting to accomplish that.
-
Hello Ktims,
Thanks so much. That cleared a lot up for me. So in order to have a VLAN you must have a router that can create VLANS and use the tagging. I saw id 1~ ?? don't remember in pfSense. I also saw port. Now this port is the number in the switch? Or is it just a location that you configure on both switch and router?
You also must have a Layer 3 switch that handles VLAN tagging correct?
Also, I did see that new interfaces in PfSense as you explained. This is now a VLAN with tag id 1
I would then run the cable OUT from the LAN of PfSense and into the switch Correct?
On this one cable comming from the Router to the Switch many VLANS can be assigned Correct?
Now in the switch you would configure the switch to identify the VLAN tag id and it would then send that out the correct port? to the subnet of what that VLAN is.
Ok then that leaves just a little for me to ask.
What is the port? Is it a physical numbered location on the switch or is it a port that we assign similar to NAT 1:1 porting and port forwarding?
Second you were saying that any VLAN cannot "Talk" to another network. How is that so if all are inserted into the switch?
As for my test environment I am behind the current LAN. pfSense is behind Vyatta Main Firewall and gateway. I also have a Firebox in front sharing the same subnet. So there is only one LAN at subnet 10.10.111.0/24
I am connecting into this network with pfsense's WAN and then configuring the LAN of pfsense to 192.168.100.0/24
So I have connected my laptop at 192.168.100.199 I made the changes and wanted to see if I could access shares on the fileserver
at 10.10.111.11 and I couldn't so that is great! Just what I wanted and if I remove the rules/aliases I CAN reach it.Thank you so much for helping me with this.
Joseph -
Create an alias containing all subnets which should not be accessible.
Modify the default "allow rule" on the wireless-OPT interface.
Change the "destination: any" to "NOT "alias""Hello,GruensFroeschlino
Thanks for the input. I tried that method with the Default LAN Rule because I have no wireless Antenna setup on this box. However I am in need of a little clarity here please. This only works for me if I add another rule not just modifying the default LAN rule.
Also,what is the bolded NOT for in the Source and Destination sections?
Another thing is I have to reboot the box everytime I make a rule change for it to take effect. Is this normal?
I am using version 1.2.3 RC1
Thank you
Joseph