    Some assistance required with basic firewall rules

    Firewalling
    8 Posts 3 Posters 2.6k Views
    OldNick

      Hi,

      My system is a pfSense 1.2.2 dual-NIC setup: the LAN side is on 192.168.0.10, hooked to a switch with some APs and another server on it; the WAN side is on 192.168.32.3, going to a DSL router on 192.168.32.250.

      Captive portal is enabled and my landing page and T&Cs are held on 192.168.0.6 along with my RADIUS server.

      Captive portal is working perfectly.

      What I would now like to do is limit the guest accounts in the DHCP range leased by pfSense to internet access only, prevent them from gaining access to the pfSense webConfigurator, and prevent them from accessing each other's machines on the LAN.

      To do so I have created an alias which contains the range of IP addresses in my DHCP range (.100-.149), and then added a rule at the top of the list which blocks all traffic from my alias to 192.168.0.10:80, as can be seen below.

      Proto    Source     Port  Destination  Port       Gateway  Schedule  Description
      TCP/UDP  DHCPRange  *     LAN address  80 (HTTP)  *

      I also tried adding a 2nd rule:

      Proto    Source     Port  Destination  Port  Gateway  Schedule  Description
      TCP/UDP  DHCPRange  *     DHCPRange    *

      Source DHCPRange port any to DHCPRange port any, to prevent any communication between my guests over the LAN.

      Unfortunately neither rule works and I am at a loss as to why.

      OldNick

      OldNick

        OK, a little update: I've sorted the blocking of the webConfigurator by turning off the anti-lockout rule. Forgot all about that sneaky little bugger ::)

        Now, with the other rule I'm guessing I need to remove the default access-all rule from LAN. I must make sure I put in any additional rules before I remove this so as not to lock myself out of the GUI; wish I had really thought of that first :'(

        Regards

        Nick

        GruensFroeschli

          There is no way to prevent users from accessing each other.
          They are in the same subnet and thus can communicate directly with each other without going over the pfSense.

          Is there any way you could separate your CP users from the static users?
          I mean in the sense of moving them to a different physical subnet / different SSID on WLAN / different VLAN.

          We do what we must, because we can.

          Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

          OldNick

            Gruens,

            Thanks for the reply. Pants, I should have realised that myself. I don't think we can move to a different subnet; I have not yet looked at different SSIDs or VLANs.

            We are installing pfSense at sites to offer guest access to customers, and at some sites the managers have a laptop and/or PC which needs access as well.

            Are there any documents on how to deal with different SSIDs or VLANs to get me started?

            Nick

            cconk01

              I agree with Gruens. What I would do is either add another NIC and put the guests on that, which will give you the best security, or buy a VLAN-capable switch and AP. Then I would set up my network with a LAN and a DMZ. In either scenario I would have my server and managers (safe users) on that, bind captive portal to the DMZ and create a rule allowing all outbound with an inverse selection with your LAN. This will allow access to everything but your LAN.

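As an added example that is not part of the original thread or of pfSense's own code, the following Python model illustrates the two points made above by GruensFroeschli and cconk01. The sending host's routing decision means a guest-to-guest packet on the same subnet never reaches the firewall, so the "DHCPRange to DHCPRange" block rule is never consulted, and the anti-lockout rule sits ahead of the user rules so the "LAN address:80" block does not fire until it is disabled; a separate guest interface with a single pass rule whose destination is "not LAN net" allows internet access but drops traffic to the LAN by default deny. The guest VLAN addresses (192.168.20.0/24 with the firewall at 192.168.20.1) and the anti-lockout ports (80 and 22) are assumptions made for the example.

```python
"""Added example, not pfSense code: first-match rule evaluation plus the sending
host's routing decision.  Guest VLAN addresses and anti-lockout ports are assumed."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional

# Assumed topology: the poster's LAN plus a hypothetical guest VLAN sub-interface.
FW_IFACES = {
    "LAN":   (ip_network("192.168.0.0/24"),  ip_address("192.168.0.10")),
    "GUEST": (ip_network("192.168.20.0/24"), ip_address("192.168.20.1")),
}
LAN_NET, LAN_ADDRESS = FW_IFACES["LAN"]
GUEST_NET, GUEST_ADDRESS = FW_IFACES["GUEST"]
ANY = "any"
# The poster's alias: the pfSense DHCP lease range .100-.149 on the LAN.
DHCP_RANGE = {ip_address(f"192.168.0.{h}") for h in range(100, 150)}


@dataclass
class Rule:
    action: str                  # "pass" or "block"
    src: object                  # ANY, IPv4Network, IPv4Address, alias set or ("not", spec)
    dst: object
    dport: Optional[int] = None  # None = any port
    descr: str = ""


def addr_match(spec, addr: IPv4Address) -> bool:
    """Match one address against a rule's source/destination specification."""
    if isinstance(spec, str) and spec == ANY:
        return True
    if isinstance(spec, tuple) and spec[0] == "not":      # GUI "not" (invert) checkbox
        return not addr_match(spec[1], addr)
    if isinstance(spec, IPv4Network):
        return addr in spec
    if isinstance(spec, IPv4Address):
        return addr == spec
    return addr in spec                                   # alias: a set of addresses


def ingress_interface(src: IPv4Address) -> Optional[str]:
    for name, (net, _) in FW_IFACES.items():
        if src in net:
            return name
    return None


def reaches_firewall(src: IPv4Address, dst: IPv4Address) -> bool:
    """The sending host decides: an on-subnet destination is ARPed for and delivered
    by the switch, so the firewall only sees the packet when the destination is
    off-subnet or is the firewall's own address."""
    net, fw_addr = FW_IFACES[ingress_interface(src)]
    return dst == fw_addr or dst not in net


def evaluate(src: str, dst: str, dport: int, rules, anti_lockout: bool = True):
    """First-match evaluation of one interface's rule tab.
    Returns (verdict, reason); verdict is "direct", "pass" or "block"."""
    src_ip, dst_ip = ip_address(src), ip_address(dst)
    iface = ingress_interface(src_ip)
    if iface is None:
        return "block", "source is not on any firewall interface"
    if not reaches_firewall(src_ip, dst_ip):
        return "direct", "same subnet: switched host to host, no rule is consulted"
    fw_addr = FW_IFACES[iface][1]
    # pfSense's anti-lockout rule is placed ahead of the LAN user rules and passes
    # traffic to the firewall's management ports (assumed 80 and 22 here).  It can
    # be disabled, which is what the poster eventually did.
    if anti_lockout and iface == "LAN" and dst_ip == fw_addr and dport in (80, 22):
        return "pass", "anti-lockout rule (evaluated before user rules)"
    for rule in rules:
        if (addr_match(rule.src, src_ip) and addr_match(rule.dst, dst_ip)
                and (rule.dport is None or rule.dport == dport)):
            return rule.action, rule.descr
    return "block", "no rule matched: implicit default deny"


# The poster's LAN tab: two block rules above the stock "default LAN -> any" pass.
LAN_RULES = [
    Rule("block", DHCP_RANGE, LAN_ADDRESS, 80, "block DHCPRange -> LAN address:80"),
    Rule("block", DHCP_RANGE, DHCP_RANGE, None, "block DHCPRange -> DHCPRange"),
    Rule("pass", LAN_NET, ANY, None, "default allow LAN to any"),
]
# cconk01's design on a separate guest interface: one pass rule with destination
# "not LAN net".  The firewall's own guest-side address is outside LAN net, so DNS
# and the captive portal on it still pass; anything on the LAN hits default deny.
GUEST_RULES = [
    Rule("pass", GUEST_NET, ("not", LAN_NET), None, "pass guest net to !LAN net"),
]

if __name__ == "__main__":
    for src, dst, port, rules, al in [
        ("192.168.0.120", "192.168.0.130", 445, LAN_RULES, True),    # guest -> guest
        ("192.168.0.120", "192.168.0.10", 80, LAN_RULES, True),      # guest -> webGUI
        ("192.168.0.120", "192.168.0.10", 80, LAN_RULES, False),     # anti-lockout off
        ("192.168.20.50", "192.168.0.6", 80, GUEST_RULES, True),     # guest VLAN -> LAN server
        ("192.168.20.50", "203.0.113.10", 443, GUEST_RULES, True),   # guest VLAN -> internet
        ("192.168.20.50", "192.168.20.60", 22, GUEST_RULES, True),   # guest VLAN -> guest VLAN
    ]:
        verdict, why = evaluate(src, dst, port, rules, al)
        print(f"{src:>14} -> {dst:>14}:{port:<4} {verdict:7} {why}")
```

The last case is the point GruensFroeschli makes next: even on its own VLAN, guest-to-guest traffic stays on the switch, so client isolation has to come from the switch or the access points, not from firewall rules.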
              OldNick

                cconk,

                Unfortunately adding another NIC into the recipe is not possible. I have dealt with the guest machines getting to the managers' machines, but I would have liked to have stopped the guests from being able to communicate with each other as well.

                Regards

                Nick

                GruensFroeschli

                  If you limit the guests to WLAN you can disable "Allow intra-BSS communication" and thus disallow communication between the guests.

                  But without adding another interface (be it physical or virtual via VLANs), there is absolutely no way to separate guests and internal users.

                  OldNick

                    Gruens,

                    The unit isn't acting as an AP, i.e. there is no wireless LAN interface on the machine. WLAN is provided by multiple APs spread across the site coming back to a switch which is on the LAN side of the machine.

                    Regards

                    Nick

                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.