Direct all traffic from VLAN to another host
-
Hi,
i have got a multi SSID access point. One SSID is for my colleagues notebook.
All traffic from this SSID is getting tagged with a vlan and the clients can reach the pfsense and other networks.So far so good.
Now i need a rule or are static route, because i want to direct all traffic with this vlan tag to another host (Gateway).
What can i do?
-
If that VLAN has its own subnet on the pfSense, then you will know the IP addresses on that VLAN - e.g. 192.168.12.0/24
Add the gateway to whatever interface it is on.
Add a firewall rule to the VLAN interface directing source 192.168.12.0/24 destination any to the Gateway (down in Advanced Features of Firewall Rules).
Maybe it is not that simple - maybe you have a subnet bridged between VLANs or something, in that case it is trickier to know which IP address goes with which VLAN. -
Yes, the vlan have its own subnet. In my case:
net: 10.0.30.0/24
default-gw: 10.0.30.1the alternate gateway in my test environment is 10.0.30.2
So is right?
http://picload.org/image/dwwipwd/gw-vlan.png -
Yes, that should work, but since the other gateway is in the same subnet as the the clients and access point, the router will end up sending redirects back to the client, letting it know that the gateway is directly reachable by the client (e.g. client 10.0.30.111 can talk directly to 10.0.30.2, and the gateway router at 10.0.30.2 will talk directly back to the client - bypassing pfSense). That should all happen OK.
I guess that on this wireless AP the clients are all getting IP address from DHCP on pfSense. Another easy way to redirect them in this case is to put the gateway address in the DHCP Server config (and maybe also put it in as a DNS Server, if 10.0.30.2 provides DNS and you also want the clients on that VLAN to use 10.0.30.2 for DNS).
Then there is no need for a firewall rule, and the clients will go straight to 10.0.30.2 without even having to send initial packets to pfSense at 10.0.30.1. -
Okay i understand,
Yesterday i tried to set the gateway by the DHCP, with success. But what is with clients they have configured the ip manually?
I think i will block all other traffic to 10.0.30.1 by simple firewall rules and set the gateway still by dhcp.Do you think this is a secure way for my networks?
Later, after testing in my test environment, i want to send the dhcp information through my MS TMG (DHCP Relay) from my intern dhcp server for the dhcp discover of the wlan clients. The tagged traffic gets route trough the TMG in my intern network. The MS TMG is checking for trustworthiness (AD Membership).
Do you think this is a secure way to connect the wlan clients to my intern networks? To join the wlan the clients using wpa2 with radius authentication (MS Windows Server NPS/NAP with AD integration)