New to PFSense…couple of questions
-
In talking to others, I don't think I'm needing to put the Control4 gear on separate VLAN.
Let's stick to the initial questions/needs for now I guess.
Again, those are setting up the two wifi networks on Unifi. One for me that accesses everything, and one for guests that ONLY accesses the internet.
I also want to leave the guest one unsecured, and use a captive portal to allow people on and monitor what they do while they're on. I want their authentication to be good for 6 hours, and then have to re-authenticate. In an ideal world, there would just be one password for every user and that password would change every 24 hours (and be emailed to my wife and I every day).
I really appreciate the help from everyone! The Unifi will be here tomorrow, and I'm excited to get things back up and running.
-
In talking to others, I don't think I'm needing to put the Control4 gear on separate VLAN.
I thought you had your C4 gear on a VLAN already. Leave it like it is.
My intention was more: If there's a VLAN already then take care about the ID in use and the routing between subnets.
-
UniFi units just showed up. I'll have some time to play with this tonight. Any pointers I can get between now and then on getting this setup would be great.
I'm mostly needing help on getting the Guest Wifi and Captive portal setup as described in my previous post.
Thanks so much!
Dan
-
Ok, as I'm sure you'll be aware the secret to doing anything like this is to do it one step at a time and test at each stage.
The problem you are going to have here is that as you configure the VLAN ports on the switch and the interfaces on the pfSense box you could easily end up losing connectivity to the webgui of both. Although I said earlier you should avoid having tagged and untagged traffic on the same NIC, I'm now thinking it will be much easier to configure that way. If you do have problems you can always switch to a two VLAN setup.
So your network will remain the same but you will add a VLAN that connects your guest wireless network to a new interface in the pfSense box.
I will assume your pfSense box is connected to port 1 on your switch. Connect the Unifi AP to a spare port on the switch, say port 24. This should be all that is necessary to start setting up the AP. I'm not familiar with the Unifi setup so refer to the manual. If it is set to receive an IP via DHCP by default you can check the pfSense DHCP leases to find it and connect right away, otherwise you will have to manually configure a machine to connect to whatever IP it's using. Either way go ahead and set it up, set a password, set an SSID, etc., check that you can connect to it and that wireless clients can connect to it and receive a DHCP lease from pfSense. Check they have internet access and can see other machines on the LAN. You may want to disable 'wireless client separation' in the AP. Once you have that all confirmed move on.
Now you can start at either end setting up the VLAN. In pfSense go to Interfaces: (assign): and go to the VLANs tab. Click the + to add a VLAN. Select your LAN interface as the parent. Choose a VLAN number other than 1, say 100. Enter a description.
Now go back to Interfaces: (assign): you will see a + has appeared, click it. You should now have a new interface, OPT1, that has 'VLAN 100 on ***' assigned to it. Go to Interfaces: OPT1: and enable the new interface, set its IP (maybe use 192.168.100.1) and remember to change the subnet to /24. Now go to Services: DHCP server: and enable the DHCP server on OPT1. At this point anything connecting to the LAN NIC with VLAN 100 tagged packets should receive an IP. You still need to add firewall rules to OPT1 to allow any traffic. In the Unifi AP configure a secondary SSID and set it to use VLAN_100. I'm not sure of the specifics here so refer to the manual!
In the switch configuration add ports 1 and 24 to VLAN 100.
Done. :) Clients connecting to the guest SSID should now receive an IP from pfSense in the OPT1 DHCP server range.
That last step I can easily see giving headaches though.
Steve
-
In the Dell switch interface for VLAN 2 (the new one I just made) do I want to TAG or UNTAG egress packets?
Setup was easy, but it may not be correct as devices trying to connect to the guest network never get assigned an IP address…
Under interfaces I have enabled the new interface (VLAN2GuestWireless) and under IPv4 configuration type I put DHCP.
I left everything else blank, except under DHCP client configuration, in the Alias IPv4 address field I put 192.168.2.1/24
-
One thing that is interesting is when I go to Services, and select DHCP Server I only see a tab for LAN, I don't see a tab for VLAN2GuestWireless like I would expect…I wonder why?
EDIT: So I changed the IPv4 Configuration type to Static IPv4. Now, when I go to Services: DHCP server there is a tab for VLAN2GUESTWIRELESS. I checked the box to "Enable DHCP server on VLANGUESTWIRELESS interface".
The subnet is listed as 192.168.2.0, the subnet mask is 255.255.255.0 and the available range is 192.168.2.1 - 192.168.2.254.
I set the range to 192.168.2.1 to 192.168.2.254.
However, when I try to connect, the device is never issued an IP address. I have the Dell switch set up to UNTAG the egress packets. I'll change that to TAG and see if it affects things.
-
Okay…so I changed the switch to TAG, and now devices are able to connect and are issued IP addresses in the 192.168.2.x range.
The only problem...they're not able to access the internet.
I did set up a rule in the firewall under VLAN2GUESTWIRELESS. In the rule I have Action set to Pass. The Interface is VLAN2GUESTWIRELESS. TCP/IP version is IPv4. Protocol is TCP (also tried ANY). I don't have any source, destination or port range selected.
I'm guessing my problem is here somewhere?
-
To just get internet access for guest clients you can copy the default LAN rule, just change the source from LAN net to VLAN2GUESTWIRELESS net. That should allow out all traffic, you can always tighten up the rules later. Are you seeing anything in the firewall logs to suggest traffic is being blocked?
The default dhcp range for LAN starts at 192.168.1.10 leaving some addresses at the low end free for adding static leases for servers, switches etc. You have started your DHCP range for VLAN2GUESTWIRELESS at 192.168.2.1. There are two potential problems with that. The interface address itself is 192.168.2.1. The default address of the switch webgui is 192.168.2.1.
I suggest you change the subnet of VLAN2GUESTWIRELESS to something other than 192.168.2.X. You could change the switch address but if you have to reset it ever you'll have problems again.
Steve
-
Thanks Steve. I changed the DHCP range to start at .100.
I had to change it from VLAN address to VLAN subnet and now it works.
-
Okay…so I set up a guest user and got the captive portal figured out...IT WORKS! I modified/personalized the HTML files for login and login error. I may tweak them more later, but they work good for now.
I just noticed though...I am now able to access all the stuff I don't want guests to be able to access. For example, I pinged one of my NAS drives that is at IP 192.168.1.210 and was prompted for the NAS credentials, and was able to pull it up.
I verified the device connected IP is 192.168.2.100.
So...I wonder why it's now able to see the 192.168.1.xxx network?
-
I know I'm generating a lot of posts here, and I'm sorry about that.
So, I edited the VLAN2GUESTWIRELESS Firewall rule and under Destination, I checked the NOT box, and selected the type "LAN Subnet".
This has appeared to effectively block being able to pull up any 192.168.1.xxx stuff. When you try to hit an IP on the 192.168.1.xxx LAN it eventually pops up with a page that says "This page cannot be loaded via this proxy.".
Is this the proper way to handle it?
EDIT: I was thinking about this as I drove in to work and I realized the better way may be to ONLY allow traffic to the WAN (as opposed to allowing all traffic that's NOT "LAN Subnet"). Would that be better?
-
The principle is good - you want to allow only the traffic that is wanted, and let the default block action drop everything else, whatever it is. The problem with that going out WAN is that actually you want VLAN2GUESTWIRELESS to be allowed to all public IPs out there on the internet - it is more difficult to specify all the possible public IPs than to specify "not the private IP subnet/s on your other LANs".
Your rule as-is does the job nicely. If you make more LANs in future, then you can make an alias containing all the LAN subnets you want blocked off - call it, say, ProtectedSubnets, then put !ProtectedSubnets in the destination of your general pass rule.
Or you can put a block rule before the pass rule. Make it block destination "LAN subnet" / "ProtectedSubnets".
More than 1 way to skin a cat.
-
Yes, I agree. What you have done is good.
One thing to be aware of is that you may (though it's not really a problem) not want wireless guests to be able to access the pfSense webgui. You can block access to it on the VLAN2GUESTWIRELESS interface easily enough but guests will still be able to access it on the WAN interface. That caught me out before I realised what was happening. Like I say though it's not much of a risk.
Steve
-
So you're saying I should also create a rule NOT allowing access to 192.168.2.1? Or anything on that subnet probably, right? I just want anyone connected to that to see the internet, and not be able to see each other.
-
Yes you probably want people on the guest wireless to access the public internet only. However they will need access to the dns forwarder at 192.168.2.1. Personally I have a rule that allows only traffic to !192.168.1.0/16 plus a rule to access the dns forwarder and a block rule to prevent access to the wan address.
Steve
-
Can you elaborate a little more please, especially on the last two? Maybe show me a screengrab of the rules? This is all new to me, including the terminology.
Thanks,
Dan
-
See attached screen shot of my firewall rules for the WIFI2 interface, which I use for guest wireless.
I have an alias set up that contains a list of my local subnets named LOCAL. In fact it just contains 192.168.0.0/16 because I was lazy creating it. ::) Looking at it again now I'm wondering if I could add the WAN address aliases to it. Hmm. Also I have two WAN interfaces so the loadbalanced gateway is specified in the allow rule.
Steve
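The guest-interface rule set Steve describes (block the WAN address, pass DNS to the interface address, pass anything whose destination is NOT in the LOCAL alias), as an added example that is not part of the thread: a small first-match simulation of how pfSense walks those rules for a few packets from the guest VLAN. The 192.168.2.1 interface address, the 192.168.0.0/16 LOCAL alias and the NAS at 192.168.1.210 are from the thread; the WAN address 203.0.113.10 is a constructed placeholder.

```python
# Added example: first-match evaluation of the guest VLAN rule set discussed in
# the thread. pfSense evaluates interface rules top to bottom, first match wins,
# and anything unmatched falls through to the default block.
from ipaddress import ip_address, ip_network

LOCAL = [ip_network("192.168.0.0/16")]          # alias covering every local subnet
GUEST_IF = ip_network("192.168.2.1/32")         # VLAN2GUESTWIRELESS interface address
WAN_ADDRESS = ip_network("203.0.113.10/32")     # constructed placeholder for the WAN IP

# Each rule: (action, protocol, destination networks, destination port, negate_dest).
# The WAN-address block must sit above the !LOCAL pass, because a public WAN
# address is not in LOCAL and the pass rule would otherwise let it through.
GUEST_RULES = [
    ("block", "any", [WAN_ADDRESS], None, False),   # no webgui via the WAN address
    ("pass",  "udp", [GUEST_IF], 53, False),        # DNS forwarder on the interface
    ("pass",  "tcp", [GUEST_IF], 53, False),
    ("pass",  "any", LOCAL, None, True),            # !LOCAL: public internet only
]


def matches(rule, proto, dst, dport):
    """True if the packet (proto, dst, dport) hits this rule."""
    _action, rproto, nets, rport, negate = rule
    if rproto != "any" and rproto != proto:
        return False
    in_nets = any(dst in n for n in nets)
    if in_nets == negate:            # a negated destination flips membership
        return False
    return rport is None or rport == dport


def evaluate(proto, dst_ip, dport=None):
    """Return 'pass' or 'block' for a packet leaving the guest VLAN."""
    dst = ip_address(dst_ip)
    for rule in GUEST_RULES:
        if matches(rule, proto, dst, dport):
            return rule[0]
    return "block"                   # pfSense default deny when nothing matches


if __name__ == "__main__":
    for pkt in [("tcp", "192.168.1.210", 445),   # the NAS from the thread
                ("udp", "192.168.2.1", 53),      # DNS to the interface address
                ("tcp", "192.168.2.1", 443),     # pfSense webgui on the guest interface
                ("tcp", "203.0.113.10", 443),    # webgui via the (placeholder) WAN address
                ("tcp", "198.51.100.7", 443)]:   # an arbitrary public host
        print(pkt, "->", evaluate(*pkt))
```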
-
This is all really over my head…LOL.
So, I edited the "no GUI" rule and just blocked all traffic on the guest WiFi VLAN that was going to 192.168.2.1. Works great. I can still access it if I want to (why would I?) from the main network, but you can't access it from the guest network.
Next goal, and maybe you can help me with this, is to somehow restrict the websites my kids can go to on their new iPads (Christmas gift).
My initial thought is that I create a 3rd WiFi network for them. Currently I have HH-Secure and HH_Guest. I'm thinking of adding HH-Kids. Is there an easier way though?
What I want to do is whitelist a small group of websites that they're allowed to go to. Ideally if they try to go to a website that IS NOT on the whitelist, they will be prompted for a username/password to add that site to the whitelist. This way when my wife realizes they want to go to "CoolNewCartoon.com" and she determines it's safe, she can quickly just give them access on their device without me having to edit the firewall rules. Is that even possible?
I think I'll start a new thread for that, as it may be relevant to others as well.
-
You would usually do that with Squid and Squidguard (or Dansguardian) but if you have a sufficiently small number of sites you might just do it with firewall rules or some sort of captive portal exceptions list. To be honest it might be easiest to do it directly on the iPad, I'm sure there are any number of parental restriction apps available (there are for Android certainly).
Interesting what you say about your firewall rule. So you have blocked access to the host interface completely but DNS queries are still getting through? Hmm, been a while since I set mine up. Might have been under pfSense 1.2.3 and a lot has changed since then.
Steve
-
I'm going to be honest Stephen. I have no idea what the last paragraph/sentence of your post means.
I don't know how long the list of sites will be, or end up being. I'm most interested in the ability for the kids to try and view a site for the first time, IE: disney.com, and it prompting for a username/password. My wife can then decide if she wants that to be a site they can access, and if so…she can fill out whatever credentials are required (on the device, in this case, the kids' iPad) and they will be allowed to access that site from that point forward.
Does that make sense?