Lan Wifi Bridge Initial Protection? (NEWB help)
-
Thanks crew - I GREATLY appreciate the help.
Lots of great info here ;D
I will give the Johnpoz method another go.We keep a great deal of sensitive business documents, personal documents, family files, etc on a NAS. My paranoia for protecting the data grows by the minute.
My goal is to
1 - replace my dying dd-wrt router/laughable firewall with
2 - a much more secure router/firewall then
3 - make it even more robust via SNORT and maybe even SquidGuard -
In regards to network.
I currently have everything setup via SMB
Everything being a mix of different Linux Distros, Macs, Windows, and Android devices. -
Bridging a Wi-Fi adapter with a LAN port is a reasonable way to go on a small network if you MUST use an internal Wi-Fi adapter.
Far too many things use broadcasts or multicasts for zeroconf. Yes, you can get them mostly working anyway but why hassle it?
Set a strong WPA2 password and roll with it.
I understand the aversion to bridges. I also understand the thought process behind segmenting Wi-Fi from the rest of the network. But if a user just ends up with pass any any on the Wi-Fi interface because they got sick and tired of things not working what's to gain?
-
Setting LAN to 192.168.1.1/24, WiFi to 192.168.2.1/24, DHCP server on both…
I can access via a browser PFSENSE on 192.168.1.1 and TOWER on 192.168.1.122 from a WiFi Laptop.
...however...
SMB/Network browsing/mapping does not work so the crucial access to files is not available!Setting a BRIDGE so both LAN and WiFi both are on the 192.168.1.10-245 SMB/Network browsing/mapping works fine.
So it sounds like I have 3 options
- Use the $75 PFSENSE Store wireless in bridge mode - why is a bridge bad if the LAN firewall rules are applied to it?
- Use the $75 PFSENSE Store wireless in segmented mode - and get SMB browsing/mapping working - help?
- Buy a new wireless router and plug in the WAN of the Wireless router into a switch downstream of the PFSENSE LAN.
-
https://forum.pfsense.org/index.php?topic=81014.msg442131#msg442131
-
Why don't you just put wifi on its own segment/vlan – I just don't understand the fascination with bridging wifi to wired??
If you're using Windows in a home enviornment, the Windows firewall blocks certain aspects if it's not on the same subnet.
Since you can't expect to control every machine in a home network (to make the appropriate config changes to the windows firewall) as you could in an enterprise one, if you have Wired and Wifi on separate vlans, you prevent things such as ping/filesharing/etc between machines.I am currently using a bridge in this way for this reason, though, what I'll be doing as soon as I get my new switch (out of ports) is just moving my access point to a port off the main switch on my wired network and killing the bridge completely.
-
Thanks Derelict…
I guess I am still a bit unclear on what is the best route...
Johnpoz frowns upon bridging internal wireless and lan (why?)
Setting up SMB across a segmented network appears to be a PITAIf using an external wifi router will keep me on the same segment, fine. A bit of a shame to waste the $75 for the pfsensestore wifi card AND a chunk on a dd-wrt wifi router... BUT if this is the preferred method, fine.
any final words of wisdom before I pull the trigger on an external wifi router for wireless access to my LAN?
-
@Trell - I use a STRONG WPA password and do not give it out freely.
I need filesharing between a mix of LAN and WIFI devices in my home: MAC, Windows, Linux, and Android!
-
@Trell - I use a STRONG WPA password and do not give it out freely.
I need filesharing between a mix of LAN and WIFI devices in my home: MAC, Windows, Linux, and Android!
I was saying the same thing you were because I had to do the same setup, though I'd prefer just having my access point going off my switch, I was limited by ports during my initial setup.
-
If it were my network, I'd stick an external AP in for the family wireless stuff, and locate it where I got the best signal coverage. Then use the built-in wifi in the pfSense box for untrusted "guest" access.
You'd get the single broadcast domain wired/wireless family stuff you want, and if there's an occasion where you have someone over that needs wifi you give the the pfSense AP password.
Simple and clean.
-
If the bridged interfaces are working for you why are we still talking about it?
Your original question was if you needed to do anything other than rules on LAN. That answer is no.
-
I must have missed that. Oops.
Opinions on network designs are like as*holes. We all got em.Glad its working.
-
"Setting up SMB across a segmented network appears to be a PITA"
What.. I just showed you accessing a smb share over a segment.. There is NOTING too it.. open up tcp 445 is such a PITA..
-
@johnpoz. To define PITA:
With 'IPv4 TCP 445' 'pass all' '445 (MS DS)' on both LAN and WIFI I can PING across the segment fine.
Accessing a Windows share from Linux, Mac, Android works as before -> but I do not care about accessing a Windows share.Accessing a SMB share on my unraid NAS does NOT work. I can ping the IP, but any access attempt returns a Connection Time Out / Unable to Connect to the Server. Also, these SMB shares do not show up in the network browse.
-
Accessing a SMB share on my unraid NAS does NOT work. I can ping the IP, but any access attempt returns a Connection Time Out / Unable to Connect to the Server. Also, these SMB shares do not show up in the network browse.
Your nas device may have some time of network ACL you may need to configure.
Just a guess on my part. -
1 - Skipping the bridge as it appears some aversion to this exists (still researching why).
2 - Done messing with the segmented network, over 18 hours in tinkering and no joy on proper SMB/Network browsing across different base operating systems.
3 - Using a very cheap Wifi router with DD-WRT installed as per Derelict (thanks) - appears to work GREAT.I have a e4200 on the way along with some heatsinks and external antenna kit (6 High Gain Antennas [2x2dBi, 2x6dBi, 2x9dBi] and 6 U.Fl cables, 3 of them RG178 clip on with IPX connectors and 3 RG316 no connectors for soldering) to replace the $20 low range el cheapo special.
Thanks for all the help/advice/opinions.
-
1 - Skipping the bridge as it appears some aversion to this exists (still researching why).
For what it's worth, my aversions on the subject of bridging:
Bridging two ethernet router ports because someone is too damn cheap to buy a switch. You'd be surprised how often this brain damage comes up.
Also, for what it's worth, my aversions to built-in Wi-Fi cards:The support is getting better but is still YEARS behind what you get with something like a Ubiquiti and it will never compare with Ruckus/Aruba and, I guess, Aerohive/Cisco, etc.
Why wrestle with spotty support when you can just plug in an AP and be done? Any decent wireless router from a big-box store will make a better AP than a wi-fi card.
That, and you can't put the wi-fi and wired clients on the same subnet without a bridge… :)
-
Bridging: I have a SG100-16 unmanaged switch, populated with 6a cable, having long ago dismissed the desire for the router to pull switch duty too. Coming from the world of prosumer Routers with Lan and Wifi integrated into a single box, I ASSUMED the $75 add-on would not cause many issues.
Aversion: This I did NOT know and is a SOUND reason to avoid. You have also brought up a few companies I have never looked into - they appear to have VERY nice WLAN APs! If my Antenna/Heatsink/DD-WRT modded e4200 does not pass muster, I will likely check out the Ubiquiti AP.
Rather than waste the internal WLAN, I am setting up a guest network that only has access to the WAN. I will also put the few less secure devices onto this (Sony Blu-Ray/Netflix terminal).
Thanks again for the help EVERYONE :)
-
"Accessing a SMB share on my unraid NAS does NOT work. I can ping the IP, but any access attempt returns a Connection Time Out / Unable to Connect to the Server. Also, these SMB shares do not show up in the network browse."
Who gives a shit about network browse?? Come on really you don't know the name of your server? But if you want that to work then you have to have browse masters on both segments or use wins, etc.
Here is my ubuntu box run samba, can access it just fine from my dmz segment.. I had a windows 7 vm handy.. But this works just as easy from another linux box..
So put in the 1 firewall rule. As you can see try to net view and fail - then I auth as account and there you go net view works, net use works, and can connect and use the share just fine. Check with your nas maybe its not listening on 445 and using the old school netbios ports 137-139?
-
"Who gives a shit about network browse??"
My wife who is NOT techie, uses a Mac for personal work and a 8.1 machine for business -> all files saved to the NAS.
…It took me years to get her comfortable with using the NAS via SMB under network browse. She REFUSED to have backup software (after a Tech at her business said she should never use backup software (OMG)), so every-time she saved 'an important doc' she would rush to me and ask me to make a backup copy to the server. Typing the name of the server would result in a meltdown for her and persistent smb mapping is not stable on the MacI will double check the NAS SMB port as I do not like knowing WHY this has not been working, likely this upcoming weekend. For now the cheap WIFI AP plugged into the LAN via a Switch works fantastic.
Thanks again.
