Netgate Discussion Forum
    DHCP requests across firewall

    DHCP and DNS
    66 Posts 3 Posters 14.8k Views
    technical ownage

      I'd love to, but if all my wireless is on one network/segment, then I can't have custom content filtering per WAP. For example: one access point will have filters that block adult content, whereas the other will not for those spicy/naughty situations.

      Programming today is a race between software engineers striving to build bigger and better idiot-proof programs, and the Universe trying to produce bigger and better idiots. So far, the Universe is winning.

      johnpoz LAYER 8 Global Moderator

        "then I can't have custom content filtering per WAP"

        Access points don't do content filtering..  if they are doing any sort of content filtering then you must be using them in NAT mode as a wifi router

        What are these devices that you're calling WAP that do content filtering?  Why would you not do the content filtering at pfsense, where you can setup rules based upon IP or authentication.  So adults can auth no matter what machine they are on and surf porn, while kids no matter what machine they are on could only get Nickelodeon and the Disney page..

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        technical ownage

          Of course the WAPs don't do content filtering, and even if they did, then what subnet it's on wouldn't make a difference anyways.

          I meant, I have content filters ON PFSENSE attached to one subnet and not the other. Therefore, all of one subnet has content filtering, and subsequently the WAP connected to that subnet, and the other subnet does not.

          But I'm just going to guess you'll suggest a better method where they can be on the same subnet, that I'm most likely not aware of.

        johnpoz LAYER 8 Global Moderator

            Yes as I already stated you can do content filtering based upon source IP or based upon auth.

            If you isolated your wifi to its own segment then you can firewall devices on your wifi network from accessing stuff on your wired lan.. How you have it, anyone on your wifi network can do anything they want to your wired devices.

        technical ownage

              If the WAPs are on the same subnet, and the subnet is getting IPs from its respective scope on the DHCP server, how can I filter by IP? Won't it be assigned randomly?

        johnpoz LAYER 8 Global Moderator

                Normally yes, which is why you would setup a reservation or static.. This is easily done in both windows dhcp and pfsense dhcp.

                You setup a reservation so that client with specific mac address always gets IP a.b.c.d, if you don't have that mac address you don't get that IP.

        technical ownage

                  What about a client that frequently switches between wired and wireless, for example: a laptop. How would you get around the issue, which is identical to the one I'm having now with the wireless device?

        johnpoz LAYER 8 Global Moderator

                    So you have a reservation for their wired and their wireless mac – that was hard ;)

                    Wireless address 192.168.2.42, wired address 192.168.1.42

        technical ownage

                      You aren't seeing my problem, the clients aren't getting a different IP when they switch between them. They keep the IP of the first one they joined and thus can't join the other.

        johnpoz LAYER 8 Global Moderator

                        "They keep the IP of the first one they joined and thus can't join the other."

                        Do they ask for a new one?  I switch between 2 different wireless networks.  I have my normal wireless 192.168.2.0/24 and then I have a guest wireless on different vlan 192.168.4.0/24.  When I connect to the different wireless it changes to that network segment with different IP.  This is on multiple devices by all makers.  Your client when switching to new wireless network should ask for new IP..  Your dhcp server would see the discover and give it an IP.  Sniff on pfsense for dhcp - what are you seeing when the wireless device moves from network A to B?

                        Are you using the same ssid on these networks?  Does your client ask for a new IP?

                        Did you change back to running the dhcp server on pfsense for your other segment?  You do understand ALL your issues go away if you just use 1 segment for wireless, be it bridged to one of your wired networks or on its own segment.

                        Ok - let's just get to the bottom of your problem, I am getting bored with this nonsense..

                        So we have
                        NetA 10.1.1.0/24
                        NetB 10.1.2.0/24

                        Mask is /24 or what??  These networks do not overlap??

                        What are the SSIDs of these networks.  And let's be clear we are using your "WAP" as AP.. they are not natting wifi routers that you are natting with??  What devices are these, you have their dhcp servers OFF and connected to your different wired networks via their lan ports..

                        And you're not connecting both interfaces on pfsense to the same switch and thinking you can run 2 different segments?

                        So you have this??  See attach.

                        Please post your firewall rules on both the networkA and networkB interface.  Please post the IP addresses you have setup on your network a and b interfaces on pfsense.  Please post what IPs you have on these AP of yours.  And please let's see an ipconfig /all on the device when on network A and then let's see when you move it to network B and you do an ipconfig /renew or /release and then renew.

                        This is really basic stuff.. While I think it's completely pointless to be running wireless on 2 different segments where they are bridged to 2 different wired networks..  You can for sure have multiple wireless networks with different networks on them and switch between them..  So more than happy to figure out what you're doing wrong in your setup.

                        But need DETAILS or we will continue to go round and round and round..  Please point out anything I have wrong in the drawing and your IPs and such for your 2 pfsense interfaces and your AP and I will add them..

                        edit: here I connected to my guest ssid and then connected to my other ssid.. See how it got a new lease with new IP and info.  I can duplicate your setup pretty quickly by just enabling scopes on a 2k12r2 vm and setting up relay just like you were going to setup.. But did you go back to running dhcp on pfsense?

                        edit2:  Trying to duplicate this with a relay setup and windows dhcp server on a different segment.  You really need to do a sniff on your dhcp server - while I see it getting the discover from the right segment, in my case 192.168.4.0/24 – it was sending the offer from the 192.168.2.0 pool??  When I turned this pool off, it would never send anything even though it was clearly getting the relay from the correct segment.. Will have to play with this a bit more but that would explain your problem I think??  I had to turn my dhcp servers back on, it was starting to cause problems with my devices ;)

                        Attachments: dhcpissue.png, differentwifinetworks.png

        technical ownage

                          I was just about to provide everything you asked for, but then I saw your edit. That is identical to the problem I'm having. The request is coming from the right segment, but it's getting the info from the wrong scope. IE: Request is coming from 10.1.2.0/24 and is being given info from 10.1.1.0/24 scope. Any updates? Still want all the info?

                          Also, the DHCP Windows Server is 10.1.1.100

        johnpoz LAYER 8 Global Moderator

                            Did you do a sniff on the server like I suggested?  I just did a better look-see at what was happening, and trying to test via wireless, my vm running the dhcp server was seeing both a discover from the AP and one from the relay, from the same mac and with the same transaction ID.. So it only sends from the first one it sees, which because it was not relayed will always be first.

                            I have to set up a way to actually duplicate your setup..  So have to fire up another AP or will completely disrupt my network vs just turning off a dhcp server for a few minutes to test your setup.

        technical ownage

                              Haha, bringing the thread back.

                              So, how does one fix the problem of having discover requests from both the AP and relay?

        technical ownage

                                Hey @johnpoz, thought I'd bring some closure to this. Basically, I had a superscope for the NetA and NetB scopes, which apparently is a big no-no. That's the issue! Devices can now openly switch between WAPs and therefore subnets and therefore scopes. Thanks for all the help man!

        johnpoz LAYER 8 Global Moderator

                                  superscope - never saw the purpose for them to be honest.  That is for when you're running multiple address spaces over the same physical network.. Which is stupid to do in the first place ;)

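To make the two findings in this thread concrete (the same DISCOVER reaching the server twice, once from the AP's segment and once via the relay, and a superscope handing out NetA addresses for requests relayed from NetB), here is an added Python model of server-side scope selection. It is not code from the thread or from Windows DHCP; the superscope walk order, the free-lease counts and the relay address 10.1.2.1 are assumptions made for the example.

```python
import ipaddress

# Constructed to match the thread: NetA 10.1.1.0/24 (the Windows DHCP server sits here)
# and NetB 10.1.2.0/24, which only reaches the server through the pfSense relay.
SCOPES = {
    "NetA": ipaddress.ip_network("10.1.1.0/24"),
    "NetB": ipaddress.ip_network("10.1.2.0/24"),
}
UNSPECIFIED = ipaddress.ip_address("0.0.0.0")


def select_scope(giaddr, receiving_net, superscopes, free_leases):
    """Name of the scope an OFFER would be drawn from, or None.

    giaddr        relay agent IP from the DISCOVER ("0.0.0.0" when not relayed)
    receiving_net subnet of the server interface the DISCOVER arrived on
    superscopes   {superscope_name: {member scope names}} (assumed model, see below)
    free_leases   {scope_name: number of free addresses}
    """
    gi = ipaddress.ip_address(giaddr)
    # RFC 2131 4.3.1: choose the subnet from giaddr when relayed, else from the interface.
    anchor = gi if gi != UNSPECIFIED else receiving_net.network_address
    home = next((n for n, net in SCOPES.items() if anchor in net), None)
    if home is None:
        return None
    # Plain scopes: only the home scope is allowed to answer.
    candidates = [home]
    # Superscope model (assumption): all member scopes count as one physical network, so
    # the first member with a free lease answers even when it is not the relay's subnet.
    for members in superscopes.values():
        if home in members:
            candidates = sorted(members)
    return next((n for n in candidates if free_leases.get(n, 0) > 0), None)


def duplicate_xids(discovers):
    """Transaction IDs seen both directly (giaddr 0.0.0.0) and via a relay: the same
    DISCOVER arriving twice, where the server answers whichever copy came first."""
    direct = {x for x, gi in discovers if ipaddress.ip_address(gi) == UNSPECIFIED}
    relayed = {x for x, gi in discovers if ipaddress.ip_address(gi) != UNSPECIFIED}
    return sorted(direct & relayed)


if __name__ == "__main__":
    leases = {"NetA": 200, "NetB": 200}
    # Relayed from NetB, arriving on the server's NetA interface: plain scopes pick NetB,
    # a superscope containing both picks NetA, which is the symptom described above.
    print(select_scope("10.1.2.1", SCOPES["NetA"], {}, leases))
    print(select_scope("10.1.2.1", SCOPES["NetA"], {"wifi": {"NetA", "NetB"}}, leases))
    print(duplicate_xids([(0x3903F326, "0.0.0.0"), (0x3903F326, "10.1.2.1")]))
```

Feeding the xid/giaddr pairs from a capture on the server into duplicate_xids is the check suggested in the thread: any xid it returns is a client the server heard both directly and through the relay.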
                                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.