Netgate Discussion Forum

Help with getting devices on different subnets to see each other

Firewalling
25 Posts 3 Posters 3.7k Views
jwalhous

      Hi Johnpoz,
You can ping the AirPort Express in pfSense from the OPT1 interface but not LAN.

      Regards
      Jamie

johnpoz (LAYER 8 Global Moderator)

So you have a gateway on the AirPort, pointing to the pfSense IP in that segment?

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

jwalhous

Yes, it's set to 192.168.9.1.

Derelict (LAYER 8 Netgate)

            Why do you always say that when there are clearly pointless rules..

            I didn't say anything because it isn't something keeping it from working.  He had pass any any rules higher.  That's all I'm concerned with.

            You can fine-tune his stuff with him.

            Chattanooga, Tennessee, USA
            A comprehensive network diagram is worth 10,000 words and 15 conference calls.
            DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
            Do Not Chat For Help! NO_WAN_EGRESS(TM)

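The "pass any any rules higher" remark is about first-match evaluation: rules on a pfSense interface tab are processed top-down and the first matching rule decides, so any rule placed below a pass-any-any rule on the same tab can never fire, while floating rules (which johnpoz asks about a few posts later) are checked before the interface tab. The block below is an added toy model of that evaluation order, not pfSense code and not from anyone in this thread. The OPT1 subnet (192.168.20.0/24), the LAN subnet (192.168.9.0/24, matching the addresses in the thread), the rule labels and the SMB floating rule are all constructed for the example, and floating rules are assumed to be marked quick.

```python
"""Toy first-match model of pfSense interface rules.

Added example for this thread, not pfSense code. Interface-tab rules are
evaluated top-down and the first match wins; floating rules marked 'quick'
are assumed to be checked before the interface tab (simplified model). With
no match at all, the implicit default deny applies. IPv4 only.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                  # "pass" or "block"
    proto: str                   # "any", "tcp", "udp", "icmp"
    src: str                     # CIDR or "any"
    dst: str                     # CIDR or "any"
    dport: Optional[int] = None  # None = any destination port
    label: str = ""


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


def _net(cidr: str):
    return ip_network("0.0.0.0/0") if cidr == "any" else ip_network(cidr, strict=False)


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return ip_address(pkt.src) in _net(rule.src) and ip_address(pkt.dst) in _net(rule.dst)


def first_match(floating: List[Rule], interface_rules: List[Rule],
                pkt: Packet) -> Tuple[str, Optional[Rule]]:
    """Return (action, deciding rule); ("block", None) means default deny."""
    for rule in list(floating) + list(interface_rules):
        if matches(rule, pkt):
            return rule.action, rule
    return "block", None


def shadowed(rules: List[Rule]) -> List[Rule]:
    """Rules that can never fire because an earlier rule on the same tab already
    covers every packet they could match (superset of proto, port, src and dst)."""
    dead = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if ((earlier.proto == "any" or earlier.proto == later.proto)
                    and (earlier.dport is None or earlier.dport == later.dport)
                    and _net(later.src).subnet_of(_net(earlier.src))
                    and _net(later.dst).subnet_of(_net(earlier.dst))):
                dead.append(later)
                break
    return dead


# Constructed OPT1 tab: the kind of pointless rule the thread is about.
OPT1_RULES = [
    Rule("pass", "any", "any", "any", label="Default allow OPT1 to any"),
    Rule("block", "any", "192.168.20.0/24", "192.168.9.0/24",
         label="Block OPT1 to LAN (never reached)"),
]
# Constructed floating rule, assumed to be marked quick.
FLOATING = [
    Rule("block", "tcp", "any", "192.168.9.0/24", dport=445,
         label="Floating quick: block SMB into LAN"),
]

if __name__ == "__main__":
    ping_lan = Packet("icmp", "192.168.20.50", "192.168.9.1")
    smb_lan = Packet("tcp", "192.168.20.50", "192.168.9.1", dport=445)
    print(first_match(FLOATING, OPT1_RULES, ping_lan))  # pass via the any/any rule
    print(first_match(FLOATING, OPT1_RULES, smb_lan))   # block via the floating rule
    print([r.label for r in shadowed(OPT1_RULES)])       # the block rule is dead
```

Swapping the two OPT1 rules makes `shadowed()` return nothing, which is the usual fix: the specific block goes above the broad pass. The model ignores states, direction and the other tabs pfSense consults, so treat it as a way to reason about rule order, not as a ruleset checker.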
johnpoz (LAYER 8 Global Moderator)

Well, makes no sense then; your rules look to be any any. pfSense would clearly know the networks it's attached to and you should be good. This is normally click click, all set.

              Do you have any rules in the floating tab that could be blocking the traffic?

So when you run a traceroute from a PC in LAN to your AirPort IP, for example, you see it hit your pfSense as its gateway, and then it just dies?

Example: here is from my LAN 192.168.9.0/24, pinging my WLAN controller on my WLAN segment 192.168.2.0/24.

You see it hit the pfSense IP on the LAN, 192.168.9.253, then the IP of the WLAN controller, 192.168.2.11.

C:>tracert -d 192.168.2.11

Tracing route to 192.168.2.11 over a maximum of 30 hops

  1    6 ms    <1 ms    <1 ms  192.168.9.253
  2    1 ms    1 ms    <1 ms  192.168.2.11

Trace complete.

Then in the other direction you will see it die after hitting pfSense in that segment, 192.168.2.253, because I do not allow traffic from my WLAN to my LAN.

user@uc:~$ traceroute -n 192.168.1.100
traceroute to 192.168.1.100 (192.168.1.100), 30 hops max, 60 byte packets
 1  192.168.2.253  0.668 ms  0.608 ms  0.433 ms
 2  * * *


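The two traces above show the diagnostic pattern johnpoz is describing: when the first hop (the pfSense address on that segment) answers and nothing after it does, routing is fine and something on pfSense is dropping the traffic. Here is an added example, not from the thread or from pfSense, that parses both Windows tracert and Linux traceroute -n output and names that pattern. It assumes numeric output (tracert -d / traceroute -n) and IPv4; the two captures are the ones quoted in the post above and the third, with no reply at hop 1, is constructed.

```python
"""Classify a numeric traceroute so the 'dies after hitting pfSense' pattern is explicit.

Added example for this thread; not pfSense code. Assumes numeric output
(Windows 'tracert -d' or Linux 'traceroute -n') and IPv4 addresses.
"""
import re
from typing import List, Optional, Tuple

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
TARGET = re.compile(r"(?:Tracing route to|traceroute to)\s+(\S+)")

# Two captures from johnpoz's post above, one constructed case (hop 1 never answers).
WINDOWS_SAMPLE = """\
Tracing route to 192.168.2.11 over a maximum of 30 hops

  1    6 ms    <1 ms    <1 ms  192.168.9.253
  2    1 ms    1 ms    <1 ms  192.168.2.11

Trace complete.
"""

LINUX_SAMPLE = """\
traceroute to 192.168.1.100 (192.168.1.100), 30 hops max, 60 byte packets
 1  192.168.2.253  0.668 ms  0.608 ms  0.433 ms
 2  * * *
"""

NO_GATEWAY_SAMPLE = """\
Tracing route to 192.168.9.1 over a maximum of 30 hops

  1     *        *        *     Request timed out.
  2     *        *        *     Request timed out.
"""

VERDICTS = {
    "reached": "destination answered; routing and firewall rules both allow the path",
    "stopped_after_gateway": "first hop (pfSense) answered, nothing beyond it: check the rules "
                             "on that interface tab, the floating tab, and captive portal",
    "gateway_silent": "no reply from hop 1: check the client's default gateway and the pfSense "
                      "interface address on that segment",
    "incomplete": "replies further along, then silence: look at the downstream device or "
                  "the destination host's own firewall",
}


def target_of(text: str) -> Optional[str]:
    m = TARGET.search(text)
    return m.group(1).strip("(),") if m else None


def parse_hops(text: str) -> List[Tuple[int, Optional[str]]]:
    """One (hop number, responding IP or None) per hop line, both layouts."""
    hops = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or not parts[0].isdigit():
            continue              # banner, blank line, "Trace complete."
        ips = IPV4.findall(line)  # latencies like '0.668' or '<1' never form four octets
        hops.append((int(parts[0]), ips[-1] if ips else None))
    return hops


def classify(text: str) -> str:
    target = target_of(text)
    ips = [ip for _, ip in parse_hops(text)]
    if not ips:
        return "incomplete"
    if target and ips[-1] == target:
        return "reached"
    if ips[0] is None:
        return "gateway_silent"
    if len(ips) > 1 and all(ip is None for ip in ips[1:]):
        return "stopped_after_gateway"
    return "incomplete"


if __name__ == "__main__":
    samples = (("windows", WINDOWS_SAMPLE), ("linux", LINUX_SAMPLE),
               ("no-gateway", NO_GATEWAY_SAMPLE))
    for name, sample in samples:
        verdict = classify(sample)
        print(f"{name:11} {verdict:22} {VERDICTS[verdict]}")
```

Feed it the text of your own trace (for example via `classify(open("trace.txt").read())`) and compare the verdict with what the thread says: "stopped_after_gateway" from LAN toward OPT1 is the symptom Jamie had, and it points at pfSense rather than at the switch or the AirPort.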
jwalhous

Thanks everyone for your help, I finally got it working. I had captive portal turned on and had to add the IPs of LAN computers trying to access OPT1 computers/devices.
                The Sonos won't work on a different subnet so I will need to try and move it onto the 192.168.9.0 range.
                Now that I have it working I will need to look at locking it down from some computers/devices.
How secure is the captive portal? If I turn off my Wi-Fi password, how likely is it that someone could bypass it?

                Regards
                Jamie

Derelict (LAYER 8 Netgate)

How secure is the captive portal? If I turn off my Wi-Fi password, how likely is it that someone could bypass it?

                  Captive portal does nothing to protect the assets on the local subnet.


jwalhous

I'm looking at locking down the access from OPT1 to LAN now, seeing it's working. I'm looking at only giving access to the LAN from OPT1 for certain hosts, and just wondering if the captive portal can be easily bypassed.
I'm using my Windows server to auth users through the captive portal, and currently have a password on the Wi-Fi. If I remove the Wi-Fi password, can people easily bypass the captive portal and connect through my internet connection? If they can, I will just leave the Wi-Fi password on.

                    Cheers
                    Jamie

Derelict (LAYER 8 Netgate)

                      Well, you have a problem.  Captive portal has nothing to do with what the firewall will allow from OPT1 to LAN.  That traffic is still governed by the firewall rules on OPT1.

                      Captive portal can make it easier to filter on MAC addresses, but MAC addresses can be spoofed so that adds no real security.

                      The OPT1 firewall rules can filter on IP address, but anyone can just statically assign an IP address so that provides no real security.

                      It sounds like you are trying to make OPT1 both a trusted and an untrusted network.  That simply cannot be.

                      That said, allowing access to "certain hosts" and allowing access to those hosts with users who successfully authenticate to AD are two completely different things.

                      If you can leave your Wi-Fi secured with WPA2 why would you make the network open?

                      I am also unclear on what you're trying to accomplish.  First you talk about "locking down access from OPT1 to LAN" then talk about "connect through my internet connection."  What is it, exactly, precisely, in detail, that you're trying to do?


Derelict (LAYER 8 Netgate)

I had captive portal turned on

And that, my good friend @johnpoz, is why I decided to stop worrying about things that don't really matter to the question at hand. Would have been two pages of crap about the nuances of firewall rule order when in actuality OP had CP enabled, without saying so, on OPT1.


jwalhous

Hi, I'm happy for users who auth through captive portal to have access to my internet, and also for some users who auth to be able to access my LAN.
Just wondering if there was a way that someone could bypass the captive portal and use my internet or connect to my LAN.
I don't want my users to also need to enter a Wi-Fi password, if possible, as well as auth through captive portal.
If there is a risk they can bypass the captive portal somehow then I guess it's a silly idea and I will forget about it; just wondering at this stage, that's all.

                          Cheers
                          Jamie

Derelict (LAYER 8 Netgate)

With WPA2 there's little need for captive portal in a casual environment now, is there?


jwalhous

                              Thanks Derelict, I appreciate your advice and help :-)

                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.