Netgate Discussion Forum
    Separate LAN and WLAN

bobgoblin

imWACCo, on your interface it should show something like this: 192.168.2.1/24. That 24 stands for 255.255.255.0. It is used as a shorthand for subnetting. You can set your wifi address as 192.168.0.1/24 and then your lan as 192.168.1.1/24. Then on any device you connect to your wifi or lan just go into your network settings and change the subnet to 255.255.0.0 or /16. This will allow any device to see other devices on your network if that is something you want to do.

imWACCo

        @bobgoblin Thank you for your reply

        For the most part I want to keep the two apart. I have a NAS and shares. I don't want my step-daughters friends to infect my systems.

        After I tell the LAN to see all of it, how do I tell it to keep them apart?

bobgoblin

OK, to do this just set your wlan interface as 192.168.0.1/24. This is also just an example, you can use anything you want. This will give any laptop or device that connects to it a 192.168.0.x ip address. Then set your Lan address as 192.168.1.1. This will give any system plugged into it a 192.168.1.x address. They will be separated so you don't have to worry about any device going back and forth. If you have a personal laptop or device you want to see both networks, set your personal IP address with a subnet of 255.255.0.0. Or /16 if using Linux.

Derelict LAYER 8 Netgate

            No. That is horrible advice and likely will not even work.

            How have you put your network together?

            How many ethernet interfaces does your pfSense have?

            What kind of switch are you using to connect the DD-WRT devices?

            What do you want devices connected to Wi-Fi to have access to besides the internet? (think local things here - like printers perhaps)

            Chattanooga, Tennessee, USA
            A comprehensive network diagram is worth 10,000 words and 15 conference calls.
            DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
            Do Not Chat For Help! NO_WAN_EGRESS(TM)

bobgoblin

That is the easiest and most direct approach. If he is asking about a Lan and wlan then I would imagine he has at least 3 interfaces. And if he is trying to keep the networks segregated then it will be perfect. Network+ setup.

Derelict LAYER 8 Netgate

                @bobgoblin:

                That is the easiest and most direct approach. If he is asking about a Lan and wlan than I would imagine he has at least 3 interfaces. And if he is trying to keep the networks segregated then it will be perfect. Network+ setup.

                It is nothing of the sort. I have no idea what you think will be gained by setting a management workstation to /16.

                It is better to ask than to imagine.

bobgoblin

Having a management station set as /16 gives that device the ability to see all systems on both networks. An easy Nmap scan will show you all of the devices. He will be able to use that laptop or device to connect to devices on both subnets. As he already stated, he has a NAS setup on one network and wants a segregated network for, let's say, guests and family. And yes, it's an easy setup. Takes maybe 10 to 15 seconds and everything can be up and working. I have the same thing at my house and it works just fine.

Derelict LAYER 8 Netgate

                    That is not at all how it works with 192.168.1.0/24 and 192.168.2.0/24 as routed networks on two interfaces.

                    The only way that would have any hope of working would be if both routed interfaces were patched to the same broadcast domain, in which case it provides no security at all. That and the /16 broadcast address would not match the broadcast address of either /24 so weird stuff would fail at weird times for (to the uninformed) weird reasons.

                    Not to mention having two DHCP servers on the same broadcast domain. Hilarity will follow.

                    First step to getting out of a hole is to stop digging.


Derelict LAYER 8 Netgate
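The point Derelict is making above (a /16 mask on a host does not reach a second routed /24, and its broadcast address does not match the segment's) can be checked mechanically. The following is an added example, not code from the thread or from pfSense; the two-NIC topology, addresses and the assumption that the router does not proxy-ARP for addresses on its other interface (the pfSense/FreeBSD default) are mine, chosen to mirror the thread's numbers.

```python
"""Added example (not from the thread): what a host's netmask actually decides.

Topology assumed for illustration: a router with two NICs,
  LAN  192.168.1.1/24 on NIC 1,  WLAN 192.168.0.1/24 on NIC 2,
each NIC on its own switch, so each is a separate L2 broadcast domain.
The only thing a host's netmask changes is its "is this destination
on-link?" test, which decides whether the host ARPs for the destination
itself or hands the packet to its default gateway.
"""
from ipaddress import IPv4Address, IPv4Interface, IPv4Network


def next_hop(host: str, dst: str, gateway: str) -> str:
    """The host's forwarding decision, driven purely by its configured mask."""
    if IPv4Address(dst) in IPv4Interface(host).network:
        return "arp-direct"          # host will ARP for dst on its own segment
    return f"gateway {gateway}"      # host sends the packet to the router's MAC


def arp_resolves(segment: str, dst: str) -> bool:
    """ARP is link-local: only a host on the same segment can answer.
    Assumption: the router does not proxy-ARP (pfSense/FreeBSD default)."""
    return IPv4Address(dst) in IPv4Network(segment)


def reachability(host: str, host_segment: str, dst: str, gateway: str) -> str:
    """Outcome of 'host tries to talk to dst' for the given configuration.
    host is 'addr/prefix' as configured on the host; host_segment is the
    real /24 behind the NIC the host is cabled to."""
    hop = next_hop(host, dst, gateway)
    if hop == "arp-direct":
        if arp_resolves(host_segment, dst):
            return "delivered on-link"
        return "FAILS: ARP for dst never answered, packet never leaves the host"
    return "routed: the router's firewall rules decide"


def broadcast_mismatch(host: str, segment: str) -> tuple:
    """Broadcast address the host computes from its mask vs. the one the
    segment really has.  A mismatch is why broadcast-based things (DHCP,
    discovery protocols) fail intermittently on a mis-masked host."""
    return (str(IPv4Interface(host).network.broadcast_address),
            str(IPv4Network(segment).broadcast_address))


if __name__ == "__main__":
    gw = "192.168.1.1"
    wifi_client = "192.168.0.50"     # constructed: a laptop on the WLAN side
    for mask in ("24", "16"):
        h = f"192.168.1.5/{mask}"
        print(f"{h} -> {wifi_client}: {reachability(h, '192.168.1.0/24', wifi_client, gw)}")
        print("   broadcast host/segment:", broadcast_mismatch(h, "192.168.1.0/24"))
```

Run it and the /16 host loses the ability to reach the Wi-Fi side precisely because it now thinks 192.168.0.50 is on-link and never sends the packet to the router; the /24 host hands the packet to the gateway, where the interface firewall rules, not the mask, decide whether it gets through.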

                      You would do well to listen instead of clicking smite, bro.

bobgoblin

Well, first off, I did not click smite. To be honest I didn't even know that existed till you said it. Secondly, I was taking a screenshot of my personal home network where I have this exact same setup. Now I am using two different lan cards but it applies all the same for a lan and a wlan. See attached pictures. I also have my linux box set up as my management box that can see both interfaces. I have a firewall set up on both devices and both interfaces hand out DHCP addresses starting from .100-.200. I assign my personal computer as .5 for shits and giggles.

                        :~$ ping 192.168.1.1
                        PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data.
                        64 bytes from 192.168.1.1: icmp_seq=1 ttl=64 time=0.267 ms
                        64 bytes from 192.168.1.1: icmp_seq=2 ttl=64 time=0.238 ms
                        ^C
--- 192.168.1.1 ping statistics ---
                        2 packets transmitted, 2 received, 0% packet loss, time 1000ms
                        rtt min/avg/max/mdev = 0.238/0.252/0.267/0.021 ms

                        :~$ ping 192.168.0.1

                        PING 192.168.0.1 (192.168.0.1) 56(84) bytes of data.
                        64 bytes from 192.168.0.1: icmp_seq=1 ttl=64 time=0.293 ms
                        64 bytes from 192.168.0.1: icmp_seq=2 ttl=64 time=0.315 ms
                        ^C
                        --- 192.168.0.1 ping statistics ---
                        2 packets transmitted, 2 received, 0% packet loss, time 999ms
                        rtt min/avg/max/mdev = 0.293/0.304/0.315/0.011 ms

                        As you can see from this output I can see both devices. Nothing goes up or down randomly.

Derelict LAYER 8 Netgate

                          And both of those interfaces are connected to the same unmanaged switch?

bobgoblin

                            No. They are different network cards on my server. If I had both of them plugged into the same switch that would create a network loop and nothing would work correctly.

Derelict LAYER 8 Netgate

                              Then your /16 "management" host would not work. You are confused about something. If you have pass any any rules on the interface your /16 host is on that's why you can access the other network. It has nothing to do with your /16.

                              The real tool here is separate interfaces with firewall rules preventing untrusted hosts from accessing things they shouldn't. Netmasks really don't come into play.


imWACCo
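Derelict's "real tool" is a per-interface rule set, and what decides whether a Wi-Fi client reaches the NAS is the order of those rules. The following is an added example, not from the thread and not pfSense code: a small first-match evaluator modelling how rules on the WLAN interface are applied to traffic entering that interface (pfSense rules are "quick", so the first match wins). The addresses, the TRUSTED alias and the rule set are constructed. Note that the trusted exception is keyed on IP addresses, since firewall rules match addresses rather than MACs; a static DHCP mapping is the usual way to pin a known device to one.

```python
"""Added example (not from the thread): per-interface, first-match
firewall rules decide what a Wi-Fi client may reach; the netmask does not.

Models rule evaluation on the interface where traffic enters.  All
addresses, the TRUSTED alias and the rules are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Set

WLAN_NET = IPv4Network("192.168.0.0/24")            # "WLAN net"
LAN_NET = IPv4Network("192.168.1.0/24")             # "LAN net" (NAS lives here)
FIREWALL = {IPv4Address("192.168.0.1"), IPv4Address("192.168.1.1")}   # "This Firewall"
TRUSTED = {IPv4Address("192.168.0.20")}             # alias: the one or two devices allowed everywhere


@dataclass
class Rule:
    action: str                       # "pass" or "block"
    src: object                       # IPv4Network, set of addresses, or "any"
    dst: object                       # IPv4Network, set of addresses, or "any"
    proto: Optional[str] = None       # None = any protocol
    ports: Optional[Set[int]] = None  # None = any destination port
    note: str = ""

    def matches(self, src: IPv4Address, dst: IPv4Address, proto: str, port: int) -> bool:
        def hit(addr, spec):
            return spec == "any" or addr in spec   # works for networks and sets
        return (hit(src, self.src) and hit(dst, self.dst)
                and (self.proto is None or self.proto == proto)
                and (self.ports is None or port in self.ports))


def evaluate(rules: List[Rule], src: str, dst: str, proto: str, port: int) -> str:
    """First matching rule wins; anything nothing passes is dropped."""
    s, d = IPv4Address(src), IPv4Address(dst)
    for r in rules:
        if r.matches(s, d, proto, port):
            return f"{r.action} ({r.note})"
    return "block (default deny)"


# Rules on the WLAN interface, evaluated top to bottom.  The blocks must sit
# above the catch-all pass, otherwise the catch-all swallows them.
WLAN_RULES = [
    Rule("pass", WLAN_NET, FIREWALL, "udp", {53}, "DNS to the firewall's resolver"),
    Rule("pass", TRUSTED, "any", note="trusted devices get full access"),
    Rule("block", WLAN_NET, LAN_NET, note="guests may not reach LAN (NAS, shares)"),
    Rule("block", WLAN_NET, FIREWALL, note="guests may not reach firewall management"),
    Rule("pass", WLAN_NET, "any", note="everything else, i.e. the internet"),
]

# The classic mistake: the catch-all pass moved to the top.
WRONG_ORDER = [WLAN_RULES[-1]] + WLAN_RULES[:-1]


if __name__ == "__main__":
    flows = [  # (src, dst, proto, port) - constructed sample traffic
        ("192.168.0.50", "192.168.1.10", "tcp", 445),     # guest -> NAS SMB
        ("192.168.0.50", "198.51.100.7", "tcp", 443),     # guest -> internet
        ("192.168.0.50", "192.168.0.1", "udp", 53),       # guest -> DNS
        ("192.168.0.50", "192.168.0.1", "tcp", 443),      # guest -> webGUI
        ("192.168.0.20", "192.168.1.10", "tcp", 445),     # trusted -> NAS
    ]
    for f in flows:
        print(f, "->", evaluate(WLAN_RULES, *f), "| wrong order:", evaluate(WRONG_ORDER, *f))
```

The same guest-to-NAS flow is blocked under WLAN_RULES and passed under WRONG_ORDER, which is the whole lesson: a "pass any" rule on the untrusted interface, whether typed deliberately or left over from the default LAN rule set, is what grants cross-network access, not a /16 mask on a client.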

                                @Derelict

                                How have you put your network together? See diagram

                                How many ethernet interfaces does your pfSense have? 2, one in (on-board NIC) and one NIC card out

                                What kind of switch are you using to connect the DD-WRT devices? All 4 DD-WRT are set to AP/dumb_switch, so one of the DD-WRT is the switch

                                What do you want devices connected to Wi-Fi to have access to besides the internet? For the most part, just internet. There are one or two that I want to have full access, but I assume that I can handle that with MAC rules

imWACCo

                                  Re: https://www.dd-wrt.com/wiki/index.php/Separate_LAN_and_WLAN

There are several iptables commands at the end of the page. Does this help?

Derelict LAYER 8 Netgate

Yeah, that gear cannot give you any isolation without going to VLANs on the DD-WRT devices. I will be zero help with that. Every time I try to DD-WRT something I brick it.

johnpoz LAYER 8 Global Moderator

dd-wrt can do some really neat stuff above and beyond anything the native firmware does. But if what you want is vlans for your different ssid, I really would suggest you get a real AP with vlan support, and then a switch with vlan support.

What specific version of dd-wrt are you running on what specific hardware? While dd-wrt may have support for vlans, from what I recall it did not work on all chipsets that dd-wrt ran on, etc.

Post your vlan setup you have set up on dd-wrt for at least your dd-wrt connected to pfsense and then a downstream AP..

Your vlans should be set up here.. With trunking on the ports that are your uplink, etc.

That being said, even if you get it to work.. I really would suggest you get a switch with real vlan support and an AP with support as well. This can be done on a very low home budget.. An 8-port gig switch with vlan support can be had for under $40, and an AC AP with vlan support from unifi is like $89 to start..

                                      An intelligent man is sometimes forced to be drunk to spend time with his fools
                                      If you get confused: Listen to the Music Play
                                      Please don't Chat/PM me for help, unless mod related
                                      SG-4860 24.11 | Lab VMs 2.8, 24.11

imWACCo

                                        @johnpoz

                                        Thanks for the feedback. Most of this is me not knowing what questions to ask. Now that I'm headed in the right direction (knock on wood) I think I can get this.

I'm studying up on VLAN, trunks, native, management, 802.1Q and why I should care.

                                        I think the hard part is going to be on the pfSense side. The pfSense Documentation site "VLAN Trunking" says "There is a lot more detail on VLANs…and more in The pfSense Book" then goes on to tell you how to set up your switch.

                                        So, if anyone knows of a good how-to once I get the trunk to pfSense, that would be a big help.

                                        What specific version of dd-wrt are you running on what specific hardware? All of them are running the firmware that's on the wiki:
                                            Linksys E800*
                                            Netgear WNR3500L (main switch)
                                            Linksys WRT54GL
                                            Also, a openWRT Linksys E1700, not on network yet.

                                        *only one not on the VLAN list. But I can restrict this one so that only I'm using.

imWACCo

                                          Well, sort of good news…

I just picked up a Cisco Catalyst 3560 PoE-48, for $20 USD

                                          Going to take me a week* to set up and get it running. But that should help things a lot.

                                          *I'm guessing here. Never had a real switch before.

johnpoz LAYER 8 Global Moderator

                                            you got a 3560 for $20??

Is it a G or just 10/100? Do you have any use for poe or 48 ports? You would have probably been better off getting a cheap gig switch, to be honest..

                                            As to pfsense being the hard part - yeah don't think so..  You add a vlan, give it tag ID..  It is now just like any other interface in pfsense.


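The "tag ID" johnpoz refers to, and the trunk/native-VLAN terms imWACCo is reading up on, are all about one 4-byte field inside the Ethernet frame. The following is an added example, not from the thread, pfSense or DD-WRT: a parser and builder for 802.1Q-tagged frames plus a function modelling how a switch port (access or trunk) classifies an incoming frame. The MAC addresses, VLAN IDs and frame bytes are constructed for illustration.

```python
"""Added example (not from the thread): the 802.1Q tag behind a pfSense
'VLAN with tag ID', and how access and trunk ports classify frames.

All frame bytes, MACs and VLAN IDs are constructed for illustration.
"""
import struct
from typing import NamedTuple, Optional, Set

TPID_8021Q = 0x8100        # EtherType value announcing a VLAN tag
ETHERTYPE_IPV4 = 0x0800


class Frame(NamedTuple):
    dst: str
    src: str
    vid: Optional[int]     # None = untagged frame
    pcp: int               # 802.1p priority, 0-7
    ethertype: int         # the real EtherType after the tag, if any
    payload: bytes


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def parse_frame(raw: bytes) -> Frame:
    """Split an Ethernet frame, extracting the 802.1Q tag if one is present."""
    if len(raw) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = raw[:6], raw[6:12]
    (ethertype,) = struct.unpack("!H", raw[12:14])
    vid, pcp, offset = None, 0, 14
    if ethertype == TPID_8021Q:
        if len(raw) < 18:
            raise ValueError("frame claims a VLAN tag but is truncated")
        tci, ethertype = struct.unpack("!HH", raw[14:18])
        pcp = tci >> 13            # top 3 bits of the TCI: priority
        vid = tci & 0x0FFF         # low 12 bits: the VLAN ID (1-4094 usable)
        offset = 18
    return Frame(_mac(dst), _mac(src), vid, pcp, ethertype, raw[offset:])


def tag_frame(dst: bytes, src: bytes, vid: int, ethertype: int,
              payload: bytes, pcp: int = 0) -> bytes:
    """Build a tagged frame.  The tag is inserted between the source MAC and
    the original EtherType, which is why a tagged frame is 4 bytes longer."""
    if not 1 <= vid <= 4094:
        raise ValueError("VID must be 1-4094 (0 = priority-only, 4095 reserved)")
    tci = (pcp << 13) | vid
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload


def classify_ingress(raw: bytes, pvid: int,
                     trunk_allowed: Optional[Set[int]] = None) -> Optional[int]:
    """VLAN a switch port assigns to an incoming frame, or None if dropped.
    Access port (trunk_allowed is None): untagged frames join the port's
    VLAN (pvid); tagged frames are dropped.  Trunk port: untagged frames
    join the native VLAN (pvid); tagged frames are accepted only for VIDs
    on the allowed list."""
    frame = parse_frame(raw)
    if frame.vid is None:
        return pvid
    if trunk_allowed is None or frame.vid not in trunk_allowed:
        return None
    return frame.vid


if __name__ == "__main__":
    bcast = b"\xff" * 6
    laptop = bytes.fromhex("001122334455")              # constructed MAC
    ip_hdr = b"\x45" + b"\x00" * 19                     # stand-in IPv4 header
    tagged = tag_frame(bcast, laptop, 20, ETHERTYPE_IPV4, ip_hdr)
    untagged = bcast + laptop + struct.pack("!H", ETHERTYPE_IPV4) + ip_hdr
    print(parse_frame(tagged))
    print("trunk (native 1, allows 10,20):", classify_ingress(tagged, 1, {10, 20}))
    print("access port in VLAN 30, tagged frame:", classify_ingress(tagged, 30))
    print("access port in VLAN 30, untagged frame:", classify_ingress(untagged, 30))
```

On the pfSense side this is exactly why "add a VLAN, give it a tag ID" is all there is to it: the parent interface is the trunk port, each VLAN interface receives the frames whose TCI carries its VID, and the switch end must list that VID as allowed on the uplink. The classifier also shows the defender's reason to care about the native VLAN: untagged frames arriving on a trunk silently land in the pvid VLAN, so a trunk's native VLAN should be one nothing sensitive lives on.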
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.