Netgate Discussion Forum
    Access point and clients which can only use the internet

    • A
      Artefakt

      Hi,

      I have a pfSense router (IP 192.168.0.254, works as internet router over DSL). Works great. Now I want to integrate a little access point I bought (Edimax) to access the internet (IP 192.168.0.2).
      With this access point I want the clients to get an IP address from the DHCP server (Win 2003, IP 192.168.0.1) and to be able to connect to the internet.
      I don't want the clients of the access point to use the local network; only internet over the pfSense router is allowed.

      Which rules must I add to the firewall so that the clients connected via 192.168.0.2 can get a DHCP address from the Windows server and can connect to the internet?

      Or is it better to connect the access point to the second LAN port of my pfSense ALIX and set up its own DHCP server on this port? How must I configure the LAN port to accomplish my task?

      Thank you.

      Arti.

      • P
        phil.davis

        Or is it better to connect the access point to the second LAN port of my pfSense ALIX and set up its own DHCP server on this port?

        Yes - you cannot stop the WiFi AP clients from trying to access hard-wired LAN devices if they are on the same physical network.

        How must I configure the LAN port to accomplish my task?

        Interfaces->Assign vr2 to OPT1.
        Interfaces->OPT1 - give it a static IP in a different private address space e.g. 192.168.42.1/24
        Enable DHCP Server on OPT1 with some range of addresses in 192.168.42.n
        Add rules on OPT1 to do what you want. Most likely you want OPT1 devices to access internet, but not pfSense webGUI or LAN - something like:

        • Pass IPv4 protocol TCP/UDP source OPT1net destination OPT1 address port 53 (DNS)
        • Block IPv4 protocol any source any destination OPT1 address (stop other access to OPT1 address - webGUI…)
        • Block IPv4 protocol any source any destination LAN net (stop access to LAN)
        • Pass IPv4 protocol any source OPT1net destination any (allow everything else - the public internet)

        Set the WiFi AP to an IP address in OPT1net so you can manage it (192.168.42.2) and plug a cable from it into OPT1.

        Connect a client to WiFi AP - it should get an IP address from pfSense OPT1 and work.

        As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
        If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/
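
The rule order in the answer above, worked through as an added example (not part of the original post and not pfSense code): pfSense evaluates interface rules top-down and the first match wins, so this Python sketch replays the four OPT1 rules against constructed sample packets. The client address 192.168.42.50, the destination 203.0.113.10 and the function names are assumptions; the LAN is taken to be 192.168.0.0/24 from the question.

```python
import ipaddress

# Addressing: OPT1 192.168.42.1/24 as in the post; LAN assumed to be 192.168.0.0/24.
OPT1_NET = ipaddress.ip_network("192.168.42.0/24")
OPT1_ADDR = ipaddress.ip_network("192.168.42.1/32")
LAN_NET = ipaddress.ip_network("192.168.0.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")

# (action, protocols, source, destination, destination port), in the order
# listed in the post. None means "any".
RULES = [
    ("pass", {"tcp", "udp"}, OPT1_NET, OPT1_ADDR, 53),  # DNS to the firewall
    ("block", None, ANY, OPT1_ADDR, None),              # webGUI and the rest
    ("block", None, ANY, LAN_NET, None),                # wired LAN
    ("pass", None, OPT1_NET, ANY, None),                # everything else
]

def evaluate(rules, proto, src, dst, dport=None):
    """Return (action, rule number) of the first matching rule.

    Falls back to ("block", None) when nothing matches (default deny).
    """
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for number, (action, protos, src_net, dst_net, port) in enumerate(rules, 1):
        if protos is not None and proto not in protos:
            continue
        if src not in src_net or dst not in dst_net:
            continue
        if port is not None and dport != port:
            continue
        return action, number
    return "block", None

# Constructed sample traffic from a hypothetical WiFi client.
SAMPLES = [
    ("udp", "192.168.42.50", "192.168.42.1", 53),    # DNS query to pfSense
    ("tcp", "192.168.42.50", "192.168.42.1", 443),   # webGUI
    ("tcp", "192.168.42.50", "192.168.0.1", 445),    # Windows server on LAN
    ("icmp", "192.168.42.50", "192.168.0.254", None),  # pfSense LAN address
    ("tcp", "192.168.42.50", "203.0.113.10", 443),   # public internet
]

def run(rules=RULES):
    """Evaluate every sample packet against the given rule list."""
    return [evaluate(rules, *sample) for sample in SAMPLES]

if __name__ == "__main__":
    for sample, verdict in zip(SAMPLES, run()):
        print(sample, "->", verdict)
```

If the final pass rule is moved to the top of the list, the same evaluator passes the LAN-bound packets on rule 1, which is why the two block rules have to sit above it.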

        • A
          Artefakt

          Phil, thank you.

          Arti.

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.