WiFi AP not on lan - guest network isolation
-
Hi All,
I have a surplus wifi router, and I would like to add this as wifi AP to one of the spare ethernet ports on my Netgate SG-4860 box. I would like this to be set up so that it does not have any interaction with any of the other ethernet ports on the box, other than allowing traffic to the WAN.
My LAN port IP address is 192.168.2.1, and connects to a single box with address 192.168.2.2. I would like to connect a surplus WiFi router on interface OPT1, with a network of 192.168.4.0/24. The wifi router will handle DHCP for the 192.168.4.0/24 network. What do I do to set up the routing to prevent the traffic from the WiFi router on 192.168.4.0/24 from being able to access anything that goes through 192.168.2.0/24, but only go through the WAN?
Also, I would like to make sure that 192.168.4.0/24 cannot access the management interface. Does this need an additional firewall rule?
Thanks,
Tom
-
"The wifi router will handle DHCP for the 192.168.4.0/24 network"
Why would you do that? Just let pfsense hand out dhcp for this network that is attached to pfsense.. Seems pointless to let the old wifi router do it.. And most of the time their dhcp server doesn't have the ability to hand out a different router other than its own IP, etc.
Create your network on your opt interface.. Connect this to a LAN port on your old wifi router, turn off the wifi router's dhcp. Give its lan IP on this network, let's say 192.168.4.2/24, where the pfsense opt interface is 192.168.4.1/24
Now create the rules you want on the opt interface.
If you do not want it to get to management, then block management ports to the pfsense IP, or use the "this firewall" alias for all IPs..
Keep in mind that rules are evaluated top down, first rule to trigger wins. No other rules will be evaluated. So if you want these clients to use dns on pfsense you would allow that before your block rule to this firewall.. Allowing ping, for example, would also be above it.. So simple rules would be:
allow ping opt1 address
allow dns opt1 address
block lan network
block this firewall
allow any any

So now:
clients can ping 192.168.4.1
clients can ask 192.168.4.1 for dns
clients can not go to 192.168.2/24
clients can not hit any IP on the firewall for anything, be it lan ip, wan ip, or even opt IP.
clients can go to the internet doing anything else they might want.

One other thing to remember, many wifi routers do not allow you to set a gateway on their lan IP.. So you would not be able to manage it from your lan, ie hit the wifi router's web gui. So you would need to manage it from something on the wireless network 192.168.4/24, or you could source nat the traffic so it looks like your traffic from lan is coming from the opt1 address.
You only need to do that if your wifi router does not allow setting a gateway on its lan.. Many native firmwares do not - but if you're running 3rd party firmware you should be able to set the gateway.
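To make the "top down, first match wins" point concrete, here is an added example (not from this thread, and not pfSense code) that models the OPT1 rule set above and evaluates sample packets against it. It uses the thread's addresses (192.168.2.0/24 on LAN, 192.168.4.1 on OPT1); the WAN address 203.0.113.10 and the internet host 198.51.100.7 are constructed placeholders. It also shows what breaks if the "block this firewall" rule is moved above the DNS allow.

```python
"""Model of pfSense interface-rule evaluation: top-down, first match wins,
implicit block at the end. Added example, not the project's own code."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

OPT1_ADDRESS = ip_address("192.168.4.1")
LAN_NET = ip_network("192.168.2.0/24")
# "This Firewall" alias = every IP configured on the box (WAN IP is constructed).
THIS_FIREWALL = frozenset({ip_address("192.168.2.1"), OPT1_ADDRESS, ip_address("203.0.113.10")})


@dataclass(frozen=True)
class Packet:
    proto: str                 # "icmp", "tcp" or "udp"
    dst: str                   # destination IP as a string
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                          # "pass" or "block"
    name: str
    protos: Optional[frozenset] = None   # None = any protocol
    dst: object = None                   # None (any), frozenset of IPs, or ip_network
    dport: Optional[int] = None          # None = any destination port

    def matches(self, pkt: Packet) -> bool:
        if self.protos is not None and pkt.proto not in self.protos:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.dst is not None:
            addr = ip_address(pkt.dst)
            # ip_network supports "addr in net"; frozenset supports "addr in set"
            if addr not in self.dst:
                return False
        return True


def evaluate(rules, pkt: Packet):
    """Walk the rules in order and stop at the first match.
    pfSense interface rules end in an implicit default deny."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.name
    return "block", "default deny"


# The five-line rule set from the reply above, in the order given.
OPT1_RULES = [
    Rule("pass", "allow ping opt1 address", protos=frozenset({"icmp"}), dst=frozenset({OPT1_ADDRESS})),
    Rule("pass", "allow dns opt1 address", protos=frozenset({"tcp", "udp"}),
         dst=frozenset({OPT1_ADDRESS}), dport=53),
    Rule("block", "block lan network", dst=LAN_NET),
    Rule("block", "block this firewall", dst=THIS_FIREWALL),
    Rule("pass", "allow any any"),
]

# Same rules, but "block this firewall" moved above the DNS allow: a common mistake.
MISORDERED_RULES = [OPT1_RULES[0], OPT1_RULES[3], OPT1_RULES[1], OPT1_RULES[2], OPT1_RULES[4]]

# Constructed traffic a guest on 192.168.4.0/24 might generate.
SAMPLE_PACKETS = {
    "ping OPT1 address": Packet("icmp", "192.168.4.1"),
    "DNS to OPT1 address": Packet("udp", "192.168.4.1", 53),
    "DNS to LAN address of firewall": Packet("udp", "192.168.2.1", 53),
    "HTTPS to LAN host": Packet("tcp", "192.168.2.2", 443),
    "web GUI on OPT1 address": Packet("tcp", "192.168.4.1", 443),
    "SSH to WAN address": Packet("tcp", "203.0.113.10", 22),
    "HTTPS to internet host": Packet("tcp", "198.51.100.7", 443),
}


def reachability(rules):
    """Return {description: action} for every sample packet under the given rule order."""
    return {desc: evaluate(rules, pkt)[0] for desc, pkt in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for label, rules in (("correct order", OPT1_RULES), ("misordered", MISORDERED_RULES)):
        print(f"--- {label} ---")
        for desc, pkt in SAMPLE_PACKETS.items():
            action, name = evaluate(rules, pkt)
            print(f"{desc:32} {action:5} ({name})")
```

Run it and compare the two tables: in the correct order, DNS and ping to 192.168.4.1 pass while everything aimed at the LAN or at any firewall address is blocked and the rest goes out the WAN; in the misordered set the "block this firewall" rule catches the DNS query first, so guests lose name resolution even though the allow rule is still present further down.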
-
"The wifi router will handle DHCP for the 192.168.4.0/24 network"
"Why would you do that? Just let pfsense hand out dhcp for this network that is attached to pfsense.. Seems pointless to let the old wifi router do it.. And most of the time their dhcp server doesn't have the ability to hand out a different router other than its own IP, etc."
Ok, but I don't understand how to do this.
Are you suggesting that I can configure pfsense to hand out 192.168.4.0/24 addresses to the wifi clients? I do not see the configuration screen to set this up.
-
"I do not see the configuration screen to set this up"
When you created your new interface and put a 192.168.4.x/24 address on it - did you enable dhcp on it? Go to the dhcp server tab and enable it.
Any interface on pfsense that you set as static can run dhcpd.. So set the IP to 192.168.4.1/24 for example.
-
Ok, I found the DHCP configuration page. I had incorrectly set OPT1 to be a /32 address block, and it did not offer a DHCP server. After I changed this to /24 the DHCP server page appeared.
Thanks
-
Great.. Glad you got it sorted - the /32 thing is showing up now and then because the drop down defaults to that. Needs to default somewhere and that is the end of the list, etc. Might be possible to put in a feature request to have it default to /24 on ipv4 and /64 on ipv6.. This might reduce the number of mistakes like this.
Have to look if there is a feature request already, if not can put one in.
edit: Ok I put in a feature request for the defaults to be changed. This might help keep future users from making the mistake
https://redmine.pfsense.org/issues/8021
No saying when they might get to this.. For sure it's a very low priority - but it should be a fairly simple fix I would think.