Netgate Discussion Forum

    WiFi AP not on lan - guest network isolation

    Firewalling
    tmoore:

      Hi All,

      I have a surplus wifi router, and I would like to add this as wifi AP to one of the spare ethernet ports on my Netgate SG-4860 box.  I would like this to be set up so that it does not have any interaction with any of the other ethernet ports on the box, other than allowing traffic to the WAN.

      My LAN port IP address is 192.168.2.1, and connects to a single box with address 192.168.2.2.  I would like to connect a surplus WiFi router on interface OPT1, with a network of 192.168.4.0/24.  The wifi router will handle DHCP for the 192.168.4.0/24 network.  What do I do to set up the routing to prevent the traffic from the WiFi router on 192.168.4.0/24 from being able to access anything that goes through 192.168.2.0/24, but only go through the WAN?

      Also, I would like to make sure that 192.168.4.0/24 cannot access the management interface.  Does this need an additional firewall rule?

      Thanks,

      Tom

      johnpoz (LAYER 8 Global Moderator):

        "The wifi router will handle DHCP for the 192.168.4.0/24 network"

        Why would you do that?  Just let pfsense hand out dhcp for this network that is attached to pfsense.. Seems pointless to let the old wifi router do it.. And most of time their dhcp server doesn't have the ability to hand out different router other than its own IP, etc.

        Create your network on your opt interface.. Connect this to LAN port on your old wifi router, turn off wifi router dhcp.  Give its lan IP on this network lets say 192.168.4.2/24 where pfsense opt interface is 192.168.4.1/24

        Now create the rules you want on the opt interface.

        If you do not want it to get to management, then block management ports to pfsense IP, or use the "this firewall" alias for all its IPs..

        Keep in mind that rules are evaluated top down, first rule to trigger wins.  No other rules will be evaluated.  So if you want these clients to use dns on pfsense you would allow that before your block rule to this firewall.. Allowing ping, for example, would also be above it..  So simple rules would be

        allow ping opt1 address
        allow dns opt1 address
        block lan network
        block this firewall
        allow any any.

        So now clients can ping 192.168.4.1
        clients can ask 192.168.4.1 for dns
        clients can not go to 192.168.2/24
        clients can not hit any IP on firewall for anything, be lan ip, wan ip, or even opt IP.
        clients can go to internet doing anything else they might want.

        one thing else to remember, many wifi routers do not allow to set a gateway on their lan IP.. So you would not be able to manage it from your lan, ie hit the wifi routers web gui.  So you would need to manage it from something on the wireless network 192.168.4/24 or you could source nat the traffic so looks like your traffic from lan is coming from the opt1 address.

        You only need to do that if your wifi router does not allow setting gateway on its lan.. Many native firmwares do not - but if you're running 3rd party firmware you should be able to set the gateway.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.7.2, 24.11

        tmoore:
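The top-down, first-match evaluation johnpoz describes is easy to get wrong when rules are reordered. The following is an added illustration, not code from the thread or from pfSense: a small first-match evaluator over his five OPT1 rules, with the OPT1 address (192.168.4.1), LAN address (192.168.2.1) and LAN network taken from the thread and the WAN address (203.0.113.10) assumed as a placeholder.

```python
import ipaddress
from dataclasses import dataclass

# Addresses from the thread: pfSense OPT1 = 192.168.4.1/24, LAN = 192.168.2.1/24.
# The WAN address is a constructed placeholder; the thread never states it.
OPT1_ADDR = ipaddress.ip_address("192.168.4.1")
LAN_NET = ipaddress.ip_network("192.168.2.0/24")
THIS_FIREWALL = {OPT1_ADDR, ipaddress.ip_address("192.168.2.1"),
                 ipaddress.ip_address("203.0.113.10")}   # "This Firewall" alias


@dataclass
class Rule:
    action: str                 # "pass" or "block"
    proto: str = "any"          # "icmp", "tcp", "udp", "tcp/udp" or "any"
    dst_port: object = None     # None matches any port
    dst: object = None          # None = any; a set of addresses; or an ip_network

    def matches(self, proto, dst_ip, dst_port):
        if self.proto != "any" and proto not in self.proto.split("/"):
            return False
        if self.dst_port is not None and dst_port != self.dst_port:
            return False
        if self.dst is None:
            return True
        return dst_ip in self.dst   # works for both a set and an ip_network


# The rule set suggested in the thread for OPT1, in the order it was given.
OPT1_RULES = [
    Rule("pass", "icmp", None, {OPT1_ADDR}),     # allow ping opt1 address
    Rule("pass", "tcp/udp", 53, {OPT1_ADDR}),    # allow dns opt1 address
    Rule("block", dst=LAN_NET),                  # block lan network
    Rule("block", dst=THIS_FIREWALL),            # block this firewall
    Rule("pass"),                                # allow any any
]


def evaluate(rules, proto, dst_ip, dst_port=None):
    """First matching rule wins; traffic matching no rule is blocked (pfSense default)."""
    dst_ip = ipaddress.ip_address(dst_ip)
    for rule in rules:
        if rule.matches(proto, dst_ip, dst_port):
            return rule.action
    return "block"


if __name__ == "__main__":
    print(evaluate(OPT1_RULES, "udp", "192.168.4.1", 53))    # pass: DNS allowed before the block
    misordered = [OPT1_RULES[3]] + OPT1_RULES[:3] + OPT1_RULES[4:]
    print(evaluate(misordered, "udp", "192.168.4.1", 53))     # block: "this firewall" hit first
```

Moving "block this firewall" above "allow dns" silently cuts DNS for every guest client, which is exactly the ordering mistake the post warns about.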

          "The wifi router will handle DHCP for the 192.168.4.0/24 network"

          Why would you do that?  Just let pfsense hand out dhcp for this network that is attached to pfsense.. Seems pointless to let the old wifi router do it.. And most of time their dhcp server doesn't have the ability to hand out different router other than its own IP, etc.

          Ok, but I don't understand how to do this.

          Are you suggesting that I can configure pfsense to hand out 192.168.4.0/24 addresses to the wifi clients?  I do not see the configuration screen to set this up.

          johnpoz (LAYER 8 Global Moderator):

            "I do not see the configuration screen to set this up"

            When you created your new interface and put 192.168.4.x/24 address on it - did you enable dhcp on it?  Go to the dhcp server tab and enable it.

            Any interface on pfsense that you set as static can run dhcpd.. So set the IP to 192.168.4.1/24 for example.


            tmoore:

              Ok, I found the DHCP configuration page.  I had incorrectly set OPT1 to be a /32 address block, and it did not offer a DHCP server.  After I changed this to /24 the DHCP server page appeared.

              Thanks

              johnpoz (LAYER 8 Global Moderator):

                Great.. Glad you got it sorted - the /32 thing is showing up now and then because the drop down defaults to that.  Needs to default somewhere and that is the end of the list, etc.  Might be possible to put in a feature request to have it default to /24 on ipv4 and /64 on ipv6.. This might reduce the number of mistakes like this.

                Have to look if there is a feature request already, if not can put one in.

                edit:  Ok I put in a feature request for the defaults to be changed.  This might help keep future users from making the mistake
                https://redmine.pfsense.org/issues/8021

                No saying when they might get to this.. For sure it's a very low priority - but should be a fairly simple fix I would think.

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.