Netgate Discussion Forum
    Firewall rules to create a guest network

    Category: Official Netgate® Hardware
    29 Posts, 7 Posters, 10.0k Views
    netblues @DrPhil:

      @DrPhil You can't filter traffic on the same interface since it is not passing through pf.
      You need to put guest clients on another interface.
      Even then, you can't stop them from seeing each other (unless they are on Wi-Fi with client isolation enabled).

      stephenw10 (Netgate Administrator):

        Yeah, you need two interfaces to isolate and filter that. They can be bridged if you really need them in the same subnet.

        Steve

        akuma1x:

          Or, they can be on the same network plug/port on your firewall, if you’re short on physical interfaces. But, then you need to use VLANs and have appropriate hardware to handle that stuff.

          DrPhil:

            Thank you all for responding to (from your perspective) a pretty basic and dumb question.

            Let me expand on the problem I am trying to solve.

            In the past when I had a WiFi router, I could create a guest network that isolated the guests (I don't really need to isolate them from each other).

            Now that the old device is just a Wi-Fi AP (and Netgate is my router), the isolation for the guest network doesn't happen. All my valuable devices that I am trying to protect (home PCs with data) are also on Wi-Fi.

            Do I have any options that do not involve me buying another WiFi AP?

            netblues @DrPhil:

              @DrPhil Do you have a spare ethernet interface on pf? or can you add one?

              DrPhil:

                @netblues let's just say I do.

                netblues @DrPhil:

                  @DrPhil Then it's straightforward. Assign a new subnet, enable DHCP and connect your old Wi-Fi AP there.
                  Disable any DHCP server on the AP.

                  Create a rule on the new interface to allow the Wi-Fi LAN access to the Internet, and block it from accessing your LAN.
                  Add/adjust rules as needed.
                  If you have outbound NAT set to automatic, creating the new LAN subnet will also take care of NATing to the Internet.

                  Good to go!

                  Bob.Dig (LAYER 8) @netblues:

                    @netblues This wouldn't help at all, because he just has one AP for all of his devices, trusted and untrusted.

                    netblues @Bob.Dig:

                      @Bob-Dig The OP also says that he has valuable PCs, so we can assume they are wired.

                      But even if that's the case, the Wi-Fi LAN can be segmented with firewall rules and access can be given to specific devices.
                      Yes, it's not top security; MACs can be spoofed et al. Finding an old Wi-Fi router and using it as a second AP is also a zero-cost scenario.

                      DrPhil:

                        Thank you @netblues.

                        @Bob-Dig is right. I currently have a single AP (which is the old Wi-Fi router) for my trusted and untrusted devices (even my trusted PCs are wireless, not wired).

                        Do you know if they sell Wi-Fi APs that have the ability to create a guest network?

                        Related but slightly different question: is there a Wi-Fi AP that comes highly recommended to work well with Netgate hardware (specifically the SG-1100)?

                        thanks.

                        stephenw10 (Netgate Administrator):

                          Yes, many APs can do that. The one you're using might be able to; what is it?

                          The AP (or router running as an AP) needs to be able to create multiple SSIDs and assign them to VLANs. Then you can add that VLAN (or multiple VLANs) as a new interface in pfSense and filter traffic to/from it as required.

                          Steve

                          DrPhil:

                            I am using a Netgear Nighthawk R7000 (my old router) as an AP.

                            It can create a separate SSID, but the option "Allow guests to see each other and access my local network" is grayed out in AP mode. I am reading that to mean that as an AP, both SSIDs will be on the same subnet. Which sort of doesn't make sense to me. Why have the option to create a 2nd SSID, if it cannot be separated logically?

                            (Please excuse me - I am using words that I don't understand)

                            Bob.Dig (LAYER 8) @DrPhil:

                              @DrPhil Same with my Asus. But with modified/alternative firmware, you can have VLANs...

                              netblues @DrPhil:

                                @DrPhil said in Firewall rules to create a guest network:

                                I am using a Netgear Nighthawk R7000 (my old router) as an AP.

                                Why have the option to create a 2nd SSID, if it cannot be separated logically?

                                It's rather straightforward.
                                When the router is in router mode, all SSIDs terminate on the router and are NATed to the Internet.
                                In AP mode this is not possible, since there is no direct Internet access on the AP.
                                It could be possible if VLANs were supported, or if the router is used in router mode behind pfSense (typically with double NAT).

                                chrcoluk:

                                  1 - Create VLANs, with guest on its own VLAN and subnet.
                                  2 - Guest: forbid traffic to firewall services, to the main LAN subnet, and also to whatever parts of the Internet you want blocked off; e.g. my guest LAN is HTTP/HTTPS only.

                                  If you create the VLANs, they need to be configured on any switches as well.

                                  pfSense CE 2.7.2

                                  Bob.Dig (LAYER 8) @chrcoluk:

                                    @chrcoluk said in Firewall rules to create a guest network:

                                    2 - Guest: forbid traffic to firewall services, to the main LAN subnet, and also to whatever parts of the Internet you want blocked off; e.g. my guest LAN is HTTP/HTTPS only.

                                    Would like to see those rules, if you don't mind; I need some inspiration.

                                    akuma1x @Bob.Dig:

                                      @Bob-Dig Here are my guest rules:

                                      [screenshot: screenshot565654.png]

                                      Blocks access to the webGUI and other stuff on the WAN network of my modem, blocks the LAN network, and keeps my kids' game boxes off the guest Wi-Fi network. Some of the rules say "0 states/0 traffic" because I don't have guests too often, and they certainly aren't poking around in those specific areas.

                                      Jeff

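The guest rulesets described in this thread (netblues' "allow Internet, block LAN", chrcoluk's "block firewall services, LAN subnet and everything but HTTP/HTTPS", and akuma1x's extra "block WAN net") all depend on the same pfSense semantic: rules on an interface tab apply to traffic entering that interface, are evaluated top-down, the first match wins, and anything unmatched is dropped. The model below is an added example written for this page, not code from the thread, from pfSense or from pf itself. The addresses (192.168.20.0/24 guest, 192.168.1.0/24 LAN, 192.0.2.0/24 as the modem-side WAN network), the "this_firewall" alias and the leading "pass DNS to the firewall" rule are assumptions; the DNS rule is there because a blanket "block This Firewall" rule placed first would also cut guests off from the resolver on pfSense.

```python
"""Toy model of a pfSense guest-interface ruleset: first match wins, default deny.

Added example for the forum thread above; it mirrors the evaluation order of
rules on an interface tab, not pf's actual syntax or the automatic DHCP rules
pfSense adds. All addressing below is constructed for the example.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import FrozenSet, List, Optional, Tuple, Union

# Constructed addressing (assumptions, not taken from the thread).
GUEST_NET = ip_network("192.168.20.0/24")   # new interface the guest SSID lands on
LAN_NET = ip_network("192.168.1.0/24")      # trusted LAN with the PCs
WAN_NET = ip_network("192.0.2.0/24")        # modem-side network (TEST-NET-1)
THIS_FIREWALL = {                           # pfSense's own addresses ("This Firewall" alias)
    ip_address("192.168.20.1"), ip_address("192.168.1.1"), ip_address("192.0.2.10"),
}


@dataclass(frozen=True)
class Packet:
    proto: str                 # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                          # "pass" or "block"
    proto: Optional[str]                 # None = any protocol
    dst: Union[IPv4Network, str, None]   # a network, "this_firewall", or None = any
    dports: Optional[FrozenSet[int]]     # None = any destination port
    descr: str

    def matches(self, pkt: Packet) -> bool:
        if self.proto is not None and pkt.proto != self.proto:
            return False
        d = ip_address(pkt.dst)
        if self.dst == "this_firewall":
            if d not in THIS_FIREWALL:
                return False
        elif self.dst is not None and d not in self.dst:
            return False
        if self.dports is not None and pkt.dport not in self.dports:
            return False
        return True


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """Evaluate a packet entering the guest interface: top-down, first match, else drop."""
    if ip_address(pkt.src) not in GUEST_NET:
        raise ValueError("only traffic arriving on the guest interface is modelled")
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.descr
    return "block", "default deny (no rule matched)"


WEB = frozenset({80, 443})

# Order matters: the specific blocks sit above the permissive Internet rule.
GUEST_RULES = [
    Rule("pass", "udp", "this_firewall", frozenset({53}), "DNS to the resolver on pfSense (assumed)"),
    Rule("block", None, "this_firewall", None, "no webGUI/SSH/other firewall services"),
    Rule("block", None, LAN_NET, None, "no access to the trusted LAN"),
    Rule("block", None, WAN_NET, None, "no poking at the modem-side network"),
    Rule("pass", "tcp", None, WEB, "Internet, HTTP/HTTPS only"),
]

# The same rules with the permissive one on top: every block below it is dead
# for HTTP/HTTPS, so guests reach the LAN and the webGUI over 443.
MISORDERED = [GUEST_RULES[-1]] + GUEST_RULES[:-1]

SAMPLE_FLOWS = [  # constructed guest-side traffic
    Packet("udp", "192.168.20.50", "192.168.20.1", 53),     # DNS to pfSense
    Packet("tcp", "192.168.20.50", "192.168.20.1", 443),    # webGUI on the guest address
    Packet("tcp", "192.168.20.50", "192.168.1.50", 445),    # SMB to a LAN PC
    Packet("tcp", "192.168.20.50", "192.168.1.1", 443),     # webGUI via the LAN address
    Packet("tcp", "192.168.20.50", "192.0.2.1", 80),        # modem-side device
    Packet("tcp", "192.168.20.50", "93.184.216.34", 443),   # HTTPS to the Internet
    Packet("tcp", "192.168.20.50", "93.184.216.34", 22),    # SSH to the Internet
]


def audit(rules: List[Rule], flows: List[Packet]) -> List[Tuple[Packet, str, str]]:
    """Return (packet, action, matching rule description) for each sample flow."""
    return [(pkt, *evaluate(rules, pkt)) for pkt in flows]


if __name__ == "__main__":
    for label, rules in (("ordered", GUEST_RULES), ("misordered", MISORDERED)):
        print(f"--- {label} ruleset ---")
        for pkt, action, why in audit(rules, SAMPLE_FLOWS):
            print(f"{action:5s} {pkt.proto} {pkt.src} -> {pkt.dst}:{pkt.dport}  ({why})")
```

In the pfSense GUI the equivalent rules live on the guest interface's tab with source "GUEST net" and destination "This Firewall", "LAN net", "WAN net" or "any"; the model only reproduces the ordering logic, so check the real ruleset by watching which rule's state counter increments when a guest client tries to reach the LAN.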
                                        Bob.Dig (LAYER 8) @akuma1x:

                                          @akuma1x That is some advanced ruling.
                                          I like it. 🤓
                                          Although, if you have a cable modem, it will probably not be blocked by this.

                                          akuma1x @Bob.Dig:

                                          @Bob-Dig said in Firewall rules to create a guest network:

                                            Although, if you have a cable modem, it will probably not be blocked by this.

                                            I don't understand what you mean here... And I've got a DSL Internet connection.

                                          Jeff

                                            Bob.Dig (LAYER 8) @akuma1x:

                                              @akuma1x I just thought about the block of WAN net and why someone would want that, but my "explanation" for that was wrong.

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.