Prevent wifi users from accessing pfsense?



  • Hi guys, just wondering if it is possible to block wifi users from accessing pfSense on 192.168.1.1? The DHCP ranges are in this same range, and I don't want to change it if it can be avoided, but I also don't want someone to have a crack at logging in either.
    Thanks



  • Use strong passwords.


  • Netgate

    Not really if they're on the same LAN subnet.

    If they are on your LAN subnet I would be more worried about them having access to LAN hosts than the pfSense interface. This is a problem your firewall can do nothing about, since it's LAN traffic.

    If they are on a dedicated subnet, it's pretty much a FAQ around here as to the solution.

    Assumptions:

    Guests can ping pfSense and are using pfSense for DNS.

    Ignore all the other interfaces. Pretend your choices are Floating, WAN, LAN, and GUEST. Much more work would need to be done in the middle section for all the local interfaces in this firewall.

    ![Screen Shot 2016-06-18 at 9.34.20 PM.png](/public/imported_attachments/1/Screen Shot 2016-06-18 at 9.34.20 PM.png)



  • @scott_io:

    Hi guys, just wondering if it is possible to block wifi users from accessing pfSense on 192.168.1.1? The DHCP ranges are in this same range, and I don't want to change it if it can be avoided, but I also don't want someone to have a crack at logging in either.
    Thanks

    Sure it is… Just add a firewall rule blocking all access to the firewall on the specific interface, and put it at the top. Be sure to have an access rule above the new rule (for a specific IP that will be able to log in to manage the box) or you'll lock yourself out. If the machine you usually access the WebGUI from is on a different interface, and you don't need anyone at all accessing the WebGUI from wifi, then you wouldn't need this access rule. See below.

    -Bill
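    To make the ordering that Derelict's assumptions (guests may ping pfSense and use it for DNS) and Bill's post (a management exception sitting above the block, or no exception at all) both rely on concrete, here is a hand-written pf.conf fragment in the style pfSense generates from its rule tables. It is an added example, not something posted in this thread or produced by pfSense. The interface name, the GUEST subnet, the gateway address and the management host are assumptions chosen for the example; only 192.168.1.0/24 and the ".8" host idea come from the thread.

```pf
# Added example (not from the thread or pfSense itself); names and addresses below are assumptions.
guest_if  = "igb2"              # assumed: the GUEST interface carrying the wireless segment
guest_net = "192.168.20.0/24"   # assumed: GUEST subnet, separate from LAN
guest_gw  = "192.168.20.1"      # assumed: pfSense's own address on GUEST
mgmt_host = "192.168.20.8"      # assumed: the single admin device, static mapping outside the DHCP pool
lan_net   = "192.168.1.0/24"    # LAN subnet from the thread

# pf evaluates "quick" rules first-match, so the order below is the whole point.

# 1. Management exception ABOVE the block. Delete this rule (Bill's second suggestion)
#    if nobody ever needs the WebGUI from wireless; then only rules 2-4 decide.
pass in quick on $guest_if proto tcp from $mgmt_host to $guest_gw port 443 \
    flags S/SA keep state

# 2. Services guests are allowed to consume from the firewall itself.
#    DHCP must be allowed explicitly here; pfSense adds this for you behind the
#    scenes, a hand-written ruleset does not. Renewals are unicast to $guest_gw
#    and would otherwise hit the block in rule 3.
pass in quick on $guest_if proto udp from any port 68 to any port 67 keep state
pass in quick on $guest_if inet proto icmp from $guest_net to $guest_gw \
    icmp-type echoreq keep state
pass in quick on $guest_if proto { tcp udp } from $guest_net to $guest_gw port 53 keep state

# 3. Drop everything else aimed at any address the firewall holds.
#    (self) is pf's equivalent of the GUI's "This Firewall" alias.
block in quick on $guest_if from $guest_net to (self)

# 4. Keep guests off the LAN segment entirely (Derelict's point about LAN hosts).
block in quick on $guest_if from $guest_net to $lan_net

# 5. Whatever is left is Internet-bound traffic.
pass in quick on $guest_if from $guest_net to any keep state
```

    Rule 1 is exactly the hole Derelict points out: anyone who sets 192.168.20.8 by hand matches it. The static ARP entry Bill describes closes the IP-spoofing half (on FreeBSD, which pfSense runs on, `arp -S 192.168.20.8 <mac>` pins the mapping permanently; pfSense's "Static ARP" checkbox on the DHCP static mapping does the same), while the MAC-spoofing half remains, which is why the thread's consensus is a dedicated management network and nothing else.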



  • Netgate

    That does not prevent someone from setting a static address of .8 and accessing the WebGUI.



  • @Derelict:

    That does not prevent someone from setting a static address of .8 and accessing the WebGUI.

    Correct… the only way to do that would be to delete that rule and use only the block rule. All I did there was show that there would be a way to permit one wifi device access to the WebGUI. Of course someone with enough smarts, who knew that one IP address (unlikely), could simply manually set their IP to .8 and access the GUI... if they also know the WebGUI pw. OP could/should change the DHCP pool range, and set up a static IP (outside the pool) with static ARP as well (for that one device), and that would be fairly secure… at least enough for the OP I suppose. His or her decision. However, I read from his question that they were looking to block ALL GUI access on wifi (which is why I suggested not using that rule in the first place)... again, my rules are a little different.

    That's how I do it.

    .8 is outside my pool. I have my one device set up with a static IP mapping and ARP in pf. No other device should then be allowed to manually set its IP to .8... correct? I suppose they could ALSO spoof the MAC, but I suspect that anyone doing that will also find a way in anyway...


  • Netgate

    Management interfaces are better. Untrusted hosts should be completely isolated. Amazing what information can be gleaned from a packet capture.



  • @scott_io:

    Hi guys, just wondering if it is possible to block wifi users from accessing pfSense on 192.168.1.1? The DHCP ranges are in this same range, and I don't want to change it if it can be avoided, but I also don't want someone to have a crack at logging in either.
    Thanks

    Yes.



  • In your situation I would configure it like this:

    • Wi-Fi as a WLAN AP (AP mode)
    • create a separate VLAN for each SSID
    • give each VLAN its own IP subnet or IP range
    • now create rules to drop any playing around with your box
    • then, on top of that, activate Wi-Fi client isolation for the guest VLAN