CP block LAN access



  • Hello all,
    this is my first post, so excuse me if I make silly mistakes and assumptions.
    So my scenario is this:

    Modem ===> PFS (latest edition) ===> DLink dumb (unmanaged) switch ===> 2X Cisco Aironet 1131 AP (no wifi security; the only security is the local user on PFS)

    and based on my testing I found that if I don't log in to CP I still have access to the rest of the network: all the other computers, servers, etc. So I need to block the user from the LAN until authenticated. I have no idea how to do this, since it is a switch problem (layer two).
    What might be an option is to set CP as DHCP, where standard DHCP gives a 192.168.0.* and CP gives 192.168.1.* after authentication, for example. Knowing that this sounds kind of stupid, does anyone have any idea?



  • As you said, this is a layer 2 problem and has to be solved there.
    Running multiple IP subnets (layer 3) on the same layer 2 plane is a bad idea.

    Get a managed switch with VLAN support. Cheap ones can be found from $80 if you look closely.



  • Thanks for the response, that makes sense, but as far as I understood I need dynamic VLANs for clients. Also, I'm not sure, but I don't think I can VLAN a wifi client. Adding to that, where I live I had a hard time getting a 16-port gigabit switch; a used gigabit managed one is ~300 USD.



  • I don't know where you live of course, but search for cheap TP-Link, Zyxel, HP switches / models that can be found online or even on this forum … I can't imagine that they would cost $300.

    Also, do you actually need 16 managed ports? You might be able to get away with a small managed switch and use your current switch behind it.



  • Yes, that might work. 5 or 8 ports would do the job, and the rest to the dumb switch; I'll check them out. But assuming I got a switch, how do I go about isolating a wifi client until authenticated, then switching it back to the network?
    Honestly, after thinking about it, I might need isolation at AP level, not switch?



  • Client isolation at AP level depends on the brands you work with; some work well, others don't.

    Personally, I generally don't isolate a wifi client from other wifi clients on the same wireless network (that's their business / I don't care).

    You normally create a separate VLAN for each wireless network, either by using good APs that can handle VLANs and you tag them, or, if using 'dumb' APs, by handling the VLAN on the physical switch port that the AP is attached to.

    The VLANs in turn are separate (virtual) interfaces on your pfSense router that handle the firewalling / routing.



  • OK, will look into it, thanks for your help.



  • @heper:

    client isolation at ap level depends on the brands you work with / some work well others don't.

    personally i generally don't isolate a wifi client from other wifi clients on the same wireless network ( that's their business / i don't care)

    If you have more than one AP, total client isolation can be enforced.

    I'm using some 'ebtables' rules on every AP :

    #!/bin/ash
    # Load the bridge firewall and its filter table (fails harmlessly if already built in).
    insmod ebtables
    insmod ebtable_filter
    # "0:0:0:0:0:0/0:0:0:0:0:0" is an all-zero mask, i.e. "any source".
    # Let broadcast frames through so DHCP discover and ARP requests still work.
    ebtables -t filter -A FORWARD -s 0:0:0:0:0:0/0:0:0:0:0:0 -d Broadcast -j ACCEPT
    # Any client -> the pfSense portal NIC.
    ebtables -t filter -A FORWARD -s 0:0:0:0:0:0/0:0:0:0:0:0 -d 00:0f:b5:fe:4e:e7 -j ACCEPT
    # The pfSense portal NIC -> any client.
    ebtables -t filter -A FORWARD -s 00:0f:b5:fe:4e:e7 -d 0:0:0:0:0:0/0:0:0:0:0:0 -j ACCEPT
    # Everything else that crosses the bridge (client to client) is dropped.
    ebtables -t filter -A FORWARD -j DROP
    ## end
    

    00:0f:b5:fe:4e:e7 is the MAC of my portal NIC.
    These rules enforce that broadcasts pass (think about DHCP).
    Communication from pfSense to the AP is OK.
    Communication from the AP to pfSense is OK.
    The rest (client inter-communication) is ditched.

    I'm mostly using Linksys/Cisco routers. I always throw away the original firmware and use DD-WRT instead.
    The lines mentioned above are placed in the "startup" script.

    All this because I wanted to "offer an Internet connection, not my network, so clients can't mess with each other".



  • So as far as I see, there is no easy way to dynamically isolate clients until authorized. Client isolation is possible, but doing it dynamically is nearly impossible, so I think I'll get back to the standard AP WPA thing and get over with it.  :(

