Netgate Discussion Forum

CP block LAN access

Captive Portal
9 Posts 3 Posters 1.3k Views
    O.alZuabi
    last edited Jul 2, 2016, 7:28 AM; posted Jun 29, 2016, 8:53 AM

    Hello all,
    This is my first post, so excuse me if I make silly mistakes and assumptions.
    So my scenario is this:

    Modem ===> PFS (latest edition) ===> DLink dumb (unmanaged) switch ===> 2X Cisco Aironet 1131 AP (no wifi security; the only security is local user on PFS)

    And based on my testing I found that if I don't log in to the CP I still have access to the rest of the network: all the other computers, servers, etc., so I need to block the user of the LAN until authenticated. I have no idea how to do this, since it is a switch problem (layer two).
    What might be an option is to set CP as DHCP, where standard DHCP will give a 192.168.0.* and CP gives 192.168.1.* after authentication, for example, knowing that this sounds kinda stupid. Does anyone have any idea?

      heper
      last edited by Jun 29, 2016, 9:22 AM

      As you said, this is a layer 2 problem and has to be solved there.
      Running multiple IP subnets (layer 3) on the same layer 2 plane is a bad idea.

      Get a managed switch with VLAN support. Cheap ones can be found from $80 if you look closely.

        O.alZuabi
        last edited by Jun 29, 2016, 9:31 AM

        Thanks for the response, that makes sense, but as far as I understood I need dynamic VLANs for clients; also I'm not sure, but I don't think I can VLAN a wifi client. And adding to that, where I live I had a hard time getting a 16-port gigabit switch; a used gigabit managed one goes for ~300 USD.

          heper
          last edited by Jun 29, 2016, 6:05 PM

          I don't know where you live of course, but search for cheap TP-Link, Zyxel, HP switches / models; they can be found online or even on this forum ... I can't imagine that they would cost $300.

          Also, do you actually need 16 managed ports? You might be able to get away with a small managed switch and use your current switch behind it.

            O.alZuabi
            last edited by Jun 29, 2016, 6:19 PM

            Yes, that might work: 5 or 8 ports would do the job, and the rest to the dumb switch. I'll check them out. But assuming I got a switch, how do I go about isolating a wifi client until authenticated, then switching it back to the network?
            Honestly, after thinking about it, I might need isolation at AP level, not switch?

              heper
              last edited by Jun 29, 2016, 10:09 PM

              Client isolation at AP level depends on the brands you work with / some work well, others don't.

              Personally I generally don't isolate a wifi client from other wifi clients on the same wireless network (that's their business / I don't care).

              You normally create a separate VLAN for each wireless network, either by using good APs that can handle VLANs and you tag them, or, if using 'dumb' APs, you handle the VLAN on the physical switch port that the AP is attached to.

              The VLANs in turn are separate (virtual) interfaces on your pfSense router that handle the firewalling / routing.

                O.alZuabi
                last edited by Jun 30, 2016, 7:01 AM

                OK, will look into it, thanks for your help.

                  Gertjan
                  last edited by Jun 30, 2016, 7:12 AM

                  @heper:

                  Client isolation at AP level depends on the brands you work with / some work well, others don't.

                  Personally I generally don't isolate a wifi client from other wifi clients on the same wireless network (that's their business / I don't care).

                  If you have more than one AP, total client isolation can be enforced.

                  I'm using some 'ebtables' rules on every AP :

                  #!/bin/ash
                  # load the ebtables core and its filter table (DD-WRT startup)
                  insmod ebtables
                  insmod ebtable_filter
                  # any source -> Ethernet broadcast: allow (ARP, DHCP discover/request)
                  ebtables -t filter -A FORWARD -s 0:0:0:0:0:0/0:0:0:0:0:0 -d Broadcast -j ACCEPT
                  # any source -> the portal (pfSense) NIC: allow
                  ebtables -t filter -A FORWARD -s 0:0:0:0:0:0/0:0:0:0:0:0 -d 00:0f:b5:fe:4e:e7 -j ACCEPT
                  # the portal NIC -> any destination: allow
                  ebtables -t filter -A FORWARD -s 00:0f:b5:fe:4e:e7 -d 0:0:0:0:0:0/0:0:0:0:0:0 -j ACCEPT
                  # everything else bridged through the AP (client-to-client) is dropped
                  ebtables -t filter -A FORWARD -j DROP
                  ## end

                  00:0f:b5:fe:4e:e7 is the MAC of my portal NIC.
                  These rules enforce that broadcasting passes (think about DHCP).
                  Communication from pfSense to the AP is OK.
                  Communication from the AP to pfSense is OK.
                  The rest (client inter-communication) is ditched.

                  I'm mostly using Linksys/Cisco routers. I always throw away the original firmware and use DD-WRT instead.
                  The lines mentioned above are placed in the "startup" script.

                  All this because I wanted to "offer an Internet connection - not my network so clients can't mess with each other".

                  No "help me" PMs please. Use the forum, the community will thank you.
                  Edit: and where are the logs??

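An added example, not code from the thread, DD-WRT or pfSense: a small Python model of the ebtables FORWARD chain quoted in the post above, so the isolation policy can be checked offline before loading it on an AP. It reproduces ebtables' first-match semantics, the zero-mask wildcard (`0:0:0:0:0:0/0:0:0:0:0:0`) and the `Broadcast` alias (`ff:ff:ff:ff:ff:ff` only). The portal MAC is the one from the post; the client MACs and sample frames are constructed. The audit also flags a caveat the post does not mention: multicast destinations (IPv4 `01:00:5e:...`, IPv6 `33:33:...`) are not covered by the `Broadcast` alias, so they fall through to the final DROP, which is worth knowing if you run IPv6 or mDNS on that LAN.

```python
# Added example (not from the thread, DD-WRT or pfSense): a model of the
# ebtables FORWARD chain posted above, so the policy can be checked offline.
# Client MACs and frames below are constructed; the portal MAC is from the post.

BROADCAST = "ff:ff:ff:ff:ff:ff"
ANY = "0:0:0:0:0:0/0:0:0:0:0:0"      # ebtables addr/mask that matches every MAC
PORTAL_MAC = "00:0f:b5:fe:4e:e7"     # portal NIC MAC quoted in the post


def mac_to_int(mac: str) -> int:
    # ebtables accepts one- or two-digit octets, so "0:0:0:0:0:0" is valid
    return int(mac.replace(":", ""), 16)


def matches(mac: str, spec: str) -> bool:
    """Match a MAC against an ebtables 'addr/mask' spec or the Broadcast alias.
    A zero mask matches anything, which is what 0:0:0:0:0:0/0:0:0:0:0:0 means."""
    if spec == "Broadcast":
        return mac.lower() == BROADCAST
    addr, _, mask = spec.partition("/")
    m = mac_to_int(mask or "ff:ff:ff:ff:ff:ff")
    return (mac_to_int(mac) & m) == (mac_to_int(addr) & m)


# (src spec, dst spec, target) in the order the startup script appends them;
# None means the rule does not match on that field (the final unconditional DROP).
FORWARD_CHAIN = [
    (ANY, "Broadcast", "ACCEPT"),
    (ANY, PORTAL_MAC, "ACCEPT"),
    (PORTAL_MAC, ANY, "ACCEPT"),
    (None, None, "DROP"),
]


def forward_verdict(src: str, dst: str) -> str:
    """First matching rule wins, as in ebtables; otherwise the chain's built-in policy."""
    for s, d, target in FORWARD_CHAIN:
        if (s is None or matches(src, s)) and (d is None or matches(dst, d)):
            return target
    return "ACCEPT"   # default policy of a built-in ebtables chain


def is_multicast(mac: str) -> bool:
    """I/G bit (lowest bit of the first octet) set, which is what ebtables' Multicast alias tests."""
    return int(mac.split(":")[0], 16) & 1 == 1


def audit(frames):
    """Run (src, dst) pairs through the chain and flag multicast frames that fall
    through to DROP, since the Broadcast alias only covers ff:ff:ff:ff:ff:ff."""
    report = []
    for src, dst in frames:
        verdict = forward_verdict(src, dst)
        note = ""
        if verdict == "DROP" and is_multicast(dst):
            note = "multicast destination, not covered by the Broadcast alias"
        report.append((src, dst, verdict, note))
    return report


# Constructed sample traffic as seen by an AP bridging wireless clients onto the LAN.
CLIENT_A = "02:00:00:00:00:0a"
CLIENT_B = "02:00:00:00:00:0b"
SAMPLE_FRAMES = [
    (CLIENT_A, BROADCAST),            # DHCP discover / ARP request
    (CLIENT_A, PORTAL_MAC),           # client talking to pfSense
    (PORTAL_MAC, CLIENT_A),           # pfSense replying
    (CLIENT_A, CLIENT_B),             # client-to-client: what the poster wants blocked
    (CLIENT_A, "01:00:5e:00:00:fb"),  # IPv4 multicast (mDNS)
    (CLIENT_A, "33:33:00:00:00:02"),  # IPv6 multicast (router solicitation)
]

if __name__ == "__main__":
    for src, dst, verdict, note in audit(SAMPLE_FRAMES):
        print(f"{src} -> {dst}: {verdict} {note}".rstrip())
```

Run it as a script to see one line per sample frame; the four verdicts the post describes (broadcast, client to portal, portal to client, client to client) come out as stated, and the two multicast frames show the fall-through to DROP.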
                    O.alZuabi
                    last edited by Jul 2, 2016, 8:37 AM

                    So as far as I see, there is no easy way to dynamically isolate clients until authorized; client isolation is possible, but dynamically it is nearly impossible. I think I'll get back to the standard AP WPA thing and get over with it.  :(
