-
I'm new here, tried pfSense back when it was 2.1. All I need is a bit of direction finding information on setting up two LAN's. The first LAN will have my NAS, printer, and wired computers. The 2nd LAN will have my wireless router (switched to AP), I would like the wireless devices to access the printer, NAS, and of course access the internet. I'm thinking of not using a DHCP server (use static) on the 2nd (wireless) network, my goal is to make it as secure as possible with the Access Point setup with MAC filtering and WPA and so on. So I'm just looking for direction, and of course any ideas on how to approach this in a logical way. The users (excluding me) are non-techie and I need to keep them from stabbing themselves in the eye. BTW, I'm using openDNS, have been for a long time and have that all configured already including Dynamic DNS. Thanks in advance, all I need is a little push in the right direction. Lastly, if I can get this setup and working in a satisfactory way, I'll be donating $99 a yr to pfSense, it would be worth it to me :)
-
"The users (excluding me) are non-techie and I need to keep them from stabbing themselves in the eye"
How does that go well with no dhcp server and mac filtering. So your users know how to view the mac address off all their wireless devices and give them too you? Do they know how to setup a static IP on their phones or other devices?
You do understand mac filtering and no dhcp server have been listed as dumbest ways to secure wifi, since some idiot suggested them.. Those methods don't make anything any more secure, they make network harder to access for your own users, and more work on your part having to maintain a mac filtering list..
What I would suggest you do is setup wpa2 with a secure psk.. problem with psk and users is they prob give it away. and now users you don't want are on the network, etc. etc. You could setup wpa2 enterprise and use say the freerad package to auth individual users and their own passwords. This way you can change or delete a user without having to tell all the other users the new psk when the old one gets compromised because someone wrote it down or posted it somewhere, etc..
If you want to really tight on your wifi, use eap-tls to auth. Now all your users need a cert provided by you, etc.
What direction do you need here, is there stuff on your lan that you don't want your wifi to access? If not any any on the opt2 interface you create and there you go..
If you want help securing the firewall rules after your setup just ask. But no dhcp and mac filtering?? While mac filtering can be used as a control method, its not really a security method by any means.
From 2005
http://www.zdnet.com/article/the-six-dumbest-ways-to-secure-a-wireless-lan/You forgot to not broadcast your ssid ;)
-
Thanks Johnpoz for your feedback, I'll go back to using DHCP and have a closer look at your suggestions. Really all I'm attempting to do is keep the script kiddies out and to secure the wireless side of the network as best as possible. I also agree, if it's to difficult, then I'll be spending time chasing around trying to fix issues. Cheers :)
-
Who are these users, are they always the same? Are they random guests? What do they need to access while on this wifi? Is it network resources that are of concern? What hardware are they connecting to the network with? Hardware you control or manage or their own?
If you have a mix, then yeah multiple wifi networks that have different layers of access to your network or internet.. Would have a network that is from your devices that you manage that can be allowed to access your internal network stuff that they need to access, etc.
Then you have a guest network that can use the internet - that would have not access to anything on your network, etc.
Maybe you use eap-tls to auth to the normal wifi network, or some other eap that has user name and password even if just peap, etc. Or sure a nice strong wpa2/aes with a good strong PSK - that maybe gets changed now and then because users leak it out, etc. Then your guest could be something as simple wide open no auth, or maybe it has captive portal like a hotel, or maybe you use a PSK that is simple to remember and you hand out to your guests, etc.