Opt1 interface setup



  • After a bit of time away from pfsense I've finally got my set up working again. Very pleased. Now just playing about a bit. The onboard ethernet plug in the box is currently unused. What I quite fancy doing is sticking a wireless transmitter into the socket and sending out a second wifi network. But it would be fair to say I'm not sure what I am doing. What I want to achieve is it to allow access to the net in a similar way to the rest of the box but not allow access to the rest of the home network. Would anyone like to spare a little time to educate me how to do it please? Many thanks.



  • You could get your wireless network by using an old wireless router:

    • Disable DHCP server on wireless router

    • Set the IP address for the LAN in your current network's subnet (but not in the pfSense box's DHCP range)

    • Connect Opt1 and one of the LAN ports on the old router (not the WAN port).

    • Configure the pfSense to use the Opt1 interface as part of the LAN



  • Sorry, weehooey's post is nonsense in regard to your requirement. He integrates (bridges) it into your LAN, which is the opposite of what you wanted. How he describes it is not how you do it properly (if at all). You would better connect it to a switch on LAN.

    You want a separate subnet for your WLAN, like for guest access.
    Assign the NIC to an interface at Interface (assign). Go to that newly created interface and enable it, plus give it an IP address with netmask which does not overlap with your existing LAN network.
    At Services > DHCP Server you might want to give it a DHCP range to hand addresses to your WiFi clients.
    Now you need to create firewall rules to
    1. block traffic to the LAN subnet, and
    2. allow DNS and access to the internet (HTTP, HTTPS and probably other stuff like mail etc.).
    Keep this order. It's easier to block a few networks, single hosts or what have you and allow the rest afterwards.



  • Thanks guys. Where I'm at so far. LAN on 192.168.1.x. Opt1 set up to run on 192.168.10.x. Firewall rules for Opt1 exactly mirror those for the LAN at the moment (until I get it going). And outbound is automatic. DHCP on the wireless router is off. No internet on Opt1 though - what am I missing? Thanks for the help.



  • I've checked that DHCP is running on Opt1 and limited the range, although all still within 192.168.10.x, but it doesn't appear to be handing out IP addresses. If I attach to the LAN interface I can ping through to the OPT interface - and the wireless AP attached to it. But nothing if I attach to the wifi AP itself.

    UPDATE: now dishing out addresses but no ping to the internet.



  • malcmail - I owe you an apology. I read your post too quickly. jahonix is correct, my reply would not do what you wanted.

    jahonix - Thank you for pointing out my mistake. One question, had he wanted to just add wireless, why is it better to use a switch than to use Opt1? I have seen that comment before but unclear as to why. The only thing that comes to mind is to off load the switching of the LAN traffic to the switch (should be cheaper device). Is there another reason?

    malcmail - Regarding your follow-up questions. Are you pinging an IP address or a hostname? If you are pinging a hostname, try an IP address (e.g. 8.8.8.8). You might not have DNS.



  • weehooey - no problem. We've all done it. I tried pinging Google by number rather than name to check if it was DNS but no joy sadly.

    So checking again I can ping the wireless AP from the client device but not the opt1 interface at 192.168.10.1. But the device has an IP address in the right subnet - and that is only being handled by pfsense as there is no DHCP on the wireless AP. I thought I was confused before!!



  • Just checking here …
    Are you aware of the fact that the LAN interface is "delivered" with a default pass-all rule ?!
    And that all other interfaces you activate afterwards (OPT1, OPT2, etc) have NO firewall rules, so NOTHING gets in - like DHCP requests ?!?

    In other words: what are your firewall rules for OPT1?



  • Yup. Spotted that one. So on Opt1 I have copied the LAN rules (changing the interface of course). Hopefully the attached shows enough of the rules to highlight any likely errors.

    ![OPT1 firewall rules.JPG](/public/imported_attachments/1/OPT1 firewall rules.JPG)



  • @malcmail:

    Yup. Spotted that one. So on Opt1 I have copied the LAN rules (changing the interface of course). Hopefully the attached shows enough of the rules to highlight any likely errors.

    Your image shows the OPT1 firewall rules?
    "LAN Net" is NOT "OPT1 Net".
    Can you show the OPT1 firewall rules ? (because we are talking OPT1 setup, not LAN setup).



  • And there we have it. The bonehead move that I inevitably made. Duh! Thanks very much for your help there.



  • @weehooey:

    had he wanted to just add wireless, why is it better to use a switch than to use Opt1?

    A router interface is in no way a substitution for a switchport.
    With a software based router each packet has to go all the way down to the kernel and back up to the interface again. Compare that to a switch where packet-pushing is handled in hardware within its chipset.



  • And for blocking WLAN to LAN create a rule to block From: Opt1 Net To: LAN Net above any allow rule.



  • Thanking you Sir. I presume that still allows the LAN clients to access anything on OPT1?

    If I want to open one item (a printer) to OPT1 users I presume I can set up an allow rule before the deny rule to allow OPT1 net to access 192.168.1.{printer} (clearly with a number instead).

    And then it is on to traffic shaping :) And maybe captive portal just for a laugh frankly ;)



  • @malcmail:

    I presume that still allows the LAN clients to access anything on OPT1?

    Sure, you always filter what is coming IN on a specific interface.
    What's coming from your LAN is OUT on Opt1 interface. If you wanted to filter that it would be on the LAN rules tab.

    @malcmail:

    If I want to open one item (a printer) to OPT1 users I presume I can set up an allow rule before the deny rule to allow OPT1 net to access 192.168.1.{printer} (clearly with a number instead).

    Exactly.
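As an added illustration of the three points the thread settles on (rules are evaluated top-down with first match winning, so the block to LAN Net sits above the pass-any rule; a printer exception goes above that block; and a rule copied from the LAN tab with source "LAN Net" matches nothing on OPT1, leaving only the default deny), here is a small first-match evaluator. It is example code written for this page, not pfSense's own filter or any pfSense API; the subnets follow the thread (LAN 192.168.1.0/24, OPT1 192.168.10.0/24) and the printer address 192.168.1.50 is a constructed placeholder.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network

# Addressing from the thread; the printer host is a constructed placeholder.
LAN_NET = ip_network("192.168.1.0/24")
OPT1_NET = ip_network("192.168.10.0/24")
ANY = ip_network("0.0.0.0/0")
PRINTER = ip_network("192.168.1.50/32")  # hypothetical printer on the LAN


@dataclass(frozen=True)
class Rule:
    action: str          # "pass" or "block"
    src: IPv4Network     # source network ("OPT1 Net", "LAN Net", any)
    dst: IPv4Network     # destination network
    note: str = ""


def evaluate(rules, src_ip, dst_ip):
    """Top-down, first-match evaluation of one interface's rules tab.

    Only the rules on the tab of the interface where traffic *enters* are
    consulted, which is why WiFi-to-LAN traffic is filtered on the OPT1 tab.
    Traffic matching no rule falls through to the implicit default deny.
    """
    s, d = ip_address(src_ip), ip_address(dst_ip)
    for rule in rules:
        if s in rule.src and d in rule.dst:
            return rule.action, rule.note
    return "block", "implicit default deny"


# The ordering the thread arrives at for the OPT1 tab.
CORRECT_OPT1_RULES = [
    Rule("pass", OPT1_NET, PRINTER, "printer exception, placed above the block"),
    Rule("block", OPT1_NET, LAN_NET, "isolate WiFi clients from the LAN"),
    Rule("pass", OPT1_NET, ANY, "everything else: internet, DNS on pfSense"),
]

# Same rules with the block placed *below* the pass-any rule: the block never fires.
WRONG_ORDER_RULES = [
    Rule("pass", OPT1_NET, ANY, "pass-any first"),
    Rule("block", OPT1_NET, LAN_NET, "too late, never reached"),
]

# The mistake from the thread: LAN rules copied onto the OPT1 tab with the
# source still "LAN Net". Nothing arriving from 192.168.10.x can match it.
WRONG_SOURCE_RULES = [
    Rule("pass", LAN_NET, ANY, "copied from the LAN tab, source still LAN Net"),
]


def wifi_client_outcomes(rules, client="192.168.10.20"):
    """Return the action for a WiFi client talking to four representative targets."""
    targets = {
        "internet": "8.8.8.8",
        "lan_host": "192.168.1.10",
        "printer": "192.168.1.50",
        "pfsense_opt1": "192.168.10.1",
    }
    return {name: evaluate(rules, client, ip)[0] for name, ip in targets.items()}


if __name__ == "__main__":
    for label, rules in (("correct order", CORRECT_OPT1_RULES),
                         ("block below pass-any", WRONG_ORDER_RULES),
                         ("source = LAN Net", WRONG_SOURCE_RULES)):
        print(f"{label:22s} {wifi_client_outcomes(rules)}")
```

Running it shows the correct ordering passing internet, printer and the pfSense OPT1 address while blocking other LAN hosts; the reversed ordering passing the LAN host; and the "LAN Net" source rule blocking everything, including internet access, through the default deny, which is the symptom reported earlier in the thread.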