Netgate Discussion Forum

Create a guest network with VLAN tag 1003

Firewalling
36 Posts 5 Posters 4.2k Views
  • M
    Michel-angelo
    last edited by Oct 25, 2017, 4:36 PM (posted Oct 25, 2017, 4:31 PM)

    Hello. This is part of my learning process since my recent purchase of a SG-1000 firewall. Please be patient with me!

    At my home, as indicated on the attached schematic,

    1 - A Zyxel modem-router located in the basement creates a first LAN on the 192.168.0.1/24 address field, whose sole client is the SG-1000 pfSense firewall router.

    2 - An SG-1000 pfSense firewall router, also located in the basement, is connected to it. Its WAN address is currently 192.168.0.33 (it can change since it is obtained by DHCP from the Zyxel modem router). It delivers my Main Network on the 192.168.1.1/24 address field, on my home ethernet backbone. Its current configuration is the default configuration (which mainly blocks all [inbound] packets on the WAN side [except of course those that are replies to outbound requests] and allows all [outbound] packets on the LAN side). Among other devices, three wifi devices are connected to this ethernet backbone:

    2.1 A Time Capsule for computers' backups on the top floor, where the main computers are located;

    2.2 An Airport Extreme base station on the 1st floor which is a living area;

    2.3 An Airport Express base station on the ground floor which is where the TV set resides.

    All three wifi devices are configured the same and deliver (a roaming arrangement) the above Main Network under the name of "Internet de Bianca" (same password).

    Now, I want to add to my Main Network a second network reserved for guests (Guests Network). The Guest Network would distribute access to internet to guests but would provide no access whatsoever to any element of the Main Network (no access to connected computers, which includes no access to printer scanner, no access to configuration of wifi devices, no access to configuration of SG-1000 main router, no access to configuration of Zyxel external modem router). The Guest Network would be accessible on the home ethernet backbone.

    Since I have one and only one home ethernet backbone, I would like the Guest Network to be characterized by VLAN tagging, something I believe the pfSense router is able to do.

    To distribute the Guest Network to users, I would like to use a Guest wifi network, separate from Internet de Bianca. I would call it "Invites de Bianca" and both devices would use the same password for guests. Both devices (Airport Extreme and Airport Express) are capable of distributing a guest network as long as they are created by VLAN tagging using the VLAN tag 1003.

    I read that on Darko Krizic's techblog at <http://tech.krizic.net/2013/09/apple-airport-extreme-guest-mode-with.html> and I want to do the same.

    The SG-1000 pfSense router is presently configured with the default configuration with two interfaces only:

    WAN 192.168.0.33

    LAN 192.168.1.1

    I believe, based on Darko Krizic's blog, that I need to do the following:

    1 - Add a second assignable LAN interface by

    Interfaces > assignments > VLANs

    To create a third interface called INVITES 192.168.2.1

    Click + to add an interface. Then on the assignment window:

    Parent interface: Select the LAN interface

    VLAN tag: 1003

    VLAN priority: 7 (lowest possible priority)

    Description: LAN_Invites_de_Bianca

    Click: Save

    2 - Assign this second LAN interface to INVITES

    Interfaces > Interfaces assignment > Available network ports > Add

    The interface has been added; pfSense calls it OPT1 by default. I change the name to INVITES for guests

    The interfaces menu changes automagically:

    Interfaces / OPT1 => Interfaces / INVITES

    Click: Enable interface

    IPv4 configuration type: Static IPv4

    IPv6 configuration type: None

    IPv4 Address 192.168.2.1 / 24

    I call the main network 192.168.1.1 / 24

    I call the guest network 192.168.2.1 / 24

    IPv4 upstream gateway: None (because this is a local area network)

    Click: Save

    Apply changes

    3 - Create the new DHCP server that the INVITES network needs

    Services > DHCP server > INVITES

    Enable DHCP server on INVITES interface

    Range: from 192.168.2.100 to 192.168.2.199

    Click Save

    4 - Have a look at rules on the LAN interface (that is to be able to copy them)

    Firewall > Rules > LAN

    First rule is anti-lockout rule

    Second rule for IPv4

    Action : Pass

    Interface: LAN

    Address family: IPv4

    Protocol: Any

    Source: LAN net

    Destination: Any

    Third rule for IPv6

    Action : Pass

    Interface: LAN

    Address family: IPv6

    Protocol: Any

    Source: LAN net

    Destination: Any

    5 - Add to the INVITES interface a rule similar to the default LAN rule, to allow access to the internet, at least in the IPv4 address family (addressing IPv6 could be another layer of complexity)

    Firewall > Rules > INVITES

    One and only one rule:

    Action: Pass

    Interface: INVITES

    Address family: IPv4

    Protocol: Any

    Source: INVITES net

    Destination: Any

    Save

    Apply

    6 - Backup configuration

    7 - Test

    It continues to work on its original LAN Internet de Bianca

    I then configured the Airport Extreme and the Airport Express as bridges and added the guest network.

    I tried it on the guest network "Invites de Bianca". IT WORKED !!! (thanks to Darko Krizic)

    Now, here is what my tests report:

    When I connect my mac to the guest network Invites de Bianca, I can access:

    The internet at large (so it appears);
    The configuration interface of my SG-1000 pfSense router;
    The configuration interface of my Zyxel modem router;

    But I do not find access (according to my attempts) to:
    My printer, my scanner (located on the main network);
    The configuration interfaces of my Apple wifi devices;
    Other computers on my network.

    Can anyone explain (this is a learning experiment) the following:

    1 - My unique rule on the new INVITES interface states (among others): "Protocol: Any; Source: INVITES net; Destination: Any". I believed "destination: Any" would allow packets originating on the INVITES side (INVITES net) to go to my main network and to any of its guests (such as my printer). Why is my belief wrong?

    2 - I thought I would need two rules on my INVITES interface: The last rule would block any and all traffic originating from INVITES; the first rule would specifically allow any and all traffic originating from INVITES to the interface that is the internet connection (the WAN interface). Why is it that I do not seem to need to create the block-all last rule on the INVITES interface?

    3 - I wanted to block access to the SG-1000 pfSense firewall router interface. How can I do that?

    4 - I wanted to block access to the Zyxel modem router interface. How can I do that?

    Many thanks in advance.

    ![2017-10-24 Home network.jpg](/public/imported_attachments/1/2017-10-24 Home network.jpg)

    • M
      Michel-angelo
      last edited by Oct 26, 2017, 1:03 PM

      Hello. No replies so far. I tried, without certainty, the part that looked more secure: to reply to my questions 1 and 2

      Q1 - "My unique rule on the new INVITES interface states (among others): "Protocol: Any; Source: INVITES net; Destination: Any". I believed "destination: Any" would allow packets originating on the INVITES side (INVITES net) to go to my main network and to any of its guests (such as my printer). Why is my belief wrong ?"

      I performed additional tests. They indicated that my belief is true: "destination: any;" is too wide. To carve out of it the LAN destinations, I changed the rule on the INVITES interface by specifying that this "Allow" rule is exclusive of packets to my internet gateway, as Darko Krizic had specified in his post. This time, the new rule seems to work.

      Before, I could no longer access the printer with "Bonjour" but I had not realised that I could access it by its IP address (a fixed address 192.168.1.10). After, even at its IP address, I cannot access the printer.

      To allow access to the printer, I subsequently added a first "Allow" rule, using its IP address as destination. Then I could access the printer using its IP address, but still not benefitting from the comfort of "Bonjour".

      Q2 - "I thought I would need two rules on my INVITES interface: The last rule would block any and all traffic originating from INVITES; the first rule would specifically allow any and all traffic originating from INVITES to the interface that is the internet connection (the WAN interface). Why is it that I do not seem to create the block-all last rule on the INVITES interface ?"

      I created this "Block" rule as rule #3 in INVITES. I then tested it. This rule does not seem to be needed. It seems it is implicit in pfSense.

      The three rules (third one, apparently useless, not active) are in the photo below.

      Can anyone confirm ?

      Questions 3 and 4 remain mysterious and dangerous to me, mainly #3 as I need to use the console to reset the SG-1000 firewall to default in case a disaster occurs.

      3 - I wanted to block access to the SG-1000 pfSense firewall router interface. How can I do that ?

      4 - I wanted to block access to the Zyxel modem router interface. How can I do that ?

      Any help will be appreciated. Many thanks in advance.

      ![Rules > INVITES.jpg](/public/imported_attachments/1/Rules > INVITES.jpg)

      • johnpozJ
        johnpoz LAYER 8 Global Moderator
        last edited by Oct 29, 2017, 8:54 AM

        2 - because all interfaces have a default deny rule.. If a rule does not trigger that either allows or blocks the traffic then the default is deny.  So unless you want to do something specific with a block rule on the end, like only log syn traffic or something, as you have turned off logging of the default rule.  No that is not needed.

        3 - with a rule, either block it to the specific interface you're concerned with.  Or use the built-in alias "this firewall" which is all IPs on the firewall, wan, lan, opt, etc.

        4 - Same thing with a rule to its IP.

        BTW your rule forces traffic out your wan gateway.  Keep in mind that if that gateway is down that rule is created minus the gateway so it would then become an any any rule..  And traffic from your invites to your whole lan would be allowed..  You need to check this box in advanced, misc..

        If possible I would refrain from creating rules that prevent the traffic you're trying to stop via forcing out a gateway that you believe does not have access to that network.  Better to block it directly or create a rule that does not allow it via ! (not rule) and allows out vs forcing out a gateway that shouldn't have access..  For all you know the downstream network could send them back to the network you're trying to stop access to, etc.

        ruleswhengatedown.png

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        • M
          Michel-angelo
          last edited by Oct 29, 2017, 4:41 PM

          Thanks johnpoz, this is immensely useful.

          2 - OK. Thanks a lot. It helps to know this deny all rule is there by default.

          3 - I created a rule "Block packets to all IPs on the firewall, wan, lan, opt, etc. (this SG-1000)". I tried it, it seems to work. Access is allowed when I am on the LAN and access seems denied when I am on the INVITES network.

          4 - I created a rule "Block packets to IP 192.168.0.1 (the Zyxel modem-router)". Similarly, I tried it and it seems to work.

          Then on System / Advanced Miscellaneous

          Gateway monitoring: I have ticked "Skip rules when gateway is down"

          If I understand your two last suggestions well,

          I would create either one of the two following additional rules on INVITES gateway (created for the photo below but not active yet):

          Either: as a first rule "Block all packets from INVITES to LAN" (not active)

          Or as a last rule "And allow all INVITES' packets except to LAN addresses" (not active).

          More precisely, I would create either one of these two rules and remove the rule "And allow INVITES to internet gateway only" and remove the "Skip rules when gateway is down" instruction.

          I am writing this with the pfSense definitive guide (the book) open in front of me and I do not even find there (nor in the pfsense Book on the web) the definitions of the default aliases (like This Firewall, LAN net, INVITES net).

          Is my understanding correct ? TIA

          ![Rules > INVITES v2017-10-29.png](/public/imported_attachments/1/Rules > INVITES v2017-10-29.png)

          • M
            Michel-angelo
            last edited by Nov 3, 2017, 3:19 PM

            Hello, johnpoz. I had not tested enough. With my new ruleset, the INVITES (guests) were denied access to the internet. By trial and error, I found the culprit: "Block packets to this Firewall (all IPs on the firewall, wan, lan, opt, etc.) (this SG-1000)"

            I replaced it by

            Block packets to IP 192.168.1.1 (this SG-1000)

            There it works. So the second option of your suggestion ("either block it to the specific interface you're concerned with; or use the built-in alias "this firewall" which is all IPs on the firewall, wan, lan, opt, etc."), instead of blocking access to IP 192.168.1.1 (the SG-1000 web interface), was apparently too broad. It blocked internet access.

            I attach a picture of the current ruleset I now use.

            TIA for any comment.

            ![Rules > INVITES v2017-11-03.png](/public/imported_attachments/1/Rules > INVITES v2017-11-03.png)

            • johnpozJ
              johnpoz LAYER 8 Global Moderator
              last edited by Nov 3, 2017, 3:26 PM

              You need to allow these clients to talk to the services you want on the pfsense invite address.  Like dns, ping.. Then use the block this firewall..

              You're blocking access to the lan address of pfsense.  But they can hit the gui on the invite IP, or the Wan IP or any other IP that is not lan.. Say you bring up another vlan, etc.

              Just walk down your rules top down, stop when you get a rule that triggers..  Walk through what you want to allow or block..

              • M
                Michel-angelo
                last edited by Nov 4, 2017, 1:07 PM

                OK, so my rule "block packets to IP 192.168.1.1" is too narrow. I need (1) to block all packets to This Firewall and (2) allow by a higher level rule internet access, which is the services that I want to allow to pfsense INVITES. I tried many things, which all failed.

                I looked in the printed book "pfSense the definitive guide" and in "The pfSense book" which I had downloaded last week in epub format to my iPad. I found no mention on how to allow INVITES clients (INVITES IPs) to talk to the services I want.  Like dns, ping..

                The rule "Allow to WAN net" defeated my blocking rule "block packets to This firewall" and allowed access to the firewall web interface.

                On the opposite, "Allow packets to all TCP/UDP" does not suffice to give internet access.

                I am currently short on ideas. I need to get away from the computer, move back to simpler bicycle life and will try again tomorrow. Thanks, johnpoz, for your kind help. I guess I have a slow brain, which translates into cerveau lent in french, a pun (cerf volant).

                • johnpozJ
                  johnpoz LAYER 8 Global Moderator
                  last edited by Nov 4, 2017, 1:29 PM (posted Nov 4, 2017, 1:19 PM)

                  Post up your current rules, and what you would like your clients to be able to do and not do, and I will post a screenshot of how to accomplish it and we can discuss why and how it works, etc.

                  Maybe this will help?

                  This is my dmz vlan.. So it's locked from talking to any of my other networks.

                  So I allow ping to ipv4, v6 to pfsense IP address on this vlan
                  I allow this vlan to hit pfsense dns on either ipv4,v6 to the pfsense IP address in this vlan.
                  I then block any other access to any other IP address of pfsense, be it dmz, lan, wlan or even the wan IP, etc.  That is what the this firewall alias is, it's a list of all IPs on the firewall.
                  I then allow traffic anywhere as long as not any of my networks, which are all rfc1918 space.  Create alias that lists the rfc1918 networks, use ! (not) on this dest.. So as long as it's some public IP it's allowed.
                  Same goes for my local IPv6 space, that is made up of /64 from my /48 from HE, etc.

                  Does that help?  Happy to discuss.

                  examplerules_dmz.png

                  • M
                    Michel-angelo
                    last edited by Nov 5, 2017, 4:15 PM

                    Thank you for the reply. That does help enormously. This is also quite above my level of understanding, so: (1) thank you very much for your consideration on this, (2) I will, with regards so far only to IPv4 (IPv6 will be mañana for me), do my homework and try to understand (2.1) why allowing ping may be important for IPv4 clients on the INVITES network, (2.2) why allowing DNS to pfSense may be useful to IPv4 clients (in my config, DNS is mainly provided by the PPPoE server of my ISP so I would anticipate that it would flow through gracefully). I will try to understand first instead of copying the rules. I intend to reply tomorrow and will (3) post then my current rules, without changing them until then. All that after allowing time to my bicycle club.  :D Thanks and sorry for the delay.

                    • johnpozJ
                      johnpoz LAYER 8 Global Moderator
                      last edited by Nov 5, 2017, 5:46 PM

                      No delay ;)  I am not going anywhere.. Been here over 10 years.. More than likely be here for at least a few more days ;) hehehe

                      Take your time and happy to walk through any rules you don't quite understand.

                      When it clicks you will kick yourself as to how simple it is..  But a basic understanding of ports and IP and such is a huge plus that is for sure ;)

                      Rules are evaluated as the traffic enters the interface towards pfsense from the network pfsense is attached to.. Clients sending traffic to internet or trying to get off the lan will send it inbound into the pfsense lan interface.  So just walk down the rules from the top.. Does the traffic match that rule - if so it's triggered and no others are evaluated, be it allows the traffic or blocks it.

                      If it doesn't match that rule, then it moves to the next rule from the top down.. Until it finds a rule that matches the traffic, or doesn't if it gets to the end and no rules match then it would be denied by the default deny rule.

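The top-down, first-match evaluation johnpoz describes, applied to the INVITES ruleset this thread converges on (allow DNS and ping to the INVITES address, block the rest of This Firewall, allow only destinations outside RFC1918 space), as an added Python model; this is not pfSense code. The addresses are the thread's own (192.168.0.33 WAN, 192.168.1.1 LAN, 192.168.2.1 INVITES, 192.168.1.10 printer, 192.168.0.1 Zyxel); the guest client 192.168.2.150 and the public address 203.0.113.10 are constructed test values, and the earlier "block only 192.168.1.1" ruleset is kept to show why it leaves the GUI reachable on the other firewall addresses.

```python
# Added model of pfSense-style rule evaluation on the INVITES interface.
# Not pfSense code: it reproduces the semantics described in the thread
# (rules evaluated top down as traffic enters the interface, first match
# wins, implicit default deny) so the rulesets discussed can be compared.
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple


def nets(*cidrs: str) -> List[IPv4Network]:
    return [ip_network(c) for c in cidrs]


# Aliases, expanded the way pfSense would. Addresses are the thread's own.
INVITES_NET = nets("192.168.2.0/24")
INVITES_ADDR = nets("192.168.2.1/32")
LAN_ADDR = nets("192.168.1.1/32")
# "This Firewall" = every address the firewall holds: WAN, LAN and INVITES.
THIS_FIREWALL = nets("192.168.0.33/32", "192.168.1.1/32", "192.168.2.1/32")
RFC1918 = nets("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
ANY = nets("0.0.0.0/0")


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                  # "tcp", "udp" or "icmp"
    dport: Optional[int] = None


@dataclass
class Rule:
    action: str                 # "pass" or "block"
    description: str
    src: List[IPv4Network]
    dst: List[IPv4Network]
    protos: Optional[Tuple[str, ...]] = None   # None = any protocol
    dport: Optional[int] = None                # None = any port
    dst_not: bool = False       # the "!" (not) checkbox on Destination

    def matches(self, p: Packet) -> bool:
        if self.protos is not None and p.proto not in self.protos:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        if not any(ip_address(p.src) in n for n in self.src):
            return False
        in_dst = any(ip_address(p.dst) in n for n in self.dst)
        return in_dst != self.dst_not      # "!" inverts the destination test


def evaluate(rules: List[Rule], p: Packet) -> Tuple[str, str]:
    """Walk the rules top down; the first match decides.
    Falling off the end hits pfSense's implicit default deny."""
    for r in rules:
        if r.matches(p):
            return (r.action, r.description)
    return ("block", "default deny")


# Ruleset in the shape of johnpoz's DMZ example, applied to INVITES.
INVITES_RULES = [
    Rule("pass", "DNS to pfSense on the INVITES address",
         INVITES_NET, INVITES_ADDR, protos=("tcp", "udp"), dport=53),
    Rule("pass", "ping to pfSense on the INVITES address",
         INVITES_NET, INVITES_ADDR, protos=("icmp",)),
    Rule("block", "anything else to This Firewall",
         INVITES_NET, THIS_FIREWALL),
    Rule("pass", "anything that is not RFC1918 space",
         INVITES_NET, RFC1918, dst_not=True),
]

# The earlier attempt from the thread: block only the LAN address, then
# allow everything. Kept to show why it is too narrow.
NARROW_RULES = [
    Rule("block", "packets to IP 192.168.1.1 (this SG-1000)", INVITES_NET, LAN_ADDR),
    Rule("pass", "INVITES net to any", INVITES_NET, ANY),
]

GUEST = "192.168.2.150"   # constructed guest client address

if __name__ == "__main__":
    samples = [
        Packet(GUEST, "203.0.113.10", "tcp", 443),    # a public web server
        Packet(GUEST, "192.168.2.1", "udp", 53),      # DNS on the INVITES address
        Packet(GUEST, "192.168.2.1", "tcp", 443),     # GUI on the INVITES address
        Packet(GUEST, "192.168.1.1", "tcp", 443),     # GUI on the LAN address
        Packet(GUEST, "192.168.0.33", "tcp", 443),    # GUI on the WAN address
        Packet(GUEST, "192.168.1.10", "tcp", 9100),   # printer on the main network
        Packet(GUEST, "192.168.0.1", "tcp", 80),      # Zyxel modem-router
    ]
    for name, rules in (("INVITES_RULES", INVITES_RULES), ("NARROW_RULES", NARROW_RULES)):
        print(name)
        for s in samples:
            print(f"  {s.dst}:{s.dport} {s.proto} -> {evaluate(rules, s)}")
```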
                      • M
                        Michel-angelo
                        last edited by Nov 6, 2017, 9:35 AM

                        Thanks johnpoz. I wanted to do my homework on PING and DNS and post my existing rules before anything else, so here it goes:

                        2.1 PING. I never use ping so did not know why allowing ping to INVITES would be useful to them to permit their internet access. The PFSense docs state in Connectivity Troubleshooting "Check that the LAN (INVITES) rule allows all protocols, or at least TCP and UDP ports for reaching DNS and HTTP/HTTPS and allow ICMP for testing […]". This does not seem to say why PING is needed to INVITES (for testing?). So I searched again, and on security.stackexchange at "Is there any risk in allowing PING packets out through a firewall?", the subsequent discussion seems to state PING is a comfort rather than a MUST and that (at a high cost to their convenience) denying PING to INVITES would remove the security risk caused by allowing ICMP echo reply back in. So PING does not seem to be mandatory for my INVITES.

                        2.2 DNS servers. There I am more confused. I edited my earlier post. My setup is as standard pfSense as possible and, accordingly, the SG-1000 connects via DHCP to the Zyxel modem router which receives DNS info from my ISP. So, in my control panel, DNS Server addresses are 127.0.0.1 (originated from the SG-1000 setup), 192.168.0.1 (the Zyxel modem router) 8.8.8.8 and 8.8.4.4 added in by the SG-1000. No mention even of the 80.10.246.130 DNS server provided by my ISP to the Zyxel modem router. So I may need to copy your rule "Allow DNS to PFSense".

                        (3) My rules are attached, unchanged so far (5 of them are grayed out, only 4 are active). As they are, they allow internet access to INVITES. What would block them would be my use of my rule "Block packets to This firewall". I will experiment on (1) an allow rule on top allowing access to port 53 (DNS) similar to your rule on your DMZ and (2) an allow rule on top to allow HTTP traffic through the HTTP port (I have the list of ports somewhere), just to see whether or not HTTP requires it (a test which can't do harm) and report back here. Thanks.

                        ![Rules > INVITES v2017-11-03.png](/public/imported_attachments/1/Rules > INVITES v2017-11-03.png)

                        • johnpozJ
                          johnpoz LAYER 8 Global Moderator
                          last edited by Nov 6, 2017, 10:16 AM

                          2.1.  You never use ping?  Wow… I use it multiple times a day every single day... It is just a basic connectivity check.. Something doesn't work, can you ping it..

                          Ie if wireless is not working and you show it connected, can you even ping the gateway.. First thing to check when something doesn't work is can you ping it or your gateway, etc.  But if you do not think you use it or need it then no you don't need to allow it.

                          2.2  Out of the box pfsense running dhcp will hand its OWN ip on that interface as your dns server, it will then resolve.. Not forward.. So what you set in dns under general is pointless unless you're forwarding..  Or you want pfsense to use something else for dns if its own resolver is down. Ie the 127.0.0.1 entry.

                          What are your clients pointing to for dns?  Simple ipconfig /all on them will show you where they point for dns.. Or simple nslookup www.google.com will tell you if you can resolve and what you're using for dns..

                          • M
                            Michel-angelo
                            last edited by Nov 6, 2017, 11:15 AM

                            Now I can reply to your two posts. "A basic understanding of ports and IP and such is a huge plus that is for sure ;)" YES indeed, that is a huge requirement. The French forum provides a link to a great tutorial (<http://irp.nain-t.net/doku.php>). I need to spend more time there.

                            Yes, I got the logic of rules ordering, which means a huge difference from what I am used to from Apple devices, like the preset guest network set of rules on Airport routers which just work like magic.

                            PING ? I need to learn how to use it. This never crossed my head.

                            DNS. "So what you set in dns under general is pointless unless you're forwarding..  Or you want pfsense to use something else for dns if its own resolver is down. Ie the 127.0.0.1 entry." OK. I will not experiment on forwarding. I experimented as planned on an allow rule on top allowing access to port 53 (DNS) similar to your rule on your DMZ. It did its magic and everything immediately worked just like magic. No need for an HTTP allow rule and the series of equivalent rules… I will check on the tutorial above to better understand why my INVITES, who are expected to know nothing about DNS, need to be allowed to send packets to 192.168.2.1 (their router address) on port 53 for internet and mail to work for them.

                            I did some clean-up job on my rules. Here they are (5 active rules). They work fine and I understand they should be protective enough to allow me some rest and prepare for my next endeavour which will be the implementation of a crude form of traffic shaping to prevent the IP clients downloading stuff from appropriating all bandwidth away from my wife's web browsing. This will be for next month. Thanks johnpoz, thanks a lot. I would never have managed that alone (even with tons of books).  ;D ;D ;D

                            ![Rules > INVITES V2017-11-06.png](/public/imported_attachments/1/Rules > INVITES V2017-11-06.png)

                            • wgstarksW
                              wgstarks
                              last edited by Dec 31, 2017, 12:12 AM

                              I’m attempting to get my guest network set up on my Airport Extremes and this thread has been very helpful but a couple of things I’m not sure about.

                              I’m using a Netgear GS724Tv2 switch to create the vlans MAIN_VLAN10 (pvid10) for all my desktops, printers and servers and WIFI_VLAN20 (pvid20) for the Airports. If I’m understanding correctly the Airports will tag guest traffic with 1003? I just need to set a VLAN20 on my firewall for my smart phones and laptops with rules to allow proper access to VLAN10 and internet? Set a VLAN1003 on my firewall with rules to allow access only to internet?

                              Still a little foggy on how pfSense matches the tags? Do I need special firewall rules to separate VLAN20 traffic from vlan1003 traffic?

                              BTW- It’s a router-on-a-stick configuration. Switch connected to pfSense connected to single WAN.

                              Box: SG-4200

                              • JKnottJ
                                JKnott
                                last edited by Dec 31, 2017, 3:38 AM

                                Why are you creating a VLAN for desktops etc.?  Normally, those don't need a VLAN, so you'd have to set up access ports on VLAN 10.  Also, each VLAN in pfSense appears as a separate logical interface, which you'd use as any other interface.  The rules etc., will depend on what you want to do.

                                PfSense running on Qotom mini PC
                                i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
                                UniFi AC-Lite access point

                                I haven't lost my mind. It's around here...somewhere...

                                • wgstarksW
                                  wgstarks
                                  last edited by Dec 31, 2017, 4:27 AM

                                  @JKnott:

                                  Why are you creating a VLAN for desktops etc.?  Normally, those don't need a VLAN, so you'd have to set up access ports on VLAN 10.  Also, each VLAN in pfSense appears as a separate logical interface, which you'd use as any other interface.  The rules etc., will depend on what you want to do.

                                  When I set those vlans up I was using a guide that I modified slightly to meet my needs. That’s all up and running except for the guest WiFi. I’m just not sure what I need to do to get pfSense to read the tags. Is this done in the background or do I need to configure a rule to match the packets with the 1003 tag to my guest network?

                                  Box: SG-4200

                                  • DerelictD
                                    Derelict LAYER 8 Netgate
                                    last edited by Dec 31, 2017, 7:19 AM

                                    Create a VLAN 1003 on the physical interface to your switch (using eth0 below as an example).

                                    Assign an interface to that VLAN 1003 on eth0 interface.

                                    Create appropriate firewall rules, DHCP services, etc on that interface.

                                    Everything transmitted by that interface will be tagged with 1003. Everything arriving tagged 1003 will be processed by that interface.

                                    Chattanooga, Tennessee, USA
                                    A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                                    DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                                    Do Not Chat For Help! NO_WAN_EGRESS(TM)

• Michel-angelo
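Added example, not code from the forum post or from pfSense itself: a small Python model of the behaviour Derelict describes, in which a VLAN 1003 sub-interface on a parent port tags everything it transmits with VID 1003 and receives only frames that arrive tagged 1003, while the untagged parent keeps the native traffic. The MAC addresses, the IPv4 stub payload and the parent-port class are constructed for illustration; the 802.1Q layout (TPID 0x8100 followed by a 16-bit TCI whose low 12 bits are the VID) is the real wire format.

```python
"""802.1Q tag / demux model (added example, not from the thread or pfSense).

Shows why pfSense needs a VLAN 1003 interface on the port facing the switch
and the AirPorts: the parent port demultiplexes incoming frames on their VID,
and the VLAN interface adds the tag on the way out.
"""
import struct

TPID_8021Q = 0x8100          # EtherType that announces an 802.1Q tag
GUEST_VID = 1003             # VID the thread's AirPort guest network uses
ETHERTYPE_IPV4 = 0x0800


def ethernet_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Build an untagged Ethernet II frame: dst(6) src(6) type(2) payload."""
    return dst + src + struct.pack("!H", ethertype) + payload


def tag_frame(frame: bytes, vid: int, pcp: int = 0, dei: int = 0) -> bytes:
    """Insert an 802.1Q tag after the two MAC addresses of an untagged frame."""
    if not 1 <= vid <= 4094:             # 0 and 4095 are reserved by 802.1Q
        raise ValueError(f"VID {vid} outside 1..4094")
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    tci = (pcp << 13) | (dei << 12) | vid  # PCP(3) DEI(1) VID(12)
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def parse_tag(frame: bytes):
    """Return (vid, untagged_frame) for a tagged frame, or (None, frame)."""
    if len(frame) >= 18 and struct.unpack("!H", frame[12:14])[0] == TPID_8021Q:
        tci = struct.unpack("!H", frame[14:16])[0]
        # Only the outermost tag is stripped; an inner tag (QinQ) stays in
        # the payload and shows up as the next EtherType.
        return tci & 0x0FFF, frame[:12] + frame[16:]
    return None, frame


class ParentPort:
    """A physical port with one native (untagged) interface plus VLAN sub-interfaces.

    Hypothetical class standing in for pfSense's parent NIC and its VLAN
    interfaces; it is not a pfSense API.
    """

    def __init__(self):
        self.native = []          # frames delivered to the untagged parent
        self.vlan_ifaces = {}     # vid -> frames delivered to that VLAN interface

    def add_vlan(self, vid: int) -> None:
        """Equivalent of creating VLAN <vid> on the parent and assigning it."""
        self.vlan_ifaces[vid] = []

    def receive(self, wire_frame: bytes) -> str:
        """Demux an arriving frame; returns which interface (if any) got it."""
        vid, payload = parse_tag(wire_frame)
        if vid is None:
            self.native.append(payload)
            return "native"
        if vid in self.vlan_ifaces:
            self.vlan_ifaces[vid].append(payload)
            return f"vlan{vid}"
        # A tag for a VLAN with no interface is dropped, never folded into
        # the native interface; that is what keeps guest frames out of LAN.
        return "dropped"

    def transmit(self, vid, frame: bytes) -> bytes:
        """What goes on the wire when an interface sends: tagged iff it is a VLAN."""
        if vid is None:
            return frame
        if vid not in self.vlan_ifaces:
            raise KeyError(f"no interface on VLAN {vid}")
        return tag_frame(frame, vid)


def demo() -> dict:
    """Walk one guest frame and one LAN frame through a port with VLAN 1003."""
    port = ParentPort()
    port.add_vlan(GUEST_VID)
    # Constructed sample: broadcast from a made-up guest client, IPv4 stub payload.
    lan_frame = ethernet_frame(bytes.fromhex("ffffffffffff"),
                               bytes.fromhex("0a0000000001"),
                               ETHERTYPE_IPV4, b"\x45" + b"\x00" * 19)
    guest_on_wire = tag_frame(lan_frame, GUEST_VID)
    return {
        "guest_in": port.receive(guest_on_wire),        # -> "vlan1003"
        "lan_in": port.receive(lan_frame),              # -> "native"
        "unknown_vid_in": port.receive(tag_frame(lan_frame, 20)),  # -> "dropped"
        "guest_out_tagged": port.transmit(GUEST_VID, lan_frame) == guest_on_wire,
        "tag_bytes": guest_on_wire[12:16].hex(),        # -> "810003eb"
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point for the thread: whichever device adds the 1003 tag, pfSense only sees that traffic once an interface exists on VLAN 1003 of the parent NIC; without it, tagged frames fall into the "dropped" path above rather than into LAN, so a missing VLAN interface looks like "guest WiFi gets no DHCP" and not like a leak.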
                                      last edited by Dec 31, 2017, 10:23 AM

                                      @wgstarks:

                                      I’m attempting to get my guest network setup on my Airport Extremes and this thread has been very helpful but a couple of things I’m not sure about.

                                      I’m using a Netgear GS724Tv2 switch to create the vlans MAIN_VLAN10 (pvid10) for all my desktops, printers and servers and WIFI_VLAN20 (pvid20) for the Airports. If I’m understanding correctly the Airports will tag guest traffic with 1003?

I will just clarify the Airport Extreme (or Express, or Time Capsule) side.
When used as a router, an Airport Extreme (and the other new Airport base stations) will be able to create a guest network by VLAN tagging, assigning the VLAN tag 1003 to packets going to the guest network (ethernet or wireless).
When used as a simple wifi access point, an Airport Extreme base station will recognise packets VLAN tagged 1003 and be able to send them to the wireless guest network.
Given that your Airport base stations are wifi access points and not routers, none of them will do the VLAN tagging. But they will need it. You need to do it on your guest interface in the pfSense router. pfSense > Interfaces > VlanAssignment > Vlans. I attach a copy of my setup. HTH

[attachment: pfSenseInterfacesVlanAssignmentVlans.png]

• wgstarks
                                        last edited by Dec 31, 2017, 1:05 PM

                                        @Derelict:

                                        Create a VLAN 1003 on the physical interface to your switch (using eth0 below as an example).

                                        Assign an interface to that VLAN 1003 on eth0 interface.

                                        Create appropriate firewall rules, DHCP services, etc on that interface.

                                        Everything transmitted by that interface will be tagged with 1003. Everything arriving tagged 1003 will be processed by that interface.

                                        Outstanding. That's what I thought. Just wanted to be sure.

                                        Box: SG-4200

• wgstarks
                                          last edited by Dec 31, 2017, 1:19 PM

                                          @Michel-angelo:

                                          Given that your airport base stations are wifi access points and not routers, none of them will do the Vlan tagging. But they will need it. You need to do it on your guest interface in the pfSense router.

This is all fairly new to me, but I don’t see how this could be? You are able to log in to the wifi guest network and also into the regular network that you have set up, right? The Airport must have some way to distinguish between the 2 different wifi networks. I would think that the Airport must be applying tags to all traffic entering the guest network via wifi. Of course there's always the chance that I'm completely wrong.  :D

                                          Box: SG-4200

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.