Create a guest network with VLAN tag 1003



  • Thanks johnpoz. I wanted to do my homework on PING and DNS and post my existing rules before anything else, so here it goes:

    2.1 PING. I never use ping so did not know why allowing ping to INVITES would be useful to them to permit their internet access. The pfSense docs state in Connectivity Troubleshooting "Check that the LAN (INVITES) rule allows all protocols, or at least TCP and UDP ports for reaching DNS and HTTP/HTTPS and allow ICMP for testing […]". This does not seem to say why PING is needed to INVITES (for testing?). So I searched again, and on security.stackexchange at "Is there any risk in allowing PING packets out through a firewall?", the subsequent discussion seems to state PING is a comfort rather than a *MUST and that (at a high cost to their convenience) denying PING to INVITES would remove the security risk caused by allowing ICMP echo reply back in. So PING does not seem to be mandatory for my INVITES.

    2.2 DNS servers. There I am more confused. I edited my earlier post. My setup is as standard pfSense as possible and, accordingly, the SG-1000 connects via DHCP to the Zyxel modem router which receives DNS info from my ISP. So, in my control panel, DNS Server addresses are 127.0.0.1 (originated from the SG-1000 setup), 192.168.0.1 (the Zyxel modem router), 8.8.8.8 and 8.8.4.4 added in by the SG-1000. No mention even of the 80.10.246.130 DNS server provided by my ISP to the Zyxel modem router. So I may need to copy your rule "Allow DNS to PFSense".

    (3) My rules are attached, unchanged so far (5 of them are grayed out, only 4 are active). As they are, they allow internet access to INVITES. What would block them would be my use of my rule "Block packets to This firewall". I will experiment on (1) an allow rule on top allowing access to port 53 (DNS) similar to your rule on your DMZ and (2) on an allow rule on top to allow HTTP traffic through the HTTP port (I have the list of ports somewhere), just to see whether or not HTTP requires it (a test which can't do harm) and report back here. Thanks.

    ![Rules > INVITES v2017-11-03.png](/public/imported_attachments/1/Rules > INVITES v2017-11-03.png)


  • LAYER 8 Global Moderator

    2.1.  You never use ping?  Wow… I use it multiple times a day every single day... It is just a basic connectivity check.. Something doesn't work, can you ping it..

    Ie if wireless is not working and you show it connected, can you even ping the gateway.. First thing to check when something doesn't work is can you ping it or your gateway, etc.  But if you do not think you use it or need it then no you don't need to allow it.

    2.2  Out of the box pfsense running dhcp will hand its OWN ip on that interface as your dns server, it will then resolve.. Not forward.. So what you set in dns under general is pointless unless you're forwarding..  Or you want pfsense to use something else for dns if its own resolver is down. Ie the 127.0.0.1 entry.

    What are your clients pointing to for dns?  Simple ipconfig /all on them will show you where they point for dns.. Or simple nslookup www.google.com will tell you if you can resolve and what you're using for dns..



  • Now I can reply to your two posts. A basic understanding of ports and IP and such is a huge plus that is for sure ;) YES indeed, that is a huge requirement. The French forum provides a link to a great tutorial (<http://irp.nain-t.net/doku.php>). I need to spend more time there.

    Yes, I got the logic of rules ordering, which means a huge difference from what I am used to from Apple devices, like the preset guest network set of rules on Airport routers which just work like magic.

    PING ? I need to learn how to use it. This never crossed my head.

    DNS.

    So what you set in dns under general is pointless unless your forwarding..  Or you want pfsense to use something else for dns if its own resolver is down. Ie the 127.0.0.1 entry.

    OK. I will not experiment on forwarding. I experimented as planned on an allow rule on top allowing access to port 53 (DNS) similar to your rule on your DMZ. It did its magic and everything immediately worked just like magic. No need for HTTP allow rule and the series of equivalent rules… I will check on the tutorial above to better understand why my INVITES, who are expected to know nothing about DNS, need to be allowed to send packets to 192.168.2.1 (their router address) on port 53 for internet and mail to work for them.

    I did some clean-up job on my rules. Here they are (5 active rules). They work fine and I understand they should be protective enough to allow me some rest and prepare for my next endeavour which will be the implementation of a crude form of traffic shaping to prevent the IP clients downloading stuff from appropriating all bandwidth away from my wife's web browsing. This will be for next month. Thanks johnpoz, thanks a lot. I would never have managed that alone (even with tons of books).  ;D ;D ;D

    ![Rules > INVITES V2017-11-06.png](/public/imported_attachments/1/Rules > INVITES V2017-11-06.png)



  • I’m attempting to get my guest network setup on my Airport Extremes and this thread has been very helpful but a couple of things I’m not sure about.

    I’m using a Netgear GS724Tv2 switch to create the vlans MAIN_VLAN10 (pvid10) for all my desktops, printers and servers and WIFI_VLAN20 (pvid20) for the Airports. If I’m understanding correctly the Airports will tag guest traffic with 1003? I just need to set a VLAN20 on my firewall for my smart phones and laptops with rules to allow proper access to VLAN10 and internet? Set a VLAN1003 on my firewall with rules to allow access only to internet?

    Still a little foggy on how pfSense matches the tags? Do I need special firewall rules to separate VLAN20 traffic from vlan1003 traffic?

    BTW- It’s a router-on-a-stick configuration. Switch connected to pfSense connected to single WAN.



  • Why are you creating a VLAN for desktops etc.?  Normally, those don't need a VLAN, so you'd have to set up access ports on VLAN 10.  Also, each VLAN in pfSense appears as a separate logical interface, which you'd use as any other interface.  The rules etc., will depend on what you want to do.



  • @JKnott:

    Why are you creating a VLAN for desktops etc.?  Normally, those don't need a VLAN, so you'd have to set up access ports on VLAN 10.  Also, each VLAN in pfSense appears as a separate logical interface, which you'd use as any other interface.  The rules etc., will depend on what you want to do.

    When I set those vlans up I was using a guide that I modified slightly to meet my needs. That’s all up and running except for the guest WiFi. I’m just not sure what I need to do to get pfSense to read the tags. Is this done in the background or do I need to configure a rule to match the packets with the 1003 tag to my guest network?


  • LAYER 8 Netgate

    Create a VLAN 1003 on the physical interface to your switch (using eth0 below as an example).

    Assign an interface to that VLAN 1003 on eth0 interface.

    Create appropriate firewall rules, DHCP services, etc on that interface.

    Everything transmitted by that interface will be tagged with 1003. Everything arriving tagged 1003 will be processed by that interface.
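    The last sentence is what a VLAN interface actually does on the wire. The following is an added example, not code from the thread or from pfSense: a minimal 802.1Q tagger/parser that inserts a tag on egress and, on ingress, hands a tagged frame to the logical interface registered for its VLAN ID (untagged frames go to the parent, unknown IDs are dropped). The MAC addresses, frame bytes and the interface names `GUEST` and `VLAN10_MAIN` are constructed for illustration.

```python
"""Added example: 802.1Q tag insertion and ingress dispatch, as a VLAN
interface on a parent NIC does it. Frames and names are constructed."""
import struct
from typing import Dict, Optional

TPID_8021Q = 0x8100      # EtherType announcing an 802.1Q tag follows
ETHERTYPE_IPV4 = 0x0800


def tag_frame(frame: bytes, vid: int, pcp: int = 0, dei: int = 0) -> bytes:
    """Egress: insert a 4-byte 802.1Q tag after the 12-byte dst/src MAC pair."""
    if not 0 <= vid <= 4094:
        raise ValueError("VLAN ID must be 0..4094 (4095 is reserved)")
    tci = ((pcp & 0x7) << 13) | ((dei & 0x1) << 12) | (vid & 0xFFF)
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def parse_frame(frame: bytes) -> dict:
    """Return dst, src, vid (None when untagged), inner ethertype and payload."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    vid: Optional[int] = None
    offset = 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q header")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vid = tci & 0xFFF          # low 12 bits of the TCI are the VLAN ID
        offset = 18
    return {"dst": dst, "src": src, "vid": vid,
            "ethertype": ethertype, "payload": frame[offset:]}


def dispatch(frame: bytes, vlan_interfaces: Dict[int, str],
             parent: str = "eth0") -> str:
    """Ingress: name the logical interface that should process this frame."""
    info = parse_frame(frame)
    if info["vid"] is None:
        return parent                              # untagged -> parent NIC
    return vlan_interfaces.get(info["vid"], "DROP")  # no interface for VID -> drop


# Constructed sample: one untagged IPv4 frame and two VLAN interfaces on eth0.
DST = bytes.fromhex("001122334455")
SRC = bytes.fromhex("66778899aabb")
UNTAGGED = DST + SRC + struct.pack("!H", ETHERTYPE_IPV4) + b"\x45" + b"\x00" * 19
VLAN_IFS = {1003: "GUEST", 10: "VLAN10_MAIN"}

if __name__ == "__main__":
    guest = tag_frame(UNTAGGED, 1003)
    print(parse_frame(guest)["vid"], dispatch(guest, VLAN_IFS))
    print(dispatch(tag_frame(UNTAGGED, 20), VLAN_IFS))   # no interface for 20
```

    The point for the switch side of the thread: a frame tagged 20 reaches pfSense fine but is dropped unless a VLAN 20 interface exists on that parent, and an untagged frame is handled by the parent interface, not by any VLAN child.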



  • @wgstarks:

    I’m attempting to get my guest network setup on my Airport Extremes and this thread has been very helpful but a couple of things I’m not sure about.

    I’m using a Netgear GS724Tv2 switch to create the vlans MAIN_VLAN10 (pvid10) for all my desktops, printers and servers and WIFI_VLAN20 (pvid20) for the Airports. If I’m understanding correctly the Airports will tag guest traffic with 1003?

    I will just clarify the Airport Extreme (or Express, or Time Capsule) side.
    When used as a router, an Airport Extreme (and the other new Airport base stations) will be able to create a guest network by VLAN tagging, assigning the VLAN tag 1003 to packets going to the guest network (ethernet or wireless).
    When used as a simple wifi access point, an Airport Extreme base station will recognise packets VLAN tagged 1003 and be able to send them to the wireless guest network.
    Given that your Airport base stations are wifi access points and not routers, none of them will do the VLAN tagging. But they will need it. You need to do it on your guest interface in the pfSense router. pfSense > Interfaces > VlanAssignment > Vlans. I attach a copy of my setup. HTH




  • @Derelict:

    Create a VLAN 1003 on the physical interface to your switch (using eth0 below as an example).

    Assign an interface to that VLAN 1003 on eth0 interface.

    Create appropriate firewall rules, DHCP services, etc on that interface.

    Everything transmitted by that interface will be tagged with 1003. Everything arriving tagged 1003 will be processed by that interface.

    Outstanding. That's what I thought. Just wanted to be sure.



  • @Michel-angelo:

    Given that your airport base stations are wifi access points and not routers, none of them will do the Vlan tagging. But they will need it. You need to do it on your guest interface in the pfSense router.

    This is all fairly new to me, but I don't see how this could be? You are able to login to the wifi guest network and also into the regular network that you have setup right? The Airport must have some way to distinguish between the 2 different wifi networks. I would think that the Airport must be applying tags to all traffic entering the guest network via wifi. Of course there's always the chance that I'm completely wrong.  :D


  • LAYER 8 Global Moderator

    My understanding is the guest network on an airport will be tagged 1003.. You need to setup your switching and pfsense correctly to understand that tag..

    https://www.thegeekpub.com/5191/use-airport-extreme-guest-network-bridge-mode/
    The Airport Extreme Guest Wireless network can be used with almost any other brand of router as your main router, as long as it supports VLANs



  • @johnpoz:

    My understanding is the guest network on a airport will be tagged 1003.. You need to setup your switching and pfsense correctly to understand that tag..

    https://www.thegeekpub.com/5191/use-airport-extreme-guest-network-bridge-mode/
    The Airport Extreme Guest Wireless network can be used with almost any other brand of router as your main router, as long as it supports VLANs

    Thanks. I think I’ve kinda got my head wrapped around the basics of the tag routing now. Having a family day today, but I’ll give it a shot tomorrow and see if I can get it to work.

    Thanks to everyone for your help so far.



  • @wgstarks:

    @johnpoz:

    My understanding is the guest network on a airport will be tagged 1003.. You need to setup your switching and pfsense correctly to understand that tag..

    https://www.thegeekpub.com/5191/use-airport-extreme-guest-network-bridge-mode/
    The Airport Extreme Guest Wireless network can be used with almost any other brand of router as your main router, as long as it supports VLANs

    Thanks. I think I’ve kinda got my head wrapped around the basics of the tag routing now. Having a family day today, but I’ll give it a shot tomorrow and see if I can get it to work.

    Thanks to everyone for your help so far.

    Well that didn't turn out too well. I created a VLAN10 (pvid 10) on my switch with associated ports tagged. Created VLAN10_MAIN on my firewall for approved laptops and other wireless devices and created VLAN1003_Guest for guest use.

    VLAN1003 should have no access to local network. Only internet. I believe that's working.

    VLAN10 needs to have full access to the local network as well as the internet. I can get access to the internet but not the local network.

    I'm hoping I've just missed a rule or misconfigured one?


  • LAYER 8 Netgate

    No way to know without knowing what that LOCAL_NETWORKS Alias and those port aliases are. Those rules don't make much sense.

    What are you trying to do here?

    I personally despise "blocking" traffic with pass ! rules. Hate it. Loathe it. Wish it would die in a fire.

    If you want to block it, just block it. Then pass any.

    ![Screen Shot 2018-01-01 at 3.50.23 PM.png](/public/imported_attachments/1/Screen Shot 2018-01-01 at 3.50.23 PM.png)



  • @Derelict:

    No way to know without knowing what that LOCAL_NETWORKS Alias and those port aliases are. Those rules don't make much sense.

    What are you trying to do here?

    I personally despise "blocking" traffic with pass ! rules. Hate it. Loathe it. Wish it would die in a fire.

    If you want to block it, just block it. Then pass any.

    local_subnets

    These rules aren't mine really. Straight from a guide. Would be glad for any suggestions to simplify them.

    As far as what I want to accomplish. I have 2 airports that are configured with a WPA2 “Home Network” which works and a “Guest Network” which shows “no internet”. I’m trying to setup a vlan that will allow guest connections to DHCP server and WAN only, without interfering with the “Home Network” which needs full access to local networks.


  • LAYER 8 Netgate

    Just because it's in a "guide" doesn't mean it's correct.

    You only gave half the picture. What destination ports are you passing?



  • @Derelict:

    Just because it's in a "guide" doesn't mean it's correct.

    You only gave half the picture. What destination ports are you passing?

    Not sure what you mean by destination ports?



  • @wgstarks:

    @Derelict:

    Just because it's in a "guide" doesn't mean it's correct.

    You only gave half the picture. What destination ports are you passing?

    Not sure what you mean by destination ports?

    Guess I'm a little slow tonight. :)


  • LAYER 8 Netgate

    I would disable those rules and add a pass any any rule. Does it work? Then you are not passing traffic you need to pass.

    You do realize that you will be unable to ping with that configuration because it is not passed, right?

    I can be confident that pfSense is behaving exactly as it is being instructed to behave.

    Check the firewall logs for what is being blocked and evaluate whether it should be passed and pass it or don't.



  • @Derelict:

    I would disable those rules and add a pass any any rule. Does it work? Then you are not passing traffic you need to pass.

    Thanks. Makes a lot of sense. Maybe one of these days I’ll learn to quit following these online step-by-step guides.🙄



  • Think I've got everything working now. Thanks @Derelict. Guest network has access to DHCP Server and WAN but no access to firewall or LAN (only other local network currently).

    The firewall rules may need some tweaking. Any advice? I checked pinging, that works.

    Edit: Caught my mistake with the "Block LAN Access" rule order. It's now one above "Allow Any".


  • LAYER 8 Netgate

    Your Allow any rule will pass all traffic and nothing below it will have any effect.



  • @Derelict:

    Your Allow any rule will pass all traffic and nothing below it will have any effect.

    Are you saying I should modify “allow any” or delete the rules below it? Or both?


  • LAYER 8 Global Moderator

    What he is saying is rules are evaluated top down, first rule to trigger wins - no other rules are evaluated.

    Anything below an any any allow is pointless since no traffic will ever make it to that rule since the any any allow will pass the traffic.  You need to place your rules in the correct order top down so they evaluate how you want them to evaluate.
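    The two behaviours this thread keeps running into (first match wins top down, and the earlier "Allow DNS to pfSense" rule sitting above a "Block packets to This firewall" rule) can be shown with a small first-match evaluator. This is an added example, not pfSense's code and not the rules from anyone's screenshot: the addresses, the `this_firewall` and `LOCAL_NETWORKS` alias contents and the two rule sets are constructed to mirror the guest-network layout discussed above. It also reports which rules are shadowed by an earlier pass-any rule, which is exactly the defect Derelict is pointing at.

```python
"""Added example: top-down, first-match rule evaluation for a guest VLAN,
with a default deny and a check for rules shadowed by an earlier any/any
pass. Aliases, addresses and rule sets are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str                   # "tcp", "udp" or "icmp"
    dst: str                     # destination IPv4 address
    dport: Optional[int] = None  # None for protocols without ports (icmp)


@dataclass(frozen=True)
class Rule:
    action: str                  # "pass" or "block"
    proto: str = "any"           # "any", "tcp", "udp", "icmp"
    dst: str = "any"             # "any", a CIDR, or an alias name
    dport: Optional[int] = None  # None matches every port
    name: str = ""


# Constructed aliases: the guest interface address and the local subnets.
ALIASES = {
    "this_firewall": ["192.168.2.1/32"],
    "LOCAL_NETWORKS": ["192.168.0.0/24", "192.168.1.0/24", "192.168.2.0/24"],
}


def _dst_matches(rule_dst: str, dst: str) -> bool:
    if rule_dst == "any":
        return True
    nets = ALIASES.get(rule_dst, [rule_dst])   # alias name or literal CIDR
    return any(ip_address(dst) in ip_network(n) for n in nets)


def matches(rule: Rule, pkt: Packet) -> bool:
    return ((rule.proto == "any" or rule.proto == pkt.proto)
            and _dst_matches(rule.dst, pkt.dst)
            and (rule.dport is None or rule.dport == pkt.dport))


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """Top down; the first rule that matches decides. No match -> default deny."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule.name
    return "block", "default deny"


def shadowed_by_any(rules: List[Rule]) -> List[str]:
    """Names of rules that sit below an any/any pass rule and can never fire."""
    for i, rule in enumerate(rules):
        if rule.action == "pass" and rule.proto == "any" \
                and rule.dst == "any" and rule.dport is None:
            return [r.name for r in rules[i + 1:]]
    return []


# Working order: specific pass for DNS to the firewall, then the blocks, then pass any.
GUEST_GOOD = [
    Rule("pass", "udp", "this_firewall", 53, "Allow DNS to pfSense"),
    Rule("block", "any", "this_firewall", None, "Block packets to This firewall"),
    Rule("block", "any", "LOCAL_NETWORKS", None, "Block LAN access"),
    Rule("pass", "any", "any", None, "Allow any"),
]
# Broken order from the thread: pass any on top makes every block below it dead.
GUEST_BROKEN = [GUEST_GOOD[3], GUEST_GOOD[0], GUEST_GOOD[1], GUEST_GOOD[2]]

if __name__ == "__main__":
    lan_smb = Packet("tcp", "192.168.1.20", 445)
    print("good:", evaluate(GUEST_GOOD, lan_smb))      # blocked by Block LAN access
    print("broken:", evaluate(GUEST_BROKEN, lan_smb))  # passed by Allow any
    print("dead rules:", shadowed_by_any(GUEST_BROKEN))
```

    Note that ICMP to the internet passes in `GUEST_GOOD` only because "Allow any" is there; a rule set without it would fall through to the default deny, which is the "you will be unable to ping" point made earlier in the thread.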



  • Thanks. Actually, I understood that. Should have been more specific.

    I can see that the default block rules aren’t going to do anything. If I move the any-any rule below them then it won’t do anything. Since I’m a noob at this, I’m not sure if I should modify the any-any rule or just delete the default block rules? My intent with this rule is to allow unlimited access to the internet.


  • LAYER 8 Global Moderator

    there is a default deny rule anyway.. There is no reason to create your own rule unless you have turned off logging of the default rule and would still like to log stuff that makes it through your rules that you block that meet some specific criteria you setup in the block rule that would be different than default deny, etc.  Or if you only want to log stuff on specific lan side interfaces and have turned off the logging of the default deny rule that is on all interfaces.

