WAN, LAN + OPT1 - CORRECT WAY OF SETUP



  • I installed pfSense on a PC with 3 network interfaces, in the following scenario:

    LAN is the private network, and its users may access the WAN using Squid. (This is already working.)
    (WAN is the interface connected to the internet.)

    Finally:

    The OPT1 interface is connected to a wireless router, which I am using as an access point.

    I want the clients of this access point to be able to connect to the internet through a captive portal, while restricting them from the LAN network.

    LAN and WAN are working well, but I tried to set up OPT1 and was not able to make it work well.

    Please, does somebody know the correct way of doing this?



  • Is DHCP running on OPT1, and is your access point getting an IP address?



  • @hbauer:

    Is DHCP running on OPT1, and is your access point getting an IP address?

    The DHCP server is enabled on the OPT1 interface, but is disabled in the access point.

    OPT1 interface with the IP 192.168.27.254/24, with DHCP enabled.

    The access point is at 192.168.27.1/24, static (DHCP disabled). Gateway 192.168.27.254.

    This access point is a TP-Link router with OpenWrt with this configuration:
    Uptime: 4h 44m 44s
    MAC-Address: F4:EC:38:xx:xx:xx
    IPv4: 192.168.27.1/24
    IPv6: fdd7:a463:e48a::1/60

    The network cable is connected to the OPT1 interface and to one of the LAN ports (of the access point).

    The wifi clients are getting IPs from the OPT1 DHCP server.


  • LAYER 8 Global Moderator

    "The wifi clients are getting ips from the opt1 dhcp server."

    So you're working. So what firewall rules did you put on the OPT1 network? When you create a new interface there are no default rules, unlike the LAN rules created when you set up pfSense. You have to create the rules to allow the traffic you want to allow.



  • @johnpoz:

    "The wifi clients are getting IPs from the OPT1 DHCP server."

    So you're working. So what firewall rules did you put on the OPT1 network? When you create a new interface there are no default rules, unlike the LAN rules created when you set up pfSense. You have to create the rules to allow the traffic you want to allow.

    This is a copy-paste from Firewall / Rules / OPT1:

    Protocol  Source    Port  Destination  Port  Gateway  Queue  Schedule  Description
    IPv4 *    OPT1 net  *     WAN net      *     *        none
    IPv4 *    *         *     WAN net      *     *        none

    But it is not working. Do you know if this is correct?



  • I can't test it at this moment, but I believe your OPT1 devices are not allowed to access the OPT1 gateway in the first place.

    Maybe add a

    IPv4 *    OPT1 net  *     OPT1 address  *     *        none

    first.

    Just a guess, without any experience.



  • @hbauer:

    I can't test it at this moment, but I believe your OPT1 devices are not allowed to access the OPT1 gateway in the first place.

    Maybe add a

    IPv4 *    OPT1 net  *     OPT1 address  *     *        none

    first.

    Just a guess, without any experience.

    I did add this rule, but it is still not working.

    I am testing from my iPhone; the address is correct:

    192.168.27.108/24,
    router: 192.168.27.254 (pfSense - OPT1)
    DNS: 192.168.27.254

    I can access 192.168.27.1 (OpenWrt - access point) from my PC on LAN, and from my iPhone.
    I can access 192.168.27.254 (pfSense) from the iPhone.
    But there is no way to access the WAN from OPT1 (iPhone).

    Edit: Maybe it's some misconfiguration on the OpenWrt?



  • I've made some progress:

    First, I created a static route in OpenWrt, disabled the firewall, and pointed the DNS to Google.

    Second, I activated the Captive Portal on pfSense on OPT1.

    Now when I type www.google.com on the iPhone (OPT1) I see the captive portal login.

    But when I enter the credentials, I am still unable to access the WAN.

    www.google.com doesn't show up, with the error:

    server stopped responding

    I am able to contact the internet gateway that is connected to the WAN interface of pfSense. This was not possible before creating that static route.

    Edit - After this, I added Squid to the OPT1 interface, and defined 192.168.27.0/24 in allowed networks.
    Then the Google page showed up.

    But I still have a doubt:

    Should the internet not work without Squid on the OPT1 interface?


  • LAYER 8 Global Moderator

    "Should the internet not work without Squid on the OPT1 interface?"

    You do not need Squid for the internet to work. I have multiple interfaces and do not have Squid even installed.

    "First, I created a static route in OpenWrt,"

    What??

    "IPv4 *  OPT1 net  *  WAN net  *  *  none"

    No, that is NOT correct. WAN net is just that: the WAN net. That would explain why it works via proxy. WAN net is not the internet; it's just the network your WAN is on. Create an ANY ANY rule on OPT1, just like your LAN, but use OPT1 net as the source network.



  • @johnpoz:

    "Should the internet not work without Squid on the OPT1 interface?"

    You do not need Squid for the internet to work. I have multiple interfaces and do not have Squid even installed.

    "First, I created a static route in OpenWrt,"

    What??

    "IPv4 *  OPT1 net  *  WAN net  *  *  none"

    No, that is NOT correct. WAN net is just that: the WAN net. That would explain why it works via proxy. WAN net is not the internet; it's just the network your WAN is on. Create an ANY ANY rule on OPT1, just like your LAN, but use OPT1 net as the source network.

    I know that WAN (Wide Area Network) net in pfSense is not the internet itself, but just a reference to the network interface card that should be connected to the internet or another wide area network.

    When I said I created a static route I was not talking about pfSense, but about the OpenWrt device that I am using as an access point.

    I looked at the route table of that device and saw that the gateway 192.168.1.254 was not being referenced in that table, even though I had configured it as the gateway in the LAN configuration (of the OpenWrt device).

    That was the reason I created a new route manually in the route table to that gateway.

    After that I created that rule, saved, and tested: the internet was not working, but it was already possible to 'see' the hosts on the WAN side. (I use another router on the WAN side.)

    After that I enabled Squid on OPT1 and it worked.

    I already know that Squid is not necessary for the internet to work, and that makes no sense to me either, but it is what happened.

    Furthermore, I do not want the wifi clients in the OPT1 net to be able to see the hosts inside the "LAN" network, but this was happening.

    So to prevent it I created a new firewall rule in pfSense blocking all IPv4 and IPv6 from OPT1 to LAN, tested, and it was working as I want.

    I still need to do more tests, but it seems to be working the way I want.

    My only concern now is: how secure is pfSense?



  • New problem detected. As I said, the internet on the OPT1 interface works only when Squid (proxy) is enabled.

    If I disable the proxy on OPT1, the internet is disabled completely on OPT1.

    My pfSense rules on OPT1:

    Protocol  Source    Port  Destination   Port  Gateway  Queue  Schedule  Description
    IPv6 *    OPT1 net  *     LAN net       *     *        none
    IPv4 *    OPT1 net  *     LAN net       *     *        none
    IPv4 *    OPT1 net  *     OPT1 address  *     *        none
    IPv4 *    OPT1 net  *     WAN net       *     *        none
    IPv4 *    *         *     WAN net       *     *        none

    Because of this (I think), some applications such as WhatsApp are not working on OPT1.

    What should I do in pfSense so that the internet (WAN) works on OPT1 without needing to enable Squid?


  • LAYER 8 Global Moderator

    So let's repeat, since clearly you're not grasping this:

    "IPv4 *  OPT1 net  *  WAN net  *  *  none"

    No, that is NOT correct. WAN net is just that: the WAN net. That would explain why it works via proxy. WAN net is not the internet; it's just the network your WAN is on. Create an ANY ANY rule on OPT1, just like your LAN, but use OPT1 net as the source network.

    Let's say your WAN is 1.2.3.4/24. WAN net means you could only talk to devices with IP 1.2.3.1-254. That is the WAN net; this is NOT the internet. The internet is ANY! Since pretty much the internet could be ANY public IP address.

    You have no rule listed that would allow you to reach, say, Google DNS 8.8.8.8, or, say, forums.pfsense.org [208.123.73.18].

    Your internet is only working via proxy because pfSense itself can get to the internet, and with the proxy you're just asking pfSense: hey, go to this place for me. If you want to get there directly then you have to allow that on the firewall.

    How hard is it to put up a screenshot? From those I cannot tell if those are blocked or allowed.

    You can see here I allow ping to the wlan guest address, IPv4 and IPv6.
    I allow access to my NTP servers that are on different VLANs, IPv4 and IPv6.
    I allow the guests to go to public DNS; I hand out Google in the DHCP server for this guest wifi network. Via a rule that is "allow for anything NOT rfc1918" (see alias created).
    I then block (reject actually, with logging) any other access to any other firewall IP, be it LAN, WAN, or any other VLAN IP.
    I then allow guests to go anywhere else as long as it is not rfc1918, or my local IPv6 networks.

    Where in your rules (top down, first rule to trigger wins, no other rules allowed) would your clients be able to go to any IP on the internet? This is why the rules out of the box on pfSense are ANY ANY on the LAN.
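The point the moderator is making (first match wins, "WAN net" is only the WAN subnet, the internet is "any") can be checked without a pfSense box. The script below is an added example, not code from the thread or from the pfSense project: it is a small model of top-down, first-match rule evaluation on the OPT1 interface, run against the rule set as posted and against the shape the moderator describes (allow the firewall's own OPT1 address, reject private space, then allow everything else). The OPT1 subnet and OPT1 address are the ones posted; the LAN subnet (192.168.1.0/24) and WAN subnet (203.0.113.0/24) are assumptions, as is the client and target addresses used as sample packets.

```python
"""Added example (not from the thread or pfSense): a toy model of pf's
top-down, first-match rule evaluation on one interface.  It shows why
the posted "OPT1 net -> WAN net" pass rules never reach 8.8.8.8 while
the same clients can reach LAN, and how "any" as the destination fixes
it, provided a reject for private space sits above it.  Only the OPT1
subnet and OPT1 address come from the thread; LAN/WAN subnets and the
sample packet addresses are assumptions."""
import ipaddress

# Interface networks.  OPT1 values are from the thread; the others are
# assumed so that each sample packet lands in exactly one named net.
NETS = {
    "OPT1 net": ipaddress.ip_network("192.168.27.0/24"),
    "OPT1 address": ipaddress.ip_network("192.168.27.254/32"),
    "LAN net": ipaddress.ip_network("192.168.1.0/24"),    # assumed
    "WAN net": ipaddress.ip_network("203.0.113.0/24"),    # assumed (TEST-NET-3)
}
# Equivalent of an "rfc1918" alias in pfSense, usable plain or inverted.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def matches(selector, addr):
    """True if addr is covered by a rule's source/destination selector."""
    ip = ipaddress.ip_address(addr)
    if selector == "any":               # the "*" column in the rule list
        return True
    if selector == "RFC1918":           # alias match
        return any(ip in net for net in RFC1918)
    if selector == "!RFC1918":          # pfSense "invert match" on the alias
        return not any(ip in net for net in RFC1918)
    return ip in NETS[selector]


def evaluate(rules, src, dst):
    """Walk the interface rules top down; the first match wins.  No match
    falls through to pf's implicit default deny, which is why a freshly
    created OPT interface with no rules passes nothing."""
    for action, source, dest in rules:
        if matches(source, src) and matches(dest, dst):
            return action
    return "block"


# The OPT1 rule set as posted in the thread (protocol/ports omitted: all "*").
POSTED_RULES = [
    ("pass", "OPT1 net", "LAN net"),
    ("pass", "OPT1 net", "OPT1 address"),
    ("pass", "OPT1 net", "WAN net"),
    ("pass", "any", "WAN net"),
]

# The shape the moderator describes: allow the firewall's own OPT1 address
# (DHCP, DNS, captive portal), reject everything else private (this covers
# LAN net), then "ANY ANY" with OPT1 net as the source.  Order matters:
# swapping the last two rules would let guests reach LAN again.
CORRECTED_RULES = [
    ("pass", "OPT1 net", "OPT1 address"),
    ("reject", "OPT1 net", "RFC1918"),
    ("pass", "OPT1 net", "any"),
]


def summary(rules):
    """Verdict per sample destination for the iPhone at 192.168.27.108
    (client address from the thread; target hosts other than the OPT1
    address and 8.8.8.8 are assumed)."""
    client = "192.168.27.108"
    targets = {
        "pfSense OPT1 address": "192.168.27.254",
        "a LAN host": "192.168.1.10",
        "a WAN-side host": "203.0.113.1",
        "Google DNS": "8.8.8.8",
    }
    return {name: evaluate(rules, client, ip) for name, ip in targets.items()}


if __name__ == "__main__":
    for label, rules in (("posted", POSTED_RULES), ("corrected", CORRECTED_RULES)):
        print(f"== {label} rules ==")
        for name, verdict in summary(rules).items():
            print(f"  {name:22s} {verdict}")
```

With the posted rules, the WAN-side host passes (it is inside "WAN net") but 8.8.8.8 hits no rule and is dropped by the default deny; with the corrected rules 8.8.8.8 passes and the LAN host is rejected. The model only evaluates traffic entering OPT1, which is also why Squid "worked": proxied requests leave from pfSense itself on WAN and are never subject to the OPT1 rules.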


