Wireless on same subnet while using a non-PfSense DHCP Server

weediez

Can you give me a example or give me the information that I would need to set that sort of rule up?

ktims

Here's what I have set up at one install. It uses a DHCP server running on the pfSense box, but since DHCP is broadcast traffic it should work with an external DHCP server as well (obviously it must be on the LAN segment). The DHCP rule is a bit less granular than it could be, and obviously the allow all rule is less than optimal, but this config should work. As mentioned, you'll need to bridge the interfaces as well.

rules.png_thumb

weediez

ok ya we tried bridging it as well at one point but we didnt create any rules. thanks alot I'll give your suggestion a try and let you know how it goes.

weediez

I posed screenshots of my Rules for my LAN device and my Opt1 (Wireless AP). OPT1 is bridged with LAN.

I havent put the box live again since yesterday, just wanted insight on these rules before I do go live with it.

![OPT1 rules.JPG_thumb](/public/imported_attachments/1/OPT1 rules.JPG_thumb)
![OPT1 rules.JPG](/public/imported_attachments/1/OPT1 rules.JPG)
![LAN Firewall Rules.JPG_thumb](/public/imported_attachments/1/LAN Firewall Rules.JPG_thumb)
![LAN Firewall Rules.JPG](/public/imported_attachments/1/LAN Firewall Rules.JPG)

ktims

If you don't want traffic to be able to pass from the wireless LAN to the wired LAN, I would prefer to explicitly create a block or reject rule. The effect is the same, but it's more 'self documenting' than letting that traffic default out. Put all your reject rules first, then you can get rid of the 'not LAN subnet' destination specification.

This is more personal preference than anything (I don't like using NOTs in my firewall rules, or letting traffic intentionally hit the policy rules) as your ruleset should work as you expect.

weediez

Well I can get DHCP to give me Ip's when I conenct devices to my AP, which is OPT1. But I cant access network shares or the Internet. So thats why I'm just asking what rule I need to put in place to be able to access the web and get network access. I also need to know where I add the rules. Thanks.

ktims

It may be the NOT LAN Net rule that's causing the problem, it's probably blocking traffic to the default gateway (on the LAN net), and what you're seeing makes sense. Keep things simple when testing, and just add an allow all rule and see if that works before you try anything else.

Though really, if you want the WLAN and LAN segregated, it makes a lot more sense to just have a separate subnet. If the machines on the segment can't talk to each other, why do they need to use the same DHCP, seems a bit of a strange requirement.

OMEN

Forgive me for this but a quick google:

http://geekswithblogs.net/TSCustomiser/archive/2007/05/09/112357.aspx
you need certain port forwarded to get funtionality,

netbios 137 and 138 and 139
smb (shares) 445
dns 53

weediez

Yea, I'm not too sure to be honest. It's what my boss wants done. I will try removing that rule and see if that helps at all. Thanks guys.

weediez

Thanks Omen, appreciate that man.