Wireless on same subnet while using a non-PfSense DHCP Server

weediez · Feb 25, 2009, 8:43 PM

Can you give me a example or give me the information that I would need to set that sort of rule up?

ktims · Feb 25, 2009, 9:19 PM

Here's what I have set up at one install. It uses a DHCP server running on the pfSense box, but since DHCP is broadcast traffic it should work with an external DHCP server as well (obviously it must be on the LAN segment). The DHCP rule is a bit less granular than it could be, and obviously the allow all rule is less than optimal, but this config should work. As mentioned, you'll need to bridge the interfaces as well.

weediez · Feb 25, 2009, 9:36 PM

ok ya we tried bridging it as well at one point but we didnt create any rules. thanks alot I'll give your suggestion a try and let you know how it goes.

weediez · Feb 26, 2009, 5:18 PM

I posed screenshots of my Rules for my LAN device and my Opt1 (Wireless AP). OPT1 is bridged with LAN.

I havent put the box live again since yesterday, just wanted insight on these rules before I do go live with it.

![OPT1 rules.JPG_thumb](/public/imported_attachments/1/OPT1 rules.JPG_thumb)
![OPT1 rules.JPG](/public/imported_attachments/1/OPT1 rules.JPG)
![LAN Firewall Rules.JPG_thumb](/public/imported_attachments/1/LAN Firewall Rules.JPG_thumb)
![LAN Firewall Rules.JPG](/public/imported_attachments/1/LAN Firewall Rules.JPG)

ktims · Feb 26, 2009, 6:05 PM

If you don't want traffic to be able to pass from the wireless LAN to the wired LAN, I would prefer to explicitly create a block or reject rule. The effect is the same, but it's more 'self documenting' than letting that traffic default out. Put all your reject rules first, then you can get rid of the 'not LAN subnet' destination specification.

This is more personal preference than anything (I don't like using NOTs in my firewall rules, or letting traffic intentionally hit the policy rules) as your ruleset should work as you expect.

weediez · Feb 26, 2009, 6:24 PM

Well I can get DHCP to give me Ip's when I conenct devices to my AP, which is OPT1. But I cant access network shares or the Internet. So thats why I'm just asking what rule I need to put in place to be able to access the web and get network access. I also need to know where I add the rules. Thanks.

ktims · Feb 26, 2009, 6:35 PM

It may be the NOT LAN Net rule that's causing the problem, it's probably blocking traffic to the default gateway (on the LAN net), and what you're seeing makes sense. Keep things simple when testing, and just add an allow all rule and see if that works before you try anything else.

Though really, if you want the WLAN and LAN segregated, it makes a lot more sense to just have a separate subnet. If the machines on the segment can't talk to each other, why do they need to use the same DHCP, seems a bit of a strange requirement.

OMEN · Feb 26, 2009, 6:37 PM

Forgive me for this but a quick google:

http://geekswithblogs.net/TSCustomiser/archive/2007/05/09/112357.aspx
you need certain port forwarded to get funtionality,

netbios 137 and 138 and 139
smb (shares) 445
dns 53

weediez · Feb 26, 2009, 7:14 PM

Yea, I'm not too sure to be honest. It's what my boss wants done. I will try removing that rule and see if that helps at all. Thanks guys.

weediez · Feb 26, 2009, 7:26 PM

Thanks Omen, appreciate that man.